The Trouble with the BISO Role
Photo by NeONBRAND / Unsplash

The Trouble with the BISO Role

The BISO role has always looked good on paper and but has trouble living up to the hype. I share my view on how this role needs to evolve.

Mike P
Mike P

Before diving into the troubles with the BISO role, first, you have to understand what the role is, what the role is not, and the challenges it can face.

What is a BISO?

A role billed as "the security ambassador to the business," the "CISO's tactical and operational arm," or even a "mini-CISO."

Alyssa Miller defines it as:

A Business Information Security Officer (BISO) is a senior security leader assigned to lead the security strategy of a division or business unit. They provide a bridge from the centralized security function to the business. The BISO functions like a deputy CISO reporting into the business line.

A BISO is common in large companies with multiple lines of business (i.e., financial services, insurance, etc.). Over the last few years, this role has started to make its way into other industries and gained a lot of popularity.

I also like Alyssa's points on the necessary qualities for someone to be successful in a BISO include:

  • Broad security knowledge
  • Executive presence
  • Influencer leadership
  • Strategic thinking

A successful person in this role can get high visibility across the business and IT. They will be a leader who bridges gaps and enables the business to move forward in a secure way.

The Goal of the BISO Role

The ultimate goal of the BISO role is to make sure security happens in all parts of a business in a fluid manner.

The BISO needs to enable a secure experience for employees and customers alike. You have to understand the line of business functions and goals and be able to align security to those ends.

As a BISO, you get to see (and hear!) the impact (positive or negative) security can have. BISOs get to have unique perspectives that many people in IT do not get the opportunity to see. They get to:

✅ Understand a line of business

✅ Track customer-facing business services and understand the value

✅ Harness the ability to work cross-functionally (many cybersecurity people don't get this)

✅ Stay focused on risk mitigation for business enablement

That all sounds pretty good, right?

Where the Role Has Trouble

The BISO role has risen up more over the past few years, and it's a relatively new discipline in cybersecurity. It has always looked good on paper but has trouble living up to the hype.

As a former BISO at a very large financial services company, many of the accolades and promises of the role on the Internet don't come from practical, first-hand experience. They are "paper understandings" of the role not always founded in real execution in a real organization.

I'm sharing my view on how this role needs to evolve based on having to live it every day. The BISO role falls short for one reason. The role comes with accountability and no responsibility.

BISO's are accountable but have no authority.

It's typically not the fault of the individuals in BISO roles, but rather the systems put in place to support the role.

When the BISO role is introduced, the centralized security teams and IT counterparts don't know what to do with the role. If the role is new to the organization then likely all parties involved, including the BISO do not know what to do with the role in that environment.

How and when should security teams and business teams engage the BISO? Are centralized teams no longer allowed to talk directly to end-users or the business teams? Who makes "the call" on risk-related issues?

Example Scenario: Is the BISO authorized to tell a business application team they can delay a security patch because of a business release or go-live event?

If not communicated and supported clearly from the outset, the BISO role can create a death spiral environment. The environment invites the centralized security functions to bypass or scapegoat the BISOs and causes the BISOs to try anything to show their value (often coming up short).

When companies get large enough, each department is like a small company unto itself. Getting things done inside of those departments across teams is hard enough. Convincing outside teams to focus on your work over their work is an almost impossible challenge.

Now add the ever-changing, constant fire drill world that is cybersecurity to the mix. This isn't new to many cybersecurity professionals, but adding in the BISO role makes this even more challenging.

Breaking down the four buckets of work for a large company's security program

As a result of this split, the majority of the "security work" comes from the first three buckets. This is no surprise to most people in cybersecurity.

So what does that mean for the BISO role? If you're familiar at all with The Phoenix Project, then you may recall the Four Types of Work:

  1. Business Projects - work led by the business for the business that may involve IT
  2. Internal IT Projects - work led by IT for IT
  3. Updates and Changes - work generated from the first two types of work
  4. Unplanned Work (Recovery Work) - incidents and problems generated by work not in the first three types of work

Looking back at the four buckets of cybersecurity work, the first three buckets of people cover all four types of work above.

You might be asking yourself, "well, what else is there then and who is in that 'everyone else' bucket?"

The fourth bucket is where the BISO role lives.

That fourth bucket is where the fires happen, and that's where the BISO can live. BISO's can wind up doing nothing but firefighting and apologizing for issues that shouldn't even be issues.

When priorities aren't aligned or when cybersecurity delivery is less than ideal, the BISO role gets called to the plate. As a result, the BISO role holds the blame from both sides for not meeting expectations.

The days quickly become nothing but damage control for one side or another. It's easy to spend your whole day beating back the fires instead of stopping the fires from happening.

So What Can You Do?

If you find yourself in a BISO role, follow these five principles to drive accountability and improve the relationships between the business and cybersecurity teams:

  1. Represent the customer experience side of cybersecurity.
  2. Don’t do the work of the delivery teams.
  3. Be the translation layer.
  4. Don’t hire people from delivery teams.
  5. Don’t own the data.

Represent the customer experience side of cybersecurity.

The number one goal of business is not to be the most secure, it's to serve customers and make money.

In most large companies, there is a one-way street where security teams tell business teams what to do and not do. As a result, security organizations often lack self-awareness. They lack the ability to see understand how they impact the business with each thing they do.

A popular social media post in the cybersecurity community on the goal of the BISO role:

"The goal [of the BISO] isn't to recite security policy to the line of business being supported but to make the line of business successful through education of the sharp edges they need to worry about."

This quote starts off the right way with "The goal isn't to recite security policy to the line of business", but then falls short.

Did you catch it? That one-way statement? The way of working that sees the role as a shepherd of the business, but not a two-way street? The BISO role does start with the word "Business" after all...

Pushing security efforts without respect to the downstream impacts on the business is missing the entire point. Security cannot be done for the sake of security, but that's often how it comes across to the business teams.

Things security teams do that affect the business team and sour internal relationships include:

  • Not thinking about the end-user experience of a security request or control (poor execution)
  • Many and overlapping requests from the same cybersecurity team (lack of prioritization)
  • Many and overlapping requests from different cybersecurity teams (lack of collaboration)
  • New requests that don't leverage the data or insights collected from previous requests (not working smart)
  • Every request being an emergency (security is not all about active threats)

Security teams work FOR the business, not the other way around. They need to understand the downstream impact of what they are asking of others.

When the business has to drop everything to respond to every ask from the security team, deliver that feedback as the BISO to the security teams to fix it.

The business often takes the brunt of security initiatives, but a BISO can fix this broken bridge.

The most important job is to be the missing feedback loop.

Don't do the work of the delivery teams.

This will be one of the most challenging aspects to deal with. A BISO that reports directly to the CISO will be viewed by the cybersecurity teams as someone who only works for the cybersecurity team.

As a result, BISOs will be expected to push cybersecurity work into the business without question. This will happen across all functions in a cybersecurity team and inevitably the work required will fall on the same sets of business and technology teams.

If you let it, the BISO role will become a one-way street and you will be driving the bus over the business teams. This goes back to teams doing cybersecurity for the sake of cybersecurity and not as business enablement.

Remember, although you may report to the CISO, you work FOR the business.

You are in a unique position to see and understand the impact that yet another cybersecurity ask has on the business. If approached correctly, the unique viewpoint this role has can offer great strides in business enablement.

Help me [BISO], you're our only hope. - the business teams (probably) 👀

Be the translation layer.

Translation and explaining the "why" is of the utmost importance.
If the business teams don't understand the need for a security initiative or change, give that feedback. Security teams need the opportunity to address it.

This may mean convincing the security teams to slow and to prioritize better. Every ask to the business cannot be of the utmost importance. Remember the business has a day job too.

Focusing on what will mitigate the most risk is an essential key to a successful cybersecurity program. Here are quick reminders to making that work:

  • Clear and consistent communication for every ask with "why this is important."
  • Prioritization and timing for every ask.
  • Thoughtful collaboration with a focus on minimal end-user impact on every ask.
  • A forum to receive questions and ask for feedback with every ask.

Be the translation layer between security initiatives where the business needs to be involved, but don’t do the work. See #2.

Don't hire people from delivery teams.

Do not hire architects, engineers, or other people who are used to "delivering" the work or being on the teams that deliver security services.

These people will have many (good) opinions on the best ways to deliver a service, but will not be in a position to change the way a service is delivered. If they see obvious gaps with a service or team, they will be told to "stay in their lane."

No offense to anyone in the architecture or engineering roles today (I was personally in those roles for many years), but a BISO role may not be for you. If you enjoy delivering services and implementing technical solutions, this role is not for you.

Hiring people who are used to delivering security services will ultimately lead to frustration and not being fulfilled in their roles as a BISO.

If you are one of these people in this role today, it's time to get out now.

Don’t own the data.

The best people to solve a problem are those who are closest to the problem. That often means being the closest to the data and being the closest to understanding what the "ask" is.

As a BISO, you will have the (dis)advantage of being asked to do multiple things from many cybersecurity teams that have great overlap. You can help connect the right teams together to enrich each other's data and processes.

This can be met with resistance from cybersecurity teams, as it means changing a process or procedure on their side to solve for a greater need. You may be asked to take on the brunt of ownership and stewardship of this newfound data.

As a BISO you will be asked to stitch together dispersed data on the fly into coherent pieces. If you do it once, you will always have to do it so be sure it makes sense for you to take on. If it doesn't make sense, this work should go back to the security teams who are closest to the data.

BISO are consumers of services and data from the teams running the cybersecurity groups, not the data keepers.

As a BISO, your goal is to elevate the service delivery of cybersecurity to the business. You help see, uncover, and solve higher-level, strategic challenges.

You are not the owner of these new sources, you are just the one who can see how they connect.

The power of networks is in how the pieces integrate with one another. As a BISO you can be that integration piece and you can use your visibility to make real value.

Closing Thoughts

If you can start with these approaches in mind, your BISO function can bring great value to the business. I wish you luck if you are currently on this journey!

And please... don't do spreadsheets for the sake of doing spreadsheets!

Do you agree or disagree with this list? What's your experience as a BISO? I'd love to hear your feedback, so drop me a note.

career