Cybersecurity is a field of constant innovation, both on the business and the technical side. As we’ve written about in a previous blog post, businesses frequently struggle to communicate cyber risk to their Board of Directors. Effectively evaluating levels of risk, determining the appropriate level of response, and communicating that to the board without reducing cybersecurity to a simple cost of doing business is incredibly difficult. Enter: The Business Information Security Officer (BISO). Large companies such as Charles Schwab, Citibank, and Deloitte have implemented the BISO role into their organizational structure to act as a go-between for the Chief Information Security Officer (CISO) and executives without the technical understanding required to make tactical cybersecurity decisions.
Since CISOs are typically steeped in the technical and strategic deployment of their cybersecurity programs, they are not always the best equipped for employing business strategy. That isn’t to say that CISOs are incapable of business strategy; quite the opposite, as many CISOs are extraordinary business leaders. The theory behind employing a BISO is to provide a bridge between the technical decision makers and the business decision makers to best coordinate shared priorities, as well as to relieve the CISO of business strategy considerations. Ideally, this should result in the best outcome for both parties, since it becomes possible to better balance the two priorities. The key here is that the BISO cannot be a replacement for the CISO, since the purpose of the position is to supplement the CISO’s decision-making ability with the BISO’s experience in business operations.
However, employing a BISO may not be the best solution for all businesses. It works well with large businesses that have a strong communication culture, established processes, and a large enough cybersecurity program to necessitate the division of responsibilities, but the benefits may be significantly reduced in smaller organizations. In small to medium-sized businesses, the increased organizational complexity, delegation of responsibilities, and increased salary expense are significant considerations that need to be accounted for.
For organizations that cannot justify the added organizational complexity or restructuring needed to implement a BISO into their organizational structure, there are tools that serve similar functions. Compliance dashboards and data visualization tools such as CnSight are game-changing tools that facilitate coordination between the technical and business strategic decision-making processes. As we have mentioned in previous blog posts, simple high-level executive dashboards are an amazing tool to empower decision makers to make the right choice for both cybersecurity resilience and business strategy.