The BISO: bringing security to business and business to security

Throughout her career in IT security, Irina Singh has thrived on difficult projects. With a bachelor of science degree in management of information systems and a minor in international business, she now manages a team of business information security liaisons serving four foundational business units at medical device company Medtronic. “One of my slogans is that we bring business to security and security to the business,” she says.

Singh calls herself a business information security partner, but the title most commonly employed for this role is business information security officer (BISO). People in these roles are responsible for one or more areas of the business and they usually report to the CISO or CTO, based on job descriptions found online and those laid out by multiple sources interviewed for this article. The people holding these roles also come from diverse educational and experiential backgrounds, at the core of which are strong familiarity with compliance regulations, solid cybersecurity foundations, and business acumen.

“I graduated just after 9/11 when jobs were scarce, so I went to an energy startup and learned everything from scratch—how to build a computer from scratch, administering servers and databases, and so much more. After that job, I transitioned into IT audit with a Fortune 100 audit and accounting firm and took advantage of mentoring and training, where I learned how much I enjoy project-based work,” Singh says.

Bridging security and business communication gaps

As part of her consulting work with the Fortune 100 consulting firm, Singh audited financial institutions focusing on GLBA, PCI, and SAS 70 audits (the predecessor to SOC II, with which she is also familiar). Then she started working for a large healthcare IT services group, where she also got to focus on government compliance. Ultimately, she ended up at Medtronic, where she forged the BISO role before it was officially defined. She preferred to stay clear of the “officer” title, instead calling herself a business information security partner, but she knew she needed to address the communication difficulties between cybersecurity and business departments that plague many large organizations.

“I started by incorporating myself directly into the security function. I went to every team meeting that I could, learning their culture and workflow so that they could see me as a trusted extension of the security team,” Singh explains. Then, when it was time to guide the business stakeholders through the relevant cybersecurity processes or get a highly visible business initiative priority, her message was well received. She also helped build a risk dashboard for reporting and compliance, one that includes third-party vendor risk, compliance risks, and merger and acquisition risks. Singh was able to replicate the dashboard across the company’s business units.

Then, two years ago Singh was offered the chance to extend her program across four separate business units. She now has five business relationship managers on her team who partner with the respective business and IT VPs and other leaders, bringing their security, risk, and compliance expertise to the table.

“I’ve heard people say every CISO should be a BISO. It’s possible in a small organization with a single focus. But in a complex environment, the CISO can’t reach all levels of the security organization or every business unit. They don’t have the time to educate about the technologies on each project their units are working on. These struggles are common across all large organizations,” she says. “So, the BISO must sell the partnership to both sides. It’s a critical, relationship-based position that requires an understanding of the technical concepts and the business they’re supporting.”

BISOs need to understand business-specific risks

Renee Guttmann, who’s been CISO to several Fortune 50 companies, says that the most important thing she looks for in a BISO is a thorough understanding of the business unit they support, which includes identifying the company’s “crown jewels”: what the most important assets are, where they are, and the targeted attacks to which they are potentially vulnerable. The BISO should be able to identify the risks and work with others, such as architecture and infrastructure managers, to prioritize risks. They should be the go-to person when a business unit wants to start a new technology project, engaging early on to ensure that the business does not acquire technology that can accidentally expose it to attacks.

“If you’re writing the job description for hiring a BISO, it should say something like: ‘You are the client-facing side of security’,” Guttmann says. “I’ve had to be very particular to ensure that the BISOs I’ve hired had knowledge in the group they would be supporting. If they’re supporting finance, they had better know about balance sheets, audit rules, risks, and controls. Additionally, the head of that business unit must be involved in the interviewing and hiring of the BISO that’s going to support their function.”

In one case, Guttmann describes how she hired a BISO with “in-the-trenches” chops who helped train a corporate communications group on how to respond to an incident. The people in the group thought they knew everything they needed to properly respond to a security incident. But then the BISO opened their eyes to what would actually be expected of them during an event. She adds, “Everyone from public relations attended the session, and then they wrote back that it was one of the most fascinating sessions they’ve been to, and that they learned so much because the session was completely dedicated to them.”

Stopping potentially risky practices

The BISO also needs to learn how to put the brakes on projects that may be dangerous. In one case, when a client wanted to install remote access to mission-critical databases accessed only through weak passwords, Guttmann’s BISO failed to explain that they couldn’t do it with their existing technology and would need to come up with more secure options, such as multi-factor authentication. “That problem boiled up to me because my BISO couldn’t have the difficult conversation with that business unit EVP,” she recalls. “So, I initiated more training for my BISOs on how to have that difficult conversation and how to present options.”

In Guttmann’s experience, as in most companies that employ BISOs, the BISOs have reported to her with a dotted line to the leaders of the business units they support. Sometimes, BISOs report to the CTO, and others report directly to the business unit leaders.

Regardless of reporting structure, the role is important enough to the security leadership function that the Women in Cybersecurity community (WiCyS) has a dedicated WiCyS BISO Affiliate with 95 members. Barbee Mooneyhan, a leader for the WiCyS BISO affiliate, incorporates BISO methodologies into her responsibilities running security and privacy as Chief Information Security and Privacy Officer of Woebot Health.

In small companies, CISOs are the BISOs

She wears many hats because her company is smaller and because Woebot is focused on being a mental health ally through an AI chatbot with user-guided ability to help process mild to moderate anxiety and depression. Because of the sensitive nature of the products, she needs to support innovation while protecting client and user-sensitive data. As such, her conversations with other business unit leaders are based on ethics and compliance, particularly when they bring new ideas that potentially impact sensitive data.

“I intentionally fill the role of a BISO within my security role, which is common in small-to-medium businesses. I spend a lot of my time in meetings with our business leaders and other workforce members to understand their needs and provide them guidance on how to meet those needs in compliance with privacy laws and ethical obligations,” she says, adding, “The BISO role is a fascinating and absolutely necessary position to enable businesses to move forward.”