A BISO (Business Information Security Officer) is an ombudsman for business lines across an institution. This person is responsible for representing the business requirements, controls, and perspectives of their respective areas. BISOs can have a tremendous impact on the success of the information security program by ensuring clear communication happens between the CISO and business lines. I think we can all agree in many instances there is little to no communication, leading to many missed opportunities, problems, and risks.
When I started programs from scratch or rebooted them, I have used a model similar to the BISO model with security committees. I tried to have an individual nominated from each business line to represent them on the committee. Their perspectives, questions, and concerns were invaluable to ensuring the effectiveness of the program and getting our message to the users in their area. Here are some examples:
- The model helped users understand their role in security. Security is not a Wizard of Oz thing where we just sit behind a curtain and pull levers, rather it’s a full team sport. So, training got completed at higher percentages and users reported events and incidents faster.
- New vendors were brought to the table before the contracts are signed more frequently. In addition to due diligence, we have saved money by understanding if we already have a solution in a platform the institution already owns or licenses.
- Security risk acceptances were more broadly vetted. Say there is a system limitation or vulnerability that we can’t remediate. Instead of only relying on my perspective of whether to accept this (red flag!) I could understand how remediating could impact and potentially limit operations. Additionally, I could better advise management on compensating controls and the real risk. As a bonus, I slept better at night, too.
- Risk assessments were more accurate and valuable. Using the business line representatives to help find the right people and therefore the right answers, I learned so much about the environment and the business. This increased the value of my role and the program in the eyes of my peers. Also, this gave the business lines a route to vet any questions or concerns they have about security.
- Employees with an interest in security were given an opportunity to get involved. We face a great shortage of security professionals right now, and some in security roles lack mentoring opportunities to grow. When we have people who can step up and already know the institution, it’s certainly a win-win scenario.
So, should your institution have a BISO program? If you find you’re missing representation and insight from your business lines, I would greatly recommend it whether it goes by the name BISO or not. Also, it really doesn’t have any direct costs, just a piece of the group's time.
If you would like more information on how to expand your governance model to include BISOs, please contact us at support@bedelsecurity.com.