What’s the logic behind companies hiring for BISO (Business Information Security Officer) roles instead of a CISO role? Is it because they don’t want to dilute power in the C-Suite, don’t prioritize security at the right level, or is there some other reason?


21.4k views · 5 Upvotes · 14 Comments

CTO in Software, 11 - 50 employees
My perspective is that this is actually a good thing and the #1 priority of the BISO is to seamlessly integrate security solutions within the various areas/lines of business. They are a blend of security expertise, technologist, and business analyst.
2 Replies
Chief Security Officer in Software, 10,001+ employees

How does that differ from a CISO?

vCIO, Infrastructure Architect, Manager in Services (non-Government), 1,001 - 5,000 employees

From what I've seen, the BISO is more dirty hands and still has the technical knowledge to get in there, whereas CISOs are more along the executive team route and act more as an ambassador to the business.

1
CTO in Software, 11 - 50 employees
Sorry for not answering this previously; the BISO reports to the CISO.
1 Reply
Chief Security Officer in Software, 10,001+ employees

I've actually seen the opposite. I've seen companies hire a BISO role for the express purpose of NOT defining a CISO role. For some large companies there are BISOs who report to CISOs, and I do agree it makes sense to have someone security-minded represent a particular business unit, but for the companies that don't have an existing CISO, I'm not sure of the logic for creating a BISO role instead of a CISO role. It seems to me a way of avoiding creating a C-level role and/or possibly bringing someone in at a lower level to satisfy the function. Coming back to my post, this seems like security may not be prioritized at the right level and/or the company doesn't want to give up power in the C-Suite.

1
CISO in Software, 1,001 - 5,000 employees
It feels to me to be a needless distinction. CISOs are by design the ambassadors between business risk and the technical discipline of cybersecurity. While there certainly are many flavors out there, and a good practitioner transcends their title, [B vs. C]ISO strikes me as a misguided hedge.
2 1 Reply
CISO in Software, 201 - 500 employees

I absolutely agree with @Bob: a good practitioner always transcends their title, and not only in this case.

Founder/CTO in Hardware, 11 - 50 employees
Not sure I see the logic behind a BISO. The CISO's job is to protect the security of the company's data and infrastructure. I would question whether or not the role is prioritized correctly in the org.
1
CIO & SVP, Strategy & Innovation, Supply Chain Logistics and Retail Analytics in Retail, 5,001 - 10,000 employees
While there could be a number of reasons for this, could it be that there is a perception that the CISO in some organizations has become the king of NO?

The role, from our business partners' perspective, should be focused on how we can meet their needs rather than why we can’t help them achieve their goals.
1
IT-chef / Director IT in Energy and Utilities, 201 - 500 employees
While there may be many reasons as to why/why not (logic or power), my experience is that today, while system/digital development is extremely fast, system and information security is lagging behind. This has an impact on both large and small corporations: while a large corporation may have, over time, a solid governance defined by the old IT legacy, smaller companies may have neither a CISO nor a BISO.
Either way, there is a change! If a CISO already exists with the old domains of expertise, a BISO may be needed to strengthen the overall security road map, which is desperately needed. If a CISO doesn’t exist but there is a CIO (small company), I would recommend acquiring the operational expertise reporting to the CIO.
In some cases there is a maturity factor to take into account: being aware of the speed of change in the digital/tech transformation and safeguarding ANY information security. The company should be aware of and responsive to this security need, and hopefully there should not be an issue of power, as the focus should be the health of the company. That’s my humble opinion and logic.
1
Assistant Director IT Auditor in Education, 10,001+ employees
I suspect it is because a lot of CISOs do not work with the business to help them solve security issues, but rather stick with the strict security policies in place. The BISO helps the business find alternative ways to carry out their business processes while complying with security policies. They (BISOs) simply get a better understanding of business issues involving security and how best to solve them.
3
CEO in Services (non-Government), Self-employed
Jurisdiction and expertise/experience are the short answer for why hiring a BISO to complement a CISO makes sense.

From what we've seen, the motivation for hiring one or more BISO roles is based on subject matter expertise and on a specific jurisdiction (geo) or business domain.

It's largely to complement the CISO role with needed expertise (law, regulatory), focused on "content and context" and the need to secure data which may or may not be owned by the company.

We often forget "who owns the data?" is still a question for many organizations.

The BISO may address the what, why and when questions, and the CISO develops the how. In tandem, both reduce risk and potential liabilities upstream and downstream.
2 1 Reply
Assistant Director IT Auditor in Education, 10,001+ employees

However, without assigning data ownership, confusion occurs and accountability is blurred. This is an area where organizations can improve their data governance and follow a well-defined data life cycle process.

2
CEO in Services (non-Government), Self-employed
I see the logic in a large enterprise having both roles. The Business Information Security Officer would present the existential threats to the corporation as dictated by the market from competitors, customers and suppliers, as an outside-in view, while the CISO role is focused on the inside-out view.
2