What’s the logic behind companies hiring for BISO (Business Information Security Officer) roles instead of a CISO role. Is it because they don’t want to dilute power in the C-Suite, don’t prioritize security at the right level or is there some other reason?

18164 views
9 comments
5 upvotes
Anonymous Author
I suspect it is because a lot of CISOs do not work with the business to help them solve security issues, but rather stick with the strict security policies in place. The BISO helps the business find alternative ways to carry out their business processes while complying with security policies. They (BISO) simply get a better understanding of business issues involving security and how best to solve them.
3 upvotes
Anonymous Author
It feels to me to be a needless distinction. CISOs are by design the ambassadors between business risk and the technical discipline of cybersecurity. While there certainly are many flavors out there, and a good practitioner transcends their title, [B vs. C]ISO strikes me as a misguided hedge.
2 upvotes
Anonymous Author
Jurisdiction and expertise/experience is the short answer for why hiring a BISO to complement a CISO makes sense. From what we've seen, the motivation for hiring one or more BISO roles is based on subject matter expertise and on a specific jurisdiction (geo) or business domain. It's largely to complement the CISO role with needed expertise (law, regulatory) and is focused on "content and context" and the need to secure data which may or may not be owned by the company. We often forget "who owns the data?" is still a question for many organizations. The BISO may address the what, why and when questions and the CISO develops the how. In tandem both reduce risk and potential liabilities upstream and downstream.
2 upvotes
Anonymous Author
I see the logic in a large enterprise having both roles. The Business Information Security Officer would present the existential threats to the corporation as dictated by the market from competitors, customers and suppliers as an outside-in view, while the CISO role is focused on the inside-out view.
2 upvotes
Anonymous Author
Not sure I see the logic behind a BISO. The CISO's job is to protect the security of the company's data and infrastructure. I would question whether or not the role is prioritized correctly in the org.
1 upvote
Anonymous Author
While there could be a number of reasons for this, could it be that there is a perception that the CISO in some organizations has become the king of NO? The role, from our business partners' perspective, should be focused on how we can meet their needs rather than why we can't help them achieve their goals.
1 upvote
Anonymous Author
While there may be many reasons as to why/why not (logic or power), my experience is that today, while system/digital development is extremely fast, system and information security is lagging behind. This has an impact on both large and small corporations: while a large corporation may have, over time, a solid governance defined by the old IT legacy, smaller companies may have neither a CISO nor a BISO. Either way there is a change! If a CISO already exists with the old domains of expertise, a BISO may be needed to strengthen the overall security road map, which is desperately needed. If a CISO doesn't exist but there is a CIO (small company), I would recommend acquiring the operational expertise reporting to the CIO. In some cases there is a maturity factor to take into account, being aware of the speed of change in the digital/tech transformation and the need to safeguard ANY information security. The company should be aware of and responsive to this security need, and hopefully there should not be an issue of power, as the focus should be the health of the company. That's my humble opinion and logic.
1 upvote
Anonymous Author
My perspective is that this is actually a good thing and the #1 priority of the BISO is to seamlessly integrate security solutions within the various areas/lines of business. They are a blend of security expertise, technologist, and business analyst.
0 upvotes
Anonymous Author
Sorry for not answering this previously: the BISO reports to the CISO.
0 upvotes