Zscaler Blog
What is a BISO?
As cybersecurity technology and challenges continue to evolve and diversify, so too do cybersecurity job titles.
The Business Information Security Officer (BISO) has swiftly gone from unheard of to rarity to increasingly common in the last two years. And now, as of December 2021, the BISO is — as judged by job postings worldwide — arguably in high demand with hundreds of open roles in the U.S. advertised on LinkedIn Jobs.
What, exactly, is a BISO? What distinguishes this role from other, earlier, and better-established cybersecurity roles? And is the BISO here to stay, or merely a hierarchical flash in the pan? Having held the role at Salesforce prior to joining Zscaler, I have a fresh perspective to help executive teams determine if it makes sense for their security leadership rosters.
The premise of the BISO is straightforward. The Chief Information Security Officer (CISO) oversees cybersecurity policy and technology at an organization-wide level, while BISOs are responsible for leading security for a specific business unit (BU). These situations are increasingly common amongst multinationals and conglomerates with multiple lines of business, as each of the respective BUs has materially different cybersecurity priorities and challenges.
While it’s theoretically possible for a company to have only one BISO, such organizations are more likely to simply allocate those responsibilities to a traditional CISO. In practice, the responsibilities of a sole BISO would overlap with those of the CISO. The value of the BISO is in building strategic relationships within a business unit as a trusted advisor. A traditional CISO simply could not scale to absorb the scope of several specialized BISOs. In every regard, BISOs are an extension of the CISO, amplifying their mission and vision as change agents. These similarities position them as natural successors to a CISO, or as their delegate in a deputy role.
The roles and responsibilities of the BISO continue to evolve. At a high level, the BISO leads the development of the business unit’s cybersecurity strategy. The strategy is an amalgamation of the collective visions of the CISO and their peer executive in the business unit. In practice, this involves carefully balancing risk management, competing priorities, budgets, and resources. As such, a BISO's ability to influence and obtain consensus is critical as the CISO and business executive will unequivocally have different priorities.
Will the BISO role still be here in five years? Time will tell. But the rapid proliferation of this job title in organizations worldwide suggests the answer is yes, BISOs are here to stay. The real question is how the CISO role will evolve in light of BISOs. Both job functions will continue to co-evolve with the cybersecurity field. However, if it ends up a fad, we can be sure the BISO's job duties will continue to develop in parallel with the cybersecurity field.



