Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
Numerous studies confirm that the absence of security technology isn’t what tends to get organizations into trouble. On the contrary, it’s humans. People are the ones who make poor security decisions and judgment errors: They click on bogus links, visit the wrong websites, download malware-loaded files, take security for granted and use weak passwords. Knowingly or unknowingly, they can put organizations at risk.
While a robust security culture has been hailed as an answer to most human-related security challenges, it continues to elude many businesses because it requires chief information security officers (CISOs) to build relationships at various levels and understand the idiosyncrasies of various business units. Various reports highlight how many CISOs struggle with competing priorities and how their security strategies often lack alignment with business objectives.
Who Is A BISO And How Do They Fit In?
For CISOs to succeed in their role, they need to be cognizant of all units across the business to avoid unexpected issues or unresolved matters. They should know their audience and tailor their approach to their specific needs and objectives. By aligning their security programs with the overall business strategy, CISOs can effectively meet the requirements of different departments.
CISOs must also effectively communicate the security challenges facing the organization. The idea is to foster responsible participation for deeper collaboration on security initiatives.
Unfortunately, a majority of CISOs are spending their limited time firefighting issues rather than contributing to business strategy or forging relationships. This is where a business information security officer (BISO) can come in. According to Forrester, the BISO operates on behalf of the CISO, serving as an advisor and bridge to functional leaders. In other words, it’s a security role that puts business first.
CISO Versus BISO
A BISO usually works for the CISO either directly or via a dotted-line relationship. While the CISO manages the most senior strategic relationships (such as the C-suite and the board), the BISO typically partners with the senior leaders of the other business units. So a BISO is kind of like a mini-CISO for every division or the lines of business that they support.
In large, multinational corporations, multiple BISOs representing different business groups can all roll up to a CISO. Not only does this help divide responsibility and improve the implementation of security programs, but it also gives CISOs a better read on the pulse of the business and on the different security use cases and requirements of each group.
How Do BISOs Influence Security Culture?
Security culture can be defined as the values, attitudes, customs, beliefs, and social behaviors that influence the security posture of an organization. It’s the stuff that drives secure behavior in employees (even when no one’s watching); it’s the security instinct that kicks in when someone sees something unusual or suspicious.
Traditionally, most CISOs are not in close contact or communication with employees, and therefore, it is difficult for them to influence and promote a positive security culture. With the BISO role, it’s different; since the BISO enjoys closer ties with various business groups and has a better understanding of employee requirements and sentiments, they are better positioned to influence culture change.
Let’s look at different ways you can use a BISO to help strengthen security culture:
When business models, products and services are being strategized or developed, security is often treated as an afterthought. You can use BISOs and their partnerships with other department leaders to help make sure security is present right from the start and woven across products, processes and each and every customer interaction.
BISOs should have a good understanding of security risks, scenarios and employee behaviors within each department they serve. Use this understanding to have them develop training programs that are tailored to individuals, making the programs more pertinent and relatable. I’ve found that this personalization can boost engagement, ultimately improving the retention of the training.
Since BISOs work closely with specific business groups, they should be able to explain security in a language employees can understand. The result is that employees can stay updated about security policies and procedures, potential risks and best practices, gaining a clearer picture of their own responsibilities towards security.
A BISO serves as the point of contact for leaders to communicate security expectations, challenges and areas where security can contribute value to the business. This helps foster trust, confidence and collaboration among teams.
Security culture is a top priority of most CISOs. That being said, they must also accept the reality that it’s impossible for them to be everywhere. BISOs, on the other hand, can act as catalysts, influencers and change agents on behalf of CISOs, helping them build and nurture a resilient workforce.