Business Information Security Officer: What Is This Role?

  ICT, Rassegna Stampa, Security
image_pdfimage_print

Sometimes, staying informed on security trends as an executive means staying informed on business trends. Here, Chris Bonavita, VP Strategy and Technology Adoption at GTT, discusses the emergence and benefits of the Business Information Security Officer (BISO). 

Bonavita: Most of my career has been at the intersection of technology and business transformation. I’ve led technology platform sales at Accenture, run a large business process outsourcing operation that I helped transform from a premise-based model to a fully cloud-based one, and most recently built out specialized SD-WAN, SASE, and cybersecurity sales teams at Lumen Technologies before joining GTT. Here, I serve as Vice President of Strategy and Technology Adoption, accelerating GTT Strategic investments  to advance its networking and security as a service solutions on the GTT Envision platform. 

What connects all of those experiences is a focus on how technology actually moves the needle for a business in terms of operational and financial outcomes. That’s why the Business Information Security Officer conversation resonates with me. The idea that security has to be integrated into business outcomes rather than sitting adjacent to them is something I’ve seen play out across every role I’ve held.

Security: What is a Business Information Security Officer?

Bonavita: The BISO is a security leader who is directly accountable for the business outcomes that security risks can affect, like revenue, profitability, and competitive position. This is different from the CISO, who is accountable for security posture; things like protecting infrastructure, networks, and systems. 

I recently became aware that a number of Fortune 500 companies have begun using this title, and when I looked at what was driving it, it made complete sense. Security operations have always ultimately been about protecting the organization’s ability to make money, keep money, and transact business. Some organizations are just now formalizing that reality.

Security: Why is the Business Information Security Officer role emerging?

BonavitaThe short answer is cyber insurance. In the early days of the cyber insurance market, insurers wrote policies without really understanding what they were taking on. Cyber was a new risk category, so there was no historical loss data to model against. Basically, they were pricing in the dark. 

Then ransomware exploded, and the losses burned the insurers. So, the insurers came up with much stricter underwriting standards and started auditing companies. They would deny coverage to companies that didn’t meet their new requirements. That got the attention of CFOs and boards.

Security leaders had to start thinking in financial terms. They had to understand things like coverage gaps and underwriting risk scores. What exactly would a misconfigured endpoint actually cost the business? Once you’re thinking that way, the traditional CISO role isn’t enough. 

And now, AI is accelerating security risks to the business faster than ever. So, companies need a designated security role with a mandate that’s explicitly tied to business outcomes.

Security: What are the organizational benefits of appointing a Business Information Security Officer?

Bonavita: The most immediate benefit is alignment. Security stops being something that happens in a silo and starts being integrated into how the business actually operates. The BISO works alongside finance, legal, and operations, and that changes the conversation at every level of the organization.

The second benefit is prioritization. One of the hardest problems in security is deciding what to protect. The instinct is to protect everything equally, but that’s not feasible. It’s too expensive and the resources don’t exist. A BISO who is tied to business outcomes is better positioned to make those calls, because they understand what data and systems actually matter to the business and what a compromise would cost in real terms.

The third is AI governance. Many organizations are deploying AI tools faster than they can govern them. The BISO’s job is to navigate the tension between AI adoption and the protection of the company’s intellectual property and proprietary processes. 

Security: Anything else you’d like to add?

Bonavita: One thing I’d emphasize is that a BISO can only be effective if they have visibility into your data flows across your network infrastructure. You can’t protect what you can’t see, and you can’t prioritize what you don’t understand.

Many security tools operate several steps removed from where data actually lives and moves. By the time a threat is detected, the data has already traveled through multiple layers of infrastructure. The organizations getting this right are those working with partners who have visibility at the network level. That’s where you can actually determine what’s valuable and what isn’t, what’s normal and what’s a threat, and ultimately what the business needs to protect to stay competitive.

https://www.securitymagazine.com/articles/102423-business-information-security-officer-what-is-this-role

Lascia un commento