Is it time to deploy a BISO within organisations given the drive towards Security & Privacy by Design?
Looking at the source I’d wonder if SC magazine is advocating for someone not technical enough to look beyond all those five star reviews on technical controls...
Cynicism aside isn’t this translator, business metrics ROI shower and people worker something most CISOs do or have on their team anyway. CISOs that are too technically focused (as to technically competent) don’t in my experience tend stay on as CISOs and they already tend to have delegates to handle this. Enterprise Architecture advocates will also try to ensure technology is aligned to business goals and in many cases you need the technical/analytics skills to select proper metrics, and analyse things otherwise your ROI you are showing might not be tied to something meaningful.
Candy Alexander makes the most sense to me in the article, and It will be interesting to see what happens in IBM after the dust settles.
I guess the answer is yes, sure formalise it as a BISO if it makes sense in your organisation, but try not to create too many poles in your organisation. Especially be aware of the risk of doing a Yahoo(I’ll broadly define this as if you don’t like what competent people tell you, ignore it or get second opinions until you get the answer you want).
@Early_Adopter I believe your comment where it makes sense applies. The global organisation I work within, has applied a Security & Privacy by Design approach through each and every Business Unit. There are processes and approvals to go through for each and every service, new initiative with the drive to ensure to the best of our ability it is secure and is compliant with whatever privacy regulation applies to that situation.
It makes sense within very large enterprise scale organisations, it is very difficult for a single CISO to keep an eye on everything that applies or should be put in place and to ensure that it is everyone's responsibility. It is in fact every individual's responsibility, but you always get some who attempt to bypass controls, however, they have not been through the process and approval, then you know exactly what their position is and whether or not it should go into production etc.
When you are dealing with global mandates, many business units and a whole host of services and regulations, across many industry sectors - it really helps.
It works very well indeed in our circumstances.
Yeah, I’d agree.
One person CISOs without other ISOs helping them are probably not really CISOs.
As well as regulations in every jurisdiction we have externally mandated Security by Design as well as internally mandated(for now) privacy by design and ethical AI use(separated though as PBD is a function of the the DPO org, etc).
I’d wonder what makes a BISO a BISO though - in your org(I take you have a global policy that excepts where needed) are they attached to one or more businesses or are they domain experts specific to the business in question?
@Early_AdopterWe have specific lines of business, so each BISO is aligned to the Business Unit.
We apply Security & Privacy by Design procedures, processes by Business Unit aligned to corporate security policy including international Privacy requirements.
Not so long ago, I worked at a Global organization and we regionalized Security and Privacy due to the various laws, regs, etc.
I was attached to the global CISO office and was also a Regional ISO. In this particular company, they tried to assign "departmental" security folks. In some cases, it worked beautifully and in others it failed. The issue, unlike IBM, their business was manufacturing and the Business Units considered Security a hinderance.(even after many talks/discussions/justifications). In some case, they assigned folks that were concerned and others said it was just another job that they had no time for.
So I think the model would work in some organisations while not in others but I have to ask will this spur an entirely new suite (the B-Suite, the BOO, the BFO, etc.). Sorry had to go there.