Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Caute_cautim
Community Champion
‎11-01-2020 03:48 PM
‎11-01-2020 03:48 PM

Is it now time to deploy a BISO?

Hi All

 

Is it time to deploy a BISO within organisations given the drive towards Security & Privacy by Design?

 

https://www.scmagazine.com/home/security-news/network-security/everybody-wants-a-unicorn-as-companie...

 

Your thoughts?

 

Regards

 

Caute_cautim

Reply
6 Replies
Early_Adopter
Community Champion
‎11-01-2020 06:27 PM
‎11-01-2020 06:27 PM

Looking at the source I’d wonder if SC magazine is advocating for someone not technical enough to look beyond all those five star reviews on technical controls...

 

Cynicism aside isn’t this translator, business metrics ROI shower and people worker something most CISOs do or have on their team anyway. CISOs that are too technically focused (as to technically competent) don’t in my experience tend stay on as CISOs and they already tend to have delegates to handle this. Enterprise Architecture advocates will also try to ensure technology is aligned to business goals and in many cases you need the technical/analytics skills to select proper metrics, and analyse things otherwise your ROI you are showing might not be tied to something meaningful.

 

Candy Alexander makes the most sense to me in the article, and It will be interesting to see what happens in IBM after the dust settles.

 

I guess the answer is yes, sure formalise it as a BISO if it makes sense in your organisation, but try not to create too many poles in your organisation. Especially be aware of the risk of doing a Yahoo(I’ll broadly define this as if you don’t like what competent people tell you, ignore it or get second opinions until you get the answer you want).

 

 

Reply
0 Kudos
Caute_cautim
Community Champion
‎11-01-2020 06:56 PM
‎11-01-2020 06:56 PM

@Early_Adopter    I believe your comment where it makes sense applies.   The global organisation I work within, has applied a Security & Privacy by Design approach through each and every Business Unit.  There are processes and approvals to go through for each and every service, new initiative with the drive to ensure to the best of our ability it is secure and is compliant with whatever privacy regulation applies to that situation. 

 

It makes sense within very large enterprise scale organisations, it is very difficult for a single CISO to keep an eye on everything that applies or should be put in place and to ensure that it is everyone's responsibility.   It is in fact every individual's responsibility, but you always get some who attempt to bypass controls, however, they have not been through the process and approval, then you know exactly what their position is and whether or not it should go into production etc.

 

When you are dealing with global mandates, many business units and a whole host of services and regulations, across many industry sectors - it really helps.

 

It works very well indeed in our circumstances.

 

Regards

 

Caute_cautim

Reply
0 Kudos
Early_Adopter
Community Champion
‎11-01-2020 08:27 PM
‎11-01-2020 08:27 PM

Yeah, I’d agree.

 

One person CISOs without other ISOs helping them are probably not really CISOs.

 

As well as regulations in every jurisdiction we have externally mandated Security by Design as well as internally mandated(for now) privacy by design and ethical AI use(separated though as PBD is a function of the the DPO org, etc).

 

I’d wonder what makes a BISO a BISO though - in your org(I take you have a global policy that excepts where needed) are they attached to one or more businesses or are they domain experts specific to the business in question?

 

 

 

 

Reply
0 Kudos
Caute_cautim
Community Champion
‎11-01-2020 08:58 PM
‎11-01-2020 08:58 PM

@Early_AdopterWe have specific lines of business, so each BISO is aligned to the Business Unit. 

 

We apply Security & Privacy by Design procedures, processes by Business Unit aligned to corporate security policy including international Privacy requirements.

 

Regards

 

Caute_cautim

Reply
0 Kudos
Early_Adopter
Community Champion
‎11-02-2020 01:25 AM
‎11-02-2020 01:25 AM

That makes a lot of sense. Thanks.

Reply
0 Kudos
dcontesti
Community Champion
‎11-02-2020 11:03 AM
‎11-02-2020 11:03 AM

Not so long ago, I worked at a Global organization and we regionalized Security and Privacy due to the various laws, regs, etc.

 

I was attached to the global CISO office and was also a Regional ISO.  In this particular company, they tried to assign "departmental" security folks.  In some cases, it worked beautifully and in others it failed.  The issue, unlike IBM, their business was manufacturing and the Business Units considered Security a hinderance.(even after many talks/discussions/justifications).  In some case, they assigned folks that were concerned and others said it was just another job that they had no time for.

 

So I think the model would work in some organisations while not in others but I have to ask will this spur an entirely new suite (the B-Suite, the BOO, the BFO, etc.).  Sorry had to go there.

 

d

 

Reply
0 Kudos