Business Impact Security Officer (BISO)
Updated: Apr 22, 2019
Generational changes have undermined the InfoSec function within business environments. Over the past two decades we have seen a shift in terminology from Information Security to Cyber Security and, with enhancements to privacy laws, the use of the term Data Security. All of this has led to confusion as to what these roles bring to a business.
In 2002, I commenced a 10-week residential Counter Intelligence (CI) course at the RAF Police School, where I was introduced to the concept of applying suitable defensive controls for the protection of military assets. This was not limited to data assets or computer assets, but to any asset identified as having a pivotal role to play. The greater the importance, the higher the value. This included ensuring that the assets were protected from Confidentiality breach, Integrity degradation or Unavailability. Consequently, CI professionals were trained to understand and recognise the risks associated with any higher-value asset, and were not 'tunnel visioned' into a particular perspective (i.e. Data Protection).
As a result, we became 'all-round' professionals with an eye for seeing things differently to our peer groups.
Bizarrely, the term Cyber Security was first used in 1989, following the increasing popularity of the internet, and has been defined as:
"Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack"
However, any respected InfoSec professional will tell you that the job is far more wide-reaching than just protecting computer systems from unauthorised access or attack. For example, what about safeguarding a system through effective life-cycle management, to ensure that critical business systems remain operational and so reduce the chance of a long-term systems outage?
Let's look at the latest military strike aircraft, which is heavily reliant on its on-board computer system to help it fly and target the enemy. Yes, suffering a cyber-attack would impact the operational effectiveness of that aircraft, but no more than a software coding error or a missing upgrade would.
A Technology Risk would have an equivalent impact, yet such an occurrence is likely to be more frequent without formalised policy, procedure and risk assessment.
What is the associated business impact of a critical system or process not being available for a period of time? If you are in the business of providing services to your customers, what would be the potential impact of an unavailable system? Imagine that you are a Business to Business (B2B) organisation, manufacturing and providing rare ingredients to your business customers, and one of your manufacturing plants stops operating. What would be the costs to your business?
More or less of a risk than having a personal data breach?
Being unable to continue operations (the often underestimated cost of downtime).
Employees not being able to do their job (but still expecting to be paid, as they have families to feed).
A drop in employee morale.
Not being able to produce and supply goods to your customers.
Your customers not being able to produce their own goods or services.
Those customers going into liquidation, due to a lack of goods or services being produced by you.
Those customers looking for more reliable, alternative suppliers.
The damage to your reputation.
The damage to your share price.
You could rely on your IT Operations team to keep things on track (why not, surely this is the job they get paid to do?). Of course, that is if they are not too busy resetting user passwords, dealing with employee help-desk requests, updating software, etc. However, what if one of your issues spanned IT Operations, Data Privacy and Regulatory compliance, and would impact your day-to-day business functions? Would your Chief Technical Officer (CTO) or Chief Information Officer (CIO) have the same independent view as your Chief Information Security Officer (CISO)? Probably not!
I have seen Executive Management go the extra mile as a result of the 'scaremongering' from the introduction of the General Data Protection Regulation (GDPR), but in regard to maintaining critical IT operations and services they have continued with the same narrow-minded view that InfoSec, ITSec, OpSec and CommSec are not a critical business function.
All of which could be the focus of attention for an effective BISO.
Much like the training from my CI course, a BISO appointment (not to be confused with a Business Information Security Officer, which comes close but still confuses the role by including the word 'Information') might be more appropriate in today's technology-reliant business environments, to ensure that there is an all-round focus on both the traditional and non-traditional threats from the myriad of threat actors:
Traditional (Direct target).
Terrorist. Both traditional and Cyber, looking for targets with the greatest collateral damage.
Espionage. Your competitors wanting to gain an advantage, or State-Sponsored actors.
Sabotage. The amateur hacker wanting to make a name for themselves by defacing your website (Cyber-Graffiti), or the disgruntled employee wanting to get back at the organisation.
Subversion. Using your website as a communication platform, or to undermine the company brand.
Organised Crime. Being targeted by State-Sponsored or Organised Criminal gangs looking to make money out of your vulnerabilities (e.g. Identity Theft, stealing Credit Card data, stealing credentials, etc.).
Non-Traditional (Indirect target).
Theft. An opportunist thief looking for valuable and attractive items that they can easily sell on, with little or no interest in the data or technology (e.g. a business laptop, Smartphone, ATM, etc.).
Protester. The unavailability of systems or services as the result of protester activity.
Accidental. The non-deliberate actions of your personnel, leading to the loss of systems or services.
Investigative Journalist. With the advent of Social Media and Fake News, gaining access to branded corporate information can provide a platform for notoriety.
Natural Disaster. Probably the most difficult to prepare for, as you have to predict which disasters might impact your business and the implications thereof.
Consequently, if you are weighing the value of having an all-round Cyber/Info/Tech Security specialist, and whether you can afford such a role within your business, imagine all the potential impacts of not having your vital services available when you need them, and the wider impact on your business. This role has become far more than a 'tick box' or a desirable extra; it is now an essential part of doing good business, providing integral oversight for the protection of business operations.
Therefore, if you are a business that has failed to appreciate the value a good BISO brings to your organisation, or are struggling with the concept, then ask yourself how good your business would be if the first time you discovered an issue was when something broke, was hacked or was stolen.
A good BISO has only one objective: to support your company and to help ensure that you are best placed to identify and respond to any issues that could impact your business operations. As a side aspect, they will also deliver your compliance obligations, but ultimately they are your 'Wing Persons' and have you covered.