Let’s face it, whether you’re a seasoned infosec veteran or someone who just googled how to get SOC 2 certified, this question will apply: “How can I get security to deliver value to the business?”
If you’re struggling with a clear answer, we’ve got you covered. At the first stop on our cybersecurity networking event series, PtaaS Exchange, Cobalt’s Chief Strategy Officer Caroline Wong and Riot Games’ Head of Security Nicole Dove talked through the changes teams everywhere need to make security more agile, collaborative, and valuable.
From scaling your pentesting program without breaking the bank, to introducing a new role called “The BISO,” their conversation will help you learn about different tactics that bring security closer to the business.
Here’s a high-level summary of what Caroline and Nicole discussed in their keynote.
What Are the Problems that Arise Between Security and the Business?
Cybersecurity is currently in its shining moment. There are plenty of regulatory agencies asking how to protect data and ensure the safety of consumers. However, despite this increased focus on data security, organizations are seeing a significant lag between their teams.
Business and security leaders do not speak the same language, and with that comes miscommunication of business goals and objectives. Security should not be an afterthought, so it is important to have someone within the organization whose role is to bridge the gap between these teams and ensure they are pursuing the same end goal.
Luckily there’s a role that’s steadily gaining momentum to help solve this miscommunication problem: the BISO.
Enter the BISO
The Business Information Security Officer, commonly referred to as the “BISO”, is a relatively new position within an organization that acts as a translator, data collector, and liaison to make sure business and security teams are on the same page.
If the job of security practitioners is to protect the business, then it’s critical for them to understand how they protect the business. This is where the BISO role shines.
The BISO links security data to the business goals and brings those goals into the security team's sprints. As the translator between security and business teams, the BISO aligns both toward a common goal.
How to Develop and Integrate the BISO Role?
The BISO is a security champion, so organizations must pull them into the business strategy from the get-go. That way they can operate with the right level of context and push that knowledge out to the right stakeholders. Before you can build a security team, the BISO needs to understand what they are working on and how it ultimately impacts the business.
Here both speakers underscored that the security team doesn’t make the business decisions happen. The security team is more about influencing the business teams to understand how the organization is protected.
By understanding the goals of both teams, the BISO keeps the organization aligned.
How Can Security and Business Work More Effectively?
Collaboration and communication are key. Nicole finished off the conversation by highlighting how security and business teams can work effectively through a shared understanding of business goals:
- Learn what the business teams are doing, rather than trying to educate the business partners about what the security team is doing. The security team is good at not being a blocker.
- Identify the emerging vulnerabilities and how you can prevent the most damage to the business.
- Collect as much data as possible. Data collection is a big part of the security team.
- Learn from security. By shifting security left and introducing it from the beginning, the business teams can learn what goes into keeping the business safe.
To hear Caroline and Nicole riff more on the BISO role, check out their episode of Humans of Infosec.