Why BISOs should oversee policy & report to CROs
By Edwin Doyle, Global Cyber Security Strategist.
Cyber security policy is a comprehensive framework consisting of guidelines, protocols, principles and regulations that aim to safeguard an organization’s information technology infrastructure, networks and sensitive data from a variety of cyber threats, ranging from inadvertent breaches to malicious attacks.
Who owns policy?
The Chief Risk Officer, typically tasked with overseeing an organization’s policies, possesses a diverse skill set that encompasses law, finance and accounting, which are crucial in effectively managing and mitigating potential risks, including those inherent in cyber insurance contracts.
After conducting extensive research on CRO job descriptions via numerous Google searches, I have observed a notable absence of technical qualifications and requirements for this critical responsibility. However, considering the legacy of this role, this finding does not come as a surprise.
Cyber security policies
Cyber security policies are designed to provide a framework for safeguarding an organization's digital assets and ensuring the confidentiality, integrity, and availability of data and systems.
Cyber security policies are developed to align with an organization's overall risk management strategy and are intended to provide a roadmap for maintaining a secure and resilient digital environment.
Cyber events aren’t like other risks
The insurance industry recognizes this fundamental distinction. While natural disasters, such as tornadoes, may occasionally disrupt business operations, their probability can be accurately calculated by mathematicians to enable reasonably priced policies. In contrast, cyber risks are highly dynamic and constantly evolving, making it challenging to predict their likelihood or potential impact. As such, how does a cyber insurance underwriter anticipate new technological breakthroughs in cyber or the discovery of a zero-day vulnerability?
The CISO and the CRO
To assign the CISO as the consigliere for the CRO makes sense at first glance, but when I review job listings for a CISO, I see things like mandatory hands-on technical expertise listed as a top priority. Does the CISO have the business risk experience necessary to communicate with the CRO?
Enter the BISO
There is demand for a skill set that bridges the gap between the technologist (CISO) and the risk to the business (CRO).
In today’s era of increased regulation and advanced threat capabilities that never sleep, the CRO requires the support of a competent Business Information Security Officer (BISO) to safeguard an organization against a wide spectrum of challenges. These challenges may range from seemingly minor clerical errors to conducting a cost-benefit analysis of the entire technology stack against losses from a breach, and everything in between.
There’s too much room for error, and it isn’t clear whether certain kinds of real-world situations could be prevented by an organization that relies only on a CRO with an accounting/legal background and a CISO with a technical background. Essentially, the BISO plays a vital role in mitigating security risks.
CISO vs. BISO
At the moment, there’s a bit of ambiguity between the job descriptions of a CISO and BISO. Human Resources departments have yet to establish precise demarcation between the two.
However, it’s important to note that there are significant responsibilities for a BISO to focus on and issues for a BISO to address within an organization. It’s crucial to define the specific duties and responsibilities of both roles to ensure that they complement one another and effectively address cyber security needs.
In deciding whether to hire a BISO, the following mission statement and the answers to the subsequent interview questions will help you make up your mind:
Mission: The BISO’s responsibility is to protect the confidentiality, integrity and availability of information systems and to manage their business impact.
Question 1: Describe a complex business information risk management challenge you faced in your previous role as a BISO (or similar), and how you addressed it.
This question helps gauge the candidate's ability to handle complex risk management situations and allows you to get a sense of their problem-solving skills. A strong BISO should be able to provide a specific example that showcases their experience in identifying, assessing, and evaluating the financial risks, as well as their decision-making and leadership abilities.
Question 2: How do you ensure that digital risk management is embedded into the organizational culture and operations?
This question assesses a BISO’s approach to integrating risk management into the company's culture and operations. A top-performing BISO should have a strategic mindset and be able to articulate strategies for creating a risk-aware culture throughout the organization. They should emphasize the importance of risk management as an ongoing process and demonstrate how they have successfully implemented risk management practices in their previous roles.
Question 3: How do you stay updated with the latest industry trends and regulatory changes related to the emerging role of the BISO?
This question evaluates the candidate's commitment to continuous learning and professional development. A top-performing BISO should be knowledgeable about the latest industry trends, emerging risks, and regulatory changes that may impact the organization. They should demonstrate a proactive approach to staying updated with relevant information and their ability to apply that knowledge to improve the organization's overall profitability.
The recent case in which Zurich Insurance was forced to pay $100 million towards Mondelez’s NotPetya cleanup underlines the crucial need for a competent BISO to manage complex cyber security insurance relationships. With the ever-increasing frequency and severity of cyber attacks, such a professional is essential in mitigating the financial and reputational risks associated with incidents.
Consider hiring a BISO today. For more insights into the BISO role, please see CyberTalk.org’s past coverage.