A Need for the Cyber Security Strategic Business Partner
By David Stucky, Business Information Security Analyst (Cyber Information Assurance Analyst), Penn State University
Information Security’s beginnings are well rooted in Information Technology. For Cyber Security to truly mature, it must be driven by business as much as technology. We need people at every level, from Chief Information Security Officer (CISO) to security analysts, that can understand business interests as much as they can understand technology. People that can enable the business while advocating for cyber security. We need to focus on securing data, people, and processes as much as technology. That begins with understanding the data, who the people are, how and where work is done, and which technologies will enable business.
When a business unit needs to collaborate in efforts to protect its data, people and processes are the first things Cyber Security needs to understand. We need to learn about their data, where it originates, where it lives, and where it goes. We need to know who provides the data, who works with it and to whom it is shared. We need to learn about their manual workflows and system integrations. Focusing on those needs, we can develop a process starting with something as simple as a data classification and business process document for every business unit’s critical processes. This document can be extended to become an executive summary of the documentation for each business process and Cyber Security plan.
Not every organization will need a BISO. Many organizations could benefit from understanding how a Business Information Security Analyst (BISA) role could help enhance relationships within various business and cyber security lines.
To start this, ask the business leaders and subject matter experts how they collect and share their data. Ask them how they manage and maintain their manual workflows. Ask them whether their system integrations are on premise, third-party, cloud, enterprise systems, functional level systems, manual, automated, etc. Ask for their data’s business lifecycle and regulatory and retention requirements. None of these are asked through the lens of technical IT or security questions. They are business process questions and often, the business subject matter experts have a greater understanding of who does what with their data and why. This process enables business leaders to understand and define their unit’s business processes. This helps inform the Cyber Security plan and IT needs.
A Business Information Security Officer (BISO) is an enterprise level role positioned to engage business interests with cyber security requirements. Often the BIOS is responsible for understanding the Cyber Security requirements for a line of business. In some organizations, this may be grouped into similar areas of interest. A higher education institution could consider having separate BISOs, for academia, research, and administration. This can allow the CISO to enhance the cyber security program in the organization’s units while successfully enabling various business interests.
Not every organization will need a BISO. Many organizations could benefit from understanding how a Business Information Security Analyst (BISA) role could help enhance relationships within various business and cyber security lines. A BISA provides similar benefits to a BISO at the functional level rather than the enterprise level. The BISA would report to the CSIO while embedded in a specific functional unit or across areas of similar interest. The role would enhance the CISO’s capacity to balance the internal goals and objectives of the business units while advocating for Cyber Security. Working directly with lines of business, understanding their interests, and aligning their needs with a Cyber Security plan, the BISA can enhance the cyber security program.
Implementing a BISA role benefits organizations by having a business information security role at the functional level of various lines of business. If you take an assessment of your current roles and work, you may discover there are existing roles ready to be leveraged. People may be performing similar liaison duties between business units and Cyber Security under various functional roles. You may be able to better leverage people in such roles by aligning them as a team of BISAs or Cyber Security Strategic Partners with some level of reporting back to the CISO.
Lager organizations with heavily centralized Cyber Security and IT may benefit from having Cyber Security Strategic Partner roles embedded within similar business units while reporting centrally. This is like having a dedicated HR consultant or financial officer that your business units work with to more effectively utilize central services based on your unit’s specific business needs. In higher education, those similar lines of business could be as broad as academia, research, and administration. Cyber Security Strategic Partner roles could also focus on specific areas of need, such as PCI-DSS, across various business interests and units.
If you can, and where specifically needed, create staff level potions at the functional level embedded within a business unit or over multiple related areas. A cyber security strategic partner embedded in the business units will enable businesses to drive and advocate for information security. If these liaisons report centrally to the CISO, the CISO will have delegated seats at many tables. Giving the CISO far greater insight into the functional level needs of each line of business and making them a more valuable strategic partner at the enterprise level.
Too often, the business sees Cyber Security as IT. This makes it hard for business to see the value of having a partner to advocate for the security of the business processes for which they are responsible. We need to make sure we have Cyber Security staff embedded in the units at the functional level to enable the business while advocating for Cyber Security. The CISO needs liaisons, business information security analysts, cyber security strategic partners, or whatever you want to call them that understand lines of business. Cyber Security has not been just a technical IT issue for a long time. Cyber security must enable the business while advocating for security.