The BISO role is still young, but that doesn’t mean it isn’t critical to cyber security operations, communications, and overall success. One of the secrets to a well-rounded BISO is the ability to leverage your non-technical skills in the BISO position.
The Global Business Information Security Officer at CBRE, Patrick Benoit, joins host George Rettas, president and CEO of Task Force 7 Radio and Task Force 7 Technologies. After running through Patrick’s many accolades, including a Lean Six Sigma Black Belt, a master’s in economics, and service as an enlisted soldier in the US military, George kicks off the conversation by asking Patrick about the many pivots his career has taken.
Patrick explains how he worked defense contracts in the military, programming and developing software. Once he rejoined the civilian sector, he worked in computer operations and software development before he started a consulting company. After consulting for some big names, which he lists in the conversation, Patrick left the company, sold his equity, and went to work for a small aircraft engine manufacturer.
He moved back into the enterprise world by doing infrastructure delivery for Dell. It was there that Patrick realized how his sales and consulting experience applied to the technology world. It was his responsibility to deliver the outcome of infrastructure services to clients.
After he left Dell and joined Experian, he helped build a business partner program. Patrick explains, “The idea of the business partner was that we were the global technology, the global CIO's representative and the global CISO's representative down into the business line and we represented the business line back to CISO.”
When he joined CBRE, he was asked to build a BISO program. It was his experience in sales that set him up for success in this role, because, in Patrick’s words, “First and foremost, it’s a sales job.”
George reminds his listeners—particularly young folk—that career paths aren’t always linear. They pivot from vertical to vertical, each pivot offering transferable skills. With an open mind and good connections, anything is possible.
Next, the conversation moves to the role of the BISO position. Patrick compares the BISO role to swim lanes: “You take direction from the CISO and you go to the business executives and you say, ‘Hi, I'm here to help you, and I can tell you anything you need to know about security, and if you have any questions about security or needs within global security, I can help you get that done,’ and I learn about your business. Then I turn around and walk back to the CISO and say, ‘Hey, I've been working with the business down there. They really need some help with X, Y, Z in security. What can we do for them?’”
While, naturally, a BISO has security expertise, Patrick explains how the role has more to do with sales than security itself. “The real role, as I built the BISO role, is to face the customer from sales pursuit all the way through account management and be able to stand there [and] tell the right story—the clean, good, proper story that builds comfort with the client about how you do security in your company.”
Swimming back down the other lane, the BISO works with product owners to help them build their products, mature their products, and understand the security in the product so the BISO can turn around and tell the client the story that was built for them. George notes that the BISO role can be difficult for people who have come up through security, as opposed to sales, because their technical side sometimes gets in the way of telling a transparent, truthful, to-the-point story.
Regarding the CISO/BISO relationship, Patrick stresses that it should work as a team dynamic. Ideally, the CISO and BISO have complementary strengths. For example, a CISO who enjoys being in front of people in a boardroom, committee, or ELT scenario will work best with a BISO who is more task- and procedure-oriented, and vice versa.
The conversation continues when George asks Patrick, “What are the key areas of process and improvement that will make this role more important in the future and more successful with the business?” Patrick describes the tasks of a BISO as two-sided: input and output.
The cumbersome process of intaking client requests through questionnaires, risk assessments, and audits—particularly through email—is unnecessary. Patrick offers a better way. “Wrapping a ticketing system process around your front end is just a good idea. It gives you some ability to track, assign. It's scalable because you add new people, you use the same intake process and it gives you the ability to start developing metrics about what kinds of work you're processing for the team.”
On the output side, uniform and timely responses to questions are often lacking. To better handle so much information, Patrick suggests building a standard library of answers. When evergreen evidence is standardized, touchpoints are reduced—you’re not having to bother an engineer 50 different times with 50 different questions—questions get answered faster, and you don’t run the risk of giving different answers to the same question.
Security professionals get a bad rap as blockers and a hindrance to positive customer experiences. However, with no BISO to answer detailed security questions in an RFP, clients can lose confidence in a company’s ability to get the job done. Additionally, a knowledgeable BISO gives the sales team a value-add.
George and Patrick discuss the continuing evolution of security roles, noting that the BISO role is still in its infancy. It is advantageous for corporations to look at the BISO primarily as a business role. George and Patrick lament the specific pain points and roadblocks that are preventing that from happening.
Things get personal when George asks Patrick what other life experiences have helped him on his cybersecurity journey. Despite his mother’s accusation of being a Jack of all trades and a master of none, Patrick prides himself on being a master of all trades. For example, Patrick talks about how his flight instructing and martial arts play into the cybersecurity world. “One of the things we teach student pilots is, as they're flying and they look at their instruments and something goes wrong, the very first thing they have to do is stop trying to find the problem and fly the plane. If you don't fly the plane, the problem doesn't matter. It's a lot the same in cybersecurity.” The parallels only grow from there.
Moving on, George explains when and where cybersecurity certifications are advantageous before weighing in on reports indicating that the demand for cyber security professionals is outpacing the supply by millions. “I don't believe it's as bad as we're making it out to be, and I think there are plenty of ways to fix it too.”
This jam-packed conversation finishes with a discussion of the future of AI and its role in cyber security, how data breaches have changed the industry, the biggest challenges Patrick sees with cyber security, and the future of cyber security. “I think we’ll continue to evolve into more of a service kind of orientation. I think we're going to see greater and greater and greater moves toward security as a service.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.