BISO – no that is not a typo
by Sai Honig, Engagement Security Consultant at Amazon Web Services
You have probably heard the title CISO or chief information security officer. Many companies have someone in this role. In some industries, such as finance or banking, the role is mandatory. According to ZDNet, a CISO is responsible for establishing security strategy and ensuring data assets are protected. CISOs traditionally work alongside the chief information officer (CIO) to achieve these aims.
The CISO works with the CIO and technology teams to design, build, test, deploy, maintain and upgrade technology systems. The CISO is responsible for implementing and maintaining the security of these systems.
The fact is, our world is exponentially increasing its use of technology. With that comes an expectation that everyone—including all our non-technical teams—knows how to use these technologies in a safe and secure manner. Within many organisations there are a large number of non-technical staff: finance, accounting, marketing, supply chain, human resources, education, healthcare, legal, machinists and so on.
BRIDGING THE TECH/NON-TECH GAP
So, how do we bridge the gap between those in non-technical teams and those in technology teams? How do we communicate safe and secure use of technology? How do we prepare entire organisations when new technologies are rolled out? This is where a business information security officer (BISO) may be useful.
A BISO is generally a senior cybersecurity leader whose duty it is to bridge the gap between security and the interests of the business. A BISO typically acts as the CISO’s deputy to oversee strategy at a granular level. In large organisations there may be multiple BISOs embedded in major business units or regional teams. For large scale technology rollouts there may be a BISO who acts as the focal point for business teams.
If security is to function as a strategic business enabler there needs to be alignment between business priorities and information security priorities. If security and business teams are not collaborating, security incidents become more likely as technology use increases. Even with the best monitoring and the strongest security teams, incidents may still go unnoticed and unresolved.
A good BISO needs to be:
• A good listener, to learn about the challenges from both the technical teams and business functions.
• A good translator, to translate technology terminology and jargon for non-technical teams in both written and oral communications.
• A good educator, to help both technical teams and business functions to understand each other’s requirements.
• A good risk manager, to understand that not all risks can be avoided and to know when avoidance, prevention or detection is necessary.
• Able to function between disparate teams: teams work differently, so flexibility is key.
It would be helpful for a BISO to be someone with experience in both the technology world and the business world, and there are several aspects of cybersecurity it would be appropriate for a BISO to oversee. A BISO could serve as a first point of contact for some cybersecurity incidents. They could help de-escalate an issue before it becomes a serious problem requiring resources from other teams. A BISO could work with partners or third parties on behalf of the security team to streamline onboarding of security services. A BISO could also educate staff on new services or functions as they are rolled out.
A BISO IN ACTION
Here is a real-world example. I worked directly with a contracts team developing a process to evaluate and onboard SaaS providers. This required understanding how current requirements needed to be included before signing contracts and completing security reviews prior to onboarding new vendors. Another example: I evaluated a current SaaS vendor for the legal team before its contract extension was signed. The legal team was not aware of certain vendor processes or of their own responsibilities as the customer. This evaluation also entailed updating internal processes to meet increased security requirements.
In another instance I worked with DevOps and engineering teams helping to drive security into the design of new applications and infrastructure.
In many of my roles I have had to work with privacy, compliance and audit functions to address requests quickly and provide resolution to findings.
According to Brandon Wales, director of the Cybersecurity and Infrastructure Security Agency (CISA), cybersecurity threats should be treated as business risks. So why not have the business involved with cybersecurity? Each year, Cybersecurity Awareness Month (October)—initiated by the US President and Congress in 2004—presents a great opportunity to evaluate the need for a BISO to serve as a conduit between business and security. Because, at the end of the day, when there is a breach—large or small—the (whole) business is at risk.
www.linkedin.com/in/saihonig
ATSE ISSUES DIRE WARNING ON STEM SKILLS SHORTAGE
by Stuart Corner
The Australian Academy of Technological Sciences and Engineering (ATSE) has issued a strident warning about the low number of people with STEM skills coming out of Australia’s education system, saying an urgent rethink is needed to tackle this growing national skills crisis.
According to ATSE, Australia “lacks the capacity and critical capabilities to be able to deliver on our technology-powered, human-driven potential both now and into the future.”
It says steps must be taken urgently “to ensure we have enough science, technology, engineering and mathematics (STEM) workers in the roles where they are needed most … to prevent us from becoming a global digital and technological laggard.”
The conclusions come from a new ATSE report: Our STEM Skilled Future: An Education Roadmap for an Innovative Workforce. Its findings and recommendations are the result of a series of roundtables held during 2022 led by ATSE fellows and attended by more than 120 individuals from industry, academia and government.
Launching the report, science writer and presenter Bernie Hobbs said the report called for a serious rethinking of Australia’s approach to encouraging careers in STEM, and provided a roadmap for building an innovative workforce.
“Australia will need an extra 100,000 digitally skilled workers and another 40,000 engineers. Right now we won’t come anywhere near to making up that shortfall. So the message is clear: all our efforts to get more people into STEM and keep them there have not worked.”
TECHNOLOGY SELF-SUFFICIENCY ESSENTIAL
A more dire warning came from ATSE president, Hugh Bradlow, talking about what he described as “the elephant in the room.”
“If there is one thing the last few years have taught us it should be that we cannot rely on autocratic regimes for our energy and manufactured goods,” Bradlow said. “We have to accept that, if Australia’s future is going to be secured, we have to be able to make our own goods, power our own systems and defend ourselves. We have got to accept that as a new reality, which is a big change from the last 50 years.”
Cynthia Nolan, an education consultant specialising in STEM, blamed universities, in part, for the shortage of people gaining engineering and digital skills. She said universities’ lack of emphasis on these subjects as prerequisites for entry discouraged young people, particularly girls, from studying them at school.
“I’ve spoken to many parents, and I’ve run a lot of events with parents around this, especially with girls,” she said. “One of the biggest issues is that a lot of the universities do not encourage—or do not acknowledge—learning of digital skills or engineering as an assumed knowledge or a prerequisite to go into university.
“So parents advise their children, rightfully, to not necessarily study these in secondary school and to study the more traditional maths and sciences, which is great. However, it does not engender that passion for engineering and digital solutions. And so, inevitably, the pipeline keeps reducing.”
FOUR RECOMMENDATIONS
The report makes four recommendations.
• Establish a National Skills Taxonomy to streamline consistent communication about needs and pathways among Australia’s organisations and individuals.
• Prioritise and invest in evidence-based approaches to STEM program development and assessment to ensure education and training is fit-for-purpose and provides value for money.
• Promote and support a culture of lifelong STEM learning in the workforce to ensure Australia has the skills it needs now and into the future.
• Raise the profile of STEM careers in Australia to showcase their accessibility and attractiveness.
STEM SKILLS TAXONOMY SOUGHT
It says the lack of a comprehensive skills taxonomy “introduces challenges for individuals and organisations to communicate the skills they have – and need – in a shared common language … [and] results in a lack of clarity around pathways for upskilling, reskilling, or transferring skills between comparable roles across sectors.”
It argues that a comprehensive skills vocabulary and taxonomy could help solve this challenge and enable rapid mobility into areas where capacity and capability are needed most.
The onus for doing this would fall on the federal government. The report says the government should:
• Continue to expand and define its skills vocabulary, prioritising STEM skills in urgent demand.
• Use the skills vocabulary to map a taxonomy of roles and highlight adjacent job families.
• Provide industry-specific skill demand forecast information to all Australians.
EVIDENCE-BASED APPROACHES NEEDED
The report also argues that there is little curation and evaluation of the quality and effectiveness of the many STEM learning resources and training programs, saying “this raises challenges for businesses seeking to find appropriate, value-for-money learning pathways to up-skill and re-skill their workforces, and for would-be students to make informed choices about the training they select.”
It calls for a number of federal government initiatives to address the issue:
• Establish a self-assessment and quality framework for evaluating STEM training skills (based on its proposed skills taxonomy), assessing skills imparted and competency levels.
• Establish a centralised directory of quality-assessed STEM training programs to support the selection of appropriate training pathways and programs.
• Support education providers to establish priority STEM training programs, quality assessed against the framework.
• Establish a centralised resource of self-serve STEM resources, quality assessed against the framework.
The report also calls for industry peak bodies to work with the federal government to establish simple industry standards for digital skills such as those in cybersecurity, artificial intelligence and data analysis “to enable the acknowledgement of skills acquired through diverse educational mechanisms such as micro-credentialling, on-the-job training and vendor-provided training.”
MORE SUPPORT FOR DIVERSITY AND PARENTING WANTED
In addition, digital employers should “showcase their willingness to attract, retain and promote candidates from diverse educational, experiential and cultural backgrounds, and embrace continuous workplace learning via diverse educational mechanisms.”
They should also “develop flexible work arrangements and robust parental leave policies to improve retention for people with caring responsibilities in engineering careers,” and “conduct genuine and regular audits of their structural and cultural impediments to genuine diversity at all levels.”