There’s Only One Stock: Managing Cybersecurity in a Global Business

In the twelve years since I have been the CISO of Principal®, the company has continued to grow - in size, products, geographies and more. Of course, new opportunities, growth and change also bring new risks. In cybersecurity terms, we have a broad surface to protect and defend. Years ago as I participated in strategic planning with our technology leadership team, it became apparent that business strategies, coupled with innovative technology plans, emerging cybersecurity regulatory requirements and continually evolving cyber threats, would require a different approach to our information security team. My centralized team was well positioned to provide a firm foundation for the enterprise with shared security technology and governance but did not have deep knowledge of each individual business at a granular level. The best way forward would include more integration of cybersecurity leadership in the business areas themselves. The goal was to achieve two-way communication, with business unit leadership gaining a subject matter expert and my centralized team gaining more insight into each business.

Enter the BISO

For the last six years, we have built an organizational model for managing cybersecurity on a global basis around the role of the business information security officer (BISO). In most business areas, the BISO is a leader of a small team of information security engineers dedicated to serving as a conduit between the enterprise and the business in the region in which they operate. The BISO has a solid line to their business area and brings the business point of view into information security services and governance decisions as part of an overall information security steering group. This team also actively participates in the creation, adjustment and measurement of our enterprise information security strategy, especially in terms of prioritization and investment direction.

Of the six BISOs we have in place at Principal, none do their job in exactly the same way. For example, in our Principal International business unit, the US-based BISO has information security officers (ISOs) in each country to help navigate local regulations, business requirements, operational and strategic security implementations. Our BISO for Principal Global Services in India serves as the local information security leader for all the business conducted there and plays a key leadership role working in partnership with my centralized team in the US. Each of the BISOs have built specific regional and domain expertise including the compliance requirements of their markets or industry.

Mini-CISO = Big Job

• • Board Presentations: As CISO, I present a cybersecurity report to our company Board of Directors. When subsidiary boards need an understanding of cyber security strategies, risks and impacts for their business, the BISO generally handles these focused cybersecurity updates and is in the best position to share successes or to help drive change in the business area if requested by the subsidiary board.
  • Relationships: Like the CISO, building relationships is key to a BISO’s success. It is important for the BISO to spend time building a wide network within their business area that allows for them to understand key business goals, technology roadmaps and challenges. This is an excellent way for a BISO to proactively hear about organizational change, get feedback about how the security team is doing and to build advocates for security initiatives. And in the event of a cyber related incident, having a level of credibility and trust with key business leaders is a big benefit.
  • External Partnerships: As members of FS-ISAC, we all benefit from sharing and learning from our peers and as CISO I participate in the CISO Congress, as well as other industry groups. The BISOs bring their deep knowledge and understanding of the business area they cover to FS-ISAC groups and other specific industry groups associated with our businesses around the world.
  • Strategic Business Change: The CISO is responsible for the cyber posture of the organization as a whole. As the organization changes through mergers, acquisitions or divestitures, there may be an impact on the enterprise cybersecurity program. CISOs often have insight into potential deals and can provide high-level cyber-related input, including program alignment, organizational maturity, exposure to new threats, and possible future investments or expense management. The BISO can have more detailed conversations about topic such as service level agreements, technology capabilities, specific risks of doing business in a new country, access management, and how cybersecurity fits into the proposed operating model.
  Clearly each BISO must balance between being a generalist who plays a broad role in their business area and being a deep expert. This is one reason many of our BISOs were initially individual contributors but are now leaders of small, business-focused information security teams. As the BISO role became embedded in our business and the spotlight on cybersecurity grew, the benefits of having BISOs and their teams serving as the boots on the ground have contributed to continuous improvement of our enterprise information security program. The BISO helps to translate cyber jargon into business language. In a sense, they must be ‘bilingual’ as they ensure business leaders understand that our entire information security team is working to enable them to move quickly and smooth the path to success while also conveying to the centralized information security team what the business area requires in order to execute on their goals.
  
  

  Our Information Security Community

  Six years into the BISO model, it is still a work in progress, but we are confident that it is strengthening our global cybersecurity posture on many levels. Our centralized enterprise information security department depends on the BISOs and their teams, and vice versa. The BISO model is critical to building an effective global cybersecurity program, which is increasingly a competitive differentiator as opposed to simply a necessary expense for regulatory compliance. We consider the BISOs, their team members and the centralized information security team our global information security community. Knowing we all protect the same stock symbol (PFG) helps to bind us to our common mission and strategy.