The role of the BISO (Business Information Security Officer) is steadily gaining ground within organisations as a way to bring cybersecurity closer to day-to-day operations. Embedded within business units, the BISO acts as the local extension of the CISO, arbitrating needs, supporting teams, and intervening in contractual and regulatory discussions.

Assigned to a business perimeter rather than the central IT organisation, the BISO delivers cybersecurity directly where the business operates. They guide technical teams, liaise with operational management, and tailor security requirements to real-world usage, regulatory constraints, and the expectations of internal and external clients.

“The BISO is a business-oriented version of the CISO role, designed for operational teams and customers. Their scope isn’t about securing the back-office IT, but rather ensuring the security of the services delivered and reinforcing the organisation’s trusted-partner status with its clients. They essentially act as a business or client-facing CISO. This requires a strong presence on the ground, supporting commercial, technical, legal and security teams,” explains Guillaume Vacher, BISO at Equans France (Bouygues Group).

A role rooted in the field

In the daily work of a BISO, the operational dimension is central. They regularly visit sites, speak with business teams to understand their challenges, participate in customer workshops, and help define the security strategy for a building or an infrastructure project.

“This proximity allows them to spot concrete risks, for instance in smart buildings or energy-efficiency systems. From there, they can propose simple and economically viable solutions so cybersecurity isn’t perceived as an obstacle,” notes Guillaume Vacher. In other words, the BISO aims to turn a technical or regulatory constraint into a commercial asset, demonstrating that security can be a differentiator.

“The BISO acts as an internal relay. They ensure that the level of security applied to any application or project is proportionate. This precise understanding of business needs helps avoid standardised requirements that would be neither relevant nor acceptable for certain applications. They validate projects, authorise handovers to business teams, and represent cybersecurity to external clients, including local authorities in the case of Suez,” comments Paul Gompel, BISO / Water Division CISO at Suez.

A decisive role during cyber crises

The BISO also plays a major role when cyber incidents strike. “If one of the systems operated by field teams suffers a cyberattack, the BISO supports the crisis unit, protects the company’s contractual posture, assists the client with remediation, and helps rebuild trust. After such an event, the client may decide to raise its requirements and expand the contract scope to include long-term cybersecurity measures,” explains Guillaume Vacher.

Regulatory matters are another significant part of the job. The BISO ensures that offerings comply with applicable regulations, guides business teams on their obligations, and helps shape credible security approaches in bids. They also intervene in contract discussions: clarifying responsibilities—especially when a client requires compliance with frameworks such as NIS2—and ensuring that commitments fall within the correct legal boundaries.

A role with inherent limitations

Typically, the BISO reports to the organisation’s CISO and fits within a governance chain designed to maintain coherence between central cybersecurity and business operations. They represent the cybersecurity function on the ground while relaying group-level policies and guidance. This intermediary position allows them to translate operational needs for technical cybersecurity teams, and conversely, adapt group policies to operational realities.

However, the role has its limits. “It relies on a profile deeply rooted in business needs, which can reduce the ability to maintain a high technical level. It also creates scenarios of dual leadership, since the BISO influences teams they don’t directly manage. They must constantly arbitrate between competing priorities,” explains Paul Gompel. The Suez Water Division BISO also highlights the challenge of standardising practices across BISOs, since each one reflects the culture of their business unit. At Suez, six BISOs cover—beyond the water division—waste management, support functions, IT, construction engineering, and international operations. This structure mirrors the group’s executive organisation.

Finally, Paul Gompel points out that no dedicated national BISO community exists; BISOs are still perceived as a type of business-focused CISO. They participate in the usual ecosystems such as CESIN or Clusif. In his view, the main value of the BISO terminology is its clarity: it emphasises the business-centric nature of the role and avoids the ambiguity currently surrounding the term “CISO”, which is used for widely varying responsibilities depending on the organisation.

Box: Key figures

According to a 2023 study titled “The BISO Role in Numbers” by the IANS (Institute for Applied Network Security), BISO compensation averages $320,000. Total compensation (including all benefits) ranges from $160,000 to $600,000. Annual pay increases average 14%, mostly allocated to base salary and stock grants. On average, BISOs earn 21% less than CISOs.
