BISO Case Study

In this case study, I will examine the rising role of the Business Information Security Officer (BISO). The goal of this study is to analyze the current environment for BISOs and draw a conclusion about whether a fictitious company "Simpton Corp." should hire a BISO.

Background:

For this case study, Simpton Corp. is intended to be a fictitious entity, and any relation to an actual entity of that name is entirely coincidental. Do not google or otherwise look for the name "Simpton", as it was fabricated for this study.

Simpton is a young company that offers a successful online fitness platform. The flagship Simpton product is a hardware device called the "Fit88". The Fit88 is a small Android-powered device paired with a unique wearable chest-strap sensor and equipped with a camera, heat sensor, Bluetooth, and WiFi radios. Users place the Fit88 anywhere in the room where they are working out and, while wearing the sensor, record metrics on their body’s electrical impulses, heart rate, temperature, and composition. The Fit88 online portal produces detailed reports and analyses of activity and offers feedback on fitness, recommendations, and integrated product suggestions.

While Fit88 began in 2012 as a startup in Estonia, it quickly gained traction across Scandinavia and Eastern and Western Europe. In 2018, eyeing a need to penetrate the lucrative American market, the company established an office in San Francisco and raised investment capital from a U.S.-based venture capital firm. It began marketing the service in the U.S. and now derives 15% of global revenue from U.S.-based consumers, with strategic goals to increase that share to 75% in order to hit its revenue targets and take the company public in 2023.

In mid-2020, Simpton Corp. suffered a high-profile cybersecurity breach. While rumored to be a targeted attack by a major nation state intended ultimately to harm a specific diplomat known to use the Fit88 product, the end result was that all Fit88 devices were compromised and the wearable chest straps were heated to an uncomfortable, but not harmful, 120 degrees Fahrenheit. Simpton was forced to take emergency action: it issued a global software update to all users to stop the heating and hired a well-known, but expensive, cybersecurity incident response firm to provide assurance that the adversary was cut off from Simpton systems and that the weaknesses exploited in the attack kill chain were fully remediated. While Simpton had previously designated a "Head of Security" among its Engineering staff, the incident drove it to hire a dedicated Chief Information Security Officer with five full-time staff dedicated to a focused security program.

Media coverage of the incident drove an influx of customer support inquiries and a small wave of demands for termination and a full refund. Just as Simpton’s leadership thought the incident could drive them out of business, the rate of weekly signups increased by 20x. A marketing analysis concluded that the press around the cybersecurity incident had the unintended consequence of creating massive global awareness of and interest in the Fit88 product.

With the security incident closed and customer growth outpacing goals, the CEO and Board of Directors were excited to meet and update sales targets and their timeline to list the company publicly. During the meeting, however, the Simpton General Counsel (GC) shared word that at least two European countries had issued requests for information about consumer data protections in recent weeks, creating concerns that enforcement action under the EU's General Data Protection Regulation (GDPR) may be imminent. The Board asked the GC to closely monitor the situation and analyze similar potential ramifications in other jurisdictions, specifically requesting that the GC meet with the CISO to evaluate the cybersecurity program and any improvements needed to withstand increased scrutiny.

After discussing the situation, performing independent research, and speaking with external consultants, the GC and CISO are deliberating whether it would be appropriate to establish one or more Business Information Security Officers (BISOs) in specific geographies.