Who This Article Is For
For leaders and practitioners working at the intersection of cybersecurity and business: BISOs, CISOs, product owners, business-unit leaders (BUs), CFOs, and anyone making decisions about risk and security investments.
The core idea of the BISO role is to translate security into the language of business—and back—so decisions weigh controls against the value/risk trade-off for a given business process. Many industry descriptions frame the BISO as a bridge between Security and the business, not a duplicate of the CISO.
What this is:
a practical, business-focused glossary for a Business Information Security Officer (BISO) — the bridge between C-suite and security/engineering. It blends terms from cybersecurity, risk, finance, strategy, privacy, legal/compliance, and operations. Definitions use American English and prefer globally recognized nomenclature.
How it was compiled: synthesis of leading frameworks, standards, and industry literature, including (non-exhaustive): NIST (CSF 2.0; SP 800-53/-61/-171), ISO/IEC 27001/27002, COBIT, CIS Controls v8, AICPA Trust Services Criteria (SOC 2), PCI DSS, FFIEC handbooks, CISA guidance, MITRE ATT&CK/D3FEND, ISACA/FAIR Institute materials, ITIL 4, major US regulations (HIPAA, GLBA Safeguards, SOX, CCPA/CPRA, SEC cyber-disclosure rules), vendor/cloud shared-responsibility documentation, and standard finance/strategy texts (e.g., P&L, EBITDA, ROI, TCO, NPV).
How to use it: scan by section; examples are included where they clarify executive conversations.
1) Governance, Risk & Strategy
Corporate Governance — system of rules, practices, and processes by which a company is directed and controlled; sets tone for risk, compliance, and security prioritization.
Example: Board Risk Committee charters include cyber oversight.
Risk Appetite — the amount and type of risk an organization is willing to pursue or retain to meet objectives.
Risk Tolerance — acceptable deviation from appetite for specific metrics (e.g., “≤ 1 critical data loss incident/year”).
Risk Capacity — maximum risk the enterprise can absorb before threatening viability (financial/operational constraints).
Three Lines Model — governance model: (1) business ownership/management, (2) risk/compliance oversight (incl. security), (3) independent assurance (internal audit).
Enterprise Risk Management (ERM) — coordinated approach to identifying, assessing, responding to, and monitoring enterprise risks.
GRC (Governance, Risk, and Compliance) — integrated processes/tools to align policies, risks, and controls with business objectives.
Inherent Risk — risk level absent any controls.
Residual Risk — risk remaining after controls.
Example: Phishing residual risk after MFA and training.
Control Objective — desired outcome of a control (e.g., “only authorized users access PHI”).
Compensating Control — alternative control providing equivalent protection when a prescribed control is infeasible.
Risk Register — authoritative log of risks, owners, ratings, and treatments.
Risk Treatment — avoid, reduce/mitigate, transfer/share (e.g., insurance), or accept.
Business Impact Analysis (BIA) — identifies critical processes, dependencies, and impacts, informing RTO/RPO.
Strategic Alignment — ensuring security initiatives directly support business goals/KPIs (revenue protection, growth enablement).
2) Cybersecurity Frameworks & Control Baselines
NIST CSF 2.0 — NIST's cybersecurity framework (US origin, widely adopted internationally), organized into six functions: Govern, Identify, Protect, Detect, Respond, Recover; its outcomes map to control catalogs such as SP 800-53 and ISO/IEC 27002.
NIST SP 800-53 — control catalog for federal/regulated environments; families like AC (Access Control), AU (Audit), SC (System and Communications Protection).
NIST SP 800-171 — requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems.
CMMC — US DoD maturity model for defense suppliers; Level 2 aligns with NIST SP 800-171, Level 3 adds selected SP 800-172 requirements.
ISO/IEC 27001 — certifiable ISMS standard; Annex A lists the controls and 27002 supplies implementation guidance (the 2022 edition groups controls into organizational, people, physical, and technological themes, covering areas such as IAM, cryptography, and supplier security).
COBIT — governance framework for enterprise IT; focus on value delivery and assurance.
CIS Controls v8 — 18 prioritized controls whose safeguards are grouped into Implementation Groups (IG1 “essential cyber hygiene”, IG2, IG3) by enterprise risk profile and resources; the older “basic/foundational/organizational” tiers belong to v7.
MITRE ATT&CK — adversary tactics/techniques knowledge base used for detection engineering and threat-informed defense.
MITRE D3FEND — countermeasure knowledge graph mapping to ATT&CK.
SOC 2 (Trust Services Criteria) — AICPA attestation over Security (always in scope), Availability, Processing Integrity, Confidentiality, Privacy; Type I covers control design at a point in time, Type II covers operating effectiveness over a period (typically 6–12 months).
PCI DSS — payment-card security standard for entities storing/processing/transmitting cardholder data.
3) Security Architecture, Operations & Metrics
Zero Trust — “never trust, always verify”; continuous authz; micro-segmentation; data-centric controls.
PoLP (Principle of Least Privilege) — grant minimum necessary access.
Defense-in-Depth — layered controls across people, process, technology.
SDLC / SSDLC — (Secure) Software Development Life Cycle integrating security from design to deployment.
SAST / DAST / IAST / RASP — static/dynamic/interactive app testing; runtime self-protection.
SBOM — Software Bill of Materials; inventory of components for vulnerability/transparency.
EDR / XDR — endpoint/extended detection & response; correlates telemetry across hosts, network, identity, cloud.
SIEM — Security Information & Event Management; log aggregation, correlation, alerting.
SOAR — Security Orchestration, Automation & Response; playbooks to standardize/automate actions.
UEBA — User and Entity Behavior Analytics; anomaly detection.
MTTD / MTTR — Mean Time to Detect/Respond; key operational KPIs.
CVSS — Common Vulnerability Scoring System; standard 0–10 severity rating for vulnerabilities. It measures technical severity, not business risk: prioritize with exploitation and exposure data (e.g., CISA KEV, EPSS) and asset criticality.
Vulnerability Management (VM) — continuous discover-assess-remediate cycle.
Patch Management — prioritized application of updates based on risk.
Configuration Baseline / Hardening — secure configurations (e.g., CIS Benchmarks).
Red Team / Purple Team — adversary emulation; collaborative blue-red improvement.
4) Identity, Access & Data Protection
IAM — Identity & Access Management: provisioning, authn/authz, lifecycle.
IdP — Identity Provider; issues/validates credentials and tokens.
SSO — Single Sign-On; centralized authentication across apps.
MFA — Multi-Factor Authentication (e.g., FIDO2/WebAuthn, TOTP).
SAML / OAuth 2.0 / OIDC — federation and delegated-authorization standards: SAML exchanges signed assertions; OAuth 2.0 issues access tokens for delegated authorization (not authentication by itself); OIDC adds an identity layer (ID token) on top of OAuth 2.0.
Example: B2B SAML for SaaS; consumer login via OIDC on OAuth 2.0.
PAM — Privileged Access Management; vaulting, session control, just-in-time access.
CIEM — Cloud Infrastructure Entitlement Management; governs cloud permissions at scale.
DLP — Data Loss Prevention; detects/prevents unauthorized data movement.
Tokenization / Encryption (at rest/in transit) — data protection techniques; leverage KMS/HSM for key control.
Data Classification — labeling by sensitivity (Public, Internal, Confidential, Restricted).
PII / PHI / PCI Data — personal, health, and cardholder data categories with specific obligations.
Data Minimization — collect/retain only what’s needed for stated purposes.
5) Cloud, SaaS & Modern Infra
Shared Responsibility Model — delineates provider vs customer duties (varies by IaaS/PaaS/SaaS).
CSPM / CWPP / CNAPP — Cloud Security Posture Mgmt; Workload Protection; converged cloud-native app protection platform.
CASB — Cloud Access Security Broker; visibility/control for SaaS usage.
KMS / HSM — key management and hardware security modules.
VPC / Subnet / Security Group / NACL — cloud networking segmentation primitives.
WAF — Web Application Firewall; filters common web attacks (OWASP Top 10 categories, bots); a mitigating layer, not a substitute for fixing the application.
SRE / SLI-SLO-SLA — Site Reliability Engineering; metrics, objectives, contractual commitments.
Change Management (CAB, RFC/CRQ) — controlled change process to reduce incidents/regressions.
IaC — Infrastructure as Code (e.g., Terraform, CloudFormation) with policy-as-code guardrails.
6) Incident Management, BCP/DR & Threats
NIST SP 800-61 (IR) — incident response lifecycle (Rev. 2): Preparation → Detection/Analysis → Containment/Eradication/Recovery → Post-Incident Activity; Rev. 3 (2025) restructures the guidance around the CSF 2.0 functions.
Playbook / Runbook — documented steps for incident handling/operations.
Tabletop Exercise (TTX) — discussion-based simulation to test readiness.
BCP / DRP — Business Continuity / Disaster Recovery Plans.
RTO / RPO — Recovery Time / Recovery Point Objectives.
Threat Intelligence (TI/CTI) — curated knowledge about adversaries, TTPs, indicators.
TTPs — Tactics, Techniques, and Procedures; attacker behavior patterns.
Phishing / BEC — social engineering to steal creds or redirect payments (Business Email Compromise).
Ransomware — malware encrypting (and increasingly exfiltrating) data for extortion; countered via EDR, offline/immutable backups with tested restores, segmentation, and phishing-resistant MFA.
Loss Event — realized incident causing financial/operational impact; basis for risk quantification.
7) Third-Party & Procurement
TPRM / SCRM — Third-Party Risk Management / Supply-Chain Risk Management.
RFI / RFP / RFQ — information request, proposal, quotation; procurement stages.
MSA / SOW — Master Services Agreement; Statement of Work.
DPA — Data Processing Addendum; defines roles (controller/processor), transfers, security.
BAA — Business Associate Agreement for HIPAA-covered data.
SIG / SIG Lite — standardized vendor security questionnaires (Shared Assessments).
SOC 1 vs SOC 2 — SOC 1: financial controls (ICFR); SOC 2: security/privacy criteria.
Pen Test Letter / ASV Scan (PCI) — third-party test attestations for compliance.
Right-to-Audit Clause — contractual right to inspect vendor controls.
8) Privacy & Legal (US-centric, business-relevant)
CCPA/CPRA — California consumer privacy rights (access, delete, opt-out of sale/share), sensitive data rules, contracts.
GLBA (Safeguards Rule) — financial institutions’ data security program requirements.
HIPAA (Privacy/Security/Breach Rules) — protections for PHI; applies to Covered Entities and Business Associates.
SOX (Section 404) — internal control over financial reporting; ITGC relevance.
SEC Cyber Disclosure — material incident and risk-management disclosures in public filings.
FERPA / COPPA / VPPA — sector-specific US privacy rules (students, children <13, video data).
DPIA / PIA — (Data) Privacy Impact Assessment for high-risk processing.
Records of Processing (RoPA) — catalog of processing activities; often required under privacy regimes.
Data Subject Request (DSR) — request to exercise privacy rights (access, delete, etc.).
Breach Notification — statutory timelines/thresholds for notifying regulators/consumers.
9) Finance, Accounting & Value (for BISO conversations)
P&L (Profit and Loss Statement) — income statement: revenue, COGS, Gross Profit, OpEx, Operating Income, Net Income.
OpEx / CapEx — operating vs capital expenditures; impacts budget approval and depreciation.
EBITDA — Earnings Before Interest, Taxes, Depreciation, and Amortization; proxy for operating performance.
Gross Margin / Contribution Margin — profitability after COGS / incremental profit after variable costs.
ROI — Return on Investment = (Gain − Cost)/Cost.
Example: $500k loss avoidance on a $200k control ⇒ (500 − 200)/200 = 150% ROI.
IRR / NPV / Payback Period — investment evaluation metrics; discount cash flows to assess security/business cases.
TCO — Total Cost of Ownership (license, cloud, headcount, support, training, migration, de-commissioning).
ARR / MRR — Annual/Monthly Recurring Revenue (for SaaS business context).
CAC / LTV — Customer Acquisition Cost; Lifetime Value; relevant when security measures affect conversion or churn.
NRR / GRR — Net/Gross Revenue Retention; security reliability impacts renewal/expansion.
Cost of Risk (CoR) — expected annualized loss + controls + insurance — informs optimal spend.
ALE / SLE / ARO — Annualized Loss Expectancy; Single Loss Expectancy; Annualized Rate of Occurrence (classic quantitative risk).
Example: $2M SLE × 0.2 ARO ⇒ $400k ALE.
FAIR — Factor Analysis of Information Risk; calibrated, probabilistic loss modeling (e.g., P10/P50/P90).
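A worked version of the ROI, ALE, and payback formulas in this section, plus a small FAIR-style Monte Carlo that produces the P10/P50/P90 figures the FAIR entry mentions and compares an inherent scenario against a residual one (the Residual Risk and Risk Tolerance entries in section 1). This is an added example, not code from the original glossary. The phishing frequency and loss ranges, the MFA figures, and the $500k tolerance ceiling are constructed assumptions chosen to echo the page's own examples; lognormal per-event losses and a Poisson event count are modeling choices, not something FAIR prescribes.

```python
"""Risk-quantification helpers: ROI, ALE, payback, and a FAIR-style Monte Carlo.

Added example for this glossary, not code from the original page. All scenario
figures below are constructed, illustrative assumptions.
"""
import math
import random
import statistics
from dataclasses import dataclass


def roi(gain: float, cost: float) -> float:
    """ROI = (Gain - Cost) / Cost, as a fraction (1.5 means 150%)."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (gain - cost) / cost


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


def payback_months(cost: float, annual_benefit: float) -> float:
    """Months until avoided loss repays the control, assuming the benefit accrues evenly."""
    if annual_benefit <= 0:
        return math.inf
    return 12.0 * cost / annual_benefit


@dataclass(frozen=True)
class LossScenario:
    """FAIR-style inputs: a range for events/year and a P10-P90 range for loss per event."""
    freq_low: float
    freq_high: float
    loss_p10: float
    loss_p90: float


# Constructed phishing scenario: before and after phishing-resistant MFA (assumptions).
INHERENT_PHISHING = LossScenario(freq_low=2.0, freq_high=6.0, loss_p10=50_000, loss_p90=800_000)
RESIDUAL_PHISHING = LossScenario(freq_low=0.2, freq_high=1.0, loss_p10=20_000, loss_p90=300_000)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(scn: LossScenario, years: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo over `years` simulated years; returns P10/P50/P90 and mean annual loss."""
    if not (0 < scn.loss_p10 < scn.loss_p90):
        raise ValueError("loss_p10 must be positive and below loss_p90")
    rng = random.Random(seed)
    # Fit a lognormal so its 10th/90th percentiles match the stated per-event loss range.
    z90 = 1.2816  # standard-normal 90th percentile
    mu = (math.log(scn.loss_p10) + math.log(scn.loss_p90)) / 2
    sigma = (math.log(scn.loss_p90) - math.log(scn.loss_p10)) / (2 * z90)
    totals = []
    for _ in range(years):
        lam = rng.uniform(scn.freq_low, scn.freq_high)  # uncertainty about the rate itself
        events = _poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    totals.sort()

    def pct(q: float) -> float:
        return totals[min(int(q * years), years - 1)]

    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90), "mean": statistics.fmean(totals)}


def within_tolerance(result: dict, p90_ceiling: float) -> bool:
    """Risk-tolerance check: is the simulated P90 annual loss at or below the stated ceiling?"""
    return result["p90"] <= p90_ceiling


if __name__ == "__main__":
    print(f"ROI  : {roi(500_000, 200_000):.0%}")                  # glossary ROI example
    print(f"ALE  : ${ale(2_000_000, 0.2):,.0f}")                 # glossary ALE example
    print(f"MFA  : {roi(650_000, 200_000):.0%} ROI, "
          f"{payback_months(200_000, 650_000):.1f}-month payback")
    inherent = simulate_annual_loss(INHERENT_PHISHING)
    residual = simulate_annual_loss(RESIDUAL_PHISHING)
    for label, r in (("inherent", inherent), ("residual", residual)):
        print(f"{label:8s} P10 ${r['p10']:>11,.0f}  P50 ${r['p50']:>11,.0f}  "
              f"P90 ${r['p90']:>11,.0f}  mean ${r['mean']:>11,.0f}")
    print("residual within $500k P90 tolerance:", within_tolerance(residual, 500_000))
```

The point of the simulation is the shape of the output, not the exact numbers: a P10/P50/P90 spread tells a board how wide the uncertainty is, and a residual P90 that sits under the agreed tolerance ceiling is a statement the process owner can sign off on, which a single red/yellow/green rating cannot express.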
10) Reporting, KPIs & Executive Communication
KPI / KRI — Key Performance Indicator; Key Risk Indicator (leading vs lagging).
Heat Map — visual of risk vs impact/likelihood; supports prioritization.
Scorecard / Dashboard — curated metrics for execs (e.g., patch SLAs, phishing fail rate, critical vulns > 30 days).
OKR — Objectives and Key Results; align security goals with business outcomes.
Materiality — threshold at which information influences investor decisions; central to SEC cyber disclosures.
Narrative Risk Story — concise, data-backed articulation of business risk and choices (accept/transfer/mitigate).
11) Data, Analytics & AI
Data Lake / Warehouse — raw vs modeled storage; informs logging/telemetry strategy.
Data Lineage — provenance/transformations; critical for auditability.
De-identification / Pseudonymization — privacy-preserving techniques.
Model Risk Management (MRM) — governance over ML models (bias, drift, explainability, security).
Prompt Injection / Model Theft / Data Exfil via LLM — AI-specific threats and controls.
Guardrails — policy and technical constraints for safe AI usage (red teaming, content filters, retrieval boundaries).
12) Operational Technology (OT) & Physical
OT / ICS — Operational Technology / Industrial Control Systems (SCADA, PLCs).
IIoT — Industrial Internet of Things; sensorized manufacturing/energy.
Zone/Conduit Model — segmented architecture for ICS safety/security.
Safety Integrity Level (SIL) — reliability measure for safety functions.
Physical Security (CPTED, Badging, Mantraps) — complements cyber controls.
13) Crypto/Fintech (select terms BISOs encounter)
KYC / AML — Know Your Customer / Anti-Money Laundering obligations; identity verification and transaction monitoring.
Custody / Cold Storage — safeguarding digital assets; key management, multi-sig, HSMs.
Stablecoin / Fiat On-Ramp — price-pegged crypto; bridges between banked funds and digital assets.
Travel Rule — information-sharing requirement for certain crypto transfers (VASP-to-VASP).
14) Common Documents & Artifacts
ISMS — Information Security Management System; policies, procedures, metrics, continual improvement.
Policy / Standard / Procedure / Guideline — top-down to detailed how-to hierarchy.
Control Matrix / RACI — maps controls to owners (Responsible, Accountable, Consulted, Informed).
Data Map / Inventory — systems, data categories, flows, locations.
Retention Schedule — how long data/artifacts are kept.
Security Requirements Traceability Matrix (SRTM) — links requirements to tests/evidence.
15) Talks BISO Should Navigate — example phrasings
“Risk Transfer via Cyber Insurance” — premiums, exclusions, retentions; align with incident playbooks and claims evidence.
“Enablement vs. Restriction” — frame controls as revenue protection (e.g., faster audits, faster enterprise deals).
“Material Incident Escalation” — crisply define thresholds, roles, and disclosure timing.
Mini-Examples (quick reference)
- Compensating Control: If SaaS lacks SSO today, enforce MFA + IP allow-listing + tight off-boarding as a temporary equivalent.
- ROI for Control: Implement phishing-resistant MFA; expected reduction in annual account-takeover loss from $800k to $150k on $200k spend ⇒ $650k avoided, (650 − 200)/200 = 225% ROI, ~4-month payback (200/650 of a year).
- Zero Trust Sound-bite for Execs: “We verify every user and device, every time, for every resource — and limit blast radius via segmentation.”
Appendix — Abbreviation Quick Table (selected)
ALE, ARO, BAA, BCP, BIA, BISO, CAPEX, CASB, CIEM, CISA, CISO, CNAPP, COBIT, CVSS, DAST, DLP, DORA, DPIA, DRP, EDR, EBITDA, ERM, FAIR, FFIEC, FIDO2, GLBA, GRC, HIPAA, HSM, IAM, IaC, ICS, IdP, IRR, ISO, ITGC, ITIL, KMS, KPI/KRI, LTV/CAC, MFA, MITRE ATT&CK, MRR/ARR, MSA, MTBF/MTTD/MTTR, NIST CSF, NPV, OIDC, OpEx, OWASP, PAM, PCI DSS, PHI/PII, PoLP, RACI, RASP, RFC/CRQ/CAB, RFP/RFI/RFQ, RoPA, ROI, RPO/RTO, SBOM, SEC (cyber), SIEM, SIG, SLA/SLO/SLI, SOW, SRE, SRTM, SSO, SAST/IAST, SOC 1/2, SOX, TCO, TI/CTI, TTPs, UEBA, WAF, WebAuthn, Zero Trust.
BISO vs. CISO — Quick Cheat Sheet
CISO: Enterprise-level security strategy and policy; runs the security program; reports to the board/CEO.
BISO: Lands the CISO’s strategy within a specific BU, maps risks to P&L, and closes the gap between product/sales/operations and the security function.
How a BISO Explains Security’s Value
- Tie controls to business impact: What exactly are we protecting (process/revenue/obligations)?
- Quantify risk: In dollars, downtime, and penalties—not just “red/yellow/green.”
- Show alternatives: Transfer (insurance), avoid, reduce, accept—and the cost of each path.
- Agree on metrics: KRI/KPI that the process owner understands.
- Lock in accountability: RACI and clear business-side risk owners.
Conclusion
A BISO is, above all, a translator of value: putting security in service of the business, not the other way around. Learn the terms, align on metrics, and speak the business’s language—so you become the professional who makes the company both safer and more successful.