Sysadmins who work closely with Infosec: What are the characteristics of a good BISO?
Posted by tfm217@reddit | sysadmin | 36 comments
BISO = Business Information Security Officer
I honestly don't know what this person should be doing in this role. He's acting like a glorified but unskilled project manager and passing along raw output CSVs with unsorted data from scanning tools. I just wish I knew what he was supposed to be doing for us.
trebuchetdoomsday@reddit
vogelke@reddit
FTFY.
trebuchetdoomsday@reddit
Appreciated. I guess it's easily implied with a title like BISO that they have a Gartner rep.
tfm217@reddit (OP)
They used the phrase "defense in depth strategy" in an email with no explanation at some point, but I was too buried at the time to ask more about it.
Jumpy_Valuable_8583@reddit
A "good" BISO at minimum should be doing the thing your current one isn't: prioritizing scan output by actual business risk, not just dumping the CVSS-sorted CSV on you. Raw output is them outsourcing triage — the hardest part of the job — to the people with the least context.
What to push back for:
- Every finding needs a "why this matters here" line. Asset criticality + exposure (internet-facing? auth required?) + exploit availability beats CVSS alone every time.
- Dedup across scan runs. Same CVE on the same host across 4 scans is 1 ticket, not 4.
- Filter to what's actionable this sprint, not the full 800-row dump.
Got tired of this exact pattern with our own client work, ended up writing a scanner (Radar) that ships a triaged, deduped, business-context-tagged report instead of a CVE catalog. Disclosure: founder. But you're not asking for too much — you're asking for the bare minimum of the role.
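The three rules in the comment above (a "why this matters here" line per finding, dedup across scan runs, filter to what is actionable) written out as a small Python script. This is an added example, not code from the thread, from any commenter, or from the Radar product mentioned; the hostnames, CVE IDs, scan dates, asset inventory and "known exploited" set are all constructed, and the weights and multipliers are illustrative choices, not a standard.

```python
import csv
import io
from dataclasses import dataclass

# Constructed raw scanner export (hypothetical hosts and CVE IDs). The first CVE shows up
# on web01 in four consecutive weekly runs; lab07 carries a high-CVSS finding that is
# neither exposed nor on a critical asset.
RAW_SCAN_CSV = """host,cve,cvss,scan_date
web01,CVE-2024-0001,9.8,2024-05-01
web01,CVE-2024-0001,9.8,2024-05-08
web01,CVE-2024-0001,9.8,2024-05-15
web01,CVE-2024-0001,9.8,2024-05-22
web01,CVE-2024-0002,5.3,2024-05-22
lab07,CVE-2024-0003,9.1,2024-05-22
db02,CVE-2024-0004,7.5,2024-05-22
"""

# Constructed asset context; in a real shop this comes from the CMDB or inventory.
ASSETS = {
    "web01": {"criticality": "high", "internet_facing": True, "auth_required": False},
    "db02": {"criticality": "high", "internet_facing": False, "auth_required": True},
    "lab07": {"criticality": "low", "internet_facing": False, "auth_required": True},
}

# Constructed stand-in for an exploit-availability feed (a known-exploited list, for example).
KNOWN_EXPLOITED = {"CVE-2024-0001", "CVE-2024-0004"}

# Illustrative weights and multipliers (assumptions); tune them to your own risk appetite.
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.6, "low": 0.3}
INTERNET_FACING_MULT = 1.5
NO_AUTH_MULT = 1.2
EXPLOITED_MULT = 1.5
DEFAULT_ASSET = {"criticality": "medium", "internet_facing": False, "auth_required": True}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    last_seen: str
    seen_in_runs: int = 1
    score: float = 0.0
    why: str = ""


def dedupe(csv_text):
    """Collapse repeated (host, cve) rows from multiple scan runs into one finding each."""
    merged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], row["cve"])
        if key in merged:
            merged[key].seen_in_runs += 1
            merged[key].last_seen = max(merged[key].last_seen, row["scan_date"])
        else:
            merged[key] = Finding(row["host"], row["cve"], float(row["cvss"]), row["scan_date"])
    return list(merged.values())


def contextualise(finding, assets, exploited):
    """Score a finding by business context and write its 'why this matters here' line."""
    asset = assets.get(finding.host, DEFAULT_ASSET)
    score = finding.cvss * CRITICALITY_WEIGHT[asset["criticality"]]
    reasons = [f"{asset['criticality']}-criticality asset"]
    if asset["internet_facing"]:
        score *= INTERNET_FACING_MULT
        reasons.append("internet-facing")
    if not asset["auth_required"]:
        score *= NO_AUTH_MULT
        reasons.append("reachable without auth")
    if finding.cve in exploited:
        score *= EXPLOITED_MULT
        reasons.append("public exploit available")
    finding.score = score
    finding.why = f"CVSS {finding.cvss} on {finding.host}: " + ", ".join(reasons)
    return finding


def triage(csv_text, assets, exploited, threshold=8.0):
    """Deduped, context-scored findings at or above the threshold, highest risk first."""
    findings = [contextualise(f, assets, exploited) for f in dedupe(csv_text)]
    actionable = [f for f in findings if f.score >= threshold]
    return sorted(actionable, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(RAW_SCAN_CSV, ASSETS, KNOWN_EXPLOITED):
        print(f"{f.score:5.1f}  {f.cve} on {f.host} (seen in {f.seen_in_runs} run(s), "
              f"last {f.last_seen}) - {f.why}")
```

On this input the four rows for CVE-2024-0001 on web01 become one ticket seen in four runs, the CVSS 5.3 finding on the internet-facing web01 makes the cut, and the CVSS 9.1 finding on the isolated low-criticality lab07 does not, which is the point: the sort order a CVSS-only CSV gives you is not the order the business should patch in.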
homeless_wonders@reddit
Security professionals that I've worked with are usually just glorified dashboard readers. They don't really understand the content they're pushing, they just see number go up, and that is either bad or good, and always a priority. There are some good ones out there but my expectation is pretty low. I've only met three security professionals worth their weight in close to 18 years.
Coder3346@reddit
Have you worked with penetration testers? I think these people are the real sec deal.
homeless_wonders@reddit
Most of them just run scripts to test, and red teams usually just social engineer their way into things. I stand by what I said. I've worked at some major tech companies too, including Crowdstrike. I've only ever met three people that were worth anything.
tenbre@reddit
Yeah, you can't understand things deeply until you're the one implementing the controls and fixing shit when it breaks something, and still trying to keep to the spirit of the control while maintaining business operations.
And then the sysadmins know of other workarounds anyway.
Coder3346@reddit
Yes, there are a lot of cheap pentesters. Real ones stay up nights trying to find complex issues. But of course I respect your huge experience 🙃 I am still new in the job world and have already found lots of glorified theoretical people.
homeless_wonders@reddit
Sure, real hackers know shit, and real engineers know shit too, but that doesn't really shape the market, and you'll find more people who use fluff to work their way into these positions than actual skill. Good security teams exist, but there are definitely, at least in my experience, more that don't know anything.
I think it's the same with developers not knowing hardware or how OSes work. Good developers exist, but the majority you meet don't know hardware, and it's just a shame.
But what it means, at least from my perspective, is if you are good at security, know how systems work, and know how to code you should have no problems entering the field, because there's a pretty big need.
Coder3346@reddit
Yes, knowing the sysadmin work helped me a lot. I deployed a home lab with a VPN (netbird), load balancer/reverse proxy, and internal domains using Docker and Ansible... and that alone made a huge difference in how I see security, how I make practical recommendations, etc. The problem is that lots of people learn cybersecurity without learning computers.
Komputers_Are_Life@reddit
This 100%. I had to explain to one of my level 1 techs why his buddy who works in cybersecurity has no idea what an SFP port is or does.
Almost everyone I know that works in cyberSec could not troubleshoot their way out of a cardboard box.
Not to say there are not good ones out in the world; I have just never met one.
Puzzleheaded-Sun8022@reddit
99% of them are unable to calculate a subnet mask in their head
ninadpathak@reddit
BISO role is still finding its shape in most orgs. Good ones bridge the gap between security team language and business risk language — translating CVSS scores into what it would actually cost if the exploit landed. Rare combination.
rambo_ram@reddit
Damn, kinda hurt seeing our reputation this bad in the sub. It's not unfounded though, I mostly agree and I think it's just the infosec industry is still KINDA in its early stage.
Youngins without experience basically became security professionals overnight - this was me when I became a soc analyst out of school and now I'm a Sr manager of security ops after 9 years🙃
teddyphreak@reddit
This is in no way limited to 'youngins' though. I've dealt with plenty of Sr Security people with 10+ YOE that fit the exact description from OP.
rambo_ram@reddit
I believe you. I'm one of them
tfm217@reddit (OP)
Yeah that's fair. To be clear, I don't mean to insinuate that there aren't good ones out there. I've appreciated a few in other Infosec roles, but I don't know this person's specific role too well.
This is just my struggle at the moment with this particular person, and I wanted to see what others' experiences were.
rambo_ram@reddit
Nah but that's a dumb biso without other context lmao
tfm217@reddit (OP)
Unfortunately that's the maximum level of context I can describe the experience with him lol. It's also other admins / engineers experience from what I can gather, but I'm sure nobody really knows what he's supposed to be doing, which I realize is a very sad state of affairs.
rambo_ram@reddit
Can't say I haven't worked with similar folks. Who knows, maybe I'm one of those too. But to be clear this is not exclusive to cybersecurity.
phoenix823@reddit
A good BISO would review the content of the scanning tools with you, help develop plans where immediate prioritization is crucial (i.e. shut off RDP to the internet this second) vs. important (hey, why is server XYZ consistently not getting patched?). They should help with the coordination of larger projects like plans to eliminate end-of-life software like Windows 2012 or old versions of SQL. That's got to be coordinated with the development teams. They should also help plan, schedule, and communicate the need to clean up old accounts that aren't in use, cycle passwords for privileged accounts, plan the implementation of InfoSec tools like PAM/IGA, help track audit findings requiring remediation, build and review the risk register, shit like that.
tfm217@reddit (OP)
Oh man we're so far away from most of these particulars. I recognize that this is largely an organizational maturity problem
phoenix823@reddit
Yeah the Info Risk Officer in my last job was like yours. I became the informal “BISO” but sat on the IT side. It’s a (bad) IT/InfoSec misalignment. None of those items should be controversial.
Coder3346@reddit
Most security top managers suck. They don't know shit about the technicalities (;
Duck_Diddler@reddit
We’re just making up titles at this point
R0B0t1C_Cucumber@reddit
I transitioned from infra to ISO... It is nothing like that... I talk our technical teams through our requirements while they're considering design or purchase, train people, update policies, run security audits on things that stick out, keep compliance certificates up to date, etc. There's a lot to the role, but I assure you spamming people with raw CSVs is far from normal.
tfm217@reddit (OP)
Thanks for this. What sticks out here is the requirements / design discussions. This would actually be useful if we could get assistance in these types of areas.
R0B0t1C_Cucumber@reddit
Yeah, it's one of the nice integrations we have and it's a good relationship - we never tell them what products to use, only what security objectives need to be met and at times give suggestions. If all goes well I'll see them in 2 years for a regular quick checkup on compliance.
SysAdminDennyBob@reddit
Yea, every place now has one low-end security lackey that just scans devices and dumps the CVEs onto whatever team does the patching. Very common. You kind of need to push back on some of the false positives and train that person to do some filtering. We had a guy that would scan and send me tasks on CVEs that were a day old. I had to train him on how the patch process worked. We patch very aggressively, but we only run that process once a month. Once I lock down my patch package, I don't add to it again until next month. I had to keep asking them "so, do you want to escalate this Edge patch as a zero day? Are you really going to go argue that with Change Control every 5 days?"
That role can help you find your gaps in patching applications, it has merit. It helped me to justify buying PatchMyPC to more quickly cover my product gaps. I used that guy to make the Security team cough up budget for my team.
Hotshot55@reddit
Why don't you ask him instead of the internet?
Tr1pline@reddit
Never heard of that role.
macemillianwinduarte@reddit
Sounds like a security person lmao. Don't expect anything from him