In the twelve years since I have been the CISO of Principal®, the company has continued to grow - in size, products, geographies and more. Of course, new opportunities, growth and change also bring new risks. In cybersecurity terms, we have a broad surface to protect and defend. Years ago as I participated in strategic planning with our technology leadership team, it became apparent that business strategies, coupled with innovative technology plans, emerging cybersecurity regulatory requirements and continually evolving cyber threats, would require a different approach to our information security team. My centralized team was well positioned to provide a firm foundation for the enterprise with shared security technology and governance but did not have deep knowledge of each individual business at a granular level. The best way forward would include more integration of cybersecurity leadership in the business areas themselves. The goal was to achieve two-way communication, with business unit leadership gaining a subject matter expert and my centralized team gaining more insight into each business.
For the last six years, we have built an organizational model for managing cybersecurity on a global basis around the role of the business information security officer (BISO). In most business areas, the BISO is a leader of a small team of information security engineers dedicated to serving as a conduit between the enterprise and the business in the region in which they operate. The BISO has a solid line to their business area and brings the business point of view into information security services and governance decisions as part of an overall information security steering group. This team also actively participates in the creation, adjustment and measurement of our enterprise information security strategy, especially in terms of prioritization and investment direction.
Of the six BISOs we have in place at Principal, none do their job in exactly the same way. For example, in our Principal International business unit, the US-based BISO has information security officers (ISOs) in each country to help navigate local regulations, business requirements, operational and strategic security implementations. Our BISO for Principal Global Services in India serves as the local information security leader for all the business conducted there and plays a key leadership role working in partnership with my centralized team in the US. Each of the BISOs have built specific regional and domain expertise including the compliance requirements of their markets or industry.
Six years into the BISO model, it is still a work in progress, but we are confident that it is strengthening our global cybersecurity posture on many levels. Our centralized enterprise information security department depends on the BISOs and their teams, and vice versa. The BISO model is critical to building an effective global cybersecurity program, which is increasingly a competitive differentiator as opposed to simply a necessary expense for regulatory compliance. We consider the BISOs, their team members and the centralized information security team our global information security community. Knowing we all protect the same stock symbol (PFG) helps to bind us to our common mission and strategy.
For a financial services firm with many different business lines all around the world, it is impossible for a centralized information security department to understand all evolving risks and threats at a deep enough level to both protect and enable the entire business on a continuous basis. The role of the Business Information Security Officer (BISO) is to build a bridge between the specific needs and associated risks of the business and the enterprise information security department with its holistic view of the organization’s cyber posture and program. The exact role of the BISO will vary, but in effect they act as a “mini-CISO,” presenting to local boards, building relationships, representing the organization externally, and bringing cyber expertise to business strategy. The BISO model helps us differentiate our cyber program in the marketplace, which is increasingly a competitive advantage to the business.
Insurance products and plan administrative services provided through Principal Life Insurance Co., a member of the Principal Financial Group®, Des Moines, IA 50392. Principal Global Investors leads global asset management and is a member of the Principal Financial Group®. 1236257-072020
© 2023 FS-ISAC, Inc. All rights reserved.
Meg Anderson leads the Information Security & Risk team for Principal Financial in the role of VP-Chief Information Security Officer. She drives information security strategy for the global Fortune 500 company including...Read More
security operations, identity and access management, data protection, governance, risk and compliance. Meg participates on a wide variety of CISO councils, is a Board member of the Financial Services Information Sharing and Analysis Center (FS-ISAC) and is chair of the Strategy Committee of the board. Before the role of VP-CISO, Meg acquired over twenty years of technical and leadership experience in application development. Meg graduated from the University of Iowa with a Bachelor of Business Administration in Management Information Systems.