As cyber threats become more sophisticated and health systems diversify their operations, new roles are emerging to close the gap between business needs and cybersecurity imperatives. One such position is the Business Information Security Officer (BISO), tasked with tailoring security strategies to the unique demands of each operational unit. At Michigan Medicine, Ashley Gelisse serves in this role, working to align risk management with the institution’s research, academic, and clinical missions while ensuring cybersecurity measures support productivity rather than impede it.
Gelisse’s position shows how cybersecurity is evolving beyond traditional, centralized models toward a more nuanced, relationship-driven approach that recognizes the complexities of large, federated health systems.
Defining the BISO Role
The BISO role functions as a bridge between cybersecurity teams and business operations, translating technical requirements into practical strategies that fit diverse workflows. At Michigan Medicine, Gelisse liaises between information security leaders and operational units spread across multiple sites and missions. “My role really is to be a liaison with the business side of the organization,” she explained. “We found we were missing that voice of the business.”
This perspective is particularly crucial in environments where applying a single, uniform set of controls can disrupt essential functions. Research teams, for example, often operate under tight grant deadlines, using novel tools or processes that don’t align neatly with standardized compliance frameworks. “What we were doing in terms of assuring, say, the clinical practice, it wasn’t always tuned adequately for the research practice,” Gelisse said. By serving as a translator between security requirements and operational realities, BISOs help organizations manage risk without sacrificing agility.
Customizing Controls Across Varied Risk Profiles
In a health system with both standardized and highly specialized IT environments, treating all departments the same from a security standpoint is impractical. Michigan Medicine’s clinical operations reveal this diversity: while 60% of its clinical IT environment is standardized under shared governance, the remaining 40%—such as radiology—maintains independent IT practices due to specialized tools and workflows.
Gelisse’s team addresses this by analyzing risk tolerance across different groups and adapting controls accordingly. “It’s not necessarily a one-size-fits-all approach,” she said. “Very different needs and use cases, different risks. So part of my role is to help understand those and translate back to the technical teams.” This approach often involves triangulating data from strategic objectives, threat intelligence, and operational priorities to strike a balance between protection and productivity.
Revenue cycle operations provide a case in point. When new threats emerged that required stronger safeguards, Gelisse’s team collaborated with revenue leaders to avoid disruptions that could jeopardize financial targets. “We were able to come up with a solution for them,” she said. “It required us to think differently. It was not a compliance solution.” Such negotiations—focused on both mitigating risk and preserving efficiency—reveal the value of BISOs as facilitators of compromise in high-stakes settings.
Building Relationships Before a Crisis
A central component of the BISO role is relationship-building, often well before any incident occurs. “One of my favorite sayings my boss uses is, ‘There’s no pope of UM Health,’” Gelisse said, highlighting the intentionally federated nature of Michigan Medicine’s governance. To navigate this structure, her team holds regular mission-aligned meetings with leaders across the organization, fostering trust and familiarity in advance of emergencies.
This proactive outreach enables cybersecurity teams to be brought in earli...