From IT Cop to Business Partner: A CISO’s Evolution

According to Infosecurity Magazine, Mashreq Bank’s CISO has completely redefined the cybersecurity role since taking the position in 2008. The evolution started with basic technical controls like proxies and encryption but quickly shifted toward business integration. The bank now uses a staged BISO (Business Information Security Officer) program that begins with 80% security focus and gradually shifts to 50/50 business-security balance. They’ve also implemented zero-based budgeting that requires justifying security spending annually rather than automatically renewing previous budgets. The approach has gained positive reception from both business partners and the board who appreciate its transparency and adaptability to evolving threats.

From gatekeeper to business enabler

Here’s the thing about cybersecurity – it used to be the department that just said “no.” But this CISO realized that approach doesn’t actually work long-term. The real shift happened when he started asking “How can I be more impactful for the organization?” instead of just focusing on technical controls.

That’s why you now see him at events like the Gartner Summit talking about enabling business executives to become risk managers themselves. It’s a complete mindset flip – security isn’t about building walls anymore, it’s about giving people the tools and knowledge to make informed decisions. And honestly, that’s where the real value is. When business leaders understand risk themselves, they’re more likely to see security as a partner rather than an obstacle.

The business-security hybrid role

The BISO concept is fascinating because it acknowledges that you can’t just drop a technical security person into a business unit and expect magic to happen. The ideal candidate has substantial business leadership experience first, then develops cybersecurity knowledge. But let’s be real – finding people with that perfect blend is tough.

So Mashreq is taking a practical approach with their 12-month pilot program. They start people at 80% security focus and gradually shift them toward that 50/50 balance. It’s basically growing your own talent rather than hoping to find unicorns in the job market. This person becomes an ambassador who helps business lines see security as their own responsibility rather than something being imposed from outside.

Zero-based budgeting reality

Now, zero-based budgeting sounds like one of those corporate buzzwords that makes everyone groan. But in cybersecurity? It actually makes a ton of sense. Threats evolve constantly, so why would you just automatically renew last year’s budget?

The approach means looking at what you actually need given current threats and strategic priorities, not just maintaining the status quo. Sure, you’ll carry over some ongoing costs like license renewals, but everything else gets fresh scrutiny. And honestly, the board apparently loves this approach because it creates transparency and ensures resources go to what matters most right now.

Where we’ve actually improved

Here’s a sobering thought – 25% of the tools being used in cybersecurity today are the same as those from 2005. IPv4 is still everywhere despite its known security limitations. Progress in our industry can be painfully slow.

But there are real wins. Banking applications and transaction channels are vastly more secure than they were. The problem is that as we’ve hardened the technical layers, attackers have simply shifted to targeting humans through social engineering and phishing. So now we’re dealing with the “human firewall” challenge. The work continues, but at least we’re having smarter conversations about where the real risks lie.
