According to Infosecurity Magazine, Mashreq Bank’s CISO has redefined the security leadership role since 2008, shifting it from basic technical controls to strategic business enablement. The bank is implementing a staged BISO (Business Information Security Officer) program that starts at roughly 80% security focus and evolves toward a 50/50 split between security and business leadership. It also uses zero-based budgeting, which forces fresh justification of security spending every year rather than simply extending the previous budget. The board has received the approach positively because it shows how security spending tracks both the evolving threat picture and the business strategy. After 25 years in cybersecurity, the CISO notes that about 25% of the tools in use remain unchanged since 2005, highlighting both progress and stagnation in the industry.
The real shift isn’t about tools
Here’s the thing that struck me about this interview: we’re finally seeing CISOs talk about what actually matters. For years, security leaders were basically glorified IT managers focused on buying the next shiny firewall or intrusion detection system. But this CISO gets it – the real value comes from understanding business strategy, not just technical threats.
And that BISO concept? It’s brilliant but honestly pretty rare in practice. Most organizations still treat security as something that happens “over there” in the IT department. The idea of developing business leaders who also understand security risk is the holy grail. But let’s be real: people with both substantial business leadership experience AND cybersecurity knowledge are unicorns, which is exactly why the staged model matters. You don’t hire a 50/50 BISO off the market; you start someone at 80% security and grow the business half over time.
Zero-based budgeting sounds great, but…
Now, zero-based budgeting for security? That’s both brave and potentially risky. On one hand, it forces justification of every dollar and prevents security teams from getting lazy with “this is how we’ve always done it” thinking. The board apparently loves the transparency, which makes sense – who wouldn’t want to see exactly what they’re paying for?
But here’s my question: does this approach risk underfunding foundational security that has no immediate, obvious ROI? Patch cadence, backups and restore testing, log retention, MFA coverage: none of these map neatly to a strategic initiative, and none of them get cheaper or less necessary because the board didn’t hear about them this year. A control that has quietly prevented incidents for a decade is the hardest line item to defend in a zero-based review, precisely because its success is invisible. I worry that in the rush to fund quantum computing preparedness (a legitimate concern for data that must stay confidential for many years, given harvest-now, decrypt-later collection, but not the attack most organizations will face this quarter), we might neglect the phishing attacks happening today.
We’re still failing at the human level
The most honest part of this entire interview comes at the end. After 25 years, the CISO admits that while technical defenses have improved, attackers have simply shifted to targeting humans through social engineering and phishing. We’ve built better digital fortresses, and the attackers responded by tricking the people inside into opening the gates.
Basically, we’ve spent billions on technology but still haven’t figured out how to make the human a reliable control, or how to design systems so that one deceived employee can’t open every gate at once. That’s where the real work remains: less in the next awareness campaign, more in making the inevitable click survivable. The tools from 2005 are still relevant because the fundamental problems haven’t changed; we’re just playing whack-a-mole with different manifestations of the same issues.
So where does that leave us? This CISO’s journey from technical implementer to strategic partner is exactly what the industry needs. But we’ve got to be honest about how hard this transformation really is. Building security into business DNA requires changing decades of organizational habits – and that might be the toughest security challenge of all.
