According to Infosecurity Magazine, Mashreq Bank’s CISO has completely transformed the security role from technical implementation to strategic business partnership since taking the position around 2008. The bank has pioneered a Business Information Security Officer (BISO) program that starts with an 80% security focus but evolves to a 50/50 split between security and business leadership over a 12-month pilot. They’ve also implemented zero-based budgeting that requires justifying security spending from scratch each year rather than simply extending previous budgets. The approach has gained positive reactions from both business partners and the board, who appreciate how it aligns security with evolving threats and strategic priorities.
From Tech Manager to Business Strategist
Here’s the thing about cybersecurity leadership – it’s been undergoing a quiet revolution. For years, CISOs were basically glorified IT managers focused on firewalls and encryption. But this interview shows how the role has fundamentally shifted. The Mashreq CISO realized early on that knowing the business vision and strategy was just as important as understanding technical threats. Compliance became the baseline, not the goal. So instead of just saying “no” to risky initiatives, they’re now co-constructing strategy from the beginning. That’s a massive cultural shift that many organizations still haven’t made.
Building Business-Security Hybrids
The BISO concept is particularly interesting because it tackles one of security’s biggest challenges: the business-security gap. Most security teams speak technical jargon while business leaders speak revenue and growth. The Mashreq approach basically creates translators – people who understand both domains deeply. Starting with an 80% security focus makes sense because you need that foundational knowledge. But gradually shifting to 50/50 ensures they remain credible business leaders rather than just security people in disguise. I wonder how many organizations are willing to invest this much time and resources into building these hybrid roles though.
Zero-Based Budgeting Reality
Now let’s talk about the zero-based budgeting approach. This is where many security leaders would get nervous. It’s so much easier to just roll forward last year’s budget with a small increase. But threats don’t stand still, so why should security budgets? The Mashreq method forces them to constantly reassess what’s actually needed versus what’s just comfortable. The positive board reaction suggests business leaders are hungry for this kind of disciplined thinking. They want to see security spending tied to actual risk reduction, not just maintaining the status quo.
Where We’ve Actually Made Progress
The CISO’s reflection on industry progress is brutally honest. 25% of security tools being the same as in 2005? IPv4 still dominating despite known limitations? That’s pretty sobering. But the successes in banking security are real – mobile apps and transaction portals are genuinely more secure than they were a decade ago. The problem is that attackers just shift their focus. When you harden the technical layers, they go after the human element through social engineering and phishing. So the work never really ends – it just changes form. The goal isn’t perfect security, but enabling businesses to operate securely despite the evolving threats.
