Today’s CISOs are no longer just defenders of infrastructure; they’re strategic business enablers.
As cybersecurity becomes inseparable from enterprise risk and digital transformation, the CISO is increasingly expected to align security initiatives with broader business goals, influence boardroom decisions and drive innovation.
Olivier Busolini, group CISO at UAE-based Mashreq Bank, spoke at the Gartner Security & Risk Management Summit 2025 about his approach to transforming the information security function and ensuring it is a key stakeholder within the business.
In conversation with Infosecurity, Busolini described how he has worked to revolutionize the information security framework at Mashreq and how the remit and role of a modern CISO is changing.
With 25 years’ experience in cybersecurity, Busolini also discussed the need for a newer role, the business information security officer (BISO). He explained how this position can be integrated and developed over time to be a vital partner between business and cybersecurity.

Infosecurity Magazine: What are some historical challenges cybersecurity practitioners face within their current cybersecurity frameworks?
Olivier Busolini (OB): A decade or more ago, cybersecurity was largely understood as a technical discipline and often placed under the umbrella of IT. It was simply seen as another technology shop. Over time, especially in banking, that thinking has shifted.
Now, when we talk about “cybersecurity frameworks,” we mean frameworks with strategic purpose. Yes, technical controls remain essential, but they are enablers of higher-level objectives.
What we deliver now is not just protection, but the ability to empower the business. The old image of the CISO as the person who says “no” is no longer acceptable.
Despite this being a topic of conversation for the last couple of years, the real challenge is how we implement this change.
It isn’t enough to pitch “security as an enabler” to the board; the real test lies in embedding that mindset in operations, decision making and business relationships every day.
IM: At the Gartner Summit, you spoke about your journey to revolutionize the information security framework at Mashreq. What does revolutionizing this framework look like and why was it necessary?
OB: At Mashreq, our revolution began with a rearticulation of our security mission: from guardian to enabler. We had a pivotal turning moment when a business unit’s critical initiative involved regulatory assessments and security was part of that evaluation. The regulator’s stance was clear: follow the security requirements and your initiative gets regulatory validation.
That moment was transformational. Information security at Mashreq is seen as integral to business success and a critical stakeholder in transformation.
IM: How has this process made you rethink the role of the modern CISO, if at all?
OB: Having worked in cybersecurity for 25 years, I often reflect on where my work had the most meaningful impact. I started as a penetration tester, a niche technical role. Later, I moved into governance and policy, working with frameworks like ISO 27000. Both in consulting and in earlier CISO roles, I saw how limited the impact is if security remains detached from the business.
When I became a CISO around 2008, we realized the need to build technical maturity like proxies, encryption, perimeter controls and so on. Fundamental, yes, but I gradually realized that being effective meant working closely with developers, technology and relationship managers. It meant understanding who needs which data, when and why.
Over time I understood that knowing the business, the vision and strategy is as important as knowing technology and threats. Compliance is a necessary baseline, but it won’t drive growth.
So, my next question to myself was, ‘How can I be more impactful for the benefit of the organization?’ And the answer was by getting closer to the strategic initiative and transformational strategies at their origination. This is why I was at the Gartner Summit talking about enabling the business, giving executives the tools and knowledge to be risk managers as well as businesspeople.
The reason I find this job so interesting today is that we are helping build trust and resilience not simply by deploying tools, but by co-constructing the organization’s strategy, aligning security operations and enabling business people to make informed decisions and reach out to the CISO organization when they face risks they aren’t comfortable handling alone.
IM: You have previously written about the importance of the role of business information security officers (BISOs) in elevating accountability for cybersecurity risks across the wider business. What advice do you have for CISOs to develop this role and how can they work effectively with the BISO?
OB: In an ideal model, a BISO has substantial business leadership experience, say two-thirds of the role in business leadership, and then develops sufficient cybersecurity knowledge. That balance allows them to understand both domains, articulate security risk to business stakeholders, and foster accountability. The reality is there’s a journey to this level of maturity, and you will probably need to start the journey differently.
At Mashreq, we’ve approached this in stages. We launched a BISO initiative in a willing business line for a 12-month pilot. We defined a job description: initially the role is heavily (80%) security focused, with about 20% business. Over time, as the person grows into the role and the organization matures, we shift toward a 50/50 split. The goal is to build someone who is first a business leader but well-versed in risk and cybersecurity.
This person becomes an ambassador for security, helping their business line see security not as an external imposition, but as part of their own responsibility. We also must enable the business with knowledge, tools, frameworks and telemetry so that they understand their risk posture and can take on more of the risk management responsibility themselves.
For example, we have new AI tools coming into the bank, and we need to help the business understand the key risks with this technology. We also need to look at our preparedness related to quantum computing. That’s not a risk for tomorrow, but we need to understand where we are today, and what our strengths and weaknesses are in terms of our cryptographic maturity.
IM: Could you tell us about the ‘Zero Based Budgeting’ funding strategy you have employed at Mashreq? What has been the reaction of the board and wider business to this approach?
OB: Zero-based budgeting is one of the tools we use to avoid simply extending the previous year’s plan. Although there is continuity in programs, every year, before preparing the budget, we assess where we are now, what has changed, both in the threat landscape and in the strategic orientation of the bank, and whether our plan remains relevant.
We may carry over some ongoing costs, like license renewals, but otherwise we frame our budget as a fresh projection: what do we need given the current threats, regulatory requirements and strategic priorities? This often means introducing or scaling new streams (for example, assessing quantum risks) rather than simply maintaining the status quo.
This can be challenging because sometimes people are comfortable with the same plan. But threats evolve and this must be recognized in the budget. Apart from contractual continuation from the previous year, show what you need and make sure you are prioritizing what you need.
The reaction from the business partners and the board has been very positive. The board and business partners appreciate that risk evolves, and that budgeting must adapt. They welcome the discipline because it promotes transparency and ensures that resources are allocated to what matters most, not just what was done last year. This is also an approach the bank is adopting outside of cybersecurity.
IM: What are your biggest successes in cybersecurity today?
OB: Reflecting on the last 25 years in cybersecurity, I realize that 25% of the tools being used in the industry are the same as those being used in 2005. I see huge opportunity here.
IPv4 is still widely used, despite known security limitations. IPv6 has not become the universal standard, showing that progress is slow.
But there are real successes. In banking, we've made digital applications much more secure than they were before. Many of the systems and channels through which customers interact, be it mobile apps or transaction portals, are vastly more resilient.
This means we’ve shifted the threat profile. The technical layers are better defended, more efficient and more transparent, and many attacks now target transaction-level fraud, social engineering and phishing. It is commonly said nowadays that the human being is the weakest link. But we exist to enable humans to bank securely. This is where I believe we still have some work to do: to improve the building of our processes, especially at the human level.
