We recently sat down with Myriam Abiaad, BISO at Sky, to explore her journey from “cyber born and bred” technologist to leading BISO, and to understand how this evolving role is reshaping the relationship between security and the business.
We discussed subjects including the BISO as a bridge between cyber and the business, why chasing zero risk can undermine real security outcomes, and how shifting from prevention to resilience is changing the questions that boards should be asking.
How Did You Get into Cybersecurity?
I always say I’m cyber-born and bred. I studied information technology at university, and straight from there, I joined a Big Four firm doing IT security. The discipline evolved into information security, and I moved into my first BISO role. I’ve been doing this for over 13 years now.
I started my career in Luxembourg, and later moved to the UK, where I joined London City Airport before working for Sky.
What Is a BISO, and How Is It Different from a CISO?
A BISO is, in simple terms, a mini CISO. There are two main models. In smaller organizations, one BISO may own the company’s cyber strategy, including policy, governance, tooling, and supplier management, without a large in-house cyber team.
More often, and in larger organizations, we see a hub-and-spoke model: a central cyber function led by the CISO, with BISOs aligned to specific business areas. In that setup, each BISO owns the security posture of a defined slice of the business. The CISO sets strategy, builds capability, and defines controls. The BISO applies that strategy to the real world of delivery, where controls can create friction, fail to scale, or be worked around.
In both models, the role is the same: bridge the cyber and the business priorities. The BISO understands how the business works and shapes cyber services around its goals and risk appetite.
That’s the difference between a CISO and a BISO. The CISO looks upward to the board, the CEO, and executive peers. The BISO looks across the business, into delivery teams, systems, and processes, where security decisions meet operational reality.
Why Does that “Bridge” Role Matter?
Because without a bridge, when you just do a tick-box compliance type of cyber strategy, you’re at risk of becoming a gate blocker. When that happens, the business will find a way around you.
The job of a BISO is to understand what matters: the key people, systems, data, and processes that deliver value. From there, you can define what cyber risk really looks like in context.
If a control is getting in the way, you don’t just enforce it, you challenge it. You ask whether it’s achieving the intended outcome, or whether it’s pushing risk somewhere else.
I’ll say: how about I get rid of that control for you, but here’s where we’ll put a control that actually works.
It’s about bringing both sides (cyber and business) to the same level of understanding. Translating risk into something actionable. Making security something that enables, not something that obstructs.
What Does a BISO Actually Do Day to Day?
At a high level, it’s about maintaining a consistent view of cyber posture for the business.
Every month, I’ll come and say: these are your metrics; this is what’s new in cyber, and these are the things your teams are struggling with. That’s the baseline.
Behind that, there’s constant engagement with engineers, cyber subject matter experts, and business leaders. You become the escalation point for anything that doesn’t quite work. One-off issues get fixed quickly.
But patterns matter more. If we see the same problem over and over again, it means a process is broken. That’s where the real value comes in, identifying systemic issues and working with technology owners to fix them at the root.
It’s less about enforcing controls, more about diagnosing friction and redesigning how security fits into the way the business operates.
What Habits Hold Organizations Back?
One of the biggest is the pursuit of zero risk. Some companies have a risk appetite of zero, and that makes things worse.
In their bid to achieve total prevention, businesses invest all their energy into making sure that all threats are prevented. They do not invest enough in detecting, responding to, and recovering from threats.
The only way to have zero risk is to unplug your computer from the internet, and companies aren’t ready to do that.
At some point, “good enough” has to be accepted. The focus needs to shift from trying to stop everything, to being ready when something inevitably gets through.
Where Should Organizations with Limited Budgets Focus?
First things first. I don’t begin with vulnerability scanning; I start with a penetration test or adversary simulation. That’s because all I want to know is what the attacker sees.
Where can they go? What can they access? And crucially, can you detect them?
If there’s a gaping hole, that becomes the priority. If there isn’t, you’ve learned something just as valuable. From there, the question isn’t just whether you can fix the issue, but whether you can detect, respond, and contain it if you can’t.
It’s a far more direct way of understanding risk than working through long lists of theoretical vulnerabilities.
What Should Boards be Asking about Cybersecurity?
The wrong question is still the most common one: “Are we protected?” The better question is: “How quickly can we detect, contain, and recover?”
This turns the focus from prevention to resilience. If the board asks if we’re protected, I say: you’re talking to the wrong person. Security isn’t about guarantees, but about response.
The metrics that matter reflect:
Mean Time to Detect (MTTD)
Mean Time to Contain (MTTC)
Backup restoration test results
Incident simulation outcomes
These are the indicators of whether an organization can withstand an attack, not just attempt to prevent one.
What Does Resilience Look Like in Practice?
At its core, resilience is about continuity, about what happens, and whether you can continue operating. Sometimes that means falling back to manual processes, which is not necessarily a failure.
A good example is an airport whose flight display screens were down, showing the “blue screen of death.” They had to resort to using flipboards, yet flights continued to operate on schedule. It may be inelegant, but it worked. This is resilience.
Contrast that with organizations that lose core systems (like payroll) and can’t operate for weeks. If you can’t pay your employees, that’s a problem.
Resilience isn’t about perfection. It’s about knowing what matters, your “crown jewels”, and ensuring those functions can continue, even in degraded conditions.
What Role Do People Play in Resilience?
A critical one, and often overlooked. In major incidents, it’s not just systems under pressure. It’s people. It’s all hands on deck, but that doesn’t mean someone works 24 hours a day for a week.
Without proper rotation, fatigue sets in, which leads to mistakes. Resilience plans need to account for that. Do you have enough people? Can you rotate teams? Do you have support on retainer?
Because ultimately, security isn’t just about technology. If people burn out, they will make mistakes.
What Keeps a CISO Up at Night?
Interestingly, it’s not always the attacks themselves. CISOs are accountable for everything, but they don’t control everything.
Infrastructure sits with IT. Budgets sit with finance. SaaS decisions happen across the business. HR controls disciplinary processes. Yet, when something goes wrong, the CISO is the one held responsible.
They have the drum, but they don’t necessarily have the stick.
That tension, of accountability without control, is the core challenge of the role. It’s exactly why the BISO function exists: to bridge the gap between strategy and reality, control and execution, and between what security intends and what the business actually does.
Meet Our Thought Leaders
Fortra® subject matter experts share their real-world experiences, offer practical tips, and help organizations navigate the cyber threat landscape.