What’s the logic behind companies hiring for BISO (Business Information Security Officer) roles instead of a CISO role? Is it because they don’t want to dilute power in the C-Suite, don’t prioritize security at the right level, or is there some other reason?

CEO in Services (non-Government), 4 years ago

I see the logic in a large enterprise having both roles. The Business Information Security Officer would present the existential threats to the corporation as dictated by the market from competitors, customers and suppliers as the outside-in view, while the CISO role is focused on the inside-out view.

CEO in Services (non-Government), 4 years ago

Jurisdiction and expertise/experience is the short answer for why hiring a BISO to complement a CISO makes sense.

From what we've seen, the motivation for hiring one or more BISO roles is based on subject matter expertise from a specific jurisdiction (geo) or business domain.

It's largely to complement the CISO role with needed expertise (law, regulatory), focused on "content and context" and the need to secure data which may or may not be owned by the company.

We often forget "who owns the data?" is still a question for many organizations.

The BISO may address the what, why and when questions, and the CISO develops the how. In tandem, both reduce risk and potential liabilities upstream and downstream.

No title, 4 years ago

However, without assigning data ownership, confusion occurs and accountability is blurred. This is an area where organizations can improve their data governance and follow a well-defined data life cycle process.

Director Certifications in Education, 6 years ago

I suspect it is because a lot of CISOs do not work with the business to help them solve security issues, but rather stick with the strict security policies in place. The BISO helps the business find alternative ways to carry out their business processes while complying with security policies. They (BISOs) simply get a better understanding of business issues involving security and how best to solve them.

IT-chef / Director IT in Energy and Utilities, 6 years ago

While there may be many reasons as to why/why not (logic or power), my experience is that today, while system/digital development is extremely fast, system and information security is lagging behind. This has an impact on both large and small corporations: while a large corporation may have, over time, a solid governance defined by the old IT legacy, smaller companies may have neither a CISO nor a BISO.
Either way, there is a change! If a CISO already exists with the old domains of expertise, a BISO may be needed to strengthen the overall security road map, which is desperately needed. If a CISO doesn’t exist but there is a CIO (small company), I would recommend acquiring the operational expertise reporting to the CIO.
In some cases there is a maturity factor to take into account: being aware of the speed of change in the digital/tech transformation and safeguarding ANY information security. The company should be aware of and responsive to this security need, and hopefully there should not be an issue of power, as the focus should be the health of the company. That’s my humble opinion and logic.

CIO & SVP, Strategy & Innovation, Customer Engagement, and Retail Analytics in Retail, 6 years ago

While there could be a number of reasons for this, could it be that there is a perception that the CISO in some organizations has become the king of NO?

The role, from our business partners’ perspective, should be focused on how we can meet their needs rather than why we can’t help them achieve their goals.
