The CISO Rises: From IT Risk to Board Agenda

18 June 2026

How cybersecurity stopped being an IT problem — and became the defining business risk of our era

When a major Indian enterprise suffers a data breach today, the sequence of consequences arrives with brutal simultaneity. Within hours it is a regulatory matter — CERT-In mandates reporting within six hours of detection. Within a day it is a media story. Within a week it is a customer confidence crisis, a board inquiry, and potentially a legal exposure. The technical containment may be complete, but the institutional damage will run for years. This is the new geometry of a cyber incident: multi-dimensional, fast-moving, and far beyond the reach of any single IT function to manage alone.

The numbers make the case starkly. According to IBM's annual Cost of a Data Breach Report, the average cost of a data breach in India reached an all-time high of ₹220 million in 2025 — a 13 percent increase from the previous year, and a 39 percent rise since 2020. What is particularly telling is where that cost is accumulating. In 2024, the single largest driver of year-on-year cost growth in India was not technical remediation. It was lost business — operational downtime, customer attrition, and reputational damage — which escalated by nearly 45 percent in a single year. A breach is no longer expensive because of what it costs to fix. It is expensive because of what it costs to survive.

₹220M: average cost of a data breach in India in 2025, a 13% year-on-year rise (IBM Cost of a Data Breach Report, 2025)

+45%: rise in lost business costs (downtime, customer loss, reputational damage) in India in 2024 (IBM Cost of a Data Breach Report, 2024)

263 days: average time to identify and contain a breach in India in 2025, down 15 days from the prior year (IBM Cost of a Data Breach Report, 2025)

~1M gap: cybersecurity professionals India needs versus the roughly 500,000 currently available (NASSCOM / BW Security World, 2025)

The regulatory floor is rising — fast

India's regulatory environment has permanently changed the calculus for enterprise technology leaders. The Digital Personal Data Protection Act places explicit, enforceable obligations on data fiduciaries, with penalties that are material rather than symbolic. The RBI's IT governance framework and its guidance on cyber resilience have raised the bar for financial institutions beyond anything that compliance checklists can address. SEBI's cybersecurity directions mandate defined incident response protocols, board-level oversight, and annual third-party audits for listed entities. The message from every regulator is identical: cyber risk is governance risk, and governance lives at the top of the organisation.

AI has changed the threat landscape irrevocably

The rise of generative AI has done two things at once, with equal force. It has made defenders more capable — faster anomaly detection, more intelligent threat identification, better-informed response. And it has made adversaries significantly more dangerous. Attacks that once demanded sophisticated, well-resourced teams can now be engineered, personalised, and launched at scale. Phishing has become indistinguishable from legitimate communication. Deepfakes are being used to impersonate executives and authorise fraudulent transactions. Supply chain compromise — exploiting vendors, APIs, and third-party integrations — is now among the top three attack vectors in India, responsible for 17 percent of breaches, according to IBM's 2025 report.

"Only 37% of Indian organisations have AI access controls in place. Nearly 60% have absent or early-stage AI governance policies — even as AI is being rapidly embedded across their operations."
— IBM Cost of a Data Breach Report, 2025


The CIO's evolving role

For India's technology leaders, this shift demands something more than technical adaptation. It requires a fundamental change in posture — from technology manager to enterprise risk strategist. The CISO who can only speak the language of vulnerabilities and patches has already fallen behind. The one who can translate threat landscapes into board-level risk language, who can build a security architecture that enables the business rather than constraining it, who understands that resilience is a design principle and not a product — that is the leader this moment is asking for.

There is a compounding challenge here that rarely gets the attention it deserves. India currently has a shortfall of approximately one million cybersecurity professionals against what its digital economy requires, according to NASSCOM estimates. Organisations operating without adequate security teams face data breach costs that are, on average, significantly higher than their well-staffed counterparts. The talent gap is not just an HR problem. It is a systemic risk that makes every other vulnerability harder to manage.

What good looks like

The organisations getting this right share a common characteristic: they have stopped treating security as a layer applied on top of their operations, and started treating it as a principle designed into them. Zero-trust is not, for them, a product they have purchased. It is a philosophy they have institutionalised — across identity management, data architecture, vendor relationships, and board reporting. Their CISOs sit at different tables. Their boards ask different questions. And when something does go wrong — because in this environment, something always will — they are built to absorb it and continue.

IBM's own data underscores the return on this investment: organisations that scaled AI for security saw their breach costs fall by more than half compared to those that did not. The gap between organisations that have made this shift and those that have not is measurable, material, and widening.

"The organisations that will define the next decade are not the ones that never get breached. They are the ones architected to survive a breach without losing their customers, their regulators, or their nerve."

The CISO has risen to the board agenda. The question is no longer whether cybersecurity belongs in the boardroom. The evidence — financial, regulatory, and operational — has settled that argument. The question now is whether India's enterprise boards are ready to engage with it at the depth and urgency that this moment demands.
