Indian enterprises must shift from vulnerability management to exposure management to secure evolving digital ecosystems.

Managing Director and Country Manager
Tenable India
As India’s digital economy accelerates, so do its cybersecurity challenges. From AI adoption to hybrid cloud complexity, organizations are grappling with an ever-expanding attack surface. In this exclusive interview with CISO Forum, Rajnish Gupta, Managing Director and Country Manager at Tenable India, discusses how Indian enterprises must shift from traditional vulnerability management to exposure management—a proactive approach to identifying, prioritizing, and mitigating cyber risks. He also shares insights into Tenable’s latest innovations, sector-specific trends, and how CISOs can better translate technical risks into boardroom language. For security leaders navigating AI, cloud, and compliance, this conversation offers timely and practical perspectives.
CISO Forum: What are Tenable’s strategic priorities for the Indian market over the next few years, especially in light of the region’s rapid digital transformation?
Rajnish Gupta: As Indian organizations accelerate their digital transformation initiatives and prepare for increased regulatory pressures, there’s a need to transition from traditional vulnerability management to exposure management, gaining context to make more informed decisions and proactively secure their expanding attack surfaces.
Following Tenable’s acquisition of Vulcan Cyber, to reinforce its commitment to leading the exposure management market, Tenable announced powerful new enhancements to its flagship platform, Tenable One, with the introduction of Tenable One Connectors and customizable risk dashboards.
With third-party data connectors, organizations unlock a contextualized view of all their security risk data in one place, regardless of the security products they use. Tenable One addresses the complexity of scattered data and operational efficiencies by consolidating exposure insights from both native and third-party tools into a unified, contextual view, transforming fragmented data into business-aligned intelligence.
CISO Forum: With India’s data protection laws evolving, how should organizations adapt their cloud and data security strategies to remain compliant while staying agile?
Rajnish Gupta: Data remains central to today’s business operations, especially with the widespread adoption of AI technologies, which is leading organizations to store exponentially greater volumes of data in the cloud.
While cloud providers offer significant security features, these may not always be optimally suited to every customer’s specific security requirements. Furthermore, the connectivity between cloud environments and a company’s on-premises IT systems can create an attractive entry point, allowing hackers to access the entire organizational infrastructure.
Organizations should introduce a well-designed ‘exposure management’ approach to cybersecurity, that is, identifying, assessing, and then addressing the security risks they are exposed to. Tenable sums this up in three words: ‘Know, expose, and close.’
The “know” phase involves understanding cloud resources to pinpoint potential security vulnerabilities. To deliver tangible value, the “expose” phase assesses, prioritizes, and aggregates cyber risks, enabling organizations to concentrate on their most critical issues. Finally, the “close” phase offers the necessary tools and processes to address, mitigate, and resolve identified security problems. This approach goes beyond mere knowledge provision, enabling organizations to address their security challenges efficiently.
CISO Forum: From your conversations with enterprise CIOs and CISOs, what are the most pressing cybersecurity challenges they are grappling with today?
Rajnish Gupta: One of the biggest concerns for CIOs and CISOs today is the widening gap between adopting new technologies and having the proper security measures in place to protect them. Technologies like AI and cloud computing are transforming how businesses operate, delivering unmatched speed and efficiency; however, security is struggling to keep pace with this evolution.
Tenable’s Cloud AI Risk Report 2025 found that cloud-based AI is especially vulnerable to misconfigurations that can expose sensitive data, models, and services to manipulation or leakage. As AI tools become more integrated into everyday business operations, these weaknesses can trigger cascading risks across an organization. What is particularly alarming is that most businesses have only addressed a fraction of their AI-related vulnerabilities, leaving critical assets exposed, as the report highlights.
Security teams are also dealing with fragmented visibility due to the rise of multiple siloed tools, making cloud detection and response more difficult than ever. That is why CIOs and CISOs are now shifting focus toward exposure management strategies—ones that go beyond traditional vulnerability management. They’re looking for approaches that help them proactively identify, understand, and mitigate risks, not just in cloud infrastructure but also in the AI systems that increasingly power innovation and decision-making.
CISO Forum: How is Tenable adapting its product portfolio to address the unique security needs of hybrid cloud environments every day in Indian enterprises?
Rajnish Gupta: Tenable Cloud Security is a unified cloud security (CNAPP) solution that simplifies the identification and remediation of risk across multi-cloud and hybrid environments, from code to cloud. Security teams can enhance visibility by gaining an end-to-end inventory of cloud assets, including VMs, instances, containers, Kubernetes, Infrastructure as Code (IaC), images, and identities, and identifying misconfigurations, vulnerabilities, and excess privileges from a single view. They can prioritize risk by identifying toxic combinations that pose the greatest threat, leveraging Tenable Research’s knowledge base for advanced prioritization that understands asset, identity, and risk relationships. This allows teams to pinpoint exploitable combinations and access detailed intelligence for corrective action.
Finally, Tenable Cloud Security enables cost-effective scaling by consolidating tools, streamlining workflows with step-by-step remediations and automation, and enforcing consistent policy from code to cloud. It facilitates compliance reporting with industry benchmarks, frameworks, and regulatory requirements across cloud and on-premises environments.
CISO Forum: In the context of AI-driven environments, what are some of the most underestimated or overlooked cloud security risks that SaaS enterprises should be aware of?
Rajnish Gupta: Cloud and AI are undeniably transforming the way businesses operate for the better. But they also introduce complex cyber risks when combined. The most overlooked aspect of the cloud is the toxic trilogy of critically vulnerable, overly privileged, and publicly exposed cloud assets. Nearly 4 in 10 organizations have toxic combinations in their environments. Tenable’s recent report found that approximately 70% of cloud AI workloads contain at least one unremediated vulnerability. Adding to the complexity are JENGA®-style cloud misconfigurations in managed AI services.
With 77% of organizations having the overprivileged default Compute Engine service account configured in Google Vertex AI Notebooks, all services built on it are at risk. Organizations also overlook blocking public access to AI training buckets. Overly permissive buckets are an open invitation for threat actors to poison AI training data.
The shared responsibility model in the cloud requires organizations to secure cloud workloads. Yet, many still don’t change default configurations. This means that publicly exposed and overly permissive accounts can be easily compromised, granting unauthorized access, which could result in the potential modification of all files on it.
CISO Forum: How do you see the role of AI and automation evolving in the context of vulnerability management and threat detection?
Rajnish Gupta: Vulnerability management is no longer enough to defend against the modern attack surface. With thousands of vulnerabilities emerging daily and rated as critical, it’s challenging to remediate every one. AI and automation are pivotal in cutting through the noise to help security teams understand the context behind risk relationships and prioritize remediation of vulnerabilities that pose the most significant risk to business continuity. This is exposure management, and Tenable is already leveraging AI and automation, enabling organizations to proactively address cyber risk.
Tenable One now features a vast and rapidly expanding ecosystem of out-of-the-box Connectors, enabling seamless integration with widely used third-party tools for endpoint detection and response (EDR), cloud security, vulnerability management, operational technology security, ticketing systems, and more. With new Connectors launching throughout Q2 2025 and beyond, Tenable unifies security data across the enterprise, delivering a comprehensive and actionable view of organizational risk.
At the core of the platform is the Tenable Exposure Data Fabric, a scalable, cloud-native architecture that ingests, normalizes, and connects data across the security ecosystem. This foundation powers Tenable ExposureAI, the platform’s machine-learning engine, which surfaces toxic risk combinations and hidden attack paths and prioritizes actions based on their potential business impact.
New unified risk dashboards further elevate the platform’s impact. Designed to eliminate time-consuming manual reporting, these dashboards offer fully customizable views that align with specific business roles and priorities. With flexible report configurations and powerful visualization options, security teams can deliver insights and communicate risks faster and with greater business impact.
CISO Forum: What industries or sectors in India are showing the most maturity or urgency when it comes to adopting advanced cybersecurity solutions?
Rajnish Gupta: In India, the BFSI sector leads in adopting advanced cybersecurity solutions driven by stringent regulations such as RBI mandates and the sensitive nature of financial data. The healthcare sector follows closely, driven by a surge in ransomware attacks, with a 21.82% share of cyber incidents expected in 2025. IT and telecom also show urgency, as the expansion of 5G, cloud adoption, and IoT significantly increases attack surfaces. The rising threat from nation-state actors has led the government and defense sectors to prioritize cybersecurity, with initiatives such as the National Cybersecurity Strategy enhancing resilience.
Manufacturing is maturing rapidly in India, with organizations integrating IoT security to protect supply chains. These sectors are leveraging AI-driven threat detection and automation to address vulnerabilities proactively. But there’s still work to be done. Despite adopting advanced security tools, many organizations struggle with tool sprawl and data silos, leaving security teams to crunch spreadsheets instead of proactively addressing security gaps that pose the most significant risk. This approach must change if India’s critical infrastructure organizations want to get ahead of threat actors.
CISO Forum: As cybersecurity becomes a board-level priority, how can security leaders better communicate risk in business terms to the C-suite and board members?
Rajnish Gupta: To effectively communicate cybersecurity risks to the C-suite and board, security leaders must translate technical risks into business impact, focusing on revenue, operations, and reputation. Tenable found that only 3% of vulnerabilities pose significant business risk, reiterating that high-impact exposures need prioritization. Using exposure management, security leaders can unify data from siloed tools, providing a clear view of critical risks and their potential financial or operational consequences. Contextualizing risks in terms of business metrics enhances decision-making. Security leaders should use clear KPIs, such as Vulnerability Priority ratings, to benchmark progress and align with business goals. By speaking in terms of financial impact, CISOs can better communicate risk and secure board support.