Dr. Yusuf Hashmi, Group CISO at Jubilant Bhartia Group, highlights how AI is transforming CISOs from security guardians into strategic business leaders driving measurable outcomes.
The chief information security officer role has undergone a dramatic transformation—evolving from a purely technical position focused on network protection to a strategic business enabler driving organizational resilience. As artificial intelligence reshapes every corner of enterprise operations, today’s CISOs must navigate unprecedented challenges: translating cyber risks into board-ready business metrics, implementing AI-powered threat detection, and establishing governance frameworks for rapidly proliferating AI deployments. Dr. Yusuf Hashmi, Group CISO at Jubilant Bhartia Group, offers candid insights into this evolution, revealing why traditional security approaches are insufficient and how forward-thinking security leaders are preparing for an AI-dominated future where measurable outcomes—not just protection—define success.
CISO Forum: In what ways has the CISO role shifted from being technology-driven to becoming a business enabler, and how should CISOs demonstrate measurable outcomes to boards in today’s AI-driven environment?
Dr. Yusuf Hashmi: Due to the significant changes in the ecosystem over the past decade, this role now encompasses a wide range of capabilities. It’s not just about network security. Since the role has evolved, it has become more of a business enabler. CISOs now possess a deeper understanding of business than other IT functions, so they are closely aligned with the business—especially in a structure where cybersecurity is considered a business risk.
Therefore, when it comes to business risk, organizations must consider cybersecurity as a key risk—a core function that enables them to remain competitive. And AI is, of course, the talk of the town now. Every business function is getting AI-enabled. They don’t even need IT intervention when it comes to AI—they are driving these initiatives themselves. Tomorrow, there may be no IT when it comes to AI, because that’s the advantage AI brings to the business.
Hence, the CISO role is crucial for understanding the business, particularly the organizational context, and how these emerging, disruptive technologies fit into the picture. CISOs must translate this into business language and convert it into measurable outcomes. It’s more about outcomes now. Yesterday, I could say that we are safe—but that’s not enough. The board needs to know the measurable outcomes of your cybersecurity investments: what kind of posture you are in, and how you are measuring your performance holistically.
It’s not just about saying, “I’m working the same, I’m responding”—that’s not enough, actually. You need to develop a comprehensive approach to measuring your cybersecurity performance, which will demonstrate your ability to provide a detailed view of the CSO’s function and the team involved. It is essential to measure. The outcome must be achieved. The measure must be there—and that’s how you can improve in the near future.
CISO Forum: In your experience, what separates companies that are just dabbling with AI from those that are embedding it responsibly and securely across their business?
Dr. Yusuf Hashmi: AI is a capability that is very trendy because business professionals frequently discuss it with their peers. A form of peer pressure is emerging in the business world. “The X company is performing this function—hey, look, why are you not doing it?” Then they will come back to the CIO and say, “Look, what are you doing? Other companies are already taking the lead by adopting this AI capability, whether it is JNI or various others—what are you doing?”
That is the time to think it through. From a security perspective, it is imminent that AI will be considered a top business enabler in the near future. Hence, CISOs must prepare their systems in advance, as they won’t have the time to set up traditional controls to manage their AI environment. You must start thinking from that perspective—that tomorrow, if there is a flurry of deployments across multiple functions—and it’s imminent—how would you create your control environment to ensure data is protected, the AI framework we have implemented works, performs ethically, remains unbiased, and continues to safeguard information.
That’s the primary focus, and that’s how you integrate it within the entire organization’s ecosystem.
CISO Forum: We often hear about the need for real-time threat intelligence, but achieving it is another matter. How do you see enterprises in India doing on this front, and what does ‘real-time’ defense really look like in practice?
Dr. Yusuf Hashmi: Threat intelligence is another grey area in the industry, especially in India. People in India don’t consider it a critical area of cybersecurity, which I personally believe it is. This is primarily due to the high volume of false positives originating from various sources. The real question is: how do you actually make these intelligence feeds, whether they’re TAXII feeds or other alerts, actionable?
Because while making them actionable, you have to rationalize, refine, and then apply them. Otherwise, you may take action on something that isn’t needed, or block some IOCs that have no significance for my organization. Therefore, it’s essential to understand threat intelligence, and AI will undoubtedly aid in this process, as vast amounts of data are constantly being processed. There is obsolete data, and there is recent data—it’s a significant challenge with the datasets that get created.
How can I reduce this noise coming from these platforms? That’s the first step. This is where AI will help me reduce the amount of noise that threat intel provides, and then I’ll take subsequent action.
The moment we all realize there’s actionable intelligence coming in, people will definitely look at it more seriously than they have so far with threat intelligence. That’s how you achieve real-time response capability. At this point, I’m unable to make it fully real-time—there’s too much noise coming from these threat intelligence reports that we need to filter out. And then, of course, embed that into my threat detection and response capabilities with automation. That’s what I believe is required.
CISO Forum: If you had to pick one non-negotiable focus area for CISOs preparing for the next five years, what would it be?
Dr. Yusuf Hashmi: Of course, I can’t compromise on the monitoring system. That’s my non-negotiable. I can’t just shut down my detection and monitoring system. In any case, I can’t negotiate on that. I also need to further enhance it in the near future by incorporating AI.
I’m dependent on people to respond, detect, and triage—but how can I enable AI agents to actually reduce that amount of humans in the loop, right? That’s something I can’t compromise on. I have to adopt the newest technology in the near future, which I can’t negotiate. I cannot simply fall back on or continue using traditional methods of security monitoring, threat detection, and response. I need to enable this in the mainstream AI ecosystem as soon as possible—and that, again, is non-negotiable.
CISO Forum: Cybersecurity is now discussed as much in the boardroom as in the IT team. From your perspective, how seriously are Indian boards taking it, and what does genuine ownership of the issue entail?
Dr. Yusuf Hashmi: Cybersecurity has always been a topic of discussion at the board. The biggest challenge here is that the board cannot effectively question the CISOs. Their questions are often very straightforward—“Are we safe?” or “How are we placed?” However, even if the CISOs provide answers, the board usually cannot determine whether what is being said is true or not. That ability to validate needs to be developed at the board level.
They should have questions ready whenever the CISO or the CIO presents the cybersecurity status. They must have the ability to question—it cannot be a one-sided dialogue or a monologue. That doesn’t work. They should be well aware of the industry, what’s happening outside the industry, and how it is actually being applied within the organization for which they hold responsibility for cybersecurity.
In India, when considering all publicly listed companies—the top thousand companies—cybersecurity must be included as a session within the enterprise risk committee. That’s how I also present the status. The view is that CISOs must have a dual role: they are the ones who highlight and identify risks, but the majority of remediation and risk reduction comes from the IT and CIO sides. Cross-questioning is critical. The CISOs and the board must know who to ask the right questions. And then, when someone responds, they must be able to understand and evaluate whether the answer is correct.