Indian enterprises are caught in a familiar trap — managing sprawling arsenals of 40 to 60 disconnected security tools while facing threats that move faster than any analyst can keep up. As boardrooms shift from asking how many controls are deployed to how effectively risk is being managed, the pressure on security leaders to simplify, consolidate, and govern intelligently has never been greater.
Swapna Bapat, Vice President and Managing Director, India and SAARC, Palo Alto Networks, sits at the intersection of that transformation. In this wide-ranging conversation with CISO Forum, she addresses the hard questions — from realistic entry points for platformization and agentic SOC governance to DPDP compliance gaps and the underestimated dangers of AI-driven supply chain exposure. Her message to Indian boards is clear: cybersecurity is no longer a technology line item. It is the foundation of business resilience.

CISO Forum: Platformization starting point — For an Indian enterprise managing 40–60 point solutions, what is the realistic entry point for platformization — and how does PANW quantify the risk reduction to a board still approving budgets line-by-line?
Swapna Bapat: Most Indian enterprises don’t begin platformization with a large-scale rip-and-replace exercise. The realistic starting point is usually consolidating areas where operational fragmentation creates the most risk — typically SOC operations, cloud security, identity, or network visibility.
The conversation with boards is also changing. Security leaders are increasingly moving away from positioning cybersecurity as isolated technology spend and instead framing it as a business resilience and operational efficiency issue. When organizations manage 40–60 disconnected tools, the hidden costs often manifest as slower response times, duplicated workflows, alert fatigue, and limited visibility across environments.
Platformization helps reduce that operational complexity. The outcomes boards tend to focus on are measurable improvements such as faster detection and response, shorter incident investigation time, reduced tool overlap, and greater visibility across the attack surface. Ultimately, the discussion shifts from “how many tools are we buying?” to “how effectively are we reducing risk and improving resilience?”
CISO Forum: Prisma AIRS and AI risk in production — What are the three most operationally dangerous AI risks Prisma AIRS is detecting in Indian enterprise deployments today — and how do you govern AI risks the security team didn’t build?
Swapna Bapat: The biggest challenge enterprises are facing today is that AI adoption is moving significantly faster than governance maturity. Business teams are deploying AI capabilities directly into workflows to improve productivity and automate, often before security teams have full visibility into how these systems interact with enterprise data and applications.
A critical first step, therefore, is discovery. Organizations need visibility into which AI applications, models, and tools are already in use across the enterprise, so they can begin sanctioning usage, enforcing governance controls, managing access, and reducing risks of sensitive data exposure and loss.
One of the clearest risks emerging today is uncontrolled access to sensitive information through AI-connected environments and cloud services. Organizations are increasingly discovering that machine identities and non-human access paths are expanding far faster than traditional governance models were designed to handle.
The second major concern is the granting of excessive permissions to AI agents and connected systems. At the same time, the third is the rapid growth of unsanctioned or shadow AI usage across business functions. These risks become difficult to govern because security teams are often not the owners or builders of these deployments.
CISO Forum: Agentic SOC governance guardrails — How should a CISO sequence the move to an autonomous SOC, and what governance must be in place before AgentiX takes remediation actions within BFSI or manufacturing infrastructure?
Swapna Bapat: The transition toward an autonomous SOC should proceed gradually rather than through immediate full-scale automation. Most organizations begin by introducing AI into investigative workflows, alert prioritization, and threat correlation before gradually enabling automated response actions in tightly governed environments.
In sectors like BFSI and manufacturing, governance becomes absolutely critical before AI systems are allowed to take remediation actions. CISOs need clear escalation paths, human approval workflows for high-impact decisions, strict role-based access controls, and complete audit visibility into every automated action taken inside operational environments.
This is becoming especially important because identity weaknesses continue to play a major role in enterprise incidents globally. Unmanaged service accounts, excessive permissions, and fragmented identity governance are allowing attackers to move laterally much faster once initial access is gained.
CISO Forum: Ransomware: the first 60 minutes — What specifically does Cortex XSIAM do in the first 60 minutes of a ransomware attack that a traditional SIEM-plus-manual-SOC cannot?
Swapna Bapat: In the first 60 minutes of a ransomware attack, speed and correlation matter more than the volume of alerts. Traditional SIEM-led environments often depend on analysts manually stitching together telemetry from multiple tools before action can be taken. That creates delays at exactly the moment attackers are trying to escalate privileges, move laterally, turn off controls, and encrypt assets.
What platforms like Cortex XSIAM are designed to do differently is automate large parts of that early-stage detection and response cycle. Instead of treating alerts as isolated events, the platform correlates activity across endpoints, network traffic, identity, cloud, and user behavior in near real time to quickly build an attack context.
In practical terms, that means identifying suspicious lateral movement, detecting privilege escalation patterns, isolating compromised endpoints, prioritizing high-confidence incidents, and automating containment workflows before the attack fully propagates.
The value is not just in achieving full visibility, but in compressing the time between detection, investigation, and response. In a ransomware incident, those minutes can determine whether the threat is contained early or escalates into a business-wide disruption.
CISO Forum: Hidden SIEM migration risks — What is the migration risk that boards don’t ask about but should — and how long does a realistic XSIAM migration actually take for a 10,000-seat Indian enterprise?
Swapna Bapat: The migration risk boards often underestimate is not the technology migration itself — it is the operational and process migration around it. Most large enterprises have spent years building analyst workflows, alerting logic, escalation paths, compliance reporting, and integrations around their existing SIEM environments. If that transition is poorly handled, organizations can end up with visibility gaps, alert fatigue, or duplicated operations during the overlap period.
Another challenge is data quality. Many enterprises discover during migration that they are ingesting enormous amounts of low-value telemetry that adds cost and complexity without improving detection outcomes. Migration becomes an opportunity to rationalize what actually matters from a security and business-risk perspective.
The timeline for a full migration depends on factors such as the environment’s complexity, the number of integrations, regulatory requirements, and the SOC’s maturity. Organizations that already have strong visibility into their workflows, cleaner telemetry, and well-defined operational processes typically experience a much smoother, faster transition.
CISO Forum: DPDP architecture and India cloud — How does PANW’s India cloud investment concretely change the compliance architecture for BFSI and healthcare — and what DPDP decisions are Indian CISOs still deferring?
Swapna Bapat: The India cloud investment changes the conversation from “can we use cloud-delivered security?” to “how do we use it while keeping data location, latency, and regulatory expectations in view?” For sectors like BFSI and healthcare, that matters because they deal with highly sensitive customer, financial, and patient data, and are under greater scrutiny on where data is processed, logged, and analyzed.
Palo Alto Networks has expanded India-region support across areas such as WildFire, Prisma Access Cloud Management, and Prisma AIRS runtime/API detection services, which help customers address data residency and performance requirements more directly.
This investment has also expanded across a broader set of cloud-delivered security capabilities, including WildFire, Advanced WildFire, Prisma Access, Autonomous Digital Experience Management (ADEM), Cloud Identity Engine, Advanced URL Filtering, DNS Security, SaaS Security, Prisma Cloud, Cortex XSIAM, and Prisma AIRS runtime and API detection services. This helps organizations address data residency, latency, operational visibility, and performance requirements more effectively within India.
That said, DPDP readiness cannot be achieved solely through local cloud infrastructure. Many CISOs are still defining how to manage sensitive data, telemetry, retention, access governance, and breach reporting obligations across the enterprise.
CISO Forum: Prisma SASE 4.0 for hybrid India — How does single-vendor SASE change the security operations model — and where does it actually break down in practice for large Indian conglomerates?
Swapna Bapat: Single-vendor SASE changes the operating model by bringing access, policy, and visibility into one, more consistent layer across users, branches, applications, and cloud environments. For security teams, that means fewer handoffs between networking and security teams, fewer policy gaps, and faster investigation when something goes wrong.
The value is especially clear for large, distributed enterprises, where users are no longer sitting behind a single corporate perimeter. The security model has to follow the user, device, application, and data wherever they are.
Where it breaks down in practice is not usually the technology promise, but the operating reality. Large Indian conglomerates have multiple business units, legacy infrastructure, inherited vendors, and different compliance needs. The challenge is getting enough organizational alignment to standardize policies, reduce duplication, and implement SASE consistently across very different parts of the business.
CISO Forum: IT/OT security for manufacturing and critical infrastructure — What does a realistic IT/OT security architecture look like today — and how does Precision AI change threat detection in OT environments where patching is impossible?
Swapna Bapat: A realistic IT/OT security architecture starts with accepting that OT cannot be treated like enterprise IT. In manufacturing and critical infrastructure, uptime and safety come first, so the priority is visibility, segmentation, controlled access, and continuous monitoring — not simply pushing patches or replacing legacy systems.
The first step is to identify the assets across plants, production lines, remote sites, and connected industrial systems. From there, organizations need to segment critical environments, enforce least-privilege access, monitor traffic between IT and OT, and build response plans that do not disrupt operations.
In OT environments, many systems are too old, too sensitive, or too critical to take offline regularly. AI-led detection can help identify abnormal device behavior, risky communication patterns, exposed assets, and potential exploit attempts earlier.
The goal is not to make OT look like IT. It is to protect industrial environments while respecting operational realities — especially where patching windows are limited or impossible.
CISO Forum: Supply chain: the underestimated risk — What does a mature supply chain risk program backed by PANW look like — and what is the one supply chain risk Indian CISOs are systematically underestimating in 2026?
Swapna Bapat: A mature supply chain security program today extends well beyond vendor assessments and periodic compliance reviews. Organizations need continuous visibility into SaaS integrations, APIs, managed service providers, software dependencies, cloud environments, and the broader ecosystem of third parties connected to enterprise infrastructure.
One of the most underestimated risks remains the level of implicit trust that organizations continue to place in interconnected external environments. Many enterprises invest heavily in securing their own infrastructure while assuming partners, vendors, and external platforms maintain equivalent governance standards and identity controls. Attackers are increasingly exploiting those weakly connected ecosystems to gain indirect access into larger organizations.
The growing dependence on browser-based workflows, machine-to-machine communication, and interconnected SaaS ecosystems is also creating new lateral movement opportunities that many enterprises still struggle to monitor effectively across distributed environments.
Supply chain resilience is rapidly becoming one of the defining cybersecurity leadership priorities for global enterprises.
CISO Forum: Board governance and the Year of the Defender — What is the single most important mindset shift Indian boards need to make in 2026 — and are you optimistic or sobered about how quickly India’s CISO community is making the transition?
Swapna Bapat: The biggest mindset shift boards need to make is recognizing cybersecurity as a continuous business resilience function rather than a periodic compliance or technology discussion. Security outcomes today directly influence operational continuity, customer trust, regulatory confidence, and enterprise reputation.
Boards also need to move beyond evaluating cybersecurity maturity through the number of deployed controls or completed compliance exercises. The more important question is whether the organization can detect, contain, recover, and adapt effectively in increasingly interconnected and AI-driven threat environments.
Frontier AI sharpens this urgency. As AI systems become more capable of reasoning, acting, and interacting with enterprise tools and data, the attack surface is no longer limited to infrastructure alone. It increasingly extends to how machines make decisions, access information, and execute tasks.
Indian CISOs today are significantly more business-aware and operationally aligned than they were even a few years ago. The organizations adapting fastest are the ones embedding cybersecurity into every layer of enterprise transformation rather than treating it as a parallel function.
