Security isn’t a cost center; It’s your biggest competitive weapon

As Indian enterprises race to expand into new geographies and defend against increasingly sophisticated threats, the old playbook treating security as a compliance checkbox is breaking down fast. In this candid conversation, Garry Singh, President of IIRIS Consulting, unpacks why risk management has evolved into a scientific, quantifiable discipline, one that spans everything from brand impersonation and vendor due diligence to physical resilience and cross-border expansion. Singh argues that the biggest barrier to better security isn’t technical; it’s a mindset problem among founders and leadership who prioritize growth targets over “doing things rightly” from day one. From COVID-driven shifts in business continuity thinking to why skill enhancement matters more than traditional training, Singh offers a clear-eyed look at what mature, intelligence-led risk management actually requires.

Garry Singh
President
IIRIS Consulting

CISO Forum: Indian CISOs are being asked to own cyber, physical, and reputational risk simultaneously. How does IIRIS approach this converged mandate and what does an integrated engagement actually look like?

Garry Singh:  IRIS does very scientific and methodical work, with step one being risk assessment. Not only does it assess the risk in terms of which tier it can be assigned, but also, at what stage, to a finite value ranging from 1 to 100. Once we know the risk levels, the corresponding risk mitigation techniques and methodologies are applied.

Once they are applied, there is a post-application assessment of the mitigations to determine the risk before and after their successful implementation. To ensure the residual risk is acceptable, this is how we, in a small way, process our work.

CISO Forum: Most Indian enterprises still treat security as a compliance exercise. What is the fundamental difference in outcomes when you shift to an intelligence-led model?

Garry Singh: Security or intelligence is actually the biggest value enabler you can find. It is not compliance; it is not a cost; it is something which can give you more opportunities in business. It is something that can increase your business profitability.

People who understand this effectively use security and intelligence to get the business to perform better. It is the lack of understanding by individuals rather than the professionals themselves.

CISO Forum: With the DPDPA rules notified, what are the top gaps you are seeing between legal compliance and operational readiness — and how is IIRIS helping enterprises close them?

Garry Singh: While we do work on strategic risk and operational risk, legal compliance is a risk that law firms and internal legal councils generally handle.

We do not go that side much. We do look at risks that are linked to the market, strategy, and competition. You will be surprised to learn that the Indian market has become so fiercely competitive that companies work against one another.

There are leaks, sabotage attempts, and cyberattacks. So, we work on all these aspects to sanitize and insulate any company from potential risks that could hit it and devalue it.

CISO Forum: Forensic investigation typically happens after a breach. How should CISOs be building pre-incident forensic readiness into their security programs?

Garry Singh: While we very actively work on preventive and detective methodologies, whatever systems you put in place may never be 100%. Then the forensics does come to work. But yes, we also are strong supporters of preventive and detective methodologies.

If the prevention is working very well, it can safeguard against high costs or losses that may occur during a breach. It is almost like the adage or cliché goes: it is penny-wise and pound-foolish not to do preventive work. Again, our thought process is to do preventive and detective work so that you can do damage control immediately and not let it lead to slippages, which are breaches and further losses.

CISO Forum: Brand impersonation and fake domains sit outside the security perimeter in most organizations. How is IIRIS defining brand protection as a security discipline and who is most exposed?

Garry Singh: As of now, when we are working on brand protection, first of all, I would like to say brand does not mean only the company name. Brand is also the CEO; brand is also various other individuals, chairpersons, personalities.

We have seen in the market not only the company name, but also fake IDs and various types of fake accounts can be created for their top management as well. We treat all of them as brands, and when we do brand protection work for these kinds of people, we exercise continuous scanning of the web and other channels to check whether anyone has infringed on the brand. At the moment, we even have to identify that, generally, we work with companies only when we know that any of those infringements, if it goes red, means it is surely a problem; we need to start action immediately.

Yellow means that a discussion with the company will confirm whether it is a major problem. Green means that, when it is a new effort by the company, it is not something infringing at all. This is how the methodology helps identify any infringement quickly and respond appropriately in the shortest time.

CISO Forum: BCM frameworks in India remain heavily IT-centric. For organizations with complex physical operations, what does a genuinely resilient program look like?

Garry Singh: While I will agree with your statement that BCM or the resiliency programs were very IT-specific till COVID, COVID was a major watershed moment when people realized the logistics supply chain is the biggest problem, not anything else. Yes, IT has been an enabler and a supporter all along. Still, COVID ensured all Indian companies woke up to the fact that the on-ground work, whether availability of workforce, availability of logistics supply chain, both incoming and outgoing, is as important. Presently, someone working on resiliency in BCM must also accept that key resources are the workforce, logistics supply chains, and so forth; IT is an enabler; focusing only on IT for business continuity is poor planning.

CISO Forum: Vendor and supply chain risk is now a primary attack vector. How mature is third-party risk management in Indian enterprises, and what does a practical program actually require?

Garry Singh: If you look at one stage, when the companies, let us take an example from India, Reliance for that matter, were building both sides of the supply chain, that means they will not only make a product, but they will also go for the raw material and so on. Similarly, all over the world, some companies were looking at both sides of the supply chain, inside and outside, and trying to develop them. But for the last 20 to 25 years, it is the era of expertise and specialization.

Even some non-critical functions, sometimes even marketing, are considered non-critical. In some companies, facility management- everybody thinks it is not my job. Some of them even think it is security management.

All of these have now been outsourced, and the companies are focusing on the core work and the core value they are creating. With this shift in era from trying to go both sides of the supply chain to becoming more expert, you are now heavily reliant on various vendors. So not only are these vendors a small part of your end product, but you sometimes depend heavily on them to ensure you survive.

We call this risk-based vendor due diligence and monitoring. A vendor or partner that poses a greater risk to you needs to be examined far more deeply and monitored, so that at no point does a vendor breach become your problem. That is how a structure gets designed and defined, and that is the subject we work upon.

CISO Forum: IIRIS runs training as a distinct service line. What is the nature of the gap you are addressing and what is the ROI argument for treating security training as a strategic capability?

Garry Singh: If I may use a different word that carries a different meaning. We really don’t work on training; we work on skill enhancement.

We are not really doing something great for the classroom, but we are making a meaningful on-the-ground impact. For example, somebody who has been trained or educated in college, master’s, whatever, but after you have passed out and you are at work, the technology is changing, the world is changing. You still need to upgrade yourself.

For those working professionals, you don’t need new degrees and diplomas. You continuously need those new skills. We work on skill enhancement so that you are always market-ready and never redundant.

That is the focus, not really training, but skill enhancement.

CISO Forum: Indian enterprises expanding into the Middle East, Africa, and Southeast Asia face risks that their domestic frameworks are not built to handle. What are the most underestimated exposures?

Garry Singh: Definitely, when you go to a new geography, like IRIS already having three offices in the Gulf area, which are in Dubai, Bahrain, and Oman, and we are there in Nigeria, the first Indian risk management company to open an office in Africa.

We are obviously on the eastern side, near Singapore and the Philippines. But any new geography you go to, it is almost like a new playing field. Sometimes it can be as different as if you are fond of tennis, whether you are playing on a grass court or you are playing on a clay court.

Once you are going there, you need to learn those things; you need to learn those compliances. In fact, a very positive impact for any company is that now, as I am learning compliance for Dubai and Singapore, I bring those best practices to the company level, so that these compliances are now well spread across the company. That is where the key aspect to start the operation.

Then, obviously, if your own operations and compliance differ, the risk for every client is different. For example, when we are operating for the same company in Lagos, Nigeria, or Bombay, India, the risks are not the same. You also need to give them those customized, tailor-made risk mitigations.

You cannot say, “Because it worked in Mumbai, let us do it in Lagos as well.” So you have to again re-conceptualize, re-define, re-design, and give that new tailor-made suit for Lagos that will fit there.

CISO Forum: Many Indian CISOs still struggle to translate risk into business language. What is the single most important shift in how a CISO presents security to the board?

Garry Singh: I will say I will not only involve the CISO, but also the founders, directors, and promoters. So most of the time, and especially in the so-called Indian start-up culture, the way it is going, the focus is always on the client; rightfully it should be. But focus also has to be always doing things rightly.

If the focus of that company is to do things right from day one, then you are not going to face risk after you have grown to a certain size, and then all of a sudden you fall. The good habits have to be taught right at the start. For example, even if somebody is learning how to drive, all the rules and techniques are taught before you get a license.

But whereas most of the founders, the only thing they work for is getting an investment and starting. No ecosystem in India makes these founders and promoters know, including sometimes CISOs, how to do things rightly, because they are in a rush to do things, achieving some targets and numbers. Doing things rightly remains a little less of a priority for them.

Author