The Mandate Has Shifted: Indian CISOs Must Now Prove Resilience, Not Just Security

As Indian enterprises accelerate their digital transformation, the CISO’s role is undergoing a quiet but fundamental reinvention. The question is no longer whether an attack will happen, but whether the business can survive it. From shadow AI and DPDP compliance to ransomware recovery and post-quantum readiness, the security agenda of 2026 demands a new kind of leader, one who speaks the language of business risk, not just threat vectors.

Debashish Jyotiprakash, Regional Vice President, APAC at Qualys, brings a sharp, ground-level perspective on where Indian security leadership is maturing — and where critical gaps remain. In this exclusive interaction with CISO Forum, he makes a compelling case for why resilience, not prevention, is the defining metric of the modern security mandate.

Debashish Jyotiprakash
Regional Vice President, APAC
Qualys

CISO Forum: Our survey shows 44% of Indian CISOs now rank enterprise resilience above compliance and prevention. What is the most significant mindset shift you are seeing in how Indian security leaders frame their mandate to the board?

Debashish Jyotiprakash: CISOs are increasingly moving from being guardians of control to being owners of business resilience. This is a profound change because it moves cybersecurity from a technical function to a business continuity and risk management function. The best CISOs are no longer asking boards to fund tools. They are asking boards to invest in outcomes:

  • Reduced operational disruption
  • Faster recovery times
  • Protection of critical revenue streams
  • Quantifiable reduction in cyber risk

In many Indian enterprises, particularly in banking, manufacturing, telecommunications, and critical infrastructure, the conversation is evolving from “how do we prevent every incident?” to “how do we ensure the business can absorb the shock and recover from incidents when they happen?”

The mandate of the modern CISO is no longer to prove security. It is to prove resilience. The measure of success is not the absence of attacks but the business’s ability to withstand them and continue operating.

CISO Forum: Qualys has launched Agent Val and an AI Agents marketplace – yet shadow AI is now the #1 security challenge for Indian CISOs. How should CISOs govern AI as both their most powerful tool and their most ungoverned attack surface?

Debashish Jyotiprakash: The mistake many organizations make is treating AI as either a productivity initiative or a security initiative. It is both. The challenge for CISOs is that AI has become the first technology in decades that employees can deploy faster than governance can keep up. Every employee now has access to capabilities that were once reserved for engineering teams, data scientists, and even threat actors.

Most organizations have hundreds of AI services in use, while security teams only know about a fraction of them. The priority is discovery.

The most mature organizations are not asking, “Which AI tool are you using?” They are asking, “What data are you allowed to put into any AI system?”

AI is simultaneously our greatest force multiplier and our fastest-growing attack surface. The CISO’s job is not to slow adoption; it is to ensure innovation happens within measurable risk boundaries.

Organizations that win will not be the ones that ban AI. They will be the ones that achieve visibility, governance, and resilience before AI adoption outruns their ability to manage it.

CISO Forum: Agent Val promises to shift vulnerability management from CVSS assumption to live exploit validation. For Indian enterprises without a mature SOC, how realistic is the path to autonomous remediation today?

Debashish Jyotiprakash: Agent Val is great at doing harmless exploit validation at scale. Threat-informed validation is vital because it confirms whether a present vulnerability will indeed be exploitable in your environment or whether existing compensating controls will be effective in neutralizing the threat. Once security teams can prove exploitability, attack-path relevance, and business impact, remediation automation becomes far safer and more defensible. Validation, therefore, provides the confidence required for autonomous remediation.

The organizations that reach meaningful autonomy first will not necessarily have the largest or most mature SOCs. They will be the ones with the cleanest asset intelligence, the strongest understanding of business context, and the highest confidence in their validation data. That’s what turns automation from a liability into an advantage.

Autonomous remediation will not replace the SOC. Instead, it will replace repetitive operational decisions. Humans will continue to decide what risk is acceptable. Agentic AI agents will increasingly decide how to execute responses at scale, delivering greater resilience in the age of frontier AI models.

CISO Forum: Talent shortage has overtaken budget as the top internal barrier for Indian CISOs. Can AI agents genuinely compensate – and what governance guardrails are non-negotiable before they act autonomously?

Debashish Jyotiprakash: AI agents can compensate for talent shortages, but they cannot compensate for a lack of governance.

In fact, many Indian CISOs are discovering that their biggest scaling problem is no longer technology or budget. It’s the inability to find enough experienced analysts, threat hunters, incident responders, cloud security specialists, and vulnerability management experts to keep pace with the attack surface. AI agents are uniquely suited to eliminate what security teams spend most of their time on today, such as data correlation, alert triage, investigation enrichment, exposure prioritization, evidence collection, workflow orchestration, and remediation coordination.

One experienced analyst managing ten AI agents may become more effective than ten analysts managing ten thousand alerts.

AI is exceptionally good at reducing the “work about security” so humans can focus on the “work of security.” But there is a critical distinction: AI can replace tasks. It does not replace accountability. Before any organization allows autonomous action, several governance guardrails are non-negotiable, like:

  • Every autonomous action must have a designated business owner.
  • Without a proper business context, automation becomes operational risk.
  • Autonomy without verifiable validation automates mistakes.
  • Tiered autonomy models, since not every action deserves the same level of trust.
  • Every AI agent-driven decision should be explainable and traceable.

It’s about amplifying our best people with AI while ensuring every autonomous action remains governed, validated, and accountable. This is the balance boards are increasingly looking for: AI-powered scale with human-owned accountability.

CISO Forum: 60% of Indian CISOs rate DPDP enforcement as high impact on their 2026 strategy. How is it reshaping security architecture decisions – not just documentation – for your enterprise customers?

Debashish Jyotiprakash: The most interesting thing I’m seeing is that DPDP is forcing security leaders to think less about protecting infrastructure and more about controlling data movement. Historically, architecture decisions were driven by questions like, “Is the asset patched?”

Many enterprises have invested heavily in perimeter, endpoint, cloud, and identity controls. DPDP is exposing a more fundamental problem: you can’t protect data you don’t know exists. For many organizations, discovering sensitive data has become more important than deploying another security control.

DPDP is pushing a different conversation: where personal data sits, who can access it, where it moves, and whether we can prove control over it.

Traditionally, privacy teams and security teams operated separately. DPDP is forcing convergence. We are seeing enterprises build common architectures around data inventories, consent management, access governance, retention policies, and data lifecycle controls.

The future architecture is not a security architecture with privacy added later. It’s a data governance architecture with security embedded from the start. As a result, data loss prevention, DSPM, and exposure management programs are moving from optional initiatives to strategic requirements.

CISO Forum: TruRisk™ is designed to make cyber risk legible to the board. What are the most common failures you see when Indian CISOs attempt to quantify risk in business terms?

Debashish Jyotiprakash: The most common failure is that many CISOs are still quantifying security activity rather than reducing business risk. Boards don’t lose sleep over vulnerabilities, alerts, CVSS scores, or patch percentages. They worry about revenue disruption, operational downtime, regulatory exposure, customer trust, and shareholder value.

While the more effective conversation is, “the vulnerabilities that could disrupt online banking have been reduced by 60%” or “we reduced the likelihood of a manufacturing outage affecting ₹500 crore of annual production by 26%”, CISOs continue to open the dialogue with boards with security reports that still sound like, “we have 250,000 vulnerabilities. Patch compliance is 92%. Mean time to respond improved by 20%.”

Boards are often presented with metrics that measure how hard the security team worked. These are operational metrics, while boards care more about reduction in value at risk, business interruption likelihood, and exposure windows. Many organizations still struggle to translate cyber risk into economic impact.

The biggest mistake in cyber risk quantification is measuring what security teams can see rather than what the business stands to lose. On the other hand, boards don’t fund vulnerability reduction; they fund risk reduction. The difference is in the business context.

CISO Forum: Ransomware tops Indian CISO threat rankings at 79% severity. Many organizations can detect faster than they can recover. What are Indian CISOs still systematically getting wrong about ransomware resilience?

Debashish Jyotiprakash: The biggest mistake is that many organizations still treat ransomware as a cybersecurity problem when, in reality, it is a business recovery problem. Over the last few years, detection capabilities have improved dramatically. Most large enterprises can now identify ransomware activity far earlier than they could five years ago, yet many still struggle to answer the questions that matter most after detection: Which business services are most affected? What is the blast radius? Which revenue-generating functions are offline?

So, most organizations have become good at finding ransomware. Far fewer have become good at surviving it. A ransomware event becomes a business crisis when recovery takes weeks instead of hours.

Many organizations discover during a crisis that dependencies were undocumented, recovery priorities were unclear, and even backup restoration took much longer than expected. Organizations may have tested backups but not recoverability, meaning they have not actually run a test to see whether they can restore critical business operations within the required timeframe.

When ransomware strikes, every asset suddenly becomes important. The organizations that recover the fastest already know their crown-jewel assets, their critical business processes, and their value at risk. Without that context, recovery becomes chaos. The most resilient organizations run ransomware exercises that involve the entire executive team, not just the SOC.

The organizations at the most risk are not those that get breached. They are those who discover during the breach that they have never rehearsed the recovery plan.
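The two failure modes named above, undocumented dependencies and recovery priorities that were never rehearsed against a required timeframe, can be checked before an incident rather than discovered during one. The following is an added example written for this article, not Qualys code: a dependency-aware recovery planner that takes documented service dependencies and restore durations measured in a drill, computes when each service would be back, and reports which revenue-critical services would miss the RTO. The service names, durations and RTO are constructed, and restores are assumed to run in parallel as soon as their dependencies are done (enough restore teams), so the result is a best case.

```python
"""Dependency-aware recovery planning (added example, not Qualys code).

Can the revenue-critical services be restored within the RTO, given the
documented dependencies and restore times measured in a drill?  Undocumented
and circular dependencies are rejected up front instead of surfacing mid-incident.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    restore_minutes: int          # measured in a restore drill, not assumed
    depends_on: Tuple[str, ...] = ()
    revenue_critical: bool = False


def plan_recovery(services: List[Service], rto_minutes: int):
    """Return (restore order, finish minute per service, revenue services missing the RTO)."""
    by_name = {s.name: s for s in services}
    for s in services:
        for dep in s.depends_on:
            if dep not in by_name:
                raise ValueError(f"{s.name} depends on undocumented service {dep!r}")

    # Kahn's algorithm: a service is restored once every dependency is back.
    remaining = {s.name: len(s.depends_on) for s in services}
    dependents: Dict[str, List[str]] = {s.name: [] for s in services}
    for s in services:
        for dep in s.depends_on:
            dependents[dep].append(s.name)

    finish: Dict[str, int] = {}
    ready = deque(sorted(n for n, k in remaining.items() if k == 0))
    while ready:
        name = ready.popleft()
        svc = by_name[name]
        # Assumption: restores run in parallel, so a service starts as soon as
        # its slowest dependency finishes (best case, unlimited restore teams).
        start = max((finish[d] for d in svc.depends_on), default=0)
        finish[name] = start + svc.restore_minutes
        for child in dependents[name]:
            remaining[child] -= 1
            if remaining[child] == 0:
                ready.append(child)

    if len(finish) != len(services):
        stuck = sorted(n for n in remaining if n not in finish)
        raise ValueError(f"circular dependency among {stuck}")

    order = sorted(finish, key=lambda n: (finish[n], n))
    at_risk = [n for n in order if by_name[n].revenue_critical and finish[n] > rto_minutes]
    return order, finish, at_risk


# Constructed sample estate; names and durations are illustrative only.
SAMPLE = [
    Service("network", 20),
    Service("identity", 30),
    Service("database", 90, ("network",)),
    Service("intranet", 15, ("identity",)),
    Service("core-banking", 60, ("database", "identity"), revenue_critical=True),
    Service("payments-api", 30, ("core-banking",), revenue_critical=True),
]


if __name__ == "__main__":
    order, finish, at_risk = plan_recovery(SAMPLE, rto_minutes=180)
    for name in order:
        print(f"{name:14s} restored at T+{finish[name]:>3} min")
    print("revenue-critical services missing the 180-minute RTO:", at_risk)
```

With the constructed sample, payments-api only comes back at T+200 minutes because it sits behind database and core-banking, so it misses a 180-minute RTO even though nothing in the chain is individually slow; that chain is exactly the kind of dependency that is invisible until someone documents it and runs the numbers.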

CISO Forum: Tool proliferation is a top-three internal barrier, yet Indian CISOs hold contracts across dozens of point solutions. How do you make the case for platform consolidation without demanding a rip-and-replace?

Debashish Jyotiprakash: The most successful CISOs don’t frame platform consolidation as a purely technical discussion. They position it as an operational efficiency and risk reduction discussion. The moment consolidation becomes a debate about vendors, it becomes political. But when you debate about outcomes, it becomes strategic.

Many executives hear “platform consolidation” and assume, “We are about to spend millions replacing everything.” That is rarely true or necessary. The real question is “which capabilities are redundant, underutilized, or creating operational friction?” Most enterprises don’t have a tooling problem. They have a signal fragmentation problem.

Think about how many tools are involved in discovering, validating, prioritizing, assigning, remediating, and verifying a single exposure. In many organizations, the answer is shockingly high. The strongest consolidation business cases emerge when CISOs map vulnerability management, incident response, exposure management, and identity governance workflows, and then quantify the human effort across systems.

The argument is not whether we can save money by reducing vendors. The argument is whether we can reduce operational complexity, improve resilience, accelerate remediation, and enhance risk visibility, with cost savings as a by-product. The enemy isn’t tool count. It’s decision latency.

The path to consolidation is therefore not a rip-and-replace exercise. It’s a journey toward a single source of truth on business risk, where existing investments are rationalized around outcomes, context, and operational efficiency rather than simply adding another dashboard to the pile. That’s why at Qualys, we are constantly advocating for organizations to adopt a Risk Operations Center (ROC), a single viewpoint on all enterprise risk, and a hub for all remediation efforts. The ROC is vendor-agnostic, which means you can gain visibility into your entire cyber risk management workflow without every sensor being from Qualys.

CISO Forum: Post-quantum readiness is the lowest-maturity capability in our survey — 42% are ad hoc. AI governance frameworks are equally nascent. Which structural investments cannot wait until 2027?

Debashish Jyotiprakash: What’s fascinating is that post-quantum security and AI governance appear to be completely different problems, but they actually share the same root issue: lack of visibility into what matters. Organizations that wait until 2027 to start will discover that neither challenge is fundamentally a technology migration problem. They’re both discovery and governance problems. The structural investments that cannot wait are not necessarily quantum-safe algorithms or AI controls. They are the foundational capabilities that make those transitions possible.

Unfortunately, most enterprises still cannot confidently answer where encryption is used, which applications depend on it, or even which APIs exchange sensitive data and which AI systems consume enterprise information. Without a continuously updated inventory, both PQC migration and AI governance become impossible at scale.

The biggest post-quantum risk isn’t weak cryptography. It’s hard-coded cryptography. Organizations should already be investing in architectures that allow cryptographic algorithms to be swapped without redesigning applications.
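The two points above, a continuously updated inventory of where cryptography is used and an architecture in which algorithms can be swapped without redesigning applications, are usually solved by the same pattern. The following is an added example for this article, not Qualys code: every protected value carries an algorithm identifier, a registry decides which algorithms may still sign and which may only verify, callers never name an algorithm, and an inventory function reports what is still in use. It uses HMAC from the Python standard library as a stand-in for whichever primitive is being migrated, because the pattern rather than the primitive is the point; the algorithm names, their statuses and the token format are assumptions for illustration.

```python
"""Crypto-agility pattern (added example, not Qualys code).

Protected values are tagged with an algorithm identifier; a registry holds the
lifecycle status of each algorithm; callers call sign()/verify() without naming
one.  Rotating an algorithm is an edit to the registry, not to the callers.
HMAC stands in for whatever primitive is being migrated.
"""
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MacFn = Callable[[bytes, bytes], bytes]


@dataclass(frozen=True)
class Algorithm:
    mac: MacFn
    status: str  # "current": sign+verify, "legacy": verify only, "retired": rejected


def _hmac_with(digest_name: str) -> MacFn:
    return lambda key, msg: hmac.new(key, msg, digest_name).digest()


# Assumed registry: names and statuses are illustrative.
REGISTRY: Dict[str, Algorithm] = {
    "hmac-sha1": Algorithm(_hmac_with("sha1"), "retired"),
    "hmac-sha256": Algorithm(_hmac_with("sha256"), "legacy"),
    "hmac-sha3-256": Algorithm(_hmac_with("sha3_256"), "current"),
}


def current_algorithm() -> str:
    """The single algorithm allowed to produce new tokens."""
    current = [name for name, a in REGISTRY.items() if a.status == "current"]
    if len(current) != 1:
        raise RuntimeError("registry must have exactly one current algorithm")
    return current[0]


def sign(key: bytes, message: bytes) -> str:
    """Token format (assumed): '<algorithm-id>$<hex mac>'."""
    alg = current_algorithm()
    return f"{alg}${REGISTRY[alg].mac(key, message).hex()}"


def verify(key: bytes, message: bytes, token: str) -> bool:
    """Accept current and legacy algorithms; unknown, retired or malformed tokens fail closed."""
    alg, sep, hexmac = token.partition("$")
    entry = REGISTRY.get(alg)
    if not sep or entry is None or entry.status == "retired":
        return False
    try:
        presented = bytes.fromhex(hexmac)
    except ValueError:
        return False
    return hmac.compare_digest(entry.mac(key, message), presented)


def migrate(key: bytes, message: bytes, token: str) -> str:
    """Re-sign a valid legacy token under the current algorithm; leave anything else unchanged."""
    entry = REGISTRY.get(token.partition("$")[0])
    if entry is not None and entry.status == "legacy" and verify(key, message, token):
        return sign(key, message)
    return token


def inventory(tokens: List[str]) -> Dict[str, Tuple[int, str]]:
    """Per algorithm: how many stored tokens use it and its registry status ('unknown' if unregistered)."""
    counts = Counter(t.partition("$")[0] for t in tokens)
    return {alg: (n, REGISTRY[alg].status if alg in REGISTRY else "unknown")
            for alg, n in counts.items()}


if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key, not a real secret
    msg = b"order-id=42;amount=100"
    # Tokens "stored" before the rotation, built directly from the registry for the demo.
    legacy_token = "hmac-sha256$" + REGISTRY["hmac-sha256"].mac(key, msg).hex()
    retired_token = "hmac-sha1$" + REGISTRY["hmac-sha1"].mac(key, msg).hex()
    store = [sign(key, msg), legacy_token, retired_token]
    print("before migration:", inventory(store))
    store = [migrate(key, msg, t) for t in store]
    print("after migration: ", inventory(store))
```

The inventory output is the cryptographic bill of materials the text asks for, restricted here to one token store; the retired token is deliberately left in place after migration, because a value that no longer verifies has to be re-issued from the source of truth rather than silently re-tagged, and the inventory makes that residue visible.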

Many organizations are asking when they should start implementing post-quantum cryptography or deploying AI governance controls. And the real answer is, right now.

2027 might be too late to begin preparing for post-quantum security and AI governance because the hardest part isn’t deploying new technology, it’s discovering what needs to change. The organizations that will struggle most with quantum and AI won’t be those that lack cryptographers or data scientists; they will be the ones that still don’t have a trusted inventory of their assets, identities, data flows, and business dependencies. Without that context, both quantum migration and AI governance become compliance exercises rather than risk-reduction initiatives.
