When Resilience Becomes Architecture: India’s Cybersecurity Reckoning

India’s ransomware numbers tell a story of cautious progress. Median payments are down sharply, and more organizations are holding the line. But Sunil Sharma, Managing Director & Vice President – Sales, India & SAARC at Sophos, isn’t ready to call it a turning point. Not yet.

In a wide-ranging conversation with CISO Forum, Sharma cuts through the optimism with frontline data and uncomfortable truths: 53% of Indian victims still paid the ransom in 2025, identity breaches are accelerating faster than governance frameworks can respond, and the CISO role itself is structurally broken at a 10,000:1 ratio to the businesses it serves.

What emerges is less a vendor pitch than a frank diagnostic — on where Indian enterprises are genuinely maturing, where dangerous assumptions persist, and why resilience, at its core, is an architectural decision that no amount of reactive spending can substitute for.

Sunil Sharma
Managing Director & Vice President – Sales (India & SAARC)
Sophos

CISO Forum: Your own State of Ransomware 2025 report found that 53% of Indian victims paid the ransom, yet median payments dropped sharply. What does this signal about where Indian enterprises actually stand on the prevention-to-resilience continuum — and what are you seeing on the ground that the numbers don’t fully capture?

Sunil Sharma:
The data tells a story of transition, not triumph. The median ransom payment in India dropped by 79% to US$481,636, and the proportion of organizations paying the ransom fell from 65% in 2024 to 53% in 2025, a meaningful directional shift. But what the numbers don’t fully capture is the nature of that payment decision. Indian businesses spent an average of US$1.01 million on recovery costs, excluding the ransom itself, which means paying the ransom is often the beginning of the financial pain, not the end of it.

On the ground, the market is split: a small but growing cohort that has invested in detection, backup maturity, and MDR is genuinely more resilient, and their outcomes are measurably better. But the majority are still in reactive mode; they pay because it seems like the fastest path back to operations. From an operational perspective, 41% of organizations from our study that experienced a ransomware attack cited a lack of people or capacity as a root cause of their attack, and 39% acknowledged that not having the right cybersecurity products contributed to their being victimized.

Most organizations that pay the ransom do so not because it is the smartest business decision, but because inadequate prior investment in prevention, backups, and response readiness left them with no other viable option. The most dangerous thing about India’s ransomware picture right now is the gap between awareness and action. People know what good looks like, but internal capacity constraints mean the journey from knowing to doing is slower than attackers are moving.

CISO Forum: Sophos’s 2026 Active Adversary Report finds 67% of all incidents are identity-rooted, with attackers reaching Active Directory in under 3.5 hours. Yet, our survey shows that identity lifecycle governance is among the lowest-maturity capabilities among Indian CISOs. What is the most dangerous identity assumption that Indian enterprises are still operating with?

Sunil Sharma: The most dangerous identity assumption Indian enterprises are still operating with is that Active Directory governance is an IT operations problem, not a security priority.

According to Sophos’s newly released State of Identity Security 2026 report:

  • 76.8% of organizations surveyed in India suffered at least one identity-related breach in the past year
  • 79% of ransomware victims in India confirmed their ransomware incident stemmed directly from an identity attack, establishing identity compromise not just as an entry vector, but as the primary delivery mechanism for the most damaging threat Indian enterprises face

The 2026 Active Adversary Report reinforces why this is so consequential. Globally, 67% of all incidents investigated by our IR and MDR teams were rooted in identity-related attacks, with attackers exploiting compromised credentials, weak or missing MFA, and poorly protected identity systems, often without deploying any new tools or techniques. Once inside, attackers reach Active Directory in a median of 3.4 hours, and the median dwell time has declined to three days, meaning the window for human-driven response is closing faster than most teams are prepared for.

The Two Most Dangerous Assumptions:

  • Deploying MFA equals identity security: Adversary-in-the-middle phishing kits are now commodity tooling. They proxy a counterfeit login page, capture both the credentials and MFA token in real time, and replay them to the legitimate identity provider within seconds. App-based push and SMS one-time codes do not stop them.
  • Credentials not in a breach database are safe: Sophos telemetry shows stolen credentials on the dark web more than doubled in a single year. If credentials have not appeared in a known breach database, that does not mean they are safe.

CISO Forum: Talent shortage has surpassed budget as the #1 internal barrier in our survey — 50% of Indian CISOs rate it high or extremely severe. Sophos MDR now secures over 33,000 organizations globally. How should a CISO frame the MDR decision to their board — not as outsourcing, but as a strategic architecture choice — and where does human-led MDR end and the enterprise’s own team begin?

Sunil Sharma: A CISO needs to make it clear to the board that MDR is not outsourcing security. It is how modern security operations are architecturally designed when talent scarcity is a structural reality. The board already accepts that the organization does not run its own data center for email or build its own ERP from scratch. Security operations at 24/7 coverage and threat-hunting depth have the same economics: it is more effective and more sustainable when delivered through a model built for scale.

Sophos MDR and XDR are trusted by more than 75,000 organizations worldwide, and our analysts’ experience securing those organizations from advanced, human-led threats directly informs AI Assistants and detection capabilities that no internal team could build unilaterally.

The Two-Layer Operating Model:

  • Sophos MDR – the operational execution layer: Handles 24/7 monitoring, threat detection, investigation, and active response.
  • Enterprise internal security team – the strategic layer: Owns governance, risk management, compliance, vendor relationships, policy, and the contextual business knowledge that no external team can possess.

This is not abdication. It is how elite security is delivered at scale. The talent shortage is a permanent condition of the market, not a temporary one. The architecture should be designed around that reality.

CISO Forum: Sophos acquired Secureworks in February 2025, bringing Taegis MDR and XDR into the fold. For an Indian enterprise CISO evaluating this combined platform, what has materially changed in detection, response, and coverage depth — and how does Sophos ensure that integration complexity doesn’t create new blind spots during the transition?

Sunil Sharma: With the completion of the Secureworks acquisition in February 2025, Sophos became the leading pure-play cybersecurity provider of MDR services globally. For an Indian enterprise CISO evaluating the combined platform, three things have materially changed:

  • Detection depth: Secureworks’ Counter Threat Unit (CTU), which tracked more than 150 threat groups, is now part of Sophos X-Ops. The threat intelligence engine behind every detection has expanded dramatically.
  • Platform integration: Sophos Endpoint is now natively integrated and automatically included in all Taegis XDR and Taegis MDR subscriptions, giving customers immediate access to combined prevention, detection, and response capabilities in a single platform while lowering costs and simplifying operations.
  • Coverage breadth: The combined portfolio now includes Managed Services, next-generation SIEM, and ITDR capabilities that previously required separate vendor relationships.

On integration complexity and blind spots: any acquisition introduces a transition period. The mitigation is architectural clarity. Customers on either platform retain continuity of their existing detection and response workflows, with Taegis remaining an open platform and Sophos Central serving as the unified management layer. The integration is being sequenced deliberately rather than rushed, specifically to avoid the coverage gaps that rapid integration can create.

CISO Forum: Sophos launched Identity Threat Detection and Response in October 2025. Our survey shows 68% of Indian CISOs rate identity-centric breaches as high or extremely severe, yet ITDR remains a nascent investment category in India. What should a CISO do in the next 90 days to reduce identity exposure — before a formal ITDR program is in place?

Sunil Sharma: Before any formal ITDR program is in place, a CISO can take three high-impact actions in 90 days that will materially reduce identity exposure:

  • Run an identity posture assessment immediately: Without a full ITDR deployment, run a manual review of dormant accounts, service account privileges, and MFA gaps against your Active Directory and Entra ID environment. This will surface the highest-risk misconfigurations before they are exploited.
  • Check credential exposure on the dark web: Sophos X-Ops observed a 106% increase in stolen credentials for sale on the dark web between June 2024 and June 2025. Sophos ITDR scans the dark web and breach databases for evidence of leaked or stolen credentials. Identify when login credentials are exposed on the dark web and breach databases.
  • Enforce phishing-resistant MFA on highest-privilege accounts: Specifically, accounts with access to Active Directory, cloud admin consoles, and financial systems. Given that attackers are reaching Active Directory in a median of 3.4 hours, hardening those accounts is the single most effective thing an organization can do before a formal ITDR program is funded and deployed.
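The first of the three 90-day actions above is a manual review of dormant accounts, service-account privileges, and MFA gaps. The script below is an added example, not Sophos code and not part of the interview, showing what such a review looks like once the account inventory has been exported from Active Directory or Entra ID into a simple record format. The record fields, the 90-day dormancy threshold, the privileged-group names, and the authenticator labels treated as phishing-resistant are all assumptions for this example; the sample inventory is constructed.

```python
"""
Identity posture review over an exported account inventory.

Added example, not Sophos code. Assumes accounts were already exported
from AD / Entra ID into Account records; the thresholds, group names,
MFA labels and the SAMPLE inventory below are assumptions/constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

DORMANT_AFTER = timedelta(days=90)                     # assumed review threshold
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
PHISHING_RESISTANT = {"fido2", "certificate"}          # assumed authenticator labels


@dataclass
class Account:
    name: str
    enabled: bool
    last_logon: Optional[datetime]                     # None = never logged on
    groups: Set[str] = field(default_factory=set)
    is_service: bool = False                           # e.g. has a servicePrincipalName
    password_never_expires: bool = False
    mfa_methods: Set[str] = field(default_factory=set)  # e.g. {"sms"}, {"fido2"}

    @property
    def privileged(self) -> bool:
        return bool(self.groups & PRIVILEGED_GROUPS)


def review(accounts: List[Account], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (account, finding, severity) tuples, most severe first."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are out of scope for this pass
        dormant = a.last_logon is None or now - a.last_logon > DORMANT_AFTER
        if dormant:
            findings.append((a.name, "dormant-enabled-account",
                             "high" if a.privileged else "medium"))
        if a.is_service and a.privileged:
            findings.append((a.name, "privileged-service-account", "high"))
        if a.is_service and a.password_never_expires:
            findings.append((a.name, "service-account-password-never-expires", "medium"))
        if a.privileged:
            if not a.mfa_methods:
                findings.append((a.name, "privileged-no-mfa", "critical"))
            elif not (a.mfa_methods & PHISHING_RESISTANT):
                findings.append((a.name, "privileged-mfa-not-phishing-resistant", "high"))
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (order[f[2]], f[0]))
    return findings


# Constructed sample inventory (not real accounts).
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", True, NOW - timedelta(days=1), {"Domain Admins"}, mfa_methods={"fido2"}),
    Account("bob", True, NOW - timedelta(days=2), {"Domain Admins"}, mfa_methods={"sms"}),
    Account("svc-backup", True, NOW - timedelta(days=200), {"Domain Admins"},
            is_service=True, password_never_expires=True),
    Account("carol", True, None),
    Account("dave", False, NOW - timedelta(days=400), {"Enterprise Admins"}),
    Account("erin", True, NOW - timedelta(days=3), {"Global Administrator"}),
]

if __name__ == "__main__":
    for name, finding, severity in review(SAMPLE, NOW):
        print(f"{severity:8} {name:12} {finding}")
```

Findings are ranked so that a privileged account with no MFA at all surfaces before a dormant ordinary user, which matches the prioritization in the third action: the accounts with standing access to AD and admin consoles are the ones to harden first.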

CISO Forum: Sophos’s sector research shows manufacturing is disproportionately targeted, with exploited vulnerabilities driving 32% of attacks, while BFSI leads in attack frequency in India. Given the layered regulatory pressures from RBI, IRDAI, and now DPDP — how does a resilience architecture for these two sectors differ, and where do most organizations get it wrong?

Sunil Sharma: The two sectors have fundamentally different threat profiles and therefore require different resilience architectures:

  1. Manufacturing – According to the 2025 Sophos State of Ransomware report:
     • Root cause: Exploited vulnerabilities are the leading root cause, responsible for 32% of incidents, while lack of expertise is the most common organizational factor, cited by 42.5% of victims.
     • Positive shift: 50% of manufacturing organizations stopped attacks before data could be encrypted, more than double the previous year’s 24%.
     • Evolving threat: Adversaries have adapted. 39% of manufacturers that experienced encryption also had data stolen, one of the highest rates across all surveyed sectors.
     • Resilience architecture priority: OT/IT network segmentation, aggressive vulnerability patching on edge devices and legacy systems, and backup strategies that survive a double-extortion scenario where data has already been exfiltrated before encryption begins.
  2. BFSI – The sector experienced the highest frequency of ransomware attacks in India over the past year.
     • Regulatory complexity: The sector faces a layered regulatory environment. RBI’s cybersecurity framework, IRDAI’s guidelines, and DPDP Act obligations mean the resilience architecture must simultaneously satisfy operational recovery, data integrity, and regulatory reporting timelines.

Where most organizations get it wrong: Resilience is treated as a technology checklist rather than an operational capability. Two critical distinctions:

  • Having backups is not the same as having tested, recoverable backups
  • Having an IR plan is not the same as having an IR plan that has been simulated under realistic adversarial conditions

CISO Forum: Tool proliferation and alert fatigue rank as the third-most-severe internal challenge in our survey. Sophos has deployed an AI Assistant for case investigations alongside its human analyst teams. Where is AI genuinely accelerating security outcomes in your MDR operations — and where does the over-reliance on AI actually create risk that only human judgment can address?

Sunil Sharma: With Sophos MDR analysts securing more than 35,000 organizations globally, there is a clear view of where AI is genuinely moving the needle and where human judgment remains irreplaceable. AI is accelerating security outcomes in three key areas:

  • Initial triage and alert enrichment: AI processes and prioritizes incoming alerts at a speed no human team can match, ensuring analysts focus on what matters most.
  • Pattern recognition across large telemetry volumes: AI identifies patterns across data volumes that would overwhelm human analysts working at speed.
  • Case summarization: AI reduces the cognitive load on analysts before they begin an investigation, helping security teams quickly identify risks, enrich investigations with threat intelligence, and take faster remediation actions.

And where over-reliance on AI creates risk:

  • Adversary behavior at decision points: The Sophos Active Adversary Report 2026 found no evidence of a major AI-driven transformation in attacker behavior. AI is adding scale and noise, but not yet replacing attackers. The fundamentals still matter: strong identity protection, reliable telemetry, and the ability to respond quickly when something goes wrong. An AI system trained on historical attack patterns will have systematic blind spots around novel techniques.
  • Business context and judgment: Human judgment is irreplaceable when understanding business context, knowing that a particular anomalous access event at 2 am is a legitimate financial close process or that isolating a specific endpoint will halt a critical production line. That contextual business knowledge cannot be encoded in any model.

The architecture that works is AI for speed and scale, humans for judgment and context.

CISO Forum: 60% of Indian CISOs in our survey rate DPDP Act enforcement as having a high or extremely high impact on their 2026 planning. Sophos recently expanded DNS Protection management regions to India. How should CISOs think about the intersection of data protection compliance and security architecture — and what compliance-driven investments are also genuinely improving security posture versus those that only satisfy auditors?

Sunil Sharma:
The DPDP Rules, notified on November 14, 2025, provide an 18-month phased compliance timeline and require data fiduciaries to issue clear, standalone consent notices explaining the specific purposes for which personal data is being collected. The intersection of DPDP compliance and security architecture is more direct than most CISOs currently appreciate.

Investments that genuinely improve security posture while satisfying compliance:

  • Data classification and mapping: You cannot protect what you have not identified. This is both a compliance requirement and a foundational security control.
  • Breach detection and notification capabilities: DPDP mandates prompt notification, which requires the detection infrastructure to exist first. Compliance here directly drives security investment.
  • Access controls and encryption: Both are regulatory requirements and foundational security controls, making them dual-purpose investments.

Investments that tend to satisfy auditors without improving posture:

  • Point-in-time compliance assessments
  • Checkbox policy documentation without operational implementation
  • Vendor risk questionnaires that are never verified.

The DNS Protection expansion to India-based management regions is one concrete example of an architectural decision that serves both compliance intent, keeping data processing within jurisdictional boundaries, and the security function.

The right framing for the board is: every compliance investment should be evaluated against whether it would have reduced the blast radius of the last breach, or the next one. If the honest answer is no, it is an audit exercise, not a security investment.

CISO Forum: Our survey reveals that 48% of CISOs rate inadequate IR testing as a severe challenge and most organizations’ playbooks have never been tested under realistic conditions. Sophos launched Emergency Incident Response in 2025. What does your frontline IR data tell you about where Indian enterprise response plans most predictably fail — and what should a CISO simulate before a real incident forces the lesson?

Sunil Sharma:
From Sophos’s global frontline IR and MDR data spanning 661 cases across 70 countries, response plans most predictably fail at three points. These failure patterns are consistently observed across markets, including India, where survey data confirms that 48% of CISOs rate inadequate IR testing as a severe challenge.

The three most common failure points are:

  • Decision authority: When an incident is active, and containment requires isolating systems, shutting down services, or notifying regulators, organizations repeatedly discover that their IR plan does not clearly assign who has the authority to make those decisions. The technical response may be ready, but the governance response is not. Research consistently shows that the leading cause of prolonged incidents is not attacker sophistication; it is internal indecision. The technical problem might be resolved in hours, while the leadership problem drags on for days.
  • Log availability: Missing logs due to data retention issues doubled in the most recent Active Adversary dataset, largely driven by firewall appliances where the default retention was only seven days and, in some cases, 24 hours. Forensic investigation is impossible without telemetry. Before simulating an incident, validate that logs are being retained and are accessible.
  • Backup integrity under adversarial conditions: Most organizations have never tested whether their backups can be restored at speed when an adversary has had 72 to 96 hours of access to the environment. The simulation a CISO should run before a real incident is a tabletop exercise that begins with “your backups are inaccessible” and works forward from there. That single constraint will expose every assumption in your recovery plan.
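The second failure point above ends with a concrete instruction: before simulating an incident, validate that logs are being retained and are accessible. The check below is an added example, not Sophos code and not from the interview. It assumes logs from each source have already been pulled into text lines that begin with an ISO-8601 timestamp; the required retention window, the tolerated ingestion gap, and the sample log lines are assumptions constructed for this example. It reports two things a tabletop rarely tests: whether the oldest retained entry is old enough for an investigation (the seven-day firewall default mentioned above fails this), and whether there are silent gaps in ingestion that would leave holes in the timeline.

```python
"""
Log retention and continuity check over exported log lines.

Added example, not Sophos code. Assumes each source's logs are available
as lines starting with an ISO-8601 timestamp. REQUIRED_DAYS, MAX_GAP and
the sample sources below are assumptions / constructed data.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

REQUIRED_DAYS = 30              # assumed minimum window an IR team needs
MAX_GAP = timedelta(hours=12)   # assumed: longer silence means ingestion broke


def parse_timestamps(lines: List[str]) -> List[datetime]:
    """Extract the leading ISO-8601 timestamp from each line, sorted, in UTC."""
    stamps = []
    for line in lines:
        if not line.strip():
            continue
        stamps.append(datetime.fromisoformat(line.split()[0]).astimezone(timezone.utc))
    return sorted(stamps)


def check_source(name: str, lines: List[str], now: datetime) -> Dict:
    """Report retained window and ingestion gaps for one log source."""
    stamps = parse_timestamps(lines)
    if not stamps:
        return {"source": name, "ok": False, "retained_days": 0, "gaps": [],
                "reason": "no log lines available"}
    retained_days = (now - stamps[0]).days
    # A gap is any pair of consecutive entries further apart than MAX_GAP.
    gaps = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > MAX_GAP]
    problems = []
    if retained_days < REQUIRED_DAYS:
        problems.append(f"only {retained_days} days retained, need {REQUIRED_DAYS}")
    if gaps:
        problems.append(f"{len(gaps)} ingestion gap(s) longer than {MAX_GAP}")
    return {"source": name, "ok": not problems, "retained_days": retained_days,
            "gaps": gaps, "reason": "; ".join(problems)}


def constructed_lines(start: datetime, end: datetime, step: timedelta, host: str) -> List[str]:
    """Build synthetic log lines at a fixed cadence (sample data only)."""
    lines, t = [], start
    while t <= end:
        lines.append(f"{t.isoformat()} {host} sample event")
        t += step
    return lines


# Constructed sample sources, evaluated at a fixed "now".
NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
STEP = timedelta(hours=4)
# Firewall appliance left on a seven-day default retention.
FIREWALL = constructed_lines(NOW - timedelta(days=7), NOW, STEP, "fw01")
# Endpoint telemetry with 45 days retained but a two-day ingestion outage.
ENDPOINT = (constructed_lines(NOW - timedelta(days=45), NOW - timedelta(days=10), STEP, "edr01")
            + constructed_lines(NOW - timedelta(days=8), NOW, STEP, "edr01"))
# SIEM with 60 continuous days.
SIEM = constructed_lines(NOW - timedelta(days=60), NOW, STEP, "siem01")

if __name__ == "__main__":
    for name, lines in (("firewall", FIREWALL), ("endpoint", ENDPOINT), ("siem", SIEM)):
        r = check_source(name, lines, NOW)
        status = "OK " if r["ok"] else "FAIL"
        print(f"{status} {name:10} retained={r['retained_days']:3}d {r['reason']}")
```

Run it against real exports rather than the constructed samples by replacing the three lists; the point of the gap check is that a source can pass a retention audit on paper while having lost the exact hours an investigation needs.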

CISO Forum: Your CISO Report 2026 puts the global CISO-to-business ratio at 10,000:1 — an unsustainable structural imbalance. Our survey corroborates this: burnout and attrition in security teams are rated high severity by 39% of respondents, and talent is now the top barrier. What is your honest assessment of how Indian enterprises should restructure the security function — not just hire more — to make the CISO role and the teams beneath it sustainable at the speed AI-era threats demand?

Sunil Sharma:
The current model, one CISO supported by an overextended team, accountable for an expanding surface area of risk, and operating without adequate tooling or staffing, is not a talent problem. It is a structural design problem, and hiring more people into a broken structure will not fix it.

The 2026 CISO Report shows that organizations can no longer rely on traditional security leadership models to keep pace with the scale and sophistication of today’s threats. There are only 35,000 CISOs worldwide serving an estimated 359 million businesses, a 10,000:1 ratio that represents a market failure.

For Indian enterprises, the restructuring required has three components:

  • Separate strategy from operational security: The CISO’s role should be risk governance, regulatory navigation, board communication, and security architecture, not operational triage. Operational security should run through MDR or an equivalent 24/7 model that removes the CISO from the on-call rotation.
  • Invest in automation at the operational layer: Junior analysts should not be manually doing work that degrades their capability and accelerates attrition. Burnout has measurable consequences. Nearly half of affected professionals report heightened anxiety about breaches, 39% admit to reduced productivity, and a third report reduced engagement at work, all of which directly undermine the effectiveness of the very defenses they are responsible for.
  • Redefine what “the security team” means: In the AI era, the team includes managed services, automated detection pipelines, and the intelligence of platforms like Sophos X-Ops. The CISO who tries to build everything in-house will most likely lose to the adversary every time. The CISO who architects the right combination of internal governance, external operations, and platform intelligence has a sustainable model.
