With India fast digitising its presence with projects such as UPI, Aadhaar, ONDC, and AI-based platforms, the scope of cyber threats has also become more multifaceted. The issue of IT policy has become an issue of national security. Alok Shankar Pandey, Group GM (IT) & CISO at Dedicated Freight Corridor Corporation of India Ltd (DFCCIL), gave great insights on how cybersecurity has changed over the years in a recent interview with ETCISO DeepTalks, which reveals that cybersecurity is no longer a backend process but a frontline defence mechanism.
Cybersecurity is no longer only about information security but also national interests since attacks have increased by 138 percent in the last 18 months. Pandey emphasised the need to respond to cyber threats in the most strategic way using AI, open-source applications, and even human intervention, supported by the changing laws about data protection, such as the DPDP Act.
Cybersecurity
According to Pandey, the current cyber threats are state-sponsored activities aimed at destabilising countries. They are not mere IT system attacks but strategic actions in the geopolitical war on the world stage. The networks that are critical infrastructures, e.g., transportation, banking, and public services, are now targets, and this has made cybersecurity a central part of national security.
He stated that the character of threats has changed, and rather than corporate espionage, cyberwarfare has become the new necessity of an enlarged perspective. Pandey cautioned that cybersecurity is not a technical topic: it is a national security topic, which indicates the magnitude and complexity of new attacks.
Public sector cyber readiness still evolving
Speaking about cybersecurity maturity within the government sectors, Pandey admitted that they are progressing at a slower pace than the ones in the private sector. Nonetheless, the understanding is increasing, particularly in such industries as railways, where the process of digitalisation is being implemented. He emphasised that cybersecurity should not be introduced into systems at the final stage, but it should be built into the system.
The emphasis on citizen services by the government has stalled cyber investments, and the sectors are starting to realise that digital safety and operational safety should be inseparable. The next National Cyber Reference Framework is perceived as one of the ways of establishing the blueprint of cybersecurity in India.
AI is a tool, not a replacement
AI is now essential in the identification of cyber threats and automation of repetitive tasks. However, Pandey warned that it should not be over-dependent. He said AI ought to help and not substitute human judgement, particularly in vital sectors such as transport, where human safety is vital.
His idea was to balance between the AI and human powers, making the former supplement and improve the latter, but not to engage in full control. The real world and risk analysis still involve human judgement, particularly where the stakes are high.
Preparing for the Quantum leap
Pandey provided a realistic view on the subject of quantum computing. Though it would ultimately threaten encryption standards, he said the technology is not quite there and therefore does not present an imminent threat. Nevertheless, the industry needs to be ready to face its effects.
He added, Quantum computing is hyped in the short term. Nevertheless, it will redefine cybersecurity in the future. “We should be prepared.”
Focus on risk, not just compliance
One of the key lessons of the session was the idea that Pandey brought up a risk-based approach to cybersecurity. He cautioned against the overuse of vendor-based solutions. Rather, he encouraged organisations to get to know their essential assets and risks first.
To complicate matters, he said, people often purchase tools when they do not know what they need. The business needs to be prioritised, as does the reality of risk exposure in relation to cybersecurity.
DPDP Act: Redefining data privacy in India
Indian businesses now have new challenges due to the implementation of the Digital Personal Data Protection (DPDP) Act. The DPDP Act focuses on penalties to institutions and regulators instead of focusing on individual compensation, a major difference between this and the GDPR.
The act will transform the manner in which personal data is treated, Pandey said. He emphasised the need to gather only required information and not to store what is unnecessary to be compliant and minimise the risks.
Cybersecurity: A leadership priority
Lastly, Pandey emphasised that CISOs should be able to talk the language of business. Since cyberattacks can now kill revenue streams, cybersecurity should be considered a topic of the boardroom.
Leaders are concerned with the business effect. And show to them how security is connected with the performance, and you will find support, he added. Pandey ended by reminding that cybersecurity is a culture, not a checklist of technical things, and it must be ingrained in the digital future of India.