Indian CISOs face a unique combination of threats: rising ransomware targeting Indian businesses, new regulatory mandates (CERT-In 2022, DPDP Act 2023, RBI guidelines), and the challenge of building security programmes with limited budgets. This roadmap helps you prioritise and build a mature security posture.
Priority 1: CERT-In Compliance (Non-Negotiable): India's CERT-In April 2022 directions are mandatory for all companies, service providers, and intermediaries. Key requirements: Report cyber incidents within 6 hours of detection. Maintain system logs for 180 days. Maintain accurate system clocks synchronised with NTP servers. Preserve records of financial transactions for 5 years. Failure to comply can result in imprisonment of up to 1 year under IT Act Section 70B.
Priority 2: Identity and Access Management: The majority of Indian breaches involve compromised credentials. Start with MFA for all cloud applications, then privileged access management (PAM) for admin accounts, then Zero Trust network access for remote employees. Microsoft Entra ID (formerly Azure AD) and Okta are widely used in India. Indian companies like Saviynt have strong IAM capabilities.
Priority 3: Endpoint Security and EDR: Every endpoint (laptop, server, mobile) is an attack vector. Deploy EDR (Endpoint Detection and Response) across all devices. In India, popular choices include CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Sophos Intercept X. Ensure mobile device management (MDM) for employee phones accessing corporate data.
Priority 4: Data Protection and DPDP Readiness: The DPDP Act 2023 introduces significant obligations around personal data. Build a data inventory, implement data classification, configure DLP (Data Loss Prevention) for sensitive data, ensure consent management for customer data processing, and establish data breach notification workflows (notification required to DPBI).
Priority 5: Security Operations (SOC): For businesses that cannot afford a 24/7 internal SOC, managed SOC services from Indian providers like Quick Heal, Tata Communications, or Paladion offer cost-effective threat monitoring. SIEM tools (Splunk, IBM QRadar, Microsoft Sentinel) centralise log management and support CERT-In 180-day retention requirements.
Frequently Asked Questions
What is the minimum cybersecurity budget for an Indian company with 200 employees?
A basic security programme for a 200-person company should budget ₹25–50 lakhs per year: EDR (₹8–15L), email security (₹3–5L), next-gen firewall (₹5–10L), MFA (₹2–4L), security awareness training (₹1–2L), and compliance/audit costs (₹5–10L). Actual costs vary by industry and risk profile.
Which security certifications are most relevant for Indian businesses?
ISO 27001 is the most widely recognised information security management standard globally and in India. For BFSI, RBI's Cybersecurity Framework is mandatory. For IT companies dealing with US clients, SOC 2 Type II is often required. For healthcare, HIPAA may apply if handling US patient data.
Want a customised cybersecurity roadmap for your organisation? Our CISOs-as-a-Service offering helps Indian companies build security programmes.