
Govt isn’t just building a ‘digital India’, the goal is to build a digitally secure India

Many of India’s flagship digital programs are built with structured cybersecurity layers, says Atul Gupta, Partner, and Head – Digital Trust and Cyber, KPMG

Atul Gupta, Partner, Head – Digital Trust and Cyber, KPMG


27 Nov 2025 10:25 AM IST

In an era when every click, transaction and identity leaves a digital footprint, cybersecurity has moved from the server room to the boardroom. Over the past two decades, India has undergone one of the world’s most sweeping digital transformations, from the rise of internet banking and mobile telephony to nationwide platforms such as Aadhaar, UPI and GST. This shift has also brought a parallel change in how the country understands, organizes and responds to cyber risk.

The Chief Information Security Officer is no longer a technical custodian on the sidelines, but a strategic voice shaping enterprise and national resilience. In this conversation, our interviewee traces the arc of that evolution: from early IT security to today’s complex landscape of data governance, identity management, red teaming and cyber crisis readiness.

Speaking to Bizz Buzz, Atul Gupta, Partner, and Head – Digital Trust and Cyber, KPMG, delves at length into all these issues and reflects on the growing need for collaboration across companies, sectors and government to build a truly secure digital future.


How have you seen the cybersecurity landscape evolve in India over the years?

The evolution has been rapid, and there have been a few clear turning points. The first major shift began in the early 2000s, when private banks like ICICI and HDFC adopted internet banking. They ushered in a new era of technology-led operations. Soon after, telecom companies accelerated this shift. Airtel, for example, outsourced its IT operations to IBM, which was a bold move at the time and made technology central to its functioning.

However, security was poorly understood back then. Incidents happened frequently, but they weren’t called “cyber incidents”; they were simply IT problems. This was the period when organizations began to realize that IT security was something they could not overlook. That defined the first decade: 2000–2010, where the focus was on securing IT systems, largely within the confines of data centers and internal networks.

And what changed after 2010?

The second decade brought two significant developments: cloud computing and regulatory intervention.

Initially, organizations hesitated to adopt the cloud. The mindset was: If my data is in my data centre, I can control it. If it’s on the cloud, I lose control. So people were slow to move.

But the real shift came when the RBI issued its Master Directions and mandated that banks appoint CISOs. This was the first moment the country formally recognized cybersecurity as a leadership responsibility.

Yet, even then, security was viewed as part of IT, and CISOs commonly reported to CIOs. Over time, as mobile technology took off—remember the Blackberry era, followed by the arrival of the iPhone—organizations saw that cyber risk does not sit in data centres alone. It affects the business itself. Global firms began shifting CISOs into risk management functions, not IT. India started adopting this model too.

Meanwhile, regulation deepened. CERT-In strengthened its role, telecom networks were required to undergo security audits when 3G and 4G rolled out, and audits became a normal part of operations. So the 2010s were the decade in which regulators became deeply engaged and organizations began understanding cyber risk structurally.

And then came the pandemic…

Yes, and the pandemic was the biggest tipping point of all. Overnight, digital became the default mode of working, shopping, transacting and connecting. The traditional idea of security was based on perimeter protection—just like a bank has a strong room at its centre with multiple security layers around it.

Organizations applied the same structure to digital infrastructure: the data centre was the strong room, and everything was built around defending it. But when employees shifted to remote work, that perimeter evaporated. An employee inside the secure network one day was suddenly operating through the open internet the next.

The core systems remained protected, but the endpoints—individual devices—became exposed. And cyber attackers saw opportunity. Incident volumes surged. Every organization became a potential target, not just banks and telecoms. That changed cybersecurity from an IT concern into an enterprise-wide priority.

You mentioned information-sharing earlier. But isn’t there a risk that sharing incident details can help attackers learn how systems work?

In theory, yes, that’s why it is delicate. I didn’t mean that a lot of sharing is happening; rather, the intention to share has increased, though actual sharing remains limited. Companies are still cautious.

If you look at large incidents today, you’ll notice that organizations rarely release detailed threat intelligence to the public. Compare this to the US, where companies listed with the SEC must report incidents openly and explain what happened. Those disclosures provide valuable learning across industries.

In India, we are moving in that direction. Many regulators now require incidents to be reported within six hours. But sharing meaningful intelligence—root causes, indicators of compromise, response lessons—is still evolving.

Is the hesitation mainly due to reputational concerns?

That’s one part of it. Organizations want to finish their investigation before speaking publicly. Another factor is legal liability. No one wants to disclose prematurely. But the industry is learning that we cannot defend effectively without proactive practices. Red-teaming, for example, is now widely adopted. It simulates real-world attacks to expose vulnerabilities before attackers do.

Another emerging practice is threat hunting, which is looking for hidden attackers inside your environment even when you see no symptoms. It’s like doing a medical checkup when you feel healthy, to detect something that may cause trouble later.

We are also seeing growth in cyber crisis management planning. Just like airlines repeat safety instructions to help passengers act under stress, cyber crisis plans prepare leadership to make critical decisions under pressure. Should we notify employees? When do we inform regulators? When do we involve insurance? These are not technical decisions; they are business decisions.

Should organizations conduct periodic security analysis to detect weaknesses early?

Absolutely. Regular assessment is vital. India is increasingly adopting what the Western world calls the three lines of defence model.

First line: Operations — running and protecting systems daily.

Second line: Risk management — continuously evaluating threats and controls.

Third line: Audit — periodically reviewing and verifying everything independently.

For cybersecurity, this translates into: Cyber operations teams, Cyber risk teams and Cyber audit teams.

With such rising complexity, is it better for companies to outsource cybersecurity?

In many cases, yes. Cybersecurity requires highly specialized, constantly evolving skills. Maintaining those capabilities internally is expensive and challenging. Retaining skilled professionals is difficult too, because demand is high and skills become outdated quickly.

A specialized service provider, on the other hand, is structured to adapt. Their business depends on keeping up with threats and talent. That makes outsourcing a pragmatic model. However, organizations are not outsourcing decision-making. Governance, risk acceptance and final calls remain internal. Outsourcing is about execution, expertise and scale—not control.

So, while decision-making and governance remain with organizations, they are bringing in specialists to manage cybersecurity operations. Would it be correct to say this is fundamentally part of risk management?

Yes, this sits squarely within risk management. One of the most critical areas here is access control. Many breaches occur because identities are not managed well. Until now, identity management largely focused on humans. But we are rapidly moving into a world where machine identities are just as important, especially with agentic AI systems beginning to perform tasks and make decisions.

Even human identity management is already complex. Organizations not only manage employee identities, but also identities of vendors, third-party service partners, and even customers if they operate digital consumer platforms. Now add machine identities into that mix, and the complexity multiplies.

Most cyber incidents trace back to identity issues: someone had access they shouldn’t have, or an identity was compromised, or privileged credentials were not controlled tightly enough. So identity management is not just a technical task anymore. It has become a specialized domain in its own right.

So far, we have discussed enterprise-level cyber threats. Can the same security model be replicated at the government level as well?

It already is. If you look closely, the government has been adopting very similar models, though the stakes are far higher at the national scale. When you operate at the level of states or the country, the potential impact of a breach is enormous, so the responsibility becomes even more critical.

Many of India’s flagship digital programs are built with structured cybersecurity layers. Take Aadhaar, our national identity platform. The health data platform. NPCI, which runs the digital payment infrastructure. GST systems, which hold the tax backbone of the economy. Each of these is a massive digital ecosystem with millions of users and constant transactions. All of them follow structured cybersecurity governance.

A significant shift that has taken place is the appointment of designated CISOs within government departments and digital program bodies. This was not the case earlier. Now, there is clear accountability and leadership for cybersecurity within these institutions.

Additionally, national-level agencies such as CERT-In, NCCC, NCI, and NIC work closely with ministries and program bodies to ensure proper controls, monitoring and incident response frameworks are in place. The government isn’t just building a “digital India”; the goal is to build a digitally secure India. That is the underlying mission today.
