India’s Cybersecurity Evolution: Exposure Risk, Healthcare Gaps, and Multi-Cloud IAM Challenges Take Center Stage

Published
Written by: Vishwa Pandagle, Cybersecurity Staff Editor

Quick Takeaways

  • Gupta says mid-size firms risk most when GenAI outpaces security investment
  • Cyber threats in Indian healthcare are four times the global average
  • Tenable urges prioritization based on business impact, not just age or severity score
  • Gupta advocates for fixing IAM blind spots by unifying cloud view and scanning earlier in development
  • Exposure management helps translate DPDP compliance into proactive breach prevention

This interview with Rajnish Gupta, Managing Director & Country Manager for Tenable India, explores how enterprises are transitioning from reactive cyber practices to risk-aligned defense strategies. 

Gupta details sector-specific trends from cloud IAM blind spots to exposure overload in defense and BFSI, and explains how exposure management can unify India’s digital security posture.

A veteran of India’s cybersecurity landscape, Gupta brings insight from decades of leadership roles across Palo Alto Networks, Microsoft, RSA Security, Symantec, and Wipro. 

His experience at the intersection of enterprise risk, regulation, and security modernization offers a rare lens into challenges like cloud misconfigurations, GenAI-driven complexity, and DPDP enforcement.

He makes a strong case for metrics-based cyber programs, board-level engagement, and shifting security left through early-stage scanning—all essential pillars for India’s cyber resilience.

Vishwa: How are Indian enterprises evolving from surface-level cyber awareness to measurable, risk-driven action? Based on what you're seeing, which specific types of organizations (large enterprises, SMBs, or critical sector operators) are making tangible shifts in how they approach exposure management? Could you share your observations or examples to help illustrate your response?

Rajnish: Many organizations still employ outdated, reactive cybersecurity strategies that fail to address today's evolving risk landscape. While comprehensive visibility across diverse assets from employee devices to cloud workloads and IoT sensors is crucial, it's insufficient on its own. 

Organizations require clarity, context, and, most importantly, actionable metrics to prioritize which vulnerabilities, misconfigurations, and excessive permissions pose the greatest immediate business risk.

Traditional vulnerability management is often a reactive "whack-a-mole" exercise, where teams frantically patch issues as they emerge or are discovered. This approach is inefficient, consuming valuable time and resources while leaving significant exposures unaddressed.

Adopting a metrics-driven approach shifts this paradigm, enabling proactive prioritization. For example, a zero-day vulnerability in a development environment might be low impact and isolated, but a six-month-old misconfiguration in a production cloud application represents a far more critical exposure. 

Risk-based metrics allow organizations to triage and address threats based on their actual business risk, characteristic of more mature security operations.

Vishwa: Tenable’s Cloud Risk Report highlights critical gaps like misconfigured access, leaked secrets, and overly permissive policies. From your vantage point, what real-world consequences are these gaps triggering? Are we talking about financial losses, reputation damage, regulatory heat, or something more long-term and systemic?

Rajnish: The critical cloud security gaps highlighted in Tenable’s report are not theoretical risks but active threats causing a cascade of damage.

Financially, organisations face staggering costs from incident response, operational downtime, and hefty regulatory fines. This is compounded by severe and often lasting reputational damage that destroys customer trust and market standing. 

A single cloud breach can lead to significant customer churn and cripple a company's brand. Beyond the immediate costs, the impacts are systemic and long-term. The theft of intellectual property from leaked secrets can erase a company's competitive advantage. 

Ultimately, these vulnerabilities and misconfigurations represent not just technical failings but fundamental business risks that threaten an organisation's resilience, profitability, and very viability in the digital economy.

Vishwa: Tenable has long advocated for moving away from vulnerability counting toward exposure-based risk reduction. Is this framing resonating beyond CISOs with regulators, investors, or even government agencies? What are the practical benefits of this shift for Indian organizations?

Rajnish: Traditional vulnerability management typically involves scanning assets for known vulnerabilities and remediating them based on severity scores. However, true security risk management requires a broader view that includes misconfigurations, attack surface visibility, and real-time threat intelligence. 

With exposure management, the vulnerability management team would be able to pinpoint the subset of assets affected by vulnerabilities. That’s because exposure management platforms help identify vulnerabilities and the context behind them. For example, if a vulnerability is externally accessible, possesses domain-level privileges, and is part of a critical attack path, exposure management identifies it as a priority vulnerability.

That way, organizations would know where the greatest risk is and what they need to remediate first. Having this deep insight, context, and visibility transforms the risk assessment equation and allows vulnerability management teams to move decisively, quickly, and strategically.

Regulators are seeing the need to move beyond reactive to preventive cybersecurity. For instance, in August 2024, the Securities Exchange Board of India (SEBI) issued fresh cybersecurity regulations that advocate for preventive security. 

The Reserve Bank, too, has repeatedly reiterated the importance of anticipating cyber threats well in advance. We are seeing more and more CISOs view exposure management as a continuous discipline for achieving cyber resilience.
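The prioritization logic Gupta describes in the two answers above (a critical zero-day in an isolated dev box ranking below an old, externally reachable misconfiguration in production, and reachability, privilege and attack-path membership deciding priority) can be made concrete in code. The example below is added here and is not Tenable's scoring formula or anything from the interview; the weights, field names and the three sample findings are constructed assumptions chosen to show how an exposure-aware queue reorders a severity-only one.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One vulnerability or misconfiguration with the context an exposure platform attaches to it."""
    finding_id: str
    asset: str
    cvss: float               # severity score alone (what a legacy vulnerability queue sorts by)
    age_days: int             # how long the exposure has been open
    environment: str          # "prod" or "dev"
    externally_accessible: bool
    privilege: str            # "domain", "admin", "user" or "none"
    on_critical_path: bool    # part of a known attack path to a business-critical asset
    asset_criticality: int    # 1 (low) .. 5 (business-critical)


# Weights below are illustrative assumptions, not a vendor's scoring formula.
PRIVILEGE_WEIGHT = {"domain": 1.5, "admin": 1.3, "user": 1.0, "none": 0.8}
ENVIRONMENT_WEIGHT = {"prod": 1.0, "dev": 0.5}


def exposure_score(f: Finding) -> float:
    """Severity is only the starting point; reachability, privilege, attack-path
    membership, environment, asset value and age decide the final priority."""
    score = f.cvss
    if f.externally_accessible:
        score *= 1.5
    score *= PRIVILEGE_WEIGHT.get(f.privilege, 1.0)
    if f.on_critical_path:
        score *= 1.4
    score *= ENVIRONMENT_WEIGHT.get(f.environment, 0.8)
    score *= 0.5 + f.asset_criticality / 5          # 0.7 .. 1.5
    score *= 1 + min(f.age_days, 180) / 180 * 0.25  # an old exposure has had a longer window
    return round(score, 2)


def legacy_order(findings: List[Finding]) -> List[str]:
    """What a severity-only queue looks like: highest CVSS first."""
    return [f.finding_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def exposure_order(findings: List[Finding]) -> List[str]:
    """What an exposure-aware queue looks like: highest contextual score first."""
    return [f.finding_id for f in sorted(findings, key=exposure_score, reverse=True)]


# Constructed sample findings mirroring the interview's two cases, plus a middling internal one.
SAMPLE_FINDINGS = [
    Finding("zero-day-dev", "build-agent-07", 9.8, 0, "dev", False, "user", False, 2),
    Finding("misconfig-prod", "customer-api-gw", 5.3, 180, "prod", True, "admin", True, 5),
    Finding("unpatched-internal", "reporting-db", 7.5, 30, "prod", False, "user", False, 3),
]


if __name__ == "__main__":
    print("severity-only order :", legacy_order(SAMPLE_FINDINGS))
    print("exposure-based order:", exposure_order(SAMPLE_FINDINGS))
    for f in SAMPLE_FINDINGS:
        print(f"{f.finding_id:20s} cvss={f.cvss:4.1f} exposure={exposure_score(f):6.2f}")
```

With these inputs the severity-only queue puts the dev-environment zero-day first and the production misconfiguration last, while the exposure-based queue inverts that order; the multiplicative weights are the part a team would tune against its own asset inventory and attack-path data.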

Vishwa: Tenable’s Cloud Risk Report 2025 reveals that organizations store passwords directly in the cloud. As Indian enterprises scale across AWS, Azure, and GCP, where do you see the biggest blind spots in visibility, control, and response? What’s improving, what is not, and how can organizations build a more proactive cloud defense?

Rajnish: For Indian enterprises rapidly scaling across AWS, Azure, and GCP, the risk of exposed secrets highlighted in Tenable's 2025 report points to deeper, systemic blind spots. The primary challenge is a fragmented view across multi-cloud environments, making a unified risk assessment nearly impossible. 

This is compounded by inconsistent Identity and Access Management (IAM), where a massive, unseen attack surface of over-privileged accounts persists. Consequently, siloed security teams and tools lead to dangerously slow and uncoordinated incident response times.

While basic security awareness and tool adoption are improving, the cultural shift to a true DevSecOps model is lagging. The complexity of managing thousands of permissions at speed continues to outpace manual controls and existing skills.

Building a proactive defense requires a strategic pivot. It must begin with unifying visibility through a comprehensive platform, like a CNAPP, to see all risks in one place. From there, organisations must enforce the principle of least privilege to prevent threats, not just detect them. 

The most critical step is embedding automated security scanning directly into the development pipeline. This "shift left" approach, supported by a culture where security is a shared responsibility, is the key to creating true resilience.
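The least-privilege and "shift left" points above can be turned into a concrete pipeline check. The example below is added here and is not Tenable's or the interviewee's code: a small linter that a CI step runs over an AWS-style IAM policy document before it is deployed, flagging wildcard actions, wildcard resources and NotAction grants. The two policy documents are constructed samples (bucket, account id and role names are placeholders) and the rule set is a deliberately small illustrative subset of what a full CNAPP or policy analyzer would check.

```python
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM fields such as Action and Resource may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: Dict[str, Any]) -> List[str]:
    """Return human-readable least-privilege violations for the Allow statements of a policy."""
    issues: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only tighten access
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = "Condition" in stmt
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resource = "*" in resources

        if "NotAction" in stmt:
            issues.append(f"{sid}: NotAction allows everything except the listed actions; enumerate Action instead")
        if wildcard_actions and wildcard_resource and not conditioned:
            issues.append(f"{sid}: {wildcard_actions} on Resource '*' without a Condition grants full service access")
        elif wildcard_actions:
            issues.append(f"{sid}: wildcard action(s) {wildcard_actions}; list only the actions the workload needs")
        elif wildcard_resource and not conditioned:
            issues.append(f"{sid}: Resource '*' without a Condition; scope to specific ARNs")
    return issues


def lint_policy_json(policy_json: str) -> List[str]:
    """Same check over the serialized document a pipeline would read from the repo."""
    return lint_policy(json.loads(policy_json))


def ci_gate(policy_json: str) -> bool:
    """Pipeline check: True means the policy may be deployed, False blocks the change."""
    return not lint_policy_json(policy_json)


# Constructed 'before' policy: the over-permissive shape the interview warns about.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BroadS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "PassAnyRole", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
})

# Constructed 'after' policy: same workload, scoped to the actions and ARNs it actually uses.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppBucketRW", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Sid": "PassAppRoleOnly", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-role"},
    ],
})


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: deployable={ci_gate(doc)}")
        for issue in lint_policy_json(doc):
            print("  -", issue)
```

Wiring `ci_gate` into a pull-request check is what moves the over-privilege finding from a post-deployment cloud scan to the point where the developer can still change the policy cheaply; the second statement of the weak policy (an unscoped `iam:PassRole`) is the kind of grant that rarely looks severe in isolation but enables privilege escalation when chained.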

Vishwa: As the DPDP Act reshapes India’s data protection landscape, what does true cyber readiness look like beyond compliance? How can organizations align their security posture with the spirit of the law, not just its checkboxes? Among measures like mapping sensitive data flows, limiting over-permissive access, automating responses to high-impact threats, and running red-blue team simulations, which do you see as most critical today, and which are Indian companies still struggling to adopt effectively?

Rajnish: True cyber readiness begins with acknowledging that protected personal data is sprawling across on-premises, cloud, and hybrid environments, often managed by disparate security tools. Exposure management cuts through this complexity by consolidating data to eliminate blind spots and fragmented insights. 

This holistic perspective empowers security teams to move beyond isolated vulnerability scanning to truly understand how different exposures interrelate and contribute to the overall risk of a data breach under the Act.

Exposure management's key strategic benefit lies in connecting the dots between solution silos, revealing the attack paths that lead to sensitive data. Instead of merely listing vulnerabilities, exposure management provides contextualized risk insights, helping Indian enterprises prioritize the exposures that pose the greatest threat to data protected by the DPDP Act. 

This focus on business-aligned risk mitigation ensures security efforts are strategically aligned with preventing costly breaches and penalties.

Furthermore, this approach moves organisations from a reactive to a proactive stance. By offering continuous visibility and actionable intelligence, it enables security teams to anticipate and neutralize potential attack vectors before a data breach occurs. 

In an era defined by the DPDP Act, the ability to rapidly identify, prioritize, and remediate the most critical exposures is the hallmark of true cyber readiness, safeguarding both customer data and the organisation itself.

Vishwa: From your observations, how do cybersecurity budgets differ across large enterprises, mid-size businesses, and critical infrastructure players in India? Is there a recurring mismatch between how these organizations invest in tech upgrades versus how they secure them? What could help bridge that disconnect? Would it be dedicated cyber resilience planning, executive awareness, or something else?

Rajnish: Cybersecurity budgets are rising, particularly in the BFSI and IT sectors. However, a critical gap persists between rapid technology adoption, like GenAI, and the investment required to secure it. 

This gap is most pronounced in mid-sized businesses, which often view security as a cost rather than a strategic investment, and in critical infrastructure, where digitalization frequently outpaces security measures.

Exposure management provides a strategic solution to bridge this gap. By offering a unified view across all assets from IT and cloud to OT, it moves organizations beyond simply listing vulnerabilities and misconfigurations. Instead, it enables them to proactively identify and prioritize threats that pose the greatest actual risk to business operations. 

This approach ensures new technologies are secured from the start and empowers leadership with clear, contextualized risk insights, leading to better-informed decisions and a more resilient security posture.

Vishwa: Which sectors in India are facing the highest cyber risk exposure right now — BFSI, healthcare, or defense contractors? Should they focus more on network isolation, privileged access auditing, and embedding secure-by-design principles in DevSecOps? Who are the likely actors behind these operations, particularly in terms of state alignment or political motivation?

Rajnish: In India, sectors facing the highest cyber risk exposure include BFSI, healthcare, and defense. BFSI accounted for one in five cyber incidents in 2024, while healthcare experiences nearly four times the global average of weekly cyberattacks, primarily due to sensitive patient data and legacy systems. 

The defense sector is a significant target for nation-state actors, with government entities facing 42% of nation-state attacks in 2025 due to geopolitical tensions.

While traditional measures like air gapping and network isolation were effective in the past within critical infrastructure, the convergence of IT, OT, and IoT makes these approaches increasingly challenging. Preventing lateral movement and protecting identities now requires proactive security solutions like exposure management. This approach unifies visibility into the attack surface, identifying high-risk vulnerabilities and prioritizing their remediation. 

Specifically, for BFSI, it secures financial systems against third-party breaches; in healthcare, it protects legacy devices; and for defense contractors, it helps them preempt nation-state threats.

Exposure management enhances cybersecurity by streamlining network segmentation through risk mapping, improving privileged access auditing by detecting misconfigurations, and embedding security into DevSecOps processes by identifying flaws early. 

It also tackles third-party vulnerabilities and ensures compliance with regulations such as the DPDP Act, thereby reducing the overall attack surface. This is particularly crucial as 55% of executives express concern about cloud threats, yet 50% feel unprepared, underscoring the need for proactive measures.

The likely perpetrators in breaches against critical infrastructure are often state-aligned groups, particularly those targeting defense contractors for espionage. Conversely, cybercriminals focusing on BFSI and healthcare are typically motivated by financial gain.

Vishwa: Do you believe targeted campaigns like APT36’s recent operation against Indian defense organizations reflect a sharper, more aggressive wave of cyber-espionage? Would you characterize their core goals as surveillance, disruption, long-term infiltration, or all three? What patterns or signals suggest a sustained intent behind such campaigns? And how should India’s defense-linked organizations, including contractors, sub-vendors, and digital ecosystem partners, adapt their posture?

Rajnish: APT36’s recent operations against Indian defense organisations reflect a persistent evolution of cyber-espionage rather than a sharper, more aggressive wave. Their core goals remain focused on surveillance and establishing long-term infiltration to exfiltrate sensitive data, with disruption being a secondary effect, not a primary objective. 

This sustained intent is evident in their consistent refinement of custom malware like CrimsonRAT and their continuous use of lures tailored to the Indian defense landscape. The persistent, year-over-year targeting of the same sector clearly indicates a state-sponsored mandate for intelligence gathering.

In response, India’s entire defense ecosystem, including its vast supply chain of contractors and partners, must adapt its posture beyond simple compliance. This demands a shift to an "assumed breach" mentality. Such a strategy involves mandating stringent security across the entire supply chain and implementing advanced threat detection to spot APT36's tools. 

Crucially, it means bolstering the human firewall with continuous training and adopting proactive exposure management to identify and remediate potential attack paths before they can be exploited. This creates a more unified and resilient defense against determined adversaries.

Vishwa: With rising cyber risks across defense and critical infrastructure, how should national security exposures, such as the Op Sindoor incident, where real-time intelligence was reportedly relayed between adversaries, influence how India’s private sector approaches resilience? What can security teams and SecOps professionals learn from such high-stakes breaches, where timing, access, and cross-border coordination are critical? In your view, what’s the most effective way to align enterprise security operations more closely with national cyber defense priorities?

Rajnish: The key lesson for security teams is that adversaries operate with a speed and cross-border coordination that legacy, siloed security operations cannot match. The real-time nature of these threats means that detection and response must also happen in real-time, making minutes, not days, the critical metric for success.

The most effective way to align enterprise security with national priorities is to move beyond mere compliance and actively integrate with the national defense posture. This involves consuming and contributing to threat intelligence feeds from national bodies like CERT-In and the NCIIPC. 

It means prioritising the defense of systems and data that are critical not just to the enterprise's bottom line, but to India's economic and security interests. Adopting a proactive exposure management mindset, which provides a unified view of risk across the entire digital estate, allows companies to see themselves as an adversary would, enabling them to protect what truly matters.

Vishwa: In advanced markets, board-level conversations around cyber risk are increasingly mature, grounded in exposure metrics, and closely tied to business continuity. How are these dynamics evolving in India, particularly in CISO–board communications? Are topics like multi-cloud exposure, regulatory scrutiny, and ransomware impact receiving the strategic attention they warrant? What shifts would you recommend to deepen board-CISO engagement and strengthen how Indian enterprises approach cybersecurity at the leadership level?

Rajnish: In India, CISO-board conversations on cyber risk are moving from a technical, compliance-driven dialogue to one focused on business impact. This evolution is largely catalyzed by increased regulatory scrutiny from the DPDP Act and the tangible threat of ransomware. 

While topics like regulatory fines and ransomware downtime are receiving significant board-level attention, the strategic complexities of multi-cloud exposure are often not fully appreciated. 

The conversation tends to focus on the consequences of a breach rather than the preventative, unified view needed to manage a sprawling digital attack surface.

To deepen this engagement, CISOs must transition from being technical experts to business strategists. They should frame cybersecurity not as a cost but as a critical enabler of digital transformation and business resilience. 

The most effective shift involves presenting risk in quantifiable terms, using metrics from exposure management platforms to show how specific vulnerabilities translate into potential revenue loss or operational disruption.

Furthermore, conducting board-level tabletop exercises based on realistic threat scenarios can make the risks tangible and drive home the necessity of proactive, unified security investments, aligning leadership with the realities of the modern threat landscape.
