Gladwin International · Research & Insights

India's Cybersecurity Leadership Crisis: The CISO's Mandate in a Nation Under Digital Siege

CERT-In, DPDP Act and RBI cyber directives are reshaping what Indian enterprises demand from their top security leaders.

Gladwin International & Company, Research & Insights Division
10 March 2025 · 13 min read

India is experiencing a cybersecurity crisis that is simultaneously a technology crisis, a regulatory crisis and a leadership crisis. In 2024, the Indian Computer Emergency Response Team (CERT-In) reported over 1.39 million cybersecurity incidents, a figure that almost certainly understates the true scale, given that reporting compliance among mid-market enterprises remains inconsistent. Ransomware attacks on Indian healthcare providers, data breaches at major banks, and state-sponsored intrusions into critical infrastructure have collectively made cybersecurity a board-level agenda item in a way it has never been before. And yet, at the very moment when India needs its strongest-ever cadre of Chief Information Security Officers, the country faces a structural shortage of qualified leaders capable of stepping into the role.

The gap between the scale of the threat and the depth of the talent pool is the defining challenge for Indian enterprise security in 2025. Understanding why that gap exists — and what it will take to close it — requires examining the regulatory environment that is reshaping the CISO mandate, the organisational maturity that most Indian enterprises have yet to achieve, and the specific leadership profile that the modern Indian CISO must embody.

The Regulatory Architecture Is Transforming the Role

Three regulatory frameworks have fundamentally altered what an Indian CISO must know, do and be accountable for. The first is the CERT-In directions of April 2022, which require service providers, intermediaries, data centres, body corporates and government organisations to report specified categories of cybersecurity incidents to CERT-In within six hours of noticing them, one of the most stringent reporting timelines in the world. The same directions require organisations to retain ICT system logs for 180 days within India and to synchronise system clocks to the NTP servers of NIC or NPL, so that incident timelines can be reconstructed and reported consistently. This mandate transformed the CISO from a background technical function into a frontline compliance officer, with personal accountability for ensuring that incident detection, internal escalation and regulatory reporting pipelines are functional and fast.

The second is the Digital Personal Data Protection Act (DPDP Act), enacted in August 2023 and progressively operationalised through 2024 and 2025. The DPDP Act creates a comprehensive framework for the collection, processing and protection of digital personal data processed in India (and of processing outside India connected to offering goods or services to individuals in India), with penalties of up to ₹250 crore per instance for failing to take reasonable security safeguards to prevent a personal data breach. Breaches must be notified to the Data Protection Board and to the affected data principals. For the CISO, this means that data classification, data minimisation, purpose limitation and breach notification protocols are no longer advisory best practices; they are legally mandated operational requirements. The DPDP Act has also elevated the role of the Data Protection Officer (DPO), which Significant Data Fiduciaries must appoint, a function that in many organisations is either combined with the CISO role or sits in close reporting proximity to it.

The third is the Reserve Bank of India's cybersecurity framework for regulated entities, most recently updated through the RBI's Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (issued in November 2023, in force from April 2024). Banks, Non-Banking Financial Companies (NBFCs), payment aggregators and other RBI-regulated entities are now required to maintain Security Operations Centres (SOCs), conduct annual cyber risk assessments, implement specific controls around internet-facing applications, and submit detailed cybersecurity reports to RBI's supervisory teams. The Securities and Exchange Board of India (SEBI) has issued parallel directives through its Cybersecurity and Cyber Resilience Framework (CSCRF) of August 2024, mandating market intermediaries such as stock brokers, depositories and asset management companies to implement specific technical controls and conduct regular third-party audits.

"The CISO role in India has gone from a technical position that reported to the CTO to a regulatory compliance function that reports to the board. That transition has happened in about thirty-six months. Most organisations have not found leaders who can operate effectively in both worlds." — CISO of a leading private sector bank, speaking at a Gladwin International roundtable, January 2025.

The Attack Surface Has Exploded

India's digital transformation has been extraordinarily rapid and extraordinarily broad. The Unified Payments Interface (UPI) now processes over 15 billion transactions per month, a real-time payment infrastructure that is a high-value target for cybercriminals. The Aadhaar identity infrastructure has enrolled over 1.37 billion individuals, creating a centralised database of biometric and demographic data that requires world-class security governance. The Government e-Marketplace (GeM) and the Ayushman Bharat Digital Mission (ABDM, formerly the National Digital Health Mission) are extending digital infrastructure into domains, public procurement and healthcare, that have traditionally been paper-based and thus largely outside the cyber threat landscape.

At the enterprise level, the adoption of cloud computing, the proliferation of remote and hybrid work, the integration of Internet of Things (IoT) devices in manufacturing and logistics, and the accelerating deployment of artificial intelligence in customer-facing applications have collectively expanded the attack surface of every major Indian organisation many times over. The average Indian enterprise now operates across multiple cloud environments, interacts with hundreds of third-party vendors through API integrations, and has employees accessing corporate systems from personal devices on home networks.

The threat actors have noticed. IBM's Cost of a Data Breach Report 2024 puts the average cost of a breach in India at ₹19.5 crore (roughly $2.35 million) per incident, an all-time high and a 39% increase since 2020. The pharmaceutical, financial services, technology and healthcare sectors account for the majority of high-severity incidents, but no sector is immune.

The Leadership Vacuum

Against this backdrop, India's CISO talent market is under severe strain. Industry estimates from NASSCOM and the Data Security Council of India (DSCI) suggest that India has a shortfall of approximately 790,000 cybersecurity professionals. While this figure encompasses all levels of the security workforce, the shortage is most acute at the senior leadership level.

The reasons are structural. The CISO role requires a rare combination of deep technical expertise, business acumen, regulatory literacy and executive communication skills. Technical professionals who have spent their careers in security operations, penetration testing or network architecture often lack the business and governance vocabulary to operate effectively with boards and regulators. Business leaders who have developed strong governance skills may lack the hands-on technical depth to make credible decisions about security architecture, vendor selection and incident response.

In practice, many Indian enterprises have tried to bridge this gap by appointing IT managers or IT Directors into CISO roles without providing the authority, resources or organisational positioning to make those roles effective. A CISO who reports to the CTO rather than the CEO or directly to the board faces structural barriers to independence: the same CTO who is held accountable for delivery timelines and system availability may be reluctant to accept a CISO's recommendation to delay a product launch for security hardening, and the CISO has no route to escalate past that decision.

Gladwin International's analysis of CISO placements across 60 Indian enterprises between 2022 and 2024 reveals a troubling pattern: approximately 42% of CISOs placed in Indian organisations with revenues above ₹500 crore reported to the CTO rather than the CEO or board, compared to a global benchmark of 28%. This structural subordination of security to technology limits the CISO's ability to exercise independent judgment and creates conflicts of interest that regulators are beginning to notice.

What Indian Boards Actually Need From Their CISOs

The most effective Indian CISOs in 2025 are operating at the intersection of three domains that rarely coexist in a single leader. The first is technical command: the ability to understand, at a meaningful level of depth, the threats facing the organisation, the controls that exist to address them, the gaps that remain, and the technical investment required to close those gaps. This does not mean that the CISO must personally write exploit code or configure a firewall, but they must be able to hold their security architects, SOC analysts and penetration testers to account, and to recognise when a control on paper is not a control in practice.

The second is regulatory and legal fluency: a working knowledge of CERT-In obligations, DPDP Act requirements, RBI and SEBI cybersecurity frameworks, and the sectoral regulations applicable to the organisation's industry. In regulated sectors like banking, insurance, telecom and healthcare, this regulatory knowledge is not optional — it directly determines whether the organisation can avoid enforcement action and maintain its operating licence.

The third is board-level communication: the ability to translate complex technical risk into business language that non-technical directors can understand, assess and act on. The best Indian CISOs can present a cybersecurity posture review to a board audit committee in thirty minutes, clearly articulating the organisation's top five residual risks, the investment required to address them, and the potential business impact if they are not addressed. This skill, which is as much about strategic narrative as technical accuracy, is among the rarest in the Indian security leadership market.

The organisational positioning question is equally important. Indian enterprises that are serious about security leadership are increasingly moving to a model where the CISO reports directly to the CEO or to the board's Risk Committee, with a dotted-line to the CFO for budget purposes. HDFC Bank, ICICI Bank, Infosys, TCS and a growing number of mid-market technology companies have adopted this structure. Enterprises that continue to subordinate the CISO to the CTO are, in the view of both regulators and institutional investors, not yet serious about security governance.

The Talent Market in 2025

Gladwin International's compensation benchmarking for Indian CISO roles in FY2025 shows total compensation (base salary plus variable plus long-term incentives) ranging from ₹1.2 crore to ₹4 crore per year depending on organisation size, sector and reporting structure. Banking and financial services consistently offer the highest compensation, driven by regulatory intensity and the direct financial consequences of a major security breach. Technology companies, particularly those with global customer bases and US or European data privacy obligations, are the second highest-paying segment.

The time-to-fill for CISO searches in India averaged 84 days in 2024 — the longest of any C-suite function Gladwin International tracks. This extended timeline reflects both the shortage of qualified candidates and the complexity of the assessment process: organisations hiring a CISO must evaluate technical depth, regulatory knowledge, executive maturity and cultural fit simultaneously, often using assessment frameworks that are borrowed from CTO searches and are not calibrated for the unique demands of the security leadership role.

India's cybersecurity moment has arrived. Whether Indian enterprises rise to meet it will depend, more than any other single factor, on the quality of the leaders they recruit to stand watch.

Key Takeaways

1. CERT-In's six-hour incident reporting mandate, the DPDP Act and RBI/SEBI cyber frameworks have transformed the CISO from a technical role into a board-level compliance and risk function.
2. India faces a shortfall of approximately 790,000 cybersecurity professionals, with the shortage most critical at senior leadership levels where technical, regulatory and business skills must coexist.
3. 42% of CISOs in large Indian enterprises still report to the CTO rather than the CEO or board, a structural weakness that limits security independence and attracts regulatory scrutiny.
4. The ideal Indian CISO in 2025 combines technical command, regulatory fluency across CERT-In/DPDP/RBI/SEBI frameworks, and the executive communication skills to present risk in board-level language.
5. CISO searches in India average 84 days to fill, the longest of any C-suite function, reflecting the genuine scarcity of leaders who can operate effectively across all three required domains.
Tags: CISO, CERT-In, DPDP Act, Cybersecurity Leadership, India Regulation, RBI Cyber, Executive Search

About This Research

This analysis is produced by the Gladwin International Research & Insights Division, drawing on our proprietary executive talent database, over 14 years of senior placement experience, and ongoing conversations with C-suite executives, board members, and investors across India's major industries.

Gladwin International Leadership Advisors is India's premier executive search and leadership advisory firm, with deep expertise across 20 industries and 16 functional specialisations. We have placed 500+ senior executives in mandates ranging from CEO and board director to functional heads at India's leading corporations, PE-backed businesses, and Global Capability Centres.
