Cyber attacks in India have surged in the last few years. And recent high-profile cyber incidents to the country’s healthcare systems show that there’s no slowdown in sight. In fact, the threat landscape is becoming far more sophisticated, according to experts.

“Hacker motivations have changed drastically during the last decade,” said Kyndryl's Saket Verma, Cybersecurity Practice Leader in India. “What began with data thefts and service disruption is now leaning toward more sophisticated financial fraud, extortion, corporate espionage, state-sponsored strategic attacks and hacktivism. Keeping up with hackers is almost like running on a hamster wheel — and we want to stay a step ahead of them.”

As a result, experts say companies should develop an integrated cyber resilience approach that factors in protection and recovery. Additionally, they say that to create a more secure cyber world, it’s important for public-private partnerships to continue to build momentum. Case in point: Kyndryl partnered with India’s Ministry of Electronics and Information Technology in January to launch Cyber Rakshak, a training initiative to equip women in rural and remote areas with new cybersecurity skills.

Here, Verma discusses the state of cybersecurity in India, the power of public-private taskforces and how Kyndryl can help businesses along the way.

Where does India stand in terms of cybersecurity awareness and preparedness?
Frankly, India has its task cut out in the coming years, both in terms of national critical infrastructure and private enterprises. With every passing year, we will be dealing with exponential surges in cyber attacks and data breaches that could act as economic headwinds. So, we need to elevate our game plan — and swiftly at that.

What steps has India’s government taken to create a more cyber-secure environment?
The Indian government is deeply focused on addressing cybersecurity challenges through multiple dimensions, from establishing regulation through the Digital Personal Data Protection Bill 2022 to aligning ‘Make in India’ initiatives with cybersecurity requirements. There is a focus on critical national infrastructure across key industries and the public sector, such as banks, telecom operators, stock exchanges, power grids, railways and defense. The government is also forging strong partnerships within its own internal agencies as well as with the private sector to foster greater collaboration, skilling, technology adoption and joint innovation.

However, for such a large and diverse country that is experiencing brisk economic growth, these efforts need to be continuous, consistent and well-coordinated in the long run.

How has the security landscape evolved?
Cybersecurity follows a unique trajectory that is part revolutionary and part evolutionary: While the ‘outside-in’ innovation has been revolutionary, most of the ‘inside-out’ innovation has been evolutionary. We have come a long way from the era of anti-virus and firewalls to Cloud Access Security Brokers (CASB) and behavioral analytics. We have moved from protection and alerts, to identification, detection and risk management. Similarly, Identity & Access Management (IDAM) has evolved with time. Further, there is a lot of work going on in the area of threat management and response, which is revolutionary. All these shifts ultimately encourage companies to adopt state-of-the-art security and resiliency solutions, and rightly so.

How can more enterprises keep themselves safe?
If I could suggest a ‘cybersecurity charter’ for enterprises to stay safe and resilient, it would be to:

1. Explore technology integrations to achieve targeted use cases for the threat landscape relevant to their industry verticals.
2. Focus on curated threat intelligence for better contextualization to their environment.
3. Replace the product mindset of driving security controls with an outcome-oriented mindset.
4. Use risk-based vulnerability management, rather than grappling with unnecessary vulnerabilities that lack exploitability for their environment.
5. Execute regular attack simulation exercises for a bird’s-eye view of the organization’s risk posture, as well as have a robust business recovery and continuity plan in place.

There is a shortage of cybersecurity skills and talent in the workforce, coupled with high burnout rates. How are you helping your team navigate this?
Here’s what I have learned from leading a great team of cybersecurity professionals at Kyndryl: We need to be authentic, sensitive, and empathetic toward our people and their aspirations. Transparent and regular communication, shared understanding of team goals, workload planning and management, focus on delivering positive impact, a sense of camaraderie, a feel for collective wins and losses, and having fun — these are all steps in the right direction when you are building and sustaining a high-performance team.

There aren’t many cybersecurity experts out there. What’s the secret to finding and hiring them?
There is no shortcut to finding great talent. It takes time and effort to make lateral hires and have an early professional hire program in place like Kyndryl has. Employee referrals are equally game-changing. Previous cybersecurity experience is not always mandatory, but prior exposure to infrastructure and security helps. Learnability, imagination, and the ability to integrate and apply relevant tech solutions are also valuable.