This year has seen a staggering increase in cyberattacks compared to last year, marking a troubling trend for India, which is experiencing some of its most severe cyber threats in recent times. The accessibility of technology has made things easier for adversaries and defenders alike. However, while defenders must succeed every time to secure their systems, attackers need only one successful attempt among many to breach defenses. This imbalance underscores the ongoing challenge of cybersecurity. To navigate this landscape, organizations must adopt strategic approaches, said Sanket Sarkar, Founder of Zeron, in a conversation with Tech Achieve Media.
Prioritizing cybersecurity risks is key—a strategy akin to the Pareto principle, where focusing on the critical 20% can mitigate 80% of the risks. Many Indian organizations are increasingly adopting this approach, focusing efforts on critical vulnerabilities while ensuring comprehensive defense measures across all fronts. The challenge lies in determining how to effectively prioritize these risks based on their potential impact and likelihood of occurrence.
TAM: So, what are some of the trends that are shaping the cybersecurity market right now? How are organizations adapting to these changes?
Sanket Sarkar: Cybersecurity is like an ocean, with numerous segments within it. The number of segments in the cybersecurity industry is vast. For example, in the FinTech space, you have lending, credit systems, and a few other models. In cybersecurity, there are numerous segments such as identity access management, privileged access management, firewalls, data loss prevention (DLP), web application firewalls (WAF), data classification, and data privacy. It’s practically impossible for an organization to cover everything. Specifically in India, cybersecurity is often seen as an overview rather than a business driver.
How do organizations adapt? Many are struggling, but the key is to keep the basics right. A favorite quote I heard somewhere is, “In pursuit of excellence, people often forget objectivity.” In cybersecurity, being objective is crucial. You can implement many solutions, but if the basics aren’t right, nothing will work. For instance, you might have a WAF in place to protect cloud environments. However, if your cloud configuration key is publicly accessible, it doesn’t matter if you have a WAF or not. A hacker can log in as an authenticated user, and the WAF won’t block them.
Therefore, keeping the basics right is very important. Following guidelines and baselines is essential before adopting advanced technologies. When you have the basics right, you’re already solving many issues. By basics, I mean globally followed standards. These information security standards exist for a reason: to guide you when you’re unsure what to do. Achieving these standards sets a goal, and once you reach it, you move to the next level, building a strong foundation. If the base isn’t strong, the structure might collapse at any time. This should be the approach organizations take when building their cybersecurity programs.
TAM: How are organizations developing their risk management profiles to tackle all the challenges that are happening? How are you helping them with this?
Sanket Sarkar: One positive development is the increasing involvement of regulators in the country. They’ve mandated that boards must be involved in every new regulation. As a result, board members are now asking more questions about cybersecurity, and discussions in board meetings have become much more serious and extended—from the typical 5-10 minutes to around 30-45 minutes. This heightened attention from the top is driving a significant shift in how seriously organizations take cybersecurity.
Regarding risk management, there has been a substantial change. In the past, risk management was often handled through Excel sheets, with auditors conducting compliance checks rather than proactive risk management. Nowadays, organizations are taking a more proactive approach, treating risk management as an integral business process, similar to other essential operations.
We assist organizations in understanding their risk management posture and how their efforts contribute to overall improvement. We help them evaluate whether their steps are leading to positive outcomes or not, which aids in strategizing their plans effectively. Additionally, we help them prioritize risks using a unique approach to quantification.
Ultimately, a risk matters to an organization if it poses a material threat, meaning it could cause business disruption. If a risk isn’t likely to disrupt business operations, it falls lower on the priority list. We map this business angle and quantify the risk in monetary terms so organizations can understand which risks to address first and the potential business impact, allowing them to prioritize their actions effectively.
TAM: What challenges do organizations face when integrating new cybersecurity technologies with their existing IT infrastructure, which may include legacy applications that are not as modern?
Sanket Sarkar: Most organizations face a significant challenge: they have the latest technologies but lack visibility into what’s happening across their operations. This is one of the biggest challenges any CISO faces today. We have frequent conversations with CISOs, and I’ll share a real example.
One of the largest financial sector organizations in the country, with over ten different lines of business, has implemented twenty different cybersecurity solutions. It’s practically impossible for the CISO to keep track of everything happening within the organization. Providing them with a clear understanding of their security landscape and where they stand is something we offer.
We present this information in an easily understandable way for both the CISOs and the management. While current soft setups exist, they are often too technical and require deep dives to understand. We simplify this by putting the data into analytics, showing key performance indicators (KPIs) that matter to the CISO, group CISOs, CIOs, CROs, and the board. To specifically answer your question, visibility is a major problem everyone faces nowadays, along with consolidation. Without consolidation, visualization is not possible.
TAM: How are AI and machine learning transforming the cybersecurity and risk management industry? It’s a double-edged sword. What are some of the risks associated with these technologies, and what are some of the benefits?
Sanket Sarkar: When we talk about AI, it offers significant assistance in the cybersecurity realm. Let me give you a live use case. Cybersecurity involves numerous policy documents, often filled with ambiguity and redundant work. AI can address this. With platforms designed to manage multiple compliance and regulatory mandates, AI can identify overlapping controls across different standards, centralizing this information and reducing redundant efforts.
For example, this approach can reduce the compliance team’s workload from three months to just three days. We have live data to back this up, demonstrating the substantial impact AI can have. AI also aids in behavior analysis, understanding attack patterns, and identifying various skill sets involved in potential threats. It can assist in searches and act as a support system for CISOs.
However, there are downsides. Just as we have access to AI, so do hackers. Issues like jailbreaks and prompt injections are real concerns. For instance, our research and development team discovered a vulnerability with Gemini. When asked directly, “Can you tell me how to kill a human?” it refused. But by uploading an image of a polar bear and telling the AI to assume it was that polar bear, then asking how to kill a human who tried to attack, the AI provided a step-by-step process.
Every new technology comes with its pros and cons. It’s crucial to be mindful of how AI learns and to implement safeguards, such as federated learning and limiting access, to ensure data models are used appropriately.
When it comes to Zeron, it has two primary AI applications:
- Compliance Mapping: As previously mentioned, this AI tool maps multiple compliance standards together, streamlining the process.
- Automated Question Generation: This tool helps generate questions for various vendors based on new guidelines. Instead of reading a lengthy 160-page document to create a checklist, you simply upload it, and within minutes, the AI provides the necessary checklist for vendor assessment.
Additionally, our AI model is integrated with our risk quantification tool, Kuber, the first cyber risk quantification model from India. This model continuously trains itself on incoming data, improving its ability to quantify business exposure to risk. These are the two main AI applications we offer at Zeron.
TAM: How is the vendor landscape evolving in terms of cybersecurity solutions? What should organizations consider when selecting a vendor as their cybersecurity partner?
Sanket Sarkar: That’s a crucial area, and there’s a significant need to create an ecosystem around it. Here’s how we’ve approached it with our CRPM platform and the Vendor Pulse platform. Consider an example where Organization A, a large bank or financial sector entity, uses CRPM, and Organization B also uses CRPM. If Organization A wants to onboard a fintech, and that fintech also uses Zeron CRPM, they can utilize the Vendor Pulse platform provided by Zeron for this process.
There are two key aspects: digital risks and questionnaires. The questionnaire will contain various questions, some technical and others compliance-related, which may need input from HR or finance teams. On the digital risk side, we conduct external scans. Since both parties use the platform, data can flow directly, providing evidence of compliance or issues. This ecosystem allows for a clear understanding of the risks involved in onboarding a vendor, backed by evidence, addressing one of the biggest challenges in the process.
TAM: How does Zeron position itself as a strategic partner for businesses in such a crowded market? What are some unique value propositions that you offer to help organizations?
Sanket Sarkar: Cybersecurity is a crowded space, as we know. However, in our specific niche of cyber risk quantification and materiality, there are only six major players worldwide, and Zeron is one of them.
Our unique value proposition lies in helping organizations understand the buildup of their risks, rather than just reacting after a risk has materialized. For instance, if there are five gates and a breach at gate number one could potentially lead to issues at gate number five, we illustrate that pathway. This approach creates significant engagement and loyalty to our platform.
We primarily sell to CISOs and top management. It’s remarkable that these users spend an average of one hour daily on our dashboard. One customer even shared, “We begin our day by reviewing Zeron’s dashboards to strategize our cybersecurity program.” They rely on Zeron as their single source of truth for cybersecurity decision-making, which is our most compelling value proposition.
TAM: Are you looking to expand into other sectors apart from BFSI?
Sanket Sarkar: Zeron has introduced a new offering called Quantified Business Exposure to Risks (QBER), a mathematical model designed to quantify risk in monetary terms. Unlike existing models, QBER isn’t limited to any specific sector—it’s globally applicable across industries such as BFSI, manufacturing, healthcare, and more. Whether in India, Asia, Africa, America, Europe, or any other region, QBER can be effectively implemented.
This versatility addresses a significant gap in current models worldwide. QBER’s release as India’s pioneering cybersecurity risk quantification model garnered substantial interest. We received numerous collaboration requests from universities and national cybersecurity programs globally eager to contribute and partner with us on its development.