Saturday, January 18, 2025

    Evolution of GRC and Cybersecurity in India: Best Practices and Emerging Trends

    The cybersecurity landscape in India has undergone a remarkable transformation in recent years, driven by the rapid adoption of digital technologies, evolving regulatory frameworks, and emerging threats. Governance, Risk, and Compliance (GRC) has become a cornerstone of this evolution, moving from being a mere checkbox activity to a proactive, risk-based approach. As industries navigate challenges like ransomware attacks, data breaches, and the rise of IoT, GRC frameworks are playing an essential role in fortifying organizational resilience. In this exclusive interview with Tech Achieve Media, Shashank Chaturvedi, an industry leader and information security advisor, shares his insights on the evolution of GRC, emerging trends, and best practices for strengthening cybersecurity governance in India.

    TAM: How has the adoption of GRC evolved in the Indian cybersecurity landscape?

    Shashank Chaturvedi: I have been in this space for the past 16 years, working across the service industry and consulting. During my consulting journey, I have explored numerous industry verticals. Over time, I’ve observed a significant shift in how GRC (Governance, Risk, and Compliance) is approached. Earlier, it was largely a checkbox activity—organizations implemented GRC solutions primarily to meet specific needs, such as financial reporting compliance.

    However, the landscape has evolved. Today, GRC is viewed more proactively, with a stronger focus on risk-based approaches. This shift is driven by the emergence of new risks and the constantly changing technology landscape. India’s growing startup ecosystem further highlights the importance of GRC in managing emerging risks. In this dynamic environment, offensive security alone is insufficient. GRC will continue to play a pivotal role in navigating and mitigating these challenges effectively.

    TAM: What key trends are driving the growing emphasis on GRC within India’s cybersecurity frameworks today?

    Shashank Chaturvedi: Emerging risks, such as ransomware, present unique challenges. One approach to address these threats is to establish a dedicated threat management team. However, if you don’t clearly understand what you’re trying to protect, such as your critical business processes, or if you haven’t conducted a business impact analysis or assessed the inherent risks within your processes, it becomes difficult to allocate resources effectively.

    Emerging risk areas like IoT, blockchain (with Bitcoin as one of its applications), and ransomware are not just technical challenges. The broader ecosystem is also evolving. For instance, the rise of new startups and NBFCs (Non-Banking Financial Companies), particularly those focusing on microfinance, adds another layer of complexity. These organizations often serve rural populations with limited cybersecurity awareness, making them especially vulnerable. This underscores the growing importance of GRC for microfinancing organizations. Regulators like the RBI and IRDAI are also recognizing these risks and actively pushing for stronger compliance measures.

    TAM: How have recent regulatory developments, such as the Digital Personal Data Protection Act (DPDPA), influenced GRC practices in India?

    Shashank Chaturvedi: This ties back to what I mentioned earlier. First and foremost, companies need to understand the data they are consuming and its purpose. If organizations don’t know how their data is being used, that’s a serious issue.

    Under the DPDPA, aspects like purpose and consent are critical. While data localization requirements have been removed from the draft, the government has retained the authority to mandate data localization through notifications if necessary. This means companies might still need to host data in India, which can increase costs due to the additional infrastructure required.

    This makes it crucial for companies to thoroughly understand their current landscape. Conducting proactive measures like gap assessments and risk assessments is vital. Simply purchasing a solution without ensuring the right people are in the right roles won’t address the core issues. DPDPA is undoubtedly a step in the right direction by the regulator and the government. However, companies must recognize that their success depends on understanding their business, identifying the risks they face, and taking responsibility—because the regulator can only do so much.

    TAM: What are the most pressing cybersecurity risks faced by Indian organizations, and how can GRC frameworks be leveraged to address these challenges effectively?

    Shashank Chaturvedi: Indian organizations have recently faced a surge in ransomware attacks. For example, there have been reports of significant data breaches in the healthcare sector, including patient data leaks. While banking is a highly regulated field, other sectors, like healthcare, are still catching up. Despite efforts to introduce regulations, there remains a significant gap.

    For instance, healthcare data can often be hosted outside India, where organizations lack control or oversight. This poses a substantial risk, especially with smaller, less secure players entering the market. Meanwhile, the rise of digital adoption is evident—practically every Indian now carries a mobile phone, which is increasingly used for banking, telemedicine, teleconsultations, and other critical services.

    While organizations can control their internal processes, they have limited influence over the devices their users carry. This is where the bigger challenge lies. GRC solutions should not be limited to standard compliance checks. Instead, they need to evolve towards deeper, almost psychometric-level analyses, incorporating telemetry data to understand stakeholders better—be it customers, vendors, or others in the ecosystem. An end-to-end approach is essential; focusing on isolated pieces of the puzzle won’t suffice. GRC must address the entire landscape holistically to tackle these emerging risks effectively.

    TAM: With increasing concerns about data breaches and ransomware attacks, how are Indian organizations enhancing data protection measures within their GRC strategies?

    Shashank Chaturvedi: Everything in GRC begins with risk management. Having a strong risk management strategy and framework is essential, and this framework must evolve alongside emerging technologies. The days of focusing solely on regulations like Sarbanes-Oxley or financial frauds, as in the aftermath of Satyam, are behind us. Today, the landscape has changed. Even an employee within an organization can become a potential breach point.

    Companies are now seeking solutions that integrate with GRC systems to address insider threats. Major players are already exploring ways to tackle such challenges, although specifics may vary. The human factor is becoming increasingly significant, and with the rapid advancements in AI, it’s critical to leverage AI for appropriate use cases.

    GRC is one of those use cases where AI can play a transformative role by enabling comprehensive integration—especially in large organizations. For instance, in the context of large banks, regulators like the RBI frequently introduce new requirements. Often, banks find themselves reacting to these mandates rather than taking a proactive approach.

    Adopting a risk-based approach instead of a reactive one can address many of these challenges. GRC is not merely a tool or solution—it’s a holistic approach that encompasses strategy, risk management, and a robust risk framework. A well-designed strategy ensures that organizations are better equipped to manage risks effectively, rather than simply chasing compliance requirements.

    TAM: What are some of the best practices for Indian organizations to adopt for strengthening their cybersecurity governance and ensuring compliance with evolving regulations?

    Shashank Chaturvedi: There may not be a single correct answer to this, as each industry has its unique characteristics and challenges. However, some best practices can serve as a foundation. Start with risk management—it’s the cornerstone of any robust framework. Establish a solid incident management program and ensure you have an effective Business Continuity Plan (BCP) and Disaster Recovery (DR) mechanism in place.

    Supply chain risk management has also become crucial, as highlighted during the COVID-19 pandemic. This is even more relevant in today’s geopolitical climate, with conflicts and wars creating new vulnerabilities. Vendor management, in particular, is becoming increasingly critical. Another emerging challenge is the growing presence of IoT. From internet-connected TVs to CCTV systems that might inadvertently expose data, the risk landscape is evolving rapidly. Proactively conducting risk assessments, implementing strong incident management protocols, and ensuring comprehensive BCP measures will be essential. Ultimately, if you get the fundamentals right, the specific technology you choose becomes less critical. A strong foundation in risk management and operational resilience will allow you to adapt to any technological advancements or challenges that arise.
