India's Premier Invitation-Only Executive Network
Ciso Boardroom Data Governance India
LeadershipCISOData Governance

Ciso Boardroom Data Governance India

C
CXO India Editorial
23 min read
23 min read

India's regulators have rewritten the job description for the Chief Information Security Officer. SEBI now requires the CISO to report to the MD or CEO with unfettered board access. The DPDP Rules attach personal accountability and ₹250 crore penalties to data governance failures. The role is moving from server room to boardroom, and the people who can make that journey are scarce and expensive.

Key takeaways

  • SEBI's 2024 framework forces CISOs to report directly to the CEO with unfettered board access, equal in standing to the CTO.
  • India's DPDP Act imposes penalties up to 250 crore rupees for breaches, and Data Fiduciaries cannot offload liability to vendors.
  • India faces a 50% cyber talent shortfall, needing one million professionals against fewer than 500,000 available by 2027.
  • Average Indian breach costs hit 220 million rupees, yet 60% of breached organizations still lack any AI governance policy.

For most of the last two decades, the person responsible for an Indian company's cybersecurity sat several floors below the people who set its strategy. The Chief Information Security Officer reported to the CIO, who reported to the CFO or COO, who occasionally reported a sanitised version of cyber risk to a board that mostly wanted to know whether anything had broken yet. Security was a cost line, a compliance checkbox, an insurance question. The CISO was a technical specialist whose job was to keep the firewalls patched and the auditors satisfied.

That arrangement is being dismantled, and the agent of demolition is not a breach or a market panic. It is regulation, written in the precise and unsentimental language of SEBI circulars and Ministry of Electronics gazette notifications. In the space of roughly eighteen months, India's two most consequential digital regulators have rewritten the reporting lines, the accountability, and the seniority of the security function. The CISO is being pulled up into the room where decisions are made, and the people already in that room are discovering they need to understand a subject most of them have spent their careers avoiding.

This is the next chapter in the story of how the Indian C-suite is changing. The CHRO became a strategist, the CMO became a data scientist, the CFO became a forward-looking capital allocator. The CISO is now becoming something India has barely had: a board-grade translator of risk who happens to know how a network works. The transition is messy, the talent to fill it is desperately short, and the cost of getting it wrong has been priced by Parliament at up to ₹250 crore per failure.

A regulator decided the CISO should report to the chief executive

The clearest signal of the shift came from the Securities and Exchange Board of India. In August 2024, SEBI published its Cybersecurity and Cyber Resilience Framework[1], known as the CSCRF, applicable to its regulated entities. Stock exchanges, depositories, clearing corporations, mutual funds, brokers, investment advisers, and a long tail of intermediaries all fell within its scope. The framework is detailed and technical in most of its provisions, but one set of clauses reaches directly into the org chart.

For Market Infrastructure Institutions and what SEBI calls Qualified Regulated Entities, the larger and more systemically important players, the CISO role must now be at least equivalent in level and standing to the CTO or CIO, with a direct reporting line to the Managing Director or Chief Executive Officer, and with what the framework calls unfettered access to the board. SEBI clarified this further in its FAQs issued on 11 June 2025[2], confirming that a CISO reporting to an Executive Director or to the MD or CEO would be deemed compliant, that part-time CISOs are not permitted, and that the cybersecurity function must sit high enough in the hierarchy to be heard.

Read that again from the perspective of a brokerage that until recently treated its security lead as a mid-level IT manager. The regulator has effectively said: this person now sits at the same altitude as your technology chief, talks to your chief executive directly, and can walk into a board meeting whenever the situation demands it. That is not a tweak to a job grade. It is a structural reassignment of where security power lives.

The board committee that cannot ignore the subject

SEBI did not stop at reporting lines. Every regulated entity above the self-certification threshold must establish a board-level Technology Committee, and cybersecurity has to be a standing agenda item at that committee. This is the quiet half of the reform, and arguably the more important one. It is one thing to give the CISO a seat near the top. It is another to require, in writing, that the board itself looks at cyber risk on a recurring schedule rather than only after something has gone wrong.

The committee requirement forces a conversation that most Indian boards have been able to avoid. When a topic appears on a board agenda every quarter, directors have to ask questions about it, and to ask good questions they have to understand it. The CSCRF therefore does something more subtle than promote one executive. It obliges an entire class of company boards to build, or buy, a working literacy in cyber and data risk.

The banking regulator got there first, and made independence the point

SEBI's move did not happen in isolation. The Reserve Bank of India has been pushing financial institutions in the same direction for years, and its requirements are in some respects stricter. Under the RBI's framework for banks and large non-banking financial companies, a senior executive at the level of General Manager or equivalent must be designated as CISO, and crucially, that person must report outside the IT function. The logic is independence. If the CISO reports to the head of technology, the person responsible for flagging risk in a system answers to the person responsible for building and running that system. The incentives are wrong.

The RBI has been explicit, across its Master Directions on IT Governance and cyber resilience, that cybersecurity is a board-level concern rather than a CIO problem. Boards of regulated lenders must approve and annually review strategies and policies covering IT, information security, cyber security, and business continuity. For payment system operators, the RBI staggered the compliance calendar: large operators were required to comply by 1 April 2025, medium operators by 1 April 2026, and small operators by 1 April 2028, as documented in the RBI cybersecurity compliance requirements[3].

Why the virtual CISO shortcut hits a wall

The talent shortage, which we will come to, has produced an obvious-looking workaround: rent a CISO. Virtual or fractional CISO arrangements, where an external consultant or firm provides security leadership on a part-time basis, have become a growing business in India. They make sense for smaller companies that cannot justify or afford a full-time security executive of board calibre.

For regulated financial entities, the shortcut runs into the regulation. As analysts have noted in coverage of vCISO arrangements under RBI rules[4], the RBI's IT Governance Master Direction requires the CISO to be a senior employee of the regulated entity, not an outside contractor. A virtual CISO is not an employee, and access to incident-reporting infrastructure such as the RBI's Daksh portal is restricted to employees of the entity. So a regulated lender cannot simply outsource the role. It can use an external expert to shape strategy and run operations, but it must formally appoint an internal employee as the official CISO who interfaces with the regulator and the board. SEBI's stance is broadly parallel: remote and dedicated CISOs are allowed, group-level CISOs serving multiple entities within a group are permitted, but the part-time arrangement is out.

The combined message from both regulators is that the CISO must be real, senior, independent, and accountable. You cannot borrow one for a few hours a week and call it governance.

The DPDP Act turned data governance into a personal liability

If SEBI and the RBI changed where the CISO sits, the Digital Personal Data Protection Act and its Rules changed what the job is worth getting wrong. The DPDP Act was passed in 2023, but it sat largely dormant until the operational machinery arrived. That machinery is the DPDP Rules 2025[5], notified in November 2025, which finally gave the law its teeth, its timelines, and its institutions.

The Rules adopt a phased implementation. The first set of provisions took effect immediately on 14 November 2025, covering definitions, administrative matters, and the establishment of the Data Protection Board of India, the body that will investigate and adjudicate. The Consent Manager ecosystem, intermediaries through which individuals can grant, review, and revoke consent, comes into force roughly a year later, around 13 November 2026. The core operational obligations, the ones that actually constrain how companies handle data, switch on at the eighteen-month mark, on 13 May 2027.

Industry commentary, including EY's analysis of the new regime[6], has been consistent on one point: the staggered calendar feels generous and is not. The technical and organisational projects required, data mapping, consent infrastructure, retention controls, breach-response capability, will consume those eighteen months easily. Companies that treat May 2027 as a distant deadline will arrive at it unprepared.

The number that focuses the mind

The reason data governance has shot up the boardroom agenda is the penalty schedule. The Data Protection Board can impose financial penalties of up to ₹250 crore for a failure[7] to take reasonable security safeguards that results in a personal data breach. Other slabs apply to other failures: up to ₹200 crore for failures relating to children's data, smaller amounts for procedural lapses. These are per-instance penalties, assessed after the Board considers the nature, gravity, and duration of the violation, whether it was repeated, the sensitivity of the data, the harm caused, and the remediation undertaken.

A point that has not been fully absorbed by Indian management teams is the breadth of who is on the hook. Legal commentators analysing the DPDP penalty framework[8] have stressed that a Data Fiduciary's obligation to comply exists irrespective of any contractual arrangement to the contrary. If a cloud vendor, a SaaS provider, or a contractor causes a breach, the law treats it as the fiduciary's breach. You cannot write the liability away in a vendor agreement. The chief executive, the technology chief, and the security chief cannot push the accountability down the chain to a junior team or out to a supplier.

This is what converts a technical role into a board-grade one. When the downside of a data governance failure is a nine-figure penalty plus reputational damage plus regulatory scrutiny, the person who understands that risk in detail cannot remain three floors down. The board needs that person in the room, explaining what the company is exposed to and what it is doing about it, in language the board can act on.

The Data Protection Officer is a second governance role, and it must be Indian

The DPDP framework introduces a role that overlaps with but is distinct from the CISO: the Data Protection Officer. Not every company needs one. The obligation falls on entities the government designates as Significant Data Fiduciaries, a classification based on the volume and sensitivity of data processed, the risk to the rights of individuals, the risk to the sovereignty and integrity of India, and similar factors. Large consumer platforms, major financial institutions, big healthcare and telecom players are the obvious candidates.

Significant Data Fiduciaries carry a heavier set of obligations, set out in the Rules governing SDFs[9]: annual Data Protection Impact Assessments, periodic audits, algorithmic fairness assessments for systems that process personal data, stricter due diligence, and the appointment of a Data Protection Officer. The DPO requirements are specific in a way that matters for the C-suite conversation. The DPO must be an individual based in and residing in India. The DPO must report to the board of the company. And the DPO cannot be an outside vendor or an executive who is not domiciled in India.

So the largest Indian companies will end up with two senior people whose entire purpose is data and security governance, both with lines into the board: a CISO accountable for the integrity and security of systems, and a DPO accountable for the lawful, privacy-respecting handling of personal data. In some organisations these will be different people with different reporting structures. In others the functions will be tightly coupled. Either way, the boardroom now has to make room for governance voices it did not have to accommodate three years ago.

Security and privacy stop being separate disciplines

For years, information security and data privacy lived in different parts of the building. Security was an engineering and operations problem owned by technology. Privacy, where it existed at all, was a legal and compliance problem owned by the general counsel. The two teams used different vocabularies, answered to different bosses, and sometimes worked at cross purposes.

The DPDP regime forces them together. A reasonable security safeguard, the failure of which triggers the ₹250 crore exposure, is simultaneously a security control and a privacy control. A breach-notification obligation requires the security team to detect and characterise an incident and the privacy and legal team to assess and report it, within 72 hours. A purpose-limitation requirement, where data can only be used for the stated reason, is a governance rule that has to be enforced by technical controls the security team builds. You cannot draw a clean line between the two functions anymore. The convergence of security and privacy is not a management fashion in India; it is a structural consequence of how the law is written.

The talent does not exist in the quantity the law assumes

Every one of these requirements presumes a supply of people capable of fulfilling them. India does not have that supply. The numbers are stark, and they get worse the harder you look.

By the most widely cited estimates, drawn from DSCI and NASSCOM FutureSkills research[10], India needs around one million trained cybersecurity professionals and has fewer than half that number available. Some assessments are bleaker still, putting the pool of employable cybersecurity professionals at roughly 300,000 against a projected requirement approaching a million by 2027. The talent shortfall, by these counts, has reached around 50 percent of demand, as reporting on the talent gap[11] has detailed.

That is the picture for cybersecurity practitioners in general. The shortage at the top of the pyramid, the board-grade CISO who can run a security programme and also sit across from a chief executive and a set of directors and translate technical risk into business decisions, is far more acute. The skills that make someone a brilliant security architect are not the skills that make someone effective in a boardroom. Most security leaders rose through deeply technical careers. Very few of them were ever trained, or given the chance, to communicate upward to people who do not share their vocabulary.

The pay reflects the scarcity

Markets respond to shortage with price, and the CISO market is responding loudly. Compensation data for India puts experienced CISO pay in a wide band, with seasoned leaders earning between ₹60 lakh and ₹1 crore a year and the very top of the market stretching to ₹1.2 crore and beyond, according to compensation tracking for the role[12]. Year-on-year increases of 15 to 20 percent have become common.

The regulatory wave has amplified this. By several accounts, DPDP-driven compliance demand pushed salary increases of 30 to 50 percent in regulated industries between 2023 and 2025, and security leaders with credible AI-security expertise are commanding premiums of 20 to 25 percent on top of that, as organisations confront the new risks of generative AI. A company that needs a CISO who satisfies SEBI's seniority bar, can stand up in front of a board, and understands the DPDP exposure is bidding for a person who has perhaps a few hundred genuine peers in the country. The price reflects it.

The role chews people up

Even when companies find and pay for these leaders, they struggle to keep them. The CISO job has a reputation, earned globally and increasingly visible in India, for burning people out. Average CISO tenure runs roughly between eighteen months and three years, well short of the five-plus years typical of other C-suite roles. Surveys of security leaders make the reason plain. Recent burnout research[13] found that a large majority of security leaders have personally experienced or witnessed burnout among their peers, and that the overwhelming share describe themselves as moderately or tremendously stressed.

Adding personal legal liability to that pressure does not obviously help retention. A CISO who knows that a breach can trigger a ₹250 crore penalty for the company and intense scrutiny of their own conduct is carrying a weight that few executives outside the role appreciate. India is asking more of these people, paying them more, and exposing them to more, all at once. The companies that win the talent contest will be the ones that pair the responsibility with genuine authority, board backing, and the resources to actually reduce the risk rather than just be accountable for it.

The breaches are real, expensive, and getting more so

None of this regulatory urgency is theoretical. India is, by one important measure, the most expensive place in the world to suffer a data breach. IBM's 2025 Cost of a Data Breach Report[14] put the average total organisational cost of a breach in India at ₹220 million, roughly 13 percent higher than the previous year's figure of ₹195 million.

The anatomy of those breaches is instructive for anyone designing a governance response. The top three initial attack vectors in India were phishing, at 18 percent, third-party vendor and supply-chain compromise, at 17 percent, and exploitation of vulnerabilities, at 13 percent. The prominence of supply-chain compromise lands directly on the DPDP point about vendor liability. Nearly a fifth of breaches start outside the company's own walls, and the law makes the company answer for them anyway.

The breach lifecycle, the mean time to identify and contain an incident, fell to 263 days in India, an improvement of about fifteen days over the prior year, which suggests organisations are getting somewhat faster at detection. The sector-level numbers showed research organisations bearing the highest average cost, around ₹289 million, with transportation and industrial sectors close behind. These are not small numbers, and they sit on top of, not instead of, the regulatory penalties now in play.

The AI governance hole nobody has filled

The IBM data also exposed a fresh and widening gap. Nearly 60 percent of breached organisations in India either had no AI governance policy or were still developing one, and only around 37 percent reported having AI access controls in place. As Indian companies race to deploy generative AI into customer service, underwriting, hiring, and operations, they are feeding personal data into systems they do not yet govern. The DPDP Rules' requirement for algorithmic fairness assessments by Significant Data Fiduciaries is one early acknowledgement that data governance and AI governance are converging into the same problem. The CISO and DPO of 2027 will own a portfolio that includes risks barely understood in 2025.

From technical specialist to risk translator

Put the pieces together and a new job emerges, distinct from the CISO role of even five years ago. The technical foundation still matters; a security leader who cannot understand the systems they protect is useless. But the regulations have added a second skill set on top, and it is the scarcer one. The future Indian CISO has to be a translator: someone who can take a complicated, probabilistic, fast-moving technical risk and render it into the language of capital, liability, and strategic choice that a board can act on.

This is harder than it sounds. A board does not want a list of unpatched servers. It wants to know how much the company is exposed to, what the company is doing to reduce that exposure, what it would cost to reduce it further, and whether that spend is justified relative to other claims on capital. Answering those questions requires the security leader to think like a business executive while retaining the technical depth to know what is actually true. Global commentary on helping CISOs speak the language of business[15] has identified exactly this gap as the central professional development challenge of the role.

What the board has to learn in return

The obligation is not one-directional. If the CISO has to learn to speak to the board, the board has to learn enough to listen intelligently. Surveys of directors consistently find that while the large majority classify cybersecurity as a business risk, only about half rate their own board's understanding of it as strong enough for effective oversight, a gap explored in analysis of the divide between cyber oversight and boardroom expertise[16]. Very few boards include a member with genuine cyber experience.

India's SEBI-mandated board Technology Committees will, over time, push directors up this learning curve, because a committee that meets regularly on a subject cannot stay ignorant of it indefinitely. But the immediate effect is a scramble for cyber-literate independent directors, a category as scarce as board-grade CISOs. Expect to see, over the next few years, a flow of retired or transitioning security and data leaders onto Indian boards, and a steady business in director education aimed at the rest. The companies that move early will have boards capable of asking the right questions; the laggards will have boards that nod along to a presentation they do not understand, which is its own kind of governance failure.

What Indian companies should actually do before May 2027

The temptation, given a compliance deadline two years out, is to wait. That would be a mistake, and not only because the technical work takes longer than it looks. The reporting-line and seniority changes are not deferred to 2027; SEBI's and the RBI's structural requirements are live now, and the DPDP institutional framework already exists. The question for most Indian boards is not whether to act but in what order.

The first move is to fix the reporting structure honestly. If the CISO still reports into the CIO, that arrangement is on borrowed time for any regulated entity and is poor practice for everyone else. The independence the regulators demand is independence from the function being secured. Getting this right is mostly a matter of organisational will, not budget, which makes it the cheapest high-impact change available.

The second is to map the data and the exposure. A company cannot govern data it has not located, and most large Indian organisations do not have a current, accurate map of what personal data they hold, where it lives, why they collected it, who they share it with, and when they are supposed to delete it. The ₹250 crore exposure attaches to data the company may not even know it has. Data discovery and classification is unglamorous, slow, and the precondition for everything else.

The third is to decide who owns AI governance before the AI systems multiply further. The breach data shows most companies deploying AI without a governance policy. The DPDP framework will eventually require fairness assessments and tighter controls for the largest players, and the convergence of data, security, and AI risk means whoever owns the first two will likely inherit the third. Better to assign that ownership deliberately than to discover it after an incident.

The fourth, and the hardest, is people. A company that needs a board-grade CISO and a DPO based in India is competing in a market with a 50 percent shortfall and rising prices. The realistic options are to pay up for scarce external talent, to identify a technically strong internal candidate and invest seriously in their business and communication development, or to build a structure where an internal employee holds the accountable role supported by external expertise. Each has trade-offs, and the regulated entities have fewer options than they would like. What none of them can do is treat the role as a junior technical hire, because the regulator, the law, and the threat environment have all decided otherwise.

The room has changed shape

There is a particular moment, increasingly common in Indian companies, that captures the whole shift. The board is meeting. The agenda reaches the technology and risk items. And instead of the CFO reading a summary prepared by someone two levels down, the security leader is in the room, speaking for themselves, answering questions from directors who are obliged to ask them. The person who used to be invisible is now accountable, audible, and on the record.

That moment is not happening because Indian companies suddenly grew enlightened about cyber risk. It is happening because SEBI wrote it into a framework, the RBI built independence into its Master Directions, and Parliament attached a ₹250 crore price tag to getting data governance wrong. Regulation has done what years of breach headlines could not, which is to move the security function from the basement to the boardroom and make the rest of the C-suite reckon with it.

The harder truth is that India has rewritten the job faster than it has produced the people to do it. The reporting lines can be redrawn in an afternoon; the board committees can be constituted in a quarter; the policies can be drafted by lawyers. What cannot be conjured on a regulatory timeline is the supply of leaders who combine deep technical command with the judgment and fluency to stand in front of a board and tell the truth about risk in terms that change a decision. Those people are scarce, expensive, prone to burnout, and now personally exposed. The companies that find them, keep them, and actually listen to them will be the ones that turn a compliance burden into a real advantage. The rest will have a CISO in the boardroom and a governance gap they have simply moved upstairs. India will spend the next few years discovering which kind of company it has built.

Sources

  1. Cybersecurity and Cyber Resilience Framework — sebi.gov.in
  2. FAQs issued on 11 June 2025 — sebi.gov.in
  3. RBI cybersecurity compliance requirements — getastra.com
  4. vCISO arrangements under RBI rules — the420.in
  5. DPDP Rules 2025 — india-briefing.com
  6. EY's analysis of the new regime — ey.com
  7. ₹250 crore for a failure — dpdpa.com
  8. DPDP penalty framework — dpo-india.com
  9. the Rules governing SDFs — tsaaro.com
  10. DSCI and NASSCOM FutureSkills research — n-coe.in
  11. reporting on the talent gap — careeraheadonline.com
  12. compensation tracking for the role — whatisthesalary.com
  13. Recent burnout research — computerweekly.com
  14. 2025 Cost of a Data Breach Report — in.newsroom.ibm.com
  15. helping CISOs speak the language of business — thehackernews.com
  16. the divide between cyber oversight and boardroom expertise — clsbluesky.law.columbia.edu
Back to Insights
#CISO#Data Governance#Cybersecurity#SEBI CSCRF#DPDP Act#Leadership

Related insights

More from CXO India

Executive insights, market intelligence, and leadership spotlights — curated for India's C-suite.

CISO in the Boardroom: India's Data Governance C-Suite Shift | CXO India