
Treat cybersecurity as a business and cultural matter, not just a technical one: Jean-Christophe Gaillard

Jean-Christophe Gaillard: CEO of Corix Partners


RVSP: – You are well known for coining the phrase ‘The Cyber Security Spiral of Failure’, and you have written a book with this title. Breaches of computer and communications networks have a cascading effect, and the damage can worsen exponentially. Could you elaborate on your concept of the ‘Cyber Security Spiral of Failure’, and how to break out of it?

JCG: – “The Cybersecurity Spiral of Failure” describes a cycle I have observed across many large organisations in numerous countries. Instead of addressing root causes, executives often resort to short-term fixes after each data breach or security incident. This leads to layer upon layer of reactive measures that don’t necessarily strengthen the fundamentals. Over time, operational complexity becomes the norm, data breaches and attacks keep happening, frustration builds up with security teams, CISOs (Chief Information Security Officers) leave after a few years having achieved very little in terms of real transformation, distrust sets in between IT security teams and business leaders, and all this creates a downward spiral which aggravates reluctance to invest in cybersecurity in the face of chronic execution failure.

At the top of the organisation, that means strong governance, clear accountability from the top down, and embedding business protection culture and concepts into business processes from the start. The downward spiral breaks when top leaders embody those values credibly and visibly all the time.

At CISO level, that means focusing on execution excellence, decluttering overcrowded cybersecurity technical estates and delivering around cybersecurity fundamentals that still offer an excellent level of protection against many diverse threats and a high level of compliance with all government regulations. Getting things done, instead of asking for more money, resources and personnel after every security breach: that’s how you really stand out as a CISO.

RVSP: – You have often spoken about the organisational structures and transformations which are required for a cybersecurity mindset. Most organisations react to breaches only after they occur, and implement quick-fix band-aid solutions, rather than design systems which have cybersecurity precautions built in at the very beginning. What advice can you provide to India’s government officials as well as Indian corporate leaders?

JCG: – Where organisational cybersecurity maturity levels are low, my advice is always to look towards the mid to long term and prioritise structural and cultural transformation. Change takes time.

Cybersecurity must not be seen as the exclusive responsibility of the IT or security teams; it must be integrated from the top down into governance, operations, and strategy.

For government agencies, that means – for example – embedding cybersecurity requirements into digital transformation projects at the design stage, not during or after deployment.

For corporate leaders, it means viewing cybersecurity as an inherent business concept — a way to build and maintain trust with customers, partners, and investors, a way to protect value creation and enhance growth. Not just another expensive box-ticking compliance exercise to demonstrate adherence to government regulations.

In practice, this involves clear ownership at board and leadership team level, adequate funding aligned with maturity levels and transformative objectives, and clear accountability that cuts across departments and geographies.

It is also about identifying and nurturing the talent pipelines that are going to allow successful delivery. Cybersecurity resources are scarce, and retention of expertise is as important as their acquisition.

RVSP: – India has long been a major victim of information warfare, both from state actors such as China and Pakistan, as well as from quasi-state terrorist organisations with plausible deniability.

What advice do you have for protecting India’s military and strategic computers and communications networks?

Should India indulge in offensive information warfare, and launch pre-emptive strikes on enemy networks? If so, what are the pros and cons?

JCG: – On matters of network security, whether it is military or corporate networks, and on matters of infrastructure security at large, my advice is always to focus on getting the fundamentals in place 100% – strong segmentation, robust identity and access management, regular testing, 24×7 monitoring, and in-built redundancy.

The question of offensive cyber operations is a matter for policymakers and defence leaders. From a professional standpoint, I stress that any strategy — offensive or defensive — must rest on the strong basics I enumerated above.

Military cybersecurity and digital battlefield good practices, both at NATO and elsewhere, have been continually structuring and restructuring themselves for the best part of the last thirty years, and the fundamentals still make sense.

RVSP: – What advice do you have for protecting India’s critical infrastructure such as electricity grids, telecommunications networks, gas and oil pipelines, irrigation, rivers and dams, nuclear plants, airports, railways, ports, roads, banking, stock exchanges, etc.?

Most of these are decades old and were built when physical terrorism was almost unheard of, let alone cyber-attacks.

Many old SCADA networks would be vulnerable to numerous diverse types of cyber-attacks.

What advice do you have for India’s government and business leaders about the importance of cybersecurity in private sector corporations?

JCG: – Critical infrastructure often depends on legacy proprietary systems which were never designed with the current level and sophistication of cyber threats in mind. In addition, regular updates are not always feasible due to operational constraints, so compensating controls become essential.

Protecting them requires first of all a thoughtful, well-governed approach to their digital transformation and a layered approach: strict segmentation of networks, robust monitoring, and limiting exposure to the internet wherever possible.

Business leaders, in those sectors as well as the services sector, must understand that cybersecurity is fast becoming an integral part of their fiduciary and legal responsibility.

Just as you wouldn’t neglect financial audits or safety procedures, you cannot ignore cyber risk anymore. Protecting infrastructure and corporate assets is about safeguarding national trust, consumer confidence, and economic stability. Strong governance from the top down is key. Security cannot just be seen as an add-on.

RVSP: – What are the latest methodologies and frameworks to calculate the direct and indirect costs of data breaches; the immediate and long-term costs of cyber-attacks; downtime, theft of confidential information, opportunity costs, loss of reputation, etc.?

JCG: – Measuring cyber risk and the cost of breaches is complex because it spans both tangible and intangible dimensions. Direct costs include remediation, investigation, and regulatory fines.

Indirect costs cover downtime, loss of intellectual property, brand damage, and customer churn.

However, leaders must recognise that not everything is measurable with precision, and many surveys in that space are disputable due to the number of assumptions made.

Frameworks like FAIR (Factor Analysis of Information Risk), on the other hand, provide structured methodologies for quantifying risk in financial terms.

Using these models to guide investment decisions and prioritise initiatives could make sense in some firms. But for me, “Are we spending enough on cyber security?” has become a more common question at Board level, than “Why do we need to spend on that?”…

Cybersecurity is increasingly being seen by many firms as an investment in trust and resilience, not a sunk cost that needs to be justified.

RVSP: – How do advances in artificial intelligence and deep learning impact cybersecurity? Generative AI gives attackers a billion-to-one advantage over defenders.

JCG: – I think “a billion-to-one” is going a bit too far. We have been talking about AI in cybersecurity for years, way before ChatGPT emerged; I myself was already writing about it in 2018.

AI is a double-edged sword and there is no denying that Generative AI is accelerating a number of trends. Attackers can use AI to scale phishing, automate reconnaissance, and create convincing deepfakes. But at the same time, defenders can leverage AI for anomaly detection, threat hunting, and predictive analysis.

We have seen fast development in both attack and defence dimensions over the past few years, with recent reports implying that AI might be involved in 80% of ransomware attacks.

The key for organisations is to remain realistic and keep their eyes on the ball in terms of threat intelligence, something that has always been a key dimension of good practice, at least for large organisations.

Of course, organisations must integrate AI into their defensive toolkits; they must also consider the degree of human oversight they want to retain depending on the threats they face.

AI agents can automate lots of things, but security is not purely a technological arms race; it also depends on governance, ethics, and human judgment.

AI is raising the tempo of the cybersecurity battlefield, but strong fundamentals — visibility across the entire technological estate, strong and tested incident response processes — remain the foundation.

RVSP: – India suffers grievously from identity theft, with Aadhaar cards being cloned and misused. What are the advantages and disadvantages of biometrics-based authentication and authorisation systems? Once a person’s biometrics are stolen or compromised, it is difficult to mitigate the damage.

From a person’s Instagram or YouTube video, shot from several feet away, it is possible to record his iris and retinal patterns, and his fingerprints. With 3D printing, you can generate ink impressions of his fingerprints and use these in paper documents to commit fraud. A person cannot grow a new iris or a new set of fingerprints, the way one can change locks or change passwords.

Is it time to move beyond the security paradigm that authentication and authorisation are based on some unique physical object that supposedly only I possess (keys to locks), something supposedly only I know which nobody else knows (passwords), or something which is unique to me (fingerprints, iris and retinal patterns, DNA)?

What are future technologies to prevent identity theft?

JCG: – Biometrics are attractive because they are convenient and unique — but they are also immutable. If compromised, unlike a password, you cannot reset your fingerprint or iris. That makes biometric-only systems risky. And Aadhaar is based on biometrics.

The future, in my view, lies in multi-factor, risk-based authentication. Combining factors — something you know, something you have, something you are, and increasingly, something you do — creates resilience.

RVSP: – Aadhaar nowadays also sends OTPs via SMS to one’s registered cellphone number, as well as confirmatory emails. But these emails are after-the-fact.

When Aadhaar records your videos, they make you blink your eyes or turn your head from side to side.

JCG: – Emerging technologies like behavioural biometrics, continuous authentication, and cryptographic proofs offer more secure alternatives.

The guiding principle is not to rely on a single factor. Identity systems must evolve toward layered, adaptive approaches that make impersonation far more difficult.

RVSP: – Most identity systems are designed to only confirm or deny whether I am the same person as whom I claimed to be yesterday. They do not actually verify that I really am whom I claim to be. They can only say that the person who is withdrawing money today is the same person who opened the bank account last year.

But they do not verify whether someone who opened a bank account in the name of Ravi VS Prasad was really me or someone else impersonating me. So, these do not provide much protection against money laundering or tax evasion.

What do you see as the future of identification technologies and systems, which also protect ones privacy? Especially in an era of DeepFakes.

Just as we implement Zero Trust in network devices, should there not be an analogous Zero Trust for persons?

JCG: – Identity systems of the future should combine verification and trust minimisation. Just as Zero Trust assumes that no device in an information and communications network is inherently trustworthy, we should assume that no identity claim is absolute.

This is where decentralised identity and verifiable credentials come into play. Instead of one central authority holding all personal data, individuals can hold cryptographic proofs issued by trusted entities, shared only when needed. This reduces the risk of mass breaches and supports privacy.

Your analogy with Zero Trust for devices is valid: identity systems must continuously validate context, behaviour, and credentials, without relying solely on static enrollment checks.

RVSP: – I have maintained for several years that the only legitimate use of Aadhaar is for preventing fraudulent duplication in government subsidies. That Aadhaar prevents me from presenting myself as Ravi Prasad in Delhi today, Ajay Shah in Mumbai tomorrow, and Venkatesh Narayan in Chennai day after tomorrow, and withdrawing government benefits allocated to these individuals. Because the probability of numerous persons having the same fingerprints or iris patterns is infinitesimally small. I have maintained that any other use of Aadhaar is susceptible to vulnerabilities and misuse.

What is your opinion about Aadhaar? Its legitimate purposes, and safety, security, and privacy aspects.

JCG: – Large-scale identity systems like Aadhaar have undeniable value in reducing fraud in subsidies and improving service delivery.

At the same time, any centralised identity system carries inherent risks — especially concerning privacy and misuse.

The priority should always be security by design and privacy by design, right from inception. That means minimal data collection, strong encryption, strict access controls, and clear legal safeguards. Aadhaar’s effectiveness depends on the rigour of its governance and the trust it can inspire.

The lesson here is not about rejecting such systems but about ensuring they are implemented with the highest standards of accountability, oversight, and respect for citizens’ rights.

RVSP: – You now have Zero Knowledge technologies where I can tell my bank – ‘I will prove to you that I really am the owner of this account. But I will not tell you my name or give you my photograph or my password or my fingerprints because these can be misused by your personnel or intercepted by Man in the Middle types of attacks’.

What are your forecasts for the implementation of such Zero Knowledge technologies and systems?

These actually originated in the 1990s from the world of espionage and blackmail, where you could threaten a spy – ‘I possess knowledge which can incriminate you’. And prove to him that you indeed possess incriminating evidence against him, without giving him the slightest clue whatsoever about what you know about him.

I have maintained for long years that Aadhaar ought to have also used these Zero Knowledge technologies rather than relying so heavily on biometrics technologies and SMS OTPs.

JCG: – Zero Knowledge Proofs (ZKPs) are cryptographic protocols that allow one party to prove knowledge of a fact — for example, a password or a credential — without revealing the fact itself.

In practice, this means a user can prove to a bank that they are the account holder without exposing their password, biometrics, or personal details. This significantly reduces the attack surface because even if intercepted, the information is useless to attackers.

ZKPs are powerful tools for enhancing privacy and reducing identity fraud. As these technologies mature, they may redefine authentication models across finance, healthcare, and government services.

RVSP: – Entering my password in an online banking system or an ATM is insecure because these can be captured by keyloggers, spyware, shoulder surfing, hidden cameras, or intercepted by Man in the Middle types of attacks.

You now have Zero Knowledge, Zero Trust technologies where you can tell your bank – I will not key in my password, but I will prove to you that I know what my password is, and I will also prove to you that no one else knows what my password is.

What is your forecast about the implementation of such Zero Trust, Zero Knowledge Protocol Proofs?

JCG: – This builds on the previous point. Traditional password entry is inherently insecure because it can be observed, intercepted, or stolen. Zero Knowledge Protocols allow us to prove we know the secret without ever sharing it.

In a Zero Trust context, this is crucial. Every access request must be verified continuously, and ZKPs provide a strong cryptographic basis for that.

Combined with behavioural analytics and continuous monitoring, ZKPs can enable a more robust, privacy-preserving approach to identity verification.

RVSP: – Yes, as you said, behavioural analytics and continuous monitoring are crucial, even if all the other log-in credentials are satisfied.

If I try to authenticate my Aadhaar in Delhi right now, and twenty minutes later, someone tries to authenticate the same Aadhaar in Mumbai, and forty minutes after, someone tries to authenticate the same Aadhaar in Chennai, then a coordinated database should raise an alarm.

To move on to my next question on Deep Fakes, which are becoming prevalent in the murky world of Indian politics.

RVSP: – What do you see as the future of deep fakes, and how to detect and protect oneself against deep fakes?

JCG: – Artificial Intelligence will always be a double-edged sword. Deepfakes will continue to grow in sophistication, making it harder for individuals to distinguish real from fake. At the same time, detection technologies will evolve in parallel, leveraging AI to spot subtle inconsistencies.

However, detection alone is not enough. Education and awareness must play a central role. People must learn to question content, verify sources, and avoid assuming that “seeing is believing.”

In parallel, organisations must adopt content provenance standards — digital watermarks, cryptographic signatures — to verify authenticity.

Deepfakes are a technological challenge, but also a cultural one: fostering critical thinking is as important as developing detection tools.

RVSP: –  How should legal systems and laws of evidence adapt in the era of Deep Fakes? Videos and photos can no longer be conclusive proof in courts of law.

I have frequently said that historians in 2200 AD will claim – Humanity suffered a mass delusion between 1850 and 2022 AD when people naively believed that the images and photos and videos they saw on paper, on film, or on their laptop screens or phone handset or television screens were true and authentic.

Will business and legal systems need to go back to the 18th century when you trusted only the people whom you physically met in person or what you saw with your own eyes?

JCG: – Legal systems will need to adapt by relying less on the perceived authenticity of digital media and more on chains of custody and cryptographic verification. Courts of law may require content to be accompanied by proof of origin or certification from trusted authorities.

This doesn’t mean going back centuries. Instead, it means evolving to new models of trust. Digital signatures, verifiable credentials, maybe blockchain-based notarisation can support legal processes in the face of synthetic media.

The fundamental principle remains: trust must be anchored in verifiable systems, not assumptions about what we see.

RVSP: – How can Indian consumers protect themselves against phishing, social engineering and SIM-swap attacks?

JCG: – Consumers must understand that most attacks exploit human behaviour, not just technology. The key here is to never trust blindly, to remain aware of the constant reality of the threats, and that anybody can be a target. It applies to consumers in everyday life and also to employees at work of course. Practical steps include:

• Never clicking suspicious links: if it looks too good to be true, it probably is.

• Verifying sender identities before acting: if your boss never sends you text messages, the one you have just received from him overnight is probably fake.

• Using multi-factor authentication wherever it is offered; do not dismiss it as a nuisance; it really does protect.

• Finally, contacting providers directly when in doubt, and the sooner, the better.

Telecom regulators and banks should also play a role by tightening verification for SIM swaps and raising awareness. Ultimately, cybersecurity is a shared responsibility: education is the strongest protection for consumers.

RVSP: – Yes, recently one of the top cybersecurity experts in the world, a fellow student with me at Carnegie Mellon, was deceived by a deepfake video from someone impersonating his CEO. My friend challenged the imposter by asking him personal details about the CEO’s family, only for the imposter to provide absolutely correct answers about this private family information. So even an internationally renowned expert, who followed mandated protocols and procedures, got deceived.

RVSP: – Could you advise Indian information and telecom network operators on implementing micro segmentation to mitigate the impact of attacks?

JCG: – Micro segmentation divides a network into small, isolated zones so that if attackers penetrate one, they cannot freely move laterally. Each segment enforces its own security controls and monitoring.

This approach limits the blast radius of any breach and provides visibility into lateral traffic.

For critical systems, micro segmentation is a key strategy to contain incidents and protect crown jewels. It has always been a key dimension of good practice for network security and remains essential.

RVSP: – Could you elaborate on the challenges of post-quantum cryptography? Especially since China is fast emerging as a leader in this futuristic field, and India’s military and strategic networks and databases could be targeted.

JCG: – Post-quantum cryptography is becoming a serious issue; it can no longer be seen as a speculative matter, far in the future.

Quantum computers threaten the current encryption algorithms protecting long-lived or highly sensitive data. With research steadily advancing and AI accelerating that progress, it is only a matter of time before adversaries can break existing encryption.

The concern is especially acute for the defence sector, critical national infrastructure, utilities, payment platforms, and any environment holding data that needs to remain secure for many years.

“Harvest-Now-Decrypt-Later” attacks should be taken seriously in all those sectors, whether they come from state-backed actors or cyber criminals.

RVSP: – You are absolutely correct in your warnings. Chinese telecom equipment used by Indian telecom network operators has been suspected of surreptitiously transferring “Harvest-Now-Decrypt-Later” information to China.

While this information may not be of any immediate use to China, it could become crucial and vital in the future, and could potentially cause significant damage to India.

JCG: – Organisations, especially the Indian military and government, must begin preparation now rather than wait until urgency forces action. It is a matter of good management and far-sighted leadership.

Key initial steps include taking a full inventory of tech assets that use encryption, understanding how encryption keys are stored, improving collaboration between cybersecurity, development, and support teams, and assessing vendors’ quantum readiness.

These are foundational practices where many organisations are currently weak due to inherent complexity, fragmentation of assets, or inadequate governance, so the challenges will be considerable for many.

If these preparations are delayed, we might be heading towards a “Y2K moment”: when many industries suddenly realise they are vulnerable and scramble under regulatory or operational pressure to retrofit PQC (post-quantum cryptography) across their systems.

To avoid that scenario, doing something now — even small steps like adding quantum readiness into supplier assessments or vendor risk programs — is better than inaction.

Jean-Christophe Gaillard, a French and British national, is a leading strategic advisor and a globally recognised cybersecurity thought-leader with over 25 years of experience developed in several financial institutions in the UK and continental Europe, and a track record of driving fundamental change in the security field across global organisations, looking beyond the technical horizon into strategy, governance, culture, and the real dynamics of business transformation.

He runs the Corix Partners blog and the “Security Transformation Leadership” publication on Medium.

He is a Fellow of the Chartered Institute of Information Security (FCIIS) in the UK, and a member of the Forbes Business Council.

He has been ranking consistently in the top 5 of global influencers with Thinkers360 on Cybersecurity and was selected as their global Ambassador for GRC in 2025. He was listed as one of their overall Top Voices for 2023 and 2024.


Written by
Ravi Visvesvaraya Sharada Prasad

Ravi Visvesvaraya Sharada Prasad is a computer scientist and author. He writes on technology and historical events in post-independent India. He is Associate Editor at gfiles.
