Trust Under Attack: Why Resilience and Not Compliance Will Define The Next Generation of Enterprise Security

Technology continues to evolve at breathtaking speed. Artificial intelligence is transforming cyber defence while simultaneously equipping attackers with more sophisticated capabilities. Regulatory expectations are rising, digital ecosystems are expanding, and organisations are becoming more interconnected than ever before.

Yet despite billions invested in cybersecurity technologies, many successful attacks still begin with something remarkably ordinary: a human decision.

The next chapter of cybersecurity, therefore, may have less to do with technology than with organisational culture, operational resilience and executive leadership.

In the concluding part of this exclusive interview with Puru Shah from the Risk Awareness team, Pranay Modi, Chief Information Security Officer, MAS Financial Services, explains why people should not be viewed as the weakest link, why resilience is replacing prevention as the defining cyber objective, and why organisations must move beyond compliance if they are to remain resilient over the coming decade.

Q4. The weakest link in cybersecurity is often neither technology nor regulation, but people. In an era of AI-enabled phishing, insider threats and social engineering, how should organisations build a culture where cyber resilience becomes everyone’s responsibility rather than the security team’s alone?

I would gently challenge the premise. People are not the weakest link in cybersecurity; they are the most attacked link. Attackers target humans not because humans are foolish, but because it works: why break through a firewall when you can simply ask someone for the key? An untrained workforce is indeed your biggest vulnerability. But a trained, engaged workforce is the largest sensor network you will ever deploy, thousands of eyes that no SOC can replicate.

The problem is that most organisations still run awareness the way we ran it fifteen years ago: an annual e-learning module, a quiz, a certificate, a checkbox for the auditor. Then we act surprised when someone wires money to a fraudster. Compliance-driven awareness produces completion rates, not behaviour change. Culture is what changes behaviour and culture is built differently.

In my experience, four things matter.

Make it personal before you make it professional. Teach people to protect their own families first: their UPI accounts, their children online, their parents against voice-scam calls. An employee who protects their mother from a fake bank call will instinctively question a suspicious vendor email at work. And security lessons delivered in the language people actually think in: for us in India, that means Hindi and regional languages, not just English, travel far deeper than corporate slideware.

Make the secure path the easy path. If a security process is painful, people will route around it, not out of malice, but simply to get their job done. Every workaround is a design failure, not a user failure.

Make it safe to report. This is the one I feel most strongly about. If an employee who clicks a phishing link fears punishment, they will stay silent and your response time dies in that silence. The employee who reports a mistake within five minutes is more valuable than the one who never clicks but never reports either. Aviation transformed its safety record through blameless reporting of near-misses; cybersecurity must do the same. Celebrate the reporter. Never shame the clicker.

Rehearse for the AI era. The old advice: spot the typos and check the grammar, is dead. AI now writes flawless phishing emails and clones voices convincingly enough to fool families, let alone finance teams. The defence must therefore shift from detection to verification: no payment change, credential request or urgent instruction gets acted upon without out-of-band confirmation through a known channel. Process must protect people where perception no longer can.

On insider threats, I hold a balanced view: the answer is trust and verify, not surveillance. Least privilege, separation of duties and anomaly monitoring protect the institution, but so does noticing the disengaged or distressed employee before they become a risk. Many insider incidents begin as human problems long before they become security problems.

And none of this works without tone from the top. The day a CEO refuses to bypass MFA “just this once,” the organisation learns more than any training module can teach. Security champions embedded in business teams carry the message further than any poster on a wall.

Ultimately, culture is what people do when the security team is not watching. Technology can stop a malicious file. Only culture can stop a convincing phone call.

Q5. Regulators worldwide, including the RBI, are placing increasing emphasis on operational resilience, third-party risk and cyber governance. Looking ahead, what capabilities should every large enterprise begin investing in today to remain resilient over the next five years, regardless of how the threat landscape evolves?

If the past five years taught us anything, it is that predicting the threat is a losing game. No risk registers in 2020 anticipated an overnight shift to remote work, the industrialisation of ransomware, or AI writing flawless phishing emails in regional languages. So, when I plan for the next five years, I begin with an honest admission: I do not know what 2031 looks like. Which is precisely why the smartest investments today are threat-agnostic, capabilities that hold their value no matter what shape the next crisis takes.

The regulatory direction actually gives us the map. Whether it is the RBI’s Master Directions here in India, DORA in Europe or disclosure regimes elsewhere, regulators worldwide are converging on the same three themes: resilience over prevention, ecosystem over enterprise, and accountability over delegation. Regulators are not inventing this direction; they are confirming it. Enterprises should invest accordingly.

Start with visibility. It sounds unglamorous, but you cannot protect, recover or govern what you cannot see. Live asset intelligence, complete data mapping, a clear picture of every internet-facing service: this is the foundation everything else stands on. The DPDP Act has quietly turned “where does our personal data live?” from a hygiene question into a legal obligation. Most large enterprises still cannot answer it confidently.

Second, identity. The perimeter is gone; identity is the new control plane. And the challenge is no longer only human: machine identities, API keys, service accounts and now AI agents are multiplying far faster than employees. Strong authentication, least privilege and privileged access governance will matter in five years regardless of how attacks evolve, because most breaches will still begin the same way they do today: with a credential.

Third, rehearsed recovery. Operational resilience means proving you can continue critical services through disruption, not producing a document that says you could. That requires defining impact tolerances for critical business services, testing against severe-but-plausible scenarios, and maintaining immutable, offline backups that are actually restored in drills. A recovery plan that has never been rehearsed is a hypothesis, not a capability.

Fourth, ecosystem assurance. Every cloud provider, fintech partner and API integration is now an extension of your attack surface, and your resilience is only as strong as your weakest critical partner. Third-party risk must graduate from an annual onboarding questionnaire to continuous monitoring, with concentration risk mapped and exit strategies designed before you need them, not after.

Fifth, governance fluency. Boards are now personally accountable for cyber risk, which means they need instruments, not dashboards of vulnerability counts. Enterprises must invest in the ability to quantify cyber exposure in business terms: risk appetite, financial impact, service availability, so that leadership can make defensible decisions rather than fearful ones.

And two horizon investments deserve a head start today. Crypto-agility: quantum computing may be years away, but “harvest now, decrypt later” attacks are already underway, and financial data carries decade-long confidentiality obligations, the cryptographic inventory should begin now. And AI governance: AI is simultaneously our newest tool and our newest attack surface, and institutions that govern its internal use early will adapt far faster than those waiting for a mandate.

Running through all of this is the one capability that compounds rather than depreciates: people. Tools expire in three years; a strong security team and a risk-aware culture appreciate in value every year you invest in them.

Capital adequacy defined banking’s last era. Operational adequacy will define the next. The institutions that thrive over the coming five years will be those that treat resilience not as a compliance cost, but as the new solvency, because in a digital economy, the ability to absorb a shock and keep serving customers is what trust is made of.

Q6. One final question. If you were addressing every CEO, Board Director and CISO in India today with a single message, what would it be? More importantly, what is the one cybersecurity misconception that organisations must abandon immediately if they want to remain resilient in the decade ahead?

If I could leave every CEO, Board Director and CISO in India with a single sentence, it would be this: you can delegate the work of cybersecurity, but you can no longer delegate its ownership.

That one message means something different to each seat at the table.

To the CEO: digital trust is now your product, whatever industry you are in. When a breach happens, customers will not ask who your CISO was, they will ask whether your company kept its promise. Fund cybersecurity the way you fund anything that protects revenue, because that is exactly what it does.

To the Board Director: the RBI’s directions and the DPDP Act have made this personal. “We were not informed” is no longer a defence, it is an admission. Bring cyber risk into the boardroom with the same rigour you bring to credit and liquidity risk: a defined appetite, quantified exposure and questions that go deeper than the colour of a dashboard.

To the CISO: earn the seat you are asking for. Speak the language of business impact, not vulnerability counts. And have the courage to tell leadership the uncomfortable truth rather than the comfortable metric, that is what the role now demands.

As for the misconception that must be abandoned immediately, it is this: compliance equals security.

It does not. Compliance is a floor, not a ceiling. It is a photograph taken on audit day; security is the live feed of every day after. Nearly every major breach in recent memory happened inside an organisation that had passed its audits and held its certificates. Attackers do not read your compliance report, they read your attack surface, and the two are rarely the same document.

The danger of this misconception is subtle: it converts security from a risk discipline into a paperwork exercise. Organisations start managing the auditor instead of the adversary. Controls exist on paper but are never tested under fire. Budgets flow toward whatever produces a certificate rather than whatever reduces actual exposure. It creates institutions that are perfectly documented and poorly defended.

The correction is a change in sequence: build security for the threat, and compliance will follow as a natural byproduct. The reverse is never true. Regulators themselves are signalling this shift, the emphasis moving from “show me your policy” to “show me your recovery,” from certification to demonstration. The institutions that read that signal early will be the resilient ones.

The decade ahead will bring AI-driven attacks, quantum pressure on encryption, and a digital economy more interconnected than anything we have governed before. We cannot predict its threats, but we can choose our posture. India is building one of the world’s great digital economies and every rupee of it moves on trust. The organisations that thrive will not be the ones that never fall. They will be the ones that own their risk, rehearse their recovery, and rise faster than anyone expected.

That is what resilience means. And it is everyone’s job now.

The Risk Awareness Perspective

Cybersecurity is often discussed through the language of technology: AI, ransomware, cloud security and zero trust. Yet Pranay Modi repeatedly returns to a simpler idea: trust.

Trust between customers and institutions. Trust between Boards and their security leaders. Trust that organisations will continue operating even when disruption occurs.

That is why his distinction between compliance and resilience is particularly significant. Compliance may satisfy regulators, but resilience earns customer confidence. As organisations prepare for an era shaped by AI-driven attacks, expanding digital ecosystems and increasingly demanding regulatory expectations, the winners are unlikely to be those that never experience cyber incidents. Rather, they will be those that anticipate disruption, rehearse recovery and emerge stronger from it.

In Pranay Modi’s words, cybersecurity can be delegated, but ownership cannot. And in a digital economy built on trust, that ownership belongs to everyone, from the Boardroom to the front line.

Top