As cyber threats become more intelligent, interconnected and psychologically sophisticated, the future of banking security will increasingly depend on resilience rather than perimeter defence alone.
In the concluding part of this exclusive CXO Dialogue interview with Risk Awareness, Ratan Jyoti shares his perspectives on AI-driven cyber risks, ransomware preparedness, organisational security culture and the emerging blind spots that banking leaders and Indian enterprises must prepare for over the next few years.
Q: Artificial Intelligence is now reshaping both cyber defence and cybercrime. How do you view the opportunities and risks associated with AI-driven cybersecurity, particularly in the context of financial institutions?
Artificial Intelligence is going to reshape cybersecurity significantly over the next few years, both positively and negatively.
On the positive side, AI can substantially improve threat detection, behavioural analytics, fraud monitoring and automated response capabilities. Security teams today deal with massive volumes of alerts and operational data, and AI can help identify suspicious patterns much faster than traditional approaches. AI can also improve efficiency by helping teams prioritise risks better and reduce operational noise.
At the same time, AI is also increasing the sophistication of cybercrime. We are already seeing AI-assisted phishing campaigns, deepfake-enabled fraud attempts and highly personalised social engineering attacks becoming more common.
This is particularly concerning for financial institutions because banking fundamentally operates on trust, identity and transaction integrity.
I remember attending a cyber discussion where an expert demonstrated how convincingly AI could mimic voice patterns and communication styles. What struck me was not the technology itself, but how quickly trust could be manipulated if organisations are not operationally prepared for these kinds of threats.
That is why I believe AI governance will become extremely important going forward. Organisations should not approach AI adoption only from an innovation perspective. Governance around data usage, validation, monitoring, accountability and risk assessment becomes equally critical.
I personally believe AI should support human judgement, not replace it. Technology can improve speed and intelligence, but accountability and decision-making must continue to remain with people.
The institutions that will benefit most from AI will be the ones that adopt it responsibly, with strong governance and a balanced understanding of both opportunities and risks.
Q: With phishing, ransomware and social engineering attacks becoming more sophisticated, do you think Indian organisations are still over-focused on compliance and under-focused on cyber resilience and preparedness?
To some extent, yes. Compliance remains important because it creates baseline governance and control discipline. But cybersecurity cannot become only a checklist-driven exercise.
Threats today evolve much faster than static frameworks. Organisations therefore need to focus much more on resilience, preparedness and operational response capability.
The real test of cybersecurity maturity is not whether an organisation can avoid every attack. In today’s environment, that is unrealistic. The real test is how effectively the organisation can detect, contain, respond and recover when incidents happen.
Phishing and social engineering attacks are becoming far more targeted and psychologically sophisticated. Attackers increasingly exploit trust, urgency and operational gaps rather than only technical vulnerabilities. One thing I have observed across industry incidents is that the challenge is often not the absence of controls, but delayed response, unclear ownership or lack of preparedness during critical situations.
I remember a discussion after a ransomware incident where a senior executive admitted that the organisation technically had backup systems in place, but recovery coordination during the actual disruption was far more difficult than expected because teams had never rehearsed the situation realistically. That is where resilience maturity really gets tested.
Cyber resilience requires operational discipline. Backup readiness, recovery testing, crisis communication planning, decision-making processes and cross-functional coordination all become extremely important during disruptions. Continuous awareness programmes, cyber drills and practical response simulations are therefore essential.
Compliance improves baseline hygiene. Resilience determines whether an organisation can continue operating effectively during a crisis.
Q: As Head of Technology Risk Management & CISO at Ujjivan Small Finance Bank, how do you approach the challenge of building a strong security culture across employees, leadership teams and operational functions?
Building a strong security culture is a continuous process. It cannot be achieved through policies alone or through occasional awareness sessions.
One thing I strongly believe is that cybersecurity should not feel like the responsibility of only the security team. The moment employees across functions start seeing themselves as stakeholders in cyber resilience, the maturity of the organisation improves significantly.
At Ujjivan Small Finance Bank, the focus is on creating awareness, accountability and collaboration across all levels of the organisation.
We conduct regular awareness programmes, phishing simulations, targeted training sessions and leadership discussions so that employees understand the practical relevance of cybersecurity in their daily responsibilities.
I have personally found that people respond much better when they understand the purpose behind security controls rather than viewing them only as restrictions. When employees understand that cybersecurity directly impacts customer trust, operational continuity and institutional reputation, the conversation becomes far more meaningful.
I remember interacting with an operations employee during an awareness session who said, “I used to think cybersecurity was mainly an IT topic until I realised one wrong approval or one rushed action can create real business impact.” Comments like these are important because they show how awareness gradually changes behaviour and ownership.
Leadership involvement is equally important. When senior management actively participates in cyber governance discussions and resilience initiatives, it creates stronger organisation-wide accountability.
Another important aspect is communication. Cybersecurity conversations should not happen only after incidents. Continuous engagement and proactive communication help build long-term awareness and trust.
Culture ultimately develops through consistency, behaviour and leadership example. Over time, cybersecurity should become part of everyday organisational thinking rather than a separate compliance activity.
Q: Looking ahead, what are the emerging cyber-risk trends or blind spots that banking leaders and Indian enterprises must prepare for over the next 3–5 years?
Over the next few years, organisations will face a much more interconnected and complex cyber-risk environment.
AI-driven attacks, deepfake-enabled fraud and identity manipulation are likely to increase significantly. Attackers are becoming faster, more adaptive and far more targeted in the way they exploit both technology and human behaviour.
Third-party and ecosystem risk will also continue growing rapidly. Banks today are deeply interconnected with cloud providers, fintechs, digital platforms and external service partners. A disruption outside the organisation can quickly create operational impact inside the institution itself.
Cloud governance and hybrid-environment security will remain major focus areas, especially around visibility, misconfigurations and shared responsibility challenges.
Identity-based attacks are becoming increasingly common, which means identity protection and access governance will remain critical priorities across the industry. Data privacy and regulatory obligations will also continue evolving rapidly as digital ecosystems expand further.
One area I personally feel organisations still underestimate is operational over-dependence on interconnected digital systems. As institutions become more automated and integrated, even relatively small disruptions can sometimes create disproportionately large operational impact.
I remember an industry discussion where someone described resilience very accurately. He said, “In modern digital ecosystems, complexity itself becomes a risk.” I think that is an important observation because organisations today are managing not only cyber threats but also increasing operational interdependencies.
Another challenge will be the shortage of experienced cybersecurity professionals and the need for stronger cyber-risk understanding at leadership levels. Going forward, organisations will need to move beyond reactive approaches and adopt more intelligence-driven and resilience-focused security strategies.
In the coming years, cybersecurity will increasingly become a defining factor for customer trust, operational stability and long-term institutional credibility.
