Cyber threats are no longer an IT problem — they are a board-level risk. In 2024, India overtook the United States to become the world's most targeted country for cyberattacks. Indian organisations faced an average of 3,201 cyberattacks per week — more than double the global average.

The business case for cybersecurity investment is calculable, not philosophical. IBM's 2025 Cost of a Data Breach Report puts the average cost of a data breach in India at ₹19.5 crore — a figure that includes regulatory penalties, breach notification costs, reputational damage, and customer attrition.

CERT-In now requires breach notification within six hours — one of the shortest windows globally. The DPDPA creates significant liability for data protection failures. SEBI, RBI, and IRDAI all have mandatory cybersecurity requirements for regulated entities. Non-compliance is no longer an option.

Security spending should be calibrated against risk, not benchmarked against peers. The right framework is: identify your highest-value assets and most likely attack vectors, calculate the expected loss from a successful attack, invest in controls that reduce that probability and impact, and measure the reduction.