Beyond Compliance: Why India's Cybersecurity Wake-Up Call Demands People, Process — and Accountability

In an era where breaches persist despite heavy tech investments, the real gap lies beyond tools—in execution and accountability.
Atul Luthra outlines why aligning people, process, and technology is the only way to turn cybersecurity into a true business enabler.

5Tattva operates at the forefront of cybersecurity, delivering end-to-end solutions that strengthen enterprise resilience in an increasingly volatile threat landscape. With expertise spanning audits, Vulnerability Assessment and Penetration Testing (VAPT), and 24x7 Security Operations Centre (SOC) monitoring, the company focuses on moving organizations beyond compliance-driven approaches toward outcome-based security frameworks. Its philosophy positions cybersecurity not as a support function, but as a strategic pillar critical to sustained business growth.

The driving force behind 5Tattva is Atul Luthra, its maverick Co-Founder and the CEO of Zeroday Ops. Atul brings to the table over 25 years of solid experience in cybersecurity, IT governance, and compliance-led transformation. Known for his structured and pragmatic leadership style, he drives 5Tattva with a clear emphasis on aligning security frameworks with business realities. His approach blends technical depth with governance discipline, enabling organizations to not only meet regulatory expectations but also build scalable, security-first architectures. At Zeroday Ops, he further extends this vision by leading innovation in automated VAPT solutions, reinforcing proactive risk management at scale.

In this special SME Channels interaction, Atul deep-dives into the evolving cybersecurity landscape, addressing critical gaps between technology adoption and real-world security outcomes. He tries to offer a grounded perspective on why breaches continue despite rising investments, the growing influence of AI in cyber warfare, and the urgent need for businesses and channel partners to shift from product-centric models to solution-driven strategies. The conversation highlights a key transition underway in the industry—from compliance-led security to resilience-driven, boardroom-priority cybersecurity.

Cutting through the noise of vendor proliferation and compliance fatigue, the discussion  addresses the harder questions: Why do breaches keep rising despite sophisticated tools? How do organisations distinguish genuine security from theatre? What will it take for boardrooms to treat cybersecurity as a growth driver rather than a cost centre? From the role of AI in tilting the attacker-defender dynamic, to India's push for digital sovereignty, to the roadmap for Indian cyber firms eyeing global leadership — Atul offers the unfiltered perspective of a practitioner who has spent decades at the intersection of technology, governance, and enterprise risk. Edited Excerpts…

India’s cybersecurity market today is over-crowded with vendors and point solutions—yet breaches keep rising. Where exactly do you think the industry is failing: technology, implementation, or accountability?

The foundation of robust cybersecurity, as in any successful enterprise, rests on the synergistic interplay of People, Process, and Technology. While technology offers sophisticated solutions, its efficacy is inherently tied to the proficiency of the individuals operating it and the robustness of the processes governing its deployment and maintenance. Therefore, attributing persistent breaches solely to the presence of solutions would be an oversimplification.

Our experience as an auditing organisation reveals numerous instances where organisations invest in technology, presuming it confers complete security. However, technology represents only one facet of the cybersecurity paradigm; its true potential is realised when complemented by skilled personnel and well-defined processes.

Modern cybersecurity tools are remarkably mature. The challenge often lies in their inadequate implementation. Consider the Salesforce breach in 2025, which became public knowledge. This incident stemmed from vulnerabilities in OAuth integrations with Salesforce-Drift, allowing unauthorised access without password compromise. Such a breach could have been averted through stringent validation protocols for third-party OAuth applications—a process fundamentally driven by human oversight and adherence to established procedures.

From an accountability standpoint, this particular breach was not a technical failure but rather a lapse in ownership concerning third-party integrations, leading to critical oversights. Consequently, it is imperative that all three pillars—People, Process, and Technology—are harmonised to fortify organisations against the evolving threat landscape.

"Security theatre prioritises superficial compliance — deploying tools and drafting policies — primarily to pass audits. Real cybersecurity value is measured by an organisation's demonstrable ability to prevent, detect, and recover from actual cyberattacks. The litmus test is a confident 'yes' to the question: Will this system withstand a real-world breach?"

— Atul Luthra, CEO, Zeroday Ops & Co-Founder, 5Tattva

You’ve built businesses in a space driven by fear and compliance. How do you differentiate real cybersecurity value from what many critics call “security theatre”?

The term “security theatre” is indeed a potent descriptor, and regrettably, it often reflects reality. During audits, we frequently observe scenarios where compliance checklists are meticulously completed, and technological solutions are ostensibly in place. For instance, an organisation might affirm the presence of a 24x7 Security Operations Centre (SOC), complete with tools and dedicated personnel. While this satisfies a checklist item, the critical question remains: are the personnel adequately trained and proficient in operating these tools to ensure optimal performance and effective threat mitigation? This aspect, being subjective, often represents the true differentiator.

While such an approach might successfully navigate an audit by ticking boxes, it does not equate to genuine security. “Security theatre” prioritises superficial compliance—deploying tools and drafting policies—primarily to pass audits. In contrast, real cybersecurity value is measured by an organisation’s demonstrable ability to prevent, detect, and recover from actual cyberattacks effectively. The litmus test for genuine security is the confident affirmation to the question: “Will this system withstand a real-world breach?” Organisations that can answer affirmatively are transcending mere “security theatre.”

With AI rapidly reshaping cyberattacks, do you believe defenders still have a technological edge or are we entering into a phase where attackers have a structural advantage?

The dynamic between cyber attackers and defenders often mirrors the classic “cat and mouse game,” where the advantage continually shifts. It is undeniable that Artificial Intelligence (AI) has significantly lowered the barrier for attackers, enabling faster reconnaissance, the creation of highly convincing phishing campaigns, and automated AI-driven attacks with unprecedented ease. However, defenders inherently possess a fundamental advantage: they control their own environment, which they have meticulously designed from the ground up, embedding security policies and controls into the very fabric of their systems. When supported by an ideal alignment of People, Process, and Technology, defenders can consistently maintain a secure posture.

The crucial caveat, however, lies in the adaptation of new technologies in response to a rapidly evolving threat landscape. This adaptation is frequently constrained by budgetary approvals, impeding many organisations from responding with the necessary agility. In the contemporary threat environment, defensive strategies cannot afford to be reactive. Just as attackers leverage AI, organisations must proactively integrate AI-driven detection, adopt identity-first security principles, and implement continuous validation mechanisms to regain and sustain their technological edge.

In essence, while the “cat and mouse game” will persist, proactive adaptation and strategic investment in AI-driven defence mechanisms are paramount for defenders to maintain their advantage.

Many enterprises still treat cybersecurity as a cost centre. What will it take—regulation, breach impact, or leadership mindset—for security to finally become a board-level growth priority?

While cybersecurity is often perceived as a cost centre, particularly within Small and Medium Businesses (SMBs), the perspective within larger enterprises is gradually evolving. The transition from viewing security as an expenditure to a strategic investment is complex, given that organisations operate within regulatory frameworks while attackers face no such constraints. Therefore, a confluence of regulation, breach impact, and leadership mindset is essential to elevate cybersecurity to a board-level growth priority.

Currently, India is witnessing a proliferation of regulations from bodies such as SEBI, RBI, and IRDAI, which mandate a baseline level of cybersecurity. However, these often devolve into mere checklist exercises. Organisations must transcend this checklist mentality and comprehend the underlying objective of each control. If security measures are viewed solely as compliance checkboxes, they will invariably remain a cost centre.

Cybersecurity typically ascends to a boardroom priority either through visionary leadership or, regrettably, in the aftermath of a breach. The latter, while impactful, is clearly undesirable. A significant challenge for Chief Information Security Officers (CISOs) is demonstrating the Return on Investment (ROI) for cybersecurity initiatives. This can be effectively addressed by articulating risk reduction and the cost of avoidance against potential cyber-attack scenarios. Furthermore, showcasing operational efficiencies gained through reduced incident response times and minimised disruptions can underscore security’s value.

Unfortunately, enterprises often re-prioritise security only after experiencing a breach, when the tangible costs of downtime, data loss, and reputational damage become starkly evident. With the accelerating pace of AI advancements and the daily reports of ransomware attacks and breaches, cybersecurity is undeniably becoming a boardroom imperative, albeit at a measured pace.

India is pushing for digital sovereignty and data localization. Do you see this strengthening cybersecurity—or creating fragmented, harder-to-secure ecosystems?

The global trend towards digital sovereignty and data localisation is not unique to India; numerous major economies are pursuing similar objectives. When implemented judiciously, these initiatives can unequivocally strengthen cybersecurity. Data localisation enhances control, improves visibility, and facilitates regulatory enforcement. It also enables faster incident response and bolsters the protection of sensitive data. However, if not managed prudently, it can inadvertently lead to fragmented architectures and duplicated systems, thereby increasing complexity and potentially expanding the attack surface.

Organisations that strategically combine data localisation with standardised security practices and robust governance frameworks can significantly enhance their security posture. Conversely, a lack of integrated management risks creating isolated data silos that are inherently more challenging to secure.

Startups in cybersecurity often struggle to scale globally. What are the biggest barriers Indian cyber firms face in becoming global leaders, and how are you addressing them?

The primary impediment for Indian cybersecurity firms aspiring to global leadership is not a deficit in capability; India possesses exceptional talent and engineering prowess. Rather, the challenges lie in positioning, building trust, demonstrating scalability, and managing the perception of security maturity. Indian firms often struggle to articulate their value proposition effectively in the global market.

We frequently observe Indian cybersecurity firms facing difficulties in securing initial global engagements, as enterprises often favour established international players, despite the strong technical capabilities offered by Indian counterparts. This preference is often driven by the perceived credibility associated with certifications, proven security practices, and extensive real-world case studies.

Furthermore, many Indian organisations remain predominantly service-heavy, which inherently limits global scalability. True global success in cybersecurity stems from offering standardised, secure, and repeatable productised solutions. Challenges also extend to go-to-market strategies and distribution, encompassing the need for local presence, strategic partnerships, and a nuanced understanding of diverse global regulatory and security expectations.

To address these barriers, a multi-pronged approach is essential:

• Focus on secure, outcome-driven solutions, moving beyond mere service provision.
• Build trust through stringent compliance (e.g., ISO Certification, SOC2 Assessment, PCI DSS, HIPAA) and a demonstrably strong security posture.
• Invest strategically in global partnerships and establish a local presence in key markets.
• Standardise offerings to ensure scalability, consistency, and security by design.
• Develop applications with a security-by-design approach, integrating DevSecOps principles across the entire development lifecycle.

In essence, the transformation required for Indian cybersecurity firms to become global leaders involves a shift from being solely technically proficient to being globally trusted, security-first, product-driven, and DevSecOps-enabled.

Channel partners today are expected to move from resellers to trusted advisors. What concrete steps are you taking to enable partners to deliver real security outcomes rather than just products?

The adage, “Do not sell boxes; help solve business problems,” resonates more profoundly today than ever before. Businesses are not merely seeking technology or products; they are seeking solutions that address their core challenges, mitigate hurdles, or accelerate growth. If a technology demonstrably achieves these objectives, businesses will readily invest. Similarly, contemporary businesses now seek partners who can resolve their cybersecurity challenges—whether safeguarding operations or overcoming specific security impediments—rather than simply vending technology. This paradigm shift necessitates channel partners evolving into trusted advisors.

With increasing vendor overlap and shrinking margins, how can partners build sustainable cybersecurity businesses? Where do you see the most profitable opportunities over the next 3–5 years?

In an increasingly saturated market characterised by “tool sprawl” and diminishing margins, the path to sustainable cybersecurity business lies in transitioning from product sales to offering solutions that demonstrably reduce customer risk. Organisations today are actively seeking trusted advisors who can provide comprehensive solutioning, encompassing expert services alongside or independent of specific tools. These solutions must alleviate the client’s cybersecurity burden, allowing them to concentrate on their core business objectives. Furthermore, governance is poised to play a pivotal role, as regulatory compliance continues to expand, and the advent of AI will introduce further complexities.

Over the next three to five years, the proliferation and governance of AI will escalate exponentially, creating a significant demand for specialised expertise to ensure organisational security. This will drive an increased need for compliance with evolving standards, such as ISO 27701 (AIMS), and industry-specific regulations like PCI DSS and HIPAA, which will reshape the current landscape. Consequently, areas requiring deep expertise will become highly profitable. Finally, Cyber Insurance Readiness will emerge as a critical component, with organisations actively seeking trusted partners to assist them in achieving this crucial aspect of risk management.