Securing India's Data Future: A Conversation with Veeam's Security Leaders

In an era marked by rapid technological advancement and an increasingly complex cybersecurity landscape, safeguarding critical data has become paramount for businesses worldwide. India, with its burgeoning digital ecosystem and robust economic growth, stands as a focal point in this global effort.

In an exclusive conversation with Gil Vega, Chief Information Security Officer (CISO) at Veeam Software, and Sandeep Bhambure, Managing Director of Veeam India and SAARC, we delve into the nuances of data protection, the impact of regulatory shifts, and the strategic imperatives shaping the cybersecurity landscape for organizations operating in India. Join us as we gain insights from two leading figures in the realm of cybersecurity, providing valuable perspectives on securing India's digital future.

DQ: Could you please provide an overview of Veeam's operations in India, and the unique challenges and opportunities it presents in this region?

Sandeep Bhambure: Veeam is the world's largest data protection and ransomware recovery company, and we've been recognized as a leader by Gartner for seven consecutive years. IDC also rated us number one in market share in the second half of 2022.

In India, our business performance mirrors our global success. We serve thousands of customers in this region, spanning various sectors including banking, financial services, public sector undertakings, and major manufacturing companies such as Hero MotoCorp and Mahindra. Notable pharmaceutical companies like Granules also rely on Veeam for securing their critical data. It's worth noting that worldwide, 82% of Fortune 500 companies and 73% of Global 2000 companies are among our valued clientele. Our approach is rooted in a 100% channel-oriented strategy, with an extensive network of partners in India. This network encompasses a wide spectrum of industries, collaborating with global system integrators, cloud service providers, and smaller partners who play a crucial role in implementing data protection and ransomware recovery solutions for our customers. Over the past several years, we've experienced consistent double-digit growth in India, and we're poised for further expansion as we step into 2024.

DQ: What are the key growth areas and strategic priorities for Veeam in this region?

Sandeep: We've always prioritized the protection of various workloads, encompassing virtual environments like VMware, Nutanix, and Hyper-V, as well as different types of virtual machines, including traditional and physical workloads. However, what holds particular significance for our customers, especially considering that over 85% of them have faced ransomware attacks in the past 12 months, is our commitment to helping them secure and recover from such threats. This is a critical imperative for our customers in this region, and we're dedicated to providing strategic solutions in this domain.

Another significant area of support we offer to our customers is safeguarding modern workloads, with a primary focus on application modernization, which is a critical initiative across various industries, especially in banking. We take pride in being the world's leading company in protecting Kubernetes and Container workloads through Caston, as well as the world's top company in securing cloud workloads. The adoption of cloud technology in India has been rapidly accelerating, particularly since the pandemic, and we play a vital role in assisting our customers in this transition.

Lastly, but certainly not least, we recognize the growing importance of protecting Software as a Service (SaaS) workloads, including M365 and Salesforce. India has a substantial user base for M365 and Salesforce, and as more customers opt for SaaS-based models, we are dedicated to supporting them in safeguarding their critical data and operations.

DQ: Could you share insights into Veeam's approach to data protection and security for its customers?

Gil Vega: My professional background predominantly stems from working in Washington for the US Federal Government, where I was involved with agencies such as Homeland Security and various intelligence community organizations. In these roles, our primary focus was always on ensuring that our agencies and organizations could maintain their resilience in light of the ever-evolving landscape of cyber threats. This same philosophy is something we actively apply here at Veeam, both in our internal programs aimed at safeguarding the company and its employees, as well as in the products we bring to market. We recognize that the current landscape demands a new level of resiliency. CISOs frequently emphasize the inevitability of breaches and attacks, underscoring the importance of being prepared for them. The ability to recover securely, swiftly, and effectively from such incidents has become increasingly crucial.

It is these guiding principles that have driven the development of our products, empowering our customers to bolster their resilience in the face of a potentially hazardous cyber threat environment.

DQ: How have recent regulations like DPDP (Digital Personal Data Protection Act) influenced organizations' handling of personal data?

Gil: I've read a lot about how India has been working towards this. It's been a long road five year legislative process, they still need to set up the Data Protection Board and oversee the implementation of this law. But what's interesting to me is, India is world's largest democracy and arguably the largest nation in the world depending on which source you listen to. So, with the implementation of this regulation, I think India's influence in data protection regulation will be finally comparable to its to its considerable influence in a lot of other areas.

Sandeep: If 20% of the world's population sits in India, you know how important it is going to be, in fact, in the wake of the DPDP act, I see an increased awareness with the CIO, CTO, and CISO fraternity on the importance of data protection. Earlier, it used to be largely an infrastructure play, but in my conversations with the CISOs, as well as the digital transformation officers within organizations, everyone today is thinking about how to secure, protect data, and also recover from threats like ransomware. There is a provision in the DPDP act wherein customers need to appoint a Data Protection Officer and a Data Consent Officer. Now, the point is not all the organizations will be ready at one go to basically comply with DPDP is going to be a journey, a process, but it has started, and the most important point out there is the accountability of the board of directors. So what is very clearly recognized is that data is your customers' right.

Customers who have been adopting cloud in a big way can simply say that their data is now secure on the cloud, and they need not worry about it. Even hyperscalers like Microsoft and AWS talk about the data security and data ownership to be a joint responsibility. So, all of this is going to come together and basically get IT leaders to think about data protection much more seriously than before because there are provisions of penalties for mishandling data, right.

In the future, organizations will consider data protection, ransomware recovery, and resilience as crucial strategic priorities. This goes beyond mere compliance with local laws or regulations like the DPP. It's about positioning themselves as strong global competitors. As Indian corporations engage with international clients, ensuring compliance and robust customer data security will be paramount. This presents a significant opportunity for companies to adopt advanced technologies like Veeam. Additionally, concepts from GDPR, such as the "right to forget," may be integrated into the broader data protection strategy for Indian customers going forward.

DQ: What challenges do organizations face in complying with data protection regulations, and how have they adapted their strategies to meet these requirements?

Gil: In the United States, Western Europe, and India, cybersecurity has become the primary operational risk managed by public companies at the board level. Companies are acutely aware of the importance of cybersecurity, with many understanding its existential significance. Compliance with regulations is crucial, but it's worth noting that many companies recognized the need for robust cybersecurity measures before regulatory mandates. Failure to maintain pace in cybersecurity can lead to catastrophic breaches. While regulations like the DPDP Act emphasize the importance of compliance, companies have already been prioritizing cybersecurity as a critical business imperative.

DQ: How do these regulations influence the development and implementation of technology practices within organizations?

Gil: These regulations are compelling technology leaders to refocus on building resilience into their technology frameworks. It's crucial to have strategies that not only detect and respond to incidents but also enable rapid recovery. The pace at which adversaries operate is lightning-fast, and companies must ensure their defenses are just as agile. The key for CISOs is to stay ahead of emerging threats and understand the evolving threat landscape to effectively protect their organizations.

DQ: What is the primary responsibility of a CISO in today's digital landscape?

Gil: The role of a CISO has evolved significantly over time, varying depending on industry and organization size. In companies like Veeam and those in financial services, the CISO's role is highly strategic and business-oriented. A significant portion of my time is spent engaging with senior leaders, discussing initiatives, briefing our board, and ensuring adequate investment in cybersecurity programs. It's vital for CISOs to lead strategically within their organizations while also staying attuned to the dynamic technology and threat environment. Staying vigilant and understanding emerging threats is crucial in a landscape where the question is no longer if, but when a breach will occur.

DQ: Can you share any recent developments or initiatives at Veeam related to cybersecurity and data protection in India?

Gil: Over the past year and a half, Veeam has undergone a transformation in both our internal cybersecurity program and our products. We've enhanced our products with significant cybersecurity features to empower CISOs and organizations in achieving data resilience. Another significant focus has been on securing our supply chain, especially in response to regulations in the United States. This ensures that we're a trusted supplier to critical industries such as banking, energy, government, and the military.

Sandeep: Additionally, we've achieved certifications from the Department of Defense, emphasizing our commitment to meeting the stringent standards set by one of the world's largest technology buyers. We've worked closely with the Department of Defense's supply chain Working Group, and Veeam has been recognized as a leader among software companies dedicated to these critical security efforts.

DQ: What are some best practices you would recommend to businesses to enhance their cybersecurity posture?

Gil: Focus on the fundamentals. Patch your applications and operating systems, manage privileged access, implement application whitelisting, and ensure resiliency in your backup and recovery strategy. These basic measures are foundational to a strong cybersecurity posture. By concentrating on these core practices, companies can significantly raise the cost of doing business for attackers, making them less attractive targets.

Sandeep: Additionally, we advocate the "32110” best practice, which emphasizes having two backup copies, one stored offsite in an immutable format, and verifying this copy for zero errors. This ensures that in the event of a ransomware attack, customers have a secure and error-free copy for recovery.

DQ: What are the main benefits and drawbacks of data protection regulation for both consumers and businesses?

Gil: Data protection regulations serve as a reminder to companies to be accountable for implementing best practices in data protection and cybersecurity. This is a significant benefit for both businesses and consumers. However, it's important to acknowledge that regulations can sometimes lead to unintended consequences. Governments should maintain some level of flexibility in enforcement to avoid inadvertently harming businesses or consumers.

DQ: Can you share any success stories or case studies of organizations in this region benefiting from Veeam's solutions in cybersecurity?

Sandeep: Certainly, we have numerous success stories from our diverse customer base. For example, Hero MotoCorp, the world's largest two-wheeler manufacturer, and prominent universities like Power University have implemented Veeam to achieve faster recovery and reduce total cost of ownership. These organizations have experienced tangible benefits in terms of revenue, cost reduction, and risk mitigation.

DQ: What trends do you anticipate in the cybersecurity landscape in the coming years?

Gil: The cybersecurity landscape will continue to face escalating threats, with attackers becoming more sophisticated and innovative. The use of generative artificial intelligence by attackers is a concerning trend, and we need to focus on deploying AI on the defensive side to respond effectively in real-time. Additionally, we foresee a surge in data being pushed to the cloud for protection, especially in India. The protection of SAS workloads, such as M365 and Salesforce, will also gain prominence.

Sandeep: In conclusion, the cybersecurity landscape will evolve dynamically, requiring a proactive approach to stay ahead of emerging threats and protect critical data assets.