
NCSC Secure Connectivity Principle 1: Balance the Risks and Opportunities

InfoSec Made Easy | OT Security Leadership | NCSC Guidance Series

Why every OT connectivity decision must start with a formal risk conversation — not a technical one

There is a moment that every security leader in an operational technology environment eventually faces. A business leader walks in with a compelling case: real-time analytics, remote monitoring, predictive maintenance, integration with the enterprise data platform. The benefits are real, the pressure is genuine, and the timeline is already set. The question that lands on your desk is not "should we connect this?" — it has already been decided. The question is "how do we connect this?"

That moment is exactly where Principle 1 of the NCSC's Secure Connectivity Principles for Operational Technology is designed to intervene. The principle is deceptively simple: before you design, before you architect, before you choose a vendor or write a firewall rule, you must be equipped to ma...
Recent posts

Building a DPDP Readiness Roadmap

A phased, practical action plan for building a DPDP compliance program that actually holds up

Parts 1 and 2 of this series gave you the foundation. You know what the DPDP Act is, who it applies to, and what each obligation requires. Now it’s time to answer the question that every practitioner has been sitting with throughout this series: where do I actually start, and how do I build a program that will hold up?

This is the CISO’s DPDP Readiness Roadmap. It’s organized the way real compliance programs are actually built — not as a single sprint, but as a phased effort that starts with understanding your current state, moves through building the capabilities you need, and matures into sustained operational discipline. Each phase has specific workstreams, practical guidance, and honest commentary about what’s hard and what’s commonly missed. Use this as a framework and adapt it to your organization’s size, your existing privacy maturity, and your specific risk profile. A 50-person fintech...

India's DPDP Compliance Obligations

What the law actually requires you to do — and how to think about each obligation before the rules are finalized

In Part 1, we covered the foundation: what the DPDP Act is, who it applies to, what rights it gives individuals, and why it demands CISO ownership. If you haven’t read Part 1, go back and start there — this article builds directly on it.

Here in Part 2, we’re going operational. We’re walking through each major obligation the DPDP Act places on Data Fiduciaries and breaking down what they actually mean in practice. By the end of this article, you should be able to look at your current data program and identify, at a high level, where your gaps are.

One important note before we dive in: as of early 2026, India’s Ministry of Electronics and Information Technology is still finalizing the DPDP Rules — the secondary legislation that will spell out specific timelines, formats, technical standards, and procedures. The Act itself is law, but some procedural specifics are still being ...

Understanding India's DPDP Act

A plain-English breakdown of India’s landmark data privacy law — and why it belongs on your radar right now

If your organization touches the personal data of anyone living in India — a customer, a user, an employee, a job applicant — India’s new data protection law applies to you. It doesn’t matter if your headquarters is in San Jose, London, or Singapore. It doesn’t matter if you have a single office in India or none at all. If you are collecting, storing, or processing digital personal data of Indian residents, you are in scope.

That law is called the Digital Personal Data Protection Act, or the DPDP Act. India’s Parliament passed it in August 2023, and while the supporting rules that will define some operational specifics are still being finalized as of early 2026, the core law is active. Smart CISOs aren’t waiting for the complete rulebook before they start preparing — because when enforcement kicks in, the clock won’t reset and the regulator won’t be sympathetic to organ...

Winning the Room: How to Gain and Keep Executive Support

Blog Series: Your First 90 Days as a CISO | Post 4 of 4

A Plain-English Guide for New, Aspiring, and Future Security Leaders

Here's a truth that many talented security professionals discover too late: you can be technically brilliant, deeply experienced, and genuinely committed to protecting the organization — and still fail as a CISO if you don't have executive support.

Security programs require funding. They require organizational authority. They require the ability to make decisions that sometimes create friction for other business units. They require the backing to hold lines when the pressure to cut corners for speed or convenience is intense. None of that happens without the support of the people at the top of the organization.

And yet, earning and keeping executive support is exactly the area where security leaders most often struggle. The technical skills that make someone a great security professional don't automatically translate into the c...