InfoSec Made Easy OT Security Leadership | NCSC Guidance Series Why every OT connectivity decision must start with a formal risk conversation — not a technical one There is a moment that every security leader in an operational technology environment eventually faces. A business leader walks in with a compelling case: real-time analytics, remote monitoring, predictive maintenance, integration with the enterprise data platform. The benefits are real, the pressure is genuine, and the timeline is already set. The question that lands on your desk is not "should we connect this?" — it has already been decided. The question is "how do we connect this?" That moment is exactly where Principle 1 of the NCSC's Secure Connectivity Principles for Operational Technology is designed to intervene. The principle is deceptively simple: before you design, before you architect, before you choose a vendor or write a firewall rule, you must be equipped to ma...

A phased, practical action plan for building a DPDP compliance program that actually holds up Parts 1 and 2 of this series gave you the foundation. You know what the DPDP Act is, who it applies to, and what each obligation requires. Now it’s time to answer the question that every practitioner has been sitting with throughout this series: where do I actually start, and how do I build a program that will hold up? This is the CISO’s DPDP Readiness Roadmap. It’s organized the way real compliance programs are actually built — not as a single sprint, but as a phased effort that starts with understanding your current state, moves through building the capabilities you need, and matures into sustained operational discipline. Each phase has specific workstreams, practical guidance, and honest commentary about what’s hard and what’s commonly missed. Use this as a framework and adapt it to your organization’s size, your existing privacy maturity, and your specific risk profile. A 50-person fintech...

What the law actually requires you to do — and how to think about each obligation before the rules are finalized In Part 1, we covered the foundation: what the DPDP Act is, who it applies to, what rights it gives individuals, and why it demands CISO ownership. If you haven’t read Part 1, go back and start there — this article builds directly on it. Here in Part 2, we’re going operational. We’re walking through each major obligation the DPDP Act places on Data Fiduciaries and breaking down what they actually mean in practice. By the end of this article, you should be able to look at your current data program and identify, at a high level, where your gaps are. One important note before we dive in: as of early 2026, India’s Ministry of Electronics and Information Technology is still finalizing the DPDP Rules — the secondary legislation that will spell out specific timelines, formats, technical standards, and procedures. The Act itself is law, but some procedural specifics are still being ...

A plain-English breakdown of India’s landmark data privacy law — and why it belongs on your radar right now If your organization touches the personal data of anyone living in India — a customer, a user, an employee, a job applicant — India’s new data protection law applies to you. It doesn’t matter if your headquarters is in San Jose, London, or Singapore. It doesn’t matter if you have a single office in India or none at all. If you are collecting, storing, or processing digital personal data of Indian residents, you are in scope. That law is called the  Digital Personal Data Protection Act , or the DPDP Act. India’s Parliament passed it in August 2023, and while the supporting rules that will define some operational specifics are still being finalized as of early 2026, the core law is active. Smart CISOs aren’t waiting for the complete rulebook before they start preparing — because when enforcement kicks in, the clock won’t reset and the regulator won’t be sympathetic to organ...