Skip to main content

Posts

India's DPDP Compliance Obligations

What the law actually requires you to do — and how to think about each obligation before the rules are finalized In Part 1, we covered the foundation: what the DPDP Act is, who it applies to, what rights it gives individuals, and why it demands CISO ownership. If you haven’t read Part 1, go back and start there — this article builds directly on it. Here in Part 2, we’re going operational. We’re walking through each major obligation the DPDP Act places on Data Fiduciaries and breaking down what they actually mean in practice. By the end of this article, you should be able to look at your current data program and identify, at a high level, where your gaps are. One important note before we dive in: as of early 2026, India’s Ministry of Electronics and Information Technology is still finalizing the DPDP Rules — the secondary legislation that will spell out specific timelines, formats, technical standards, and procedures. The Act itself is law, but some procedural specifics are still being ...
Read more
Recent posts

Understanding India's DPDP Act

A plain-English breakdown of India’s landmark data privacy law — and why it belongs on your radar right now If your organization touches the personal data of anyone living in India — a customer, a user, an employee, a job applicant — India’s new data protection law applies to you. It doesn’t matter if your headquarters is in San Jose, London, or Singapore. It doesn’t matter if you have a single office in India or none at all. If you are collecting, storing, or processing digital personal data of Indian residents, you are in scope. That law is called the  Digital Personal Data Protection Act , or the DPDP Act. India’s Parliament passed it in August 2023, and while the supporting rules that will define some operational specifics are still being finalized as of early 2026, the core law is active. Smart CISOs aren’t waiting for the complete rulebook before they start preparing — because when enforcement kicks in, the clock won’t reset and the regulator won’t be sympathetic to organ...
Read more

Winning the Room: How to Gain and Keep Executive Support

Blog Series: Your First 90 Days as a CISO Post 4 of 4 A Plain-English Guide for New, Aspiring, and Future Security Leaders Here's a truth that many talented security professionals discover too late: you can be technically brilliant, deeply experienced, and genuinely committed to protecting the organization — and still fail as a CISO if you don't have executive support. Security programs require funding. They require organizational authority. They require the ability to make decisions that sometimes create friction for other business units. They require the backing to hold lines when the pressure to cut corners for speed or convenience is intense. None of that happens without the support of the people at the top of the organization. And yet, earning and keeping executive support is exactly the area where security leaders most often struggle. The technical skills that make someone a great security professional don't automatically translate into the c...
Read more

Days 61–90: Start Executing and Show Early Wins

Blog Series: Your First 90 Days as a CISO Post 3 of 4 A Plain-English Guide for New, Aspiring, and Future Security Leaders You've listened. You've assessed. You've built your roadmap and started making your business case. Now it's time to actually do something — and to do it in a way that builds credibility, creates momentum, and sets the tone for the security program you're building. The final 30 days of your first quarter are where theory meets reality. This is when you shift from being the new CISO who's been asking questions and taking notes to being the CISO who executes. That transition matters. People have been patient. They've given you time to learn. Now they want to see what you're going to do with everything you've learned. The key is to move strategically, not frantically. It's tempting to try to tackle everything at once — you've spent 60 days building a long list of things that need to change, and the p...
Read more

Days 31–60: Assess the Landscape and Build Your Roadmap

Blog Series: Your First 90 Days as a CISO Post 2 of 4 A Plain-English Guide for New, Aspiring, and Future Security Leaders The listening phase is behind you. You've spent your first month meeting people, asking questions, and building a mental model of the organization. Now it's time to put that knowledge to work. Days 31 through 60 are the analytical heart of your first 90 days. This is when you move from gathering impressions to building a structured, evidence-based picture of where the security program actually stands. And critically — this is when you start translating that picture into a plan. A real plan. One with priorities, timelines, and a clear story about where you're taking the security program and why. A word of warning before we dive in: this phase requires intellectual honesty. It's tempting to frame your assessment in whatever light makes the path forward easiest. Maybe you want to avoid bad news that might reflect poorly on you...
Read more

Days 1–30: Listen, Learn, and Don't Break Anything

Blog Series: Your First 90 Days as a CISO Post 1 of 4 A Plain-English Guide for New, Aspiring, and Future Security Leaders Congratulations. You just landed the CISO role. Whether it's your first time in the seat or you're stepping up from a deputy or director position, the moment is real — and so is the pressure that comes with it. Here's the thing nobody tells you in the interview process: the first 30 days aren't really about security. They're about you becoming someone this organization trusts. The technical problems — the vulnerabilities, the policy gaps, the outdated tools — they'll still be there in 60 days. What won't wait is the window you have to establish yourself as a leader who listens, learns, and earns credibility before swinging the axe. This post is going to walk you through exactly how to use those first 30 days to build the foundation your entire tenure will rest on. We'll cover who to meet, what to ask, what t...
Read more