CISO Q&A: Santosh Kamane: “CISOs Must Speak Business, Not Just Security” 

CISO Santosh Kamane shares his unique perspective on security challenges.

Last updated on Apr 22, 2026 7 Minutes To Read
Written by Mirren McDade

“Technology can be bypassed – a skilled, engaged team can’t be easily replaced” says Santosh Kamane. 

Cybersecurity professionals have one of the most demanding jobs in modern business: the threat landscape never stops evolving, and they must navigate a constant stream of challenges and obstacles to bring their security posture to where it needs to be. Doing so requires strategic vision and the ability to balance business enablement with risk management.

In this series we will be interviewing cybersecurity professionals from a wide range of backgrounds, industries, and experience levels to bring you their insights into cybersecurity today: the challenges they face now and expect to face in the near future, the realities of what it takes to defend complex global environments, and the advice they would offer other CISOs and cybersecurity professionals.

Santosh Kamane is a cybersecurity and data privacy leader with over 20 years of experience across the banking, fintech, and enterprise sectors. He has held CISO roles in global enterprises in India and the USA, is a board advisor and founder, and has experience guiding organizations through security strategy, risk management, and regulatory compliance aligned with ISO 27001, ISO 42001, GDPR, and NIST.

As the founder of Rivedix Technology Solutions, he leads cybersecurity consulting and AI governance services, helping organizations build secure and compliant ecosystems. Santosh is also a mentor and educator, known for his CISO masterclasses, ISO 42001 training, and practical approach to developing cybersecurity talent.  

We spoke to Santosh Kamane to get his perspective on the challenges of maintaining ongoing cyber resilience. Read on for Santosh’s insightful responses to our questions: 

What cybersecurity challenges do your team deal with on a day-to-day basis? 

Cybersecurity is a dynamic landscape that is evolving every day. The nature and type of threats have also changed with evolving technology. However, in a CISO’s regular day, the biggest daily challenge isn’t just technology threats; it’s also managing the human factor. You name it: phishing attempts, social engineering, and poor cyber hygiene all create just as many risks as sophisticated malware. People, process, and technology continue to be the key areas where security should be integrated, as gaps in any of them can lead to a compromise of the confidentiality, integrity, and availability of information.

In addition to this, we are also dealing with visibility gaps in hybrid environments (especially in a post-COVID world) with shadow IT and unsanctioned SaaS tools. In the past few weeks, our focus has been more on preventing data leakage from shadow AI tools.

How have the challenges you deal with evolved in the last few years? 

When I started my career in the early 2000s, the focus was limited to perimeter security (firewalls, antivirus, and VPNs), and then gradually moved to operating systems and applications.

Today, in the world of AI, blockchain, IoT, Web 3.0, and so on, threats are identity-driven and supply-chain-driven. We’re fighting credential theft, deepfake-enabled scams, and risks from AI-generated phishing.

A few years ago, ransomware was opportunistic; now it’s targeted, with attackers spending weeks in reconnaissance before striking.

Also, regulatory complexity has exploded – you see, we have already moved into the EU AI Act, DPDPA, NIS2, DORA, and so on.

How have you set your team up for success dealing with these challenges? 

We operate on a ‘predict, prevent, detect, respond’ cycle, but the human element is key. I’ve built cross-functional squads where security analysts work directly with business as well as technology teams, including DevOps, cloud engineers, and even legal. It’s important for the team to understand the business context, identify opportunities for security integration, and work closely with stakeholders while educating them on their security responsibilities.

For example, when we rolled out Zero Trust, we embedded a security engineer inside each business unit for 3 months to guide them hands-on. That reduced pushback and improved adaptation. 

What technologies, partners, and vendors help you when dealing with these challenges? 

We don’t believe in a ‘one vendor saves all’ approach; it’s not practically possible. Equally, you can’t have too many tools in your infrastructure, adding to the complexity and confusion for CISOs.

At a minimum, obviously, EDR/XDR for endpoint security, SIEM and SOAR for correlation, CSPM for cloud posture management, security awareness platforms, and DevSecOps tools have become the backbone of security programs.

How do you evaluate new vendors in the cybersecurity space? 

With cybersecurity being a key focus area for businesses, there are several vendors with promising solutions in the market today. The cybersecurity domain requires continuous research and updates, or tools would become obsolete in no time as threats continue to evolve.

We usually follow a three-step approach: 

  1. Problem fit: Does this solve a real gap or is it just shiny tech? 
  2. Integration: Will it work with our existing stack without creating alert fatigue? 
  3. Sustainability: Will the vendor still be around in 3 years, and how quickly do they adapt to new threats? 

How do you balance security with business agility? 

Security without agility is bureaucracy, and agility without security is chaos. We achieve balance by shifting security left, embedding controls into DevOps pipelines so they’re not an afterthought. Security by design and security by default are founding pillars of any cybersecurity strategy.  

Security could be a speed bump, not a roadblock. 
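The pipeline-embedded control Santosh describes above, as an added example that is not part of the interview: a policy gate a CI job runs over a dependency scanner's findings before a build is promoted. The scanner schema, the advisory IDs (placeholders, not real advisories), the dates and the waiver register are all constructed for illustration. Waivers are time-boxed on purpose, so an accepted risk becomes a blocking finding again once its expiry passes instead of being forgotten.

```python
# Added example, not from the interview: a "shift-left" policy gate that a CI
# pipeline runs over a dependency scanner's JSON findings before a build can be
# promoted. The scanner schema, advisory IDs, dates and policy values below are
# constructed for illustration (the IDs are placeholders, not real advisories).
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    severity: str
    fixed_in: str | None


# Constructed scanner output in a hypothetical schema.
SAMPLE_SCAN = json.dumps({"findings": [
    {"package": "libfoo", "version": "1.2.0", "advisory": "ADV-EXAMPLE-001",
     "severity": "critical", "fixed_in": "1.2.1"},
    {"package": "libbar", "version": "0.9.3", "advisory": "ADV-EXAMPLE-002",
     "severity": "high", "fixed_in": None},
    {"package": "libbaz", "version": "3.0.0", "advisory": "ADV-EXAMPLE-003",
     "severity": "medium", "fixed_in": "3.0.2"},
    {"package": "libqux", "version": "2.4.1", "advisory": "ADV-EXAMPLE-004",
     "severity": "high", "fixed_in": "2.5.0"},
]})


def waiver(expiry_iso: str, reason: str) -> tuple[date, str]:
    """A time-boxed risk acceptance: once the expiry passes, the finding blocks again."""
    return date.fromisoformat(expiry_iso), reason


# Constructed exception register, keyed by advisory ID.
SAMPLE_EXCEPTIONS = {
    "ADV-EXAMPLE-002": waiver("2026-06-30", "no fix released; compensating control in place"),
    "ADV-EXAMPLE-004": waiver("2026-01-31", "upgrade was scheduled for January"),
}


def parse_findings(raw: str) -> list[Finding]:
    """Parse scanner JSON; an unknown severity is an error, not a silent pass."""
    findings = []
    for item in json.loads(raw)["findings"]:
        sev = item["severity"].upper()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for {item['package']}")
        findings.append(Finding(item["package"], item["version"],
                                item["advisory"], sev, item.get("fixed_in")))
    return findings


def evaluate_gate(findings, exceptions, today, threshold="HIGH"):
    """Sort findings into blocking / waived / below-threshold buckets."""
    blocking, waived, below = [], [], []
    for f in findings:
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]:
            below.append(f)
            continue
        entry = exceptions.get(f.advisory)
        if entry is not None and entry[0] >= today:
            waived.append(f)
        else:
            blocking.append(f)  # no waiver, or the waiver has expired
    return blocking, waived, below


def run_gate(raw=SAMPLE_SCAN, exceptions=SAMPLE_EXCEPTIONS,
             today_iso="2026-04-22", threshold="HIGH"):
    """Convenience wrapper returning the advisory IDs in each bucket."""
    b, w, l = evaluate_gate(parse_findings(raw), exceptions,
                            date.fromisoformat(today_iso), threshold)
    return {"blocking": [f.advisory for f in b],
            "waived": [f.advisory for f in w],
            "below_threshold": [f.advisory for f in l]}


def gate_passes(**kwargs) -> bool:
    """True when nothing blocks; a CI step would map this to its exit status."""
    return not run_gate(**kwargs)["blocking"]


if __name__ == "__main__":
    for bucket, ids in run_gate().items():
        print(f"{bucket:16} {ids}")
    raise SystemExit(0 if gate_passes() else 1)
```

With the constructed data and a run date of 2026-04-22, the critical finding and the high finding whose waiver expired in January block the build, the high finding with a live waiver is reported but not blocking, and the medium finding sits below the threshold. Running the same gate with a different `today_iso` or `threshold` shows how the policy, not the scanner, decides what stops the pipeline.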

In your experience, what are the key factors that separate high-performing security teams from average ones? 

There are many key factors: 

  1. Proactivity: Hunting for threats before alerts come in. Don’t wait until it hits you. Know what threats are around you and how relevant they are, and put the right measures in place before they impact you.
  2. Business understanding: Knowing how a cyber incident impacts revenue, customers, and compliance—not just systems. This also requires strong soft skills, so that cybersecurity experts can effectively communicate and coordinate security initiatives across the organization.
  3. Continuous learning: High-performing teams treat every incident as a learning exercise and adapt fast.

I’ve seen technically brilliant teams fail because they didn’t communicate risks in business language. The best teams translate ‘CVE-2024-XXXX’ into ‘this could stop online payments for 4 hours and cost X dollars’. Use the language that the business understands.

What impact do you see new technologies like AI having on your day-to-day? Do you see AI having a long-term impact?

I have been actively engaged in AI governance advisory, consultancy, and implementation, especially in the areas of ISO 42001 and the EU AI Act. Building responsible AI that is secure and safe is crucial.

On one hand, we use AI for threat detection, anomaly spotting, and automating repetitive SOC tasks, which frees analysts to focus on complex incidents. On the other hand, attackers are using AI to generate highly convincing phishing emails and deepfake voice calls. 

We all know that in the long term, AI will become a standard part of cyber defense, but organizations will need AI governance frameworks to prevent bias, data leakage, and misuse. That’s what I have been promoting in my ISO 42001 masterclass sessions.

What are the biggest misconceptions organizations have about building secure and responsible AI systems? 

The biggest misconception is thinking AI security = AI model security. In reality, AI risk starts at data ingestion; if your training data is poisoned, your model’s decisions are compromised from day one.  

Another misconception is underestimating regulatory impact—the EU AI Act, NIST AI RMF, and ISO 42001 are not just for AI companies; they apply to any business embedding AI in products. Anyone building, using, or developing AI systems must work towards building trustworthy AI.

AI security is as much about ethics, transparency, and privacy as it is about algorithms. 
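The point above that AI risk starts at data ingestion, as an added example that is not part of the interview: a set of checks run on a training batch before any record reaches a model. The record schema, the ten-record batch, the manifest hash and the drift threshold are all constructed for illustration; a real pipeline would verify a manifest signed by the data owner rather than a dictionary held in the same process. The checks cover provenance (the bytes match what was approved), schema and duplicates, and a shift in class balance against earlier vetted data, which is what a silent relabelling of samples would produce.

```python
# Added example, not from the interview: integrity checks applied where training
# data is ingested, before any record reaches a model. The record schema, the
# ten-record batch, the manifest and the drift threshold are all constructed for
# illustration; a real pipeline would verify a signed manifest from the data owner.
from __future__ import annotations

import hashlib
import json
from collections import Counter

ALLOWED_LABELS = ("benign", "malicious")
REQUIRED_FIELDS = {"id", "text", "label"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_batch(records: list[dict]) -> bytes:
    """Serialise records as JSON lines with a stable key order so hashes are reproducible."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records).encode()


def parse_batch(batch: bytes) -> list[dict]:
    return [json.loads(line) for line in batch.decode().splitlines() if line.strip()]


# Constructed, previously vetted data: 8 benign / 2 malicious.
TRUSTED_RECORDS = [
    {"id": 1, "text": "quarterly report attached", "label": "benign"},
    {"id": 2, "text": "lunch menu for friday", "label": "benign"},
    {"id": 3, "text": "meeting moved to 3pm", "label": "benign"},
    {"id": 4, "text": "your invoice is ready", "label": "benign"},
    {"id": 5, "text": "holiday calendar updated", "label": "benign"},
    {"id": 6, "text": "minutes from monday standup", "label": "benign"},
    {"id": 7, "text": "parking permit renewal", "label": "benign"},
    {"id": 8, "text": "welcome to the team", "label": "benign"},
    {"id": 9, "text": "urgent: verify your account now", "label": "malicious"},
    {"id": 10, "text": "payment failed, re-enter card details", "label": "malicious"},
]
TRUSTED_BATCH = make_batch(TRUSTED_RECORDS)

# Class balance observed in earlier vetted batches (constructed baseline).
BASELINE_COUNTS = Counter({"benign": 80, "malicious": 20})

# What the data owner signed off on, recorded separately from the batch itself.
MANIFEST = {"sha256": sha256_hex(TRUSTED_BATCH), "record_count": len(TRUSTED_RECORDS)}


def validate_batch(batch: bytes, manifest: dict, baseline: Counter,
                   max_ratio_shift: float = 0.15) -> list[str]:
    """Return a list of issues; an empty list means the batch may be ingested."""
    issues: list[str] = []

    # 1. Provenance: the bytes must be exactly what the owner approved.
    if sha256_hex(batch) != manifest["sha256"]:
        issues.append("provenance: batch hash does not match manifest")
    records = parse_batch(batch)
    if len(records) != manifest["record_count"]:
        issues.append(f"provenance: expected {manifest['record_count']} records, got {len(records)}")

    # 2. Schema and duplicates: malformed or repeated records are rejected, not coerced.
    seen_ids: set = set()
    for r in records:
        missing = REQUIRED_FIELDS - r.keys()
        if missing:
            issues.append(f"schema: record {r.get('id')} missing {sorted(missing)}")
        elif r["label"] not in ALLOWED_LABELS:
            issues.append(f"schema: record {r['id']} has unknown label {r['label']!r}")
        if r.get("id") in seen_ids:
            issues.append(f"duplicate: id {r.get('id')} appears more than once")
        seen_ids.add(r.get("id"))

    # 3. Label drift: a sudden change in class balance is a classic poisoning signal.
    counts = Counter(r.get("label") for r in records)
    total = max(sum(counts.values()), 1)
    base_total = max(sum(baseline.values()), 1)
    for label in ALLOWED_LABELS:
        shift = abs(counts[label] / total - baseline[label] / base_total)
        if shift > max_ratio_shift:
            issues.append(f"drift: share of {label!r} moved by {shift:.2f} versus baseline")
    return issues


def ingest(batch: bytes, manifest: dict = MANIFEST, baseline: Counter = BASELINE_COUNTS) -> bool:
    """Accept a batch only when every check passes."""
    return not validate_batch(batch, manifest, baseline)


def tampered_batch() -> bytes:
    """Constructed test fixture: the same records with every 'malicious' label
    relabelled 'benign', the silent relabelling the checks above are meant to catch."""
    return make_batch([dict(r, label="benign") for r in TRUSTED_RECORDS])


if __name__ == "__main__":
    print("trusted batch accepted:", ingest(TRUSTED_BATCH))
    for issue in validate_batch(tampered_batch(), MANIFEST, BASELINE_COUNTS):
        print("tampered batch:", issue)
```

The trusted batch passes every check; the relabelled copy fails on provenance (its hash no longer matches the manifest) and on drift for both classes, because the share of benign records jumps from 0.8 to 1.0. The checks are deliberately independent, so a batch that somehow arrived with a valid hash but a skewed label distribution would still be held back for review.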

What advice would you give to fellow CISOs / industry practitioners? 

Speak business, not just security. Your board cares about risk, revenue, and reputation. Give practical solutions as a CISO. Work towards transforming security culture within the organization rather than just focusing on security tools.  

CISOs must spend more time with business teams than with technology teams to ensure the importance of cybersecurity is embedded into every project discussion.

Prepare for the breach you haven’t seen yet. Assume compromise and build resilience. Follow Zero Trust principles. A cyberattack may hit you at any moment; be ready with a strong incident response.

Invest in your people, not just your tools. Technology can be bypassed – a skilled, engaged team can’t be easily replaced. 

And remember—cybersecurity is a team sport. Build trust with IT, DevOps, legal, HR, and even marketing. 


Written by Mirren McDade, Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.