Navigating Cyber Crises in PSUs and Government – A Strategic Imperative: Subhash Chand, CISO, ICAR-IASRI

By Subhash Chand, CISO, ICAR-IASRI

In today’s rapidly evolving digital landscape, government departments and Public Sector Undertakings are undergoing a profound transformation. With increased reliance on digital platforms to deliver public services, the exposure to cyber threats has grown exponentially. As custodians of critical national data and public trust, it is imperative that PSUs and government institutions adopt a comprehensive and forward-looking approach to managing cyber crises.

Understanding the Unique Challenges

Government systems are inherently different from their private sector counterparts—largely due to legacy frameworks, complex hierarchies, and often under-resourced IT environments. Key challenges include:

• Legacy IT Infrastructure: Many departments operate on aging systems that were never designed with modern cybersecurity in mind.
• Skill Gaps: A limited pool of cybersecurity professionals with domain-specific experience in public sector architecture remains a major constraint.
• Delayed Decision-Making: Bureaucratic layers can slow down the response time during a cyber incident, allowing threats to escalate.
• Budgetary Constraints: Competing priorities often mean that cybersecurity doesn’t receive the attention or investment it deserves.
• Awareness Deficit: A significant portion of end users lack basic cyber hygiene training, making them vulnerable to phishing, ransomware, and social engineering attacks.

These challenges must be addressed systematically to prepare for and respond effectively to cyber crises.

Fostering a Robust Digital Culture

Cyber resilience begins with culture. It is not enough to deploy cutting-edge technologies—what’s needed is a change in mindset across all levels of government.

1. Leadership Engagement: Cybersecurity must be viewed as a boardroom issue. Senior officials should champion and fund cyber initiatives.
2. Continuous Awareness Programs: Routine training sessions, simulations, and cyber drills should be conducted to instill readiness.
3. Clear Policies and Governance: Establishing well-defined roles, responsibilities, and escalation mechanisms helps streamline responses during incidents.
4. Integrated Risk Management: Cyber risks must be embedded into the wider enterprise risk frameworks and business continuity plans.

When culture shifts from reactive to proactive, the entire security posture strengthens.

Transitioning from Traditional to Modern Solutions

The traditional model of perimeter security and periodic audits is no longer sufficient. As threats grow in scale and sophistication, PSUs must adopt:

• Extended Detection and Response (XDR) for unified threat visibility across endpoints, cloud, and networks.
• AI-Driven SOCs (Security Operations Centers) that can detect anomalies in real time and reduce dwell time.
• Zero Trust Architecture, where verification is continuous and identity-based, regardless of location or device.
• Automated Incident Response Tools that ensure rapid containment and recovery, even during non-business hours.

This paradigm shift requires investment not just in tools, but also in integration, interoperability, and scalability of cybersecurity platforms.

The Way Forward: Best Practices for Resilience

As a cybersecurity practitioner in the public research domain, I strongly advocate for the following strategies to build lasting resilience:

• Alignment with National Frameworks: All cybersecurity strategies should be in harmony with guidelines from CERT-In, NCIIPC, and MeitY.
• Collaborative Ecosystems: Engage in Public-Private Partnerships (PPPs) for threat intelligence sharing, skill development, and innovation.
• Regular Drills and Red Team Exercises: These stress tests help reveal vulnerabilities before attackers do.
• Comprehensive Data Governance: Ensure that sensitive data is encrypted, backed up, and hosted within national jurisdictions.
• Cyber Crisis Playbooks: Develop and rehearse standard operating procedures for breach scenarios, ensuring clarity of action and accountability.
• Cyber Insurance Readiness: While still nascent in India, cyber insurance can cushion the financial impact of large-scale breaches.

Cybersecurity in government is no longer an IT issue—it is a strategic necessity. In the face of evolving threats, PSUs must modernize, not just their infrastructure, but also their mindset. A digitally secure India can only be realized when governance embraces a culture of resilience, collaboration, and continuous evolution.

As we move forward, it is vital that we treat cybersecurity not as a checkbox compliance exercise, but as an enabler of secure, efficient, and citizen-centric governance.

About Subhash Chand:

Subhash Chand is the Chief Information Security Officer (CISO) at ICAR-IASRI, New Delhi. With over two decades of experience in ICT governance and cybersecurity in public sector research, he has been a key contributor to digital resilience initiatives across agricultural research institutions in India.