
Bengaluru, 3rd October 2025: Cybersecurity is no longer just about firewalls and compliance checklists; today it is about people, culture, and continuous vigilance. Having conducted more than 100 risk assessments across industries such as BFSI, Oil & Gas, Telecom, and Travel Tech, Mr. Sahil Ajitsaria brings a perspective shaped by diverse sectoral experience and certifications including CISM, CISA, and Stanford's cybersecurity diploma.

Join Mr. Sahil Ajitsaria, Head of Cyber Security Operations at slice, in a candid conversation with Mr. Marquis Fernandes, who spearheads the India Business at Quantic India. Sahil shares hard-hitting insights on why employees remain the weakest link, how automation and AI are reshaping security practices, the fine balance between compliance and agility, and why building a true culture of security matters more than ever.

In your 100+ risk assessments across sectors like BFSI, Oil & Gas, and Telecom, what recurring security gap have you found that organizations consistently underestimate?

Well, if we really think about it, it is actually quite simple. The strongest and the weakest link of any organization are its employees. Organizations may spend millions and billions of rupees on security tools; however, if its employees are tricked by social engineering and phishing, even preventive security controls are bound to fail. Maintaining security in any company is not the job of just the Risk Department, but of the complete entity as a whole. Industries need to focus on educating their employees on phishing, vishing, smishing and whaling with real and interactive sessions/ tests rather than just letting the IT/ IS Team run the show in isolation. Leadership needs to realise that they are not different; rather, they are more prone to such attacks. Therefore, instead of focusing on mere compliance, companies should focus on building and inculcating a security culture.

How do you balance regulatory compliance and business agility when managing security for fast, evolving industries like telecom and travel tech?

Automation, Artificial Intelligence and Machine Learning are already here and are gradually becoming an integral part of the mainstream industry. We are striving to become agile and moving away from the traditional way of doing business. However, the principle of managing fast-evolving industries remains the same: follow a risk-based, security-by-design approach with the help of automation in order to reduce manual and moribund work. This also ensures that regulations are taken care of.

For instance, multiple APIs are in use in both the travel and telecom industries. Traditionally, these APIs used to get manually tested and then put into production, which used to be really time-consuming. However, these days, API security testing is directly integrated into CI/CD pipelines using solutions such as SAST/ DAST. In addition, as a part of security by design, (i) secure authentication along with MFA; and (ii) the principle of least privilege based on RBAC are applied while building the API. TLS is enforced and data masking/ tokenization is performed for PII/ SPII. In the case of public-facing APIs, a WAF is implemented to ensure application-level protection. If we do this, regulatory requirements for APIs are automatically taken care of.

Security is easy, provided it is approached in the right way. Regulations look tough, but they are mere guardrails to reduce the risk exposure. If we implement security in the right manner, regulations would not look tough at all.
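The API controls named in the previous answer (MFA-gated authentication, least privilege through RBAC, and masking or tokenization of PII before a response leaves the service) are easier to see in code than in prose. The following is an added example written for this page, not code from slice or from the interviewee; the roles, permissions, customer record and the `Principal` type are all constructed for illustration, and the tokenization key is assumed to come from a vault or HSM in a real deployment rather than being generated at import time.

```python
"""Added example (not from the interview): a small 'security by design' API
handler showing MFA-gated authentication, least privilege via role-based
permissions, and masking / tokenization of PII before it leaves the service.
Roles, permissions, records and names are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Least privilege: each role gets only the permissions it needs.
ROLE_PERMISSIONS = {
    "support_agent": {"customer:read"},               # sees masked PII only
    "kyc_reviewer": {"customer:read", "pii:reveal"},  # may see unmasked identifiers
}

# Constructed sample data; a real service would read from a datastore.
CUSTOMERS = {
    "C1001": {"name": "Asha Rao", "mobile": "9876543210", "pan": "ABCDE1234F"},
}

# Secret for deterministic tokenization. Assumption: in production this key
# lives in a vault/HSM; generating it here keeps the example self-contained.
_TOKEN_KEY = secrets.token_bytes(32)


@dataclass
class Principal:
    """Authenticated caller as established by the auth layer (hypothetical)."""
    subject: str
    role: str
    mfa_verified: bool = False


class ApiError(Exception):
    """Carries the HTTP status the handler would return."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def tokenize(value: str) -> str:
    """Replace a sensitive identifier with a keyed, non-reversible token.
    The same input always maps to the same token, so records can still be
    joined on it without exposing the raw value."""
    digest = hmac.new(_TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def mask_mobile(mobile: str) -> str:
    """Keep only the last four digits: '9876543210' -> '******3210'."""
    return "*" * (len(mobile) - 4) + mobile[-4:]


def authorize(principal: Principal, permission: str) -> None:
    """Deny by default: missing MFA, unknown roles and missing permissions all fail."""
    if not principal.mfa_verified:
        raise ApiError(401, "MFA verification required")
    if permission not in ROLE_PERMISSIONS.get(principal.role, set()):
        raise ApiError(403, f"role '{principal.role}' lacks '{permission}'")


def get_customer(principal: Principal, customer_id: str) -> dict:
    """Handler for GET /customers/{id}. PII is masked or tokenized unless the
    caller's role carries the explicit 'pii:reveal' permission."""
    authorize(principal, "customer:read")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise ApiError(404, "no such customer")
    reveal = "pii:reveal" in ROLE_PERMISSIONS.get(principal.role, set())
    return {
        "id": customer_id,
        "name": record["name"],
        "mobile": record["mobile"] if reveal else mask_mobile(record["mobile"]),
        "pan": record["pan"] if reveal else tokenize(record["pan"]),
    }


if __name__ == "__main__":
    agent = Principal("agent-7", "support_agent", mfa_verified=True)
    print(get_customer(agent, "C1001"))  # masked mobile, tokenized PAN
```

Two design points carry the weight here: authorization is deny-by-default (an unlisted role gets nothing, and MFA is checked before any permission lookup), and the unmasked path requires a separate, explicit permission rather than being the default that masking is bolted onto. Both are what "least privilege" and "security by design" mean in practice when the control is being built into the API rather than added by a WAF in front of it.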

How does your approach to layered security change based on the outcomes of a risk assessment versus a regulatory compliance mandate?

Let’s take a scenario to answer this. Imagine you live in a gated community which has 5 blocks, with each block having 5 floors and each floor having 5 apartments. You own a 3 BHK apartment on the 5th floor of the 5th block and you possess gold and diamonds which are placed in a locker inside one of your closets.

Now, if a thief has to steal your jewellery, what are the layered physical security controls that one needs to bypass? 1st – Gated Community (Perimeter) Security guard; 2nd – 5th Block Security Guard at the ground floor reception; 3rd – Your apartment’s main door on the 5th floor; 4th – Access to your room which has the almirah; 5th – Access to your almirah inside the room; and 6th – Your locker inside the closet. However, from a compliance perspective, you may just put your jewellery in the closet without any locks, thinking who would actually bypass the security guards and the main door, which would obviously be locked.

The thief, instead of coming in daylight, comes post midnight, during the weekend when you’re vacationing. Instead of going through the perimeter gate, the thief climbs the perimeter wall, gets inside the gated community, climbs through pipes to the 5th floor of the 5th block, enters your apartment through your balcony, goes to the room, opens up the closet and steals the jewellery. Now, one may think this is very rare and does not happen in real life. Well, it does happen, and there are numerous cases around it.

Therefore, in any organization of any industry, it is vital to (i) first understand the critical assets/ information assets based on a risk assessment; (ii) evaluate the risk to them based on probability and impact; and then (iii) apply layered security controls in order to prevent them from getting compromised. Depending upon the type of industry, security-related compliance requirement(s) may or may not exist. Even if they exist, they may be the bare minimum, especially in new-age tech. However, protecting what is vital to us is our responsibility. Regulations should be treated as guardrails rather than roadblocks. If the risk-based approach is embedded in our systems, then regulations would rather become easier to attain.

I would also like to point out that a few highly regulated/ supervised entities falling under the ambit of regulators such as RBI, SEBI or IRDAI may sometimes feel that regulators are a bit unreasonable in asking for the implementation of layered security controls, and they may contemplate whether they should focus on their business or manage regulators. In this scenario, what we might be failing to realise is that whenever large-scale public interest(s)/ money/ data is involved, the nation’s interest comes first, that is, we, the people who form an integral part of the nation. Hence, ensuring public interest is paramount.

You’ve transitioned across industries like BFSI, IT, travel, and oil & gas. How has working in such diverse sectors shaped your philosophy towards cybersecurity?

Frankly speaking, cyber security is easy irrespective of the industry. It’s just about understanding the technology in use, identification of critical assets/ information assets, understanding of the corresponding risks involved and implementation of guardrails (both preventive and detective) in order to reduce the overall exposure. However, it’s a continuous process, not a one-time or a continual one.

Having earned prestigious certifications like CISM, CISA, and a Stanford cyber security diploma, how do you stay motivated and continually upskill in such a demanding field?

Well, simply put, it has always been a need of the hour. Just like doctors, cyber security is all about understanding new tech and upskilling yourself so that security can be applied accordingly. If you stop learning, you’re out of your game.

What was one moment in your career where you felt your work had a meaningful impact on protecting a business or its customers?

When I started working with a Bank, I felt not just responsible, but rather accountable for protecting the bank’s customers’ money and data. Customer(s) deposit their hard-earned money in their Bank by having faith in them, believing that their money would be safe and that the Bank would help them in their time of need. It’s a VERY BIG responsibility and expectation to keep up with. Imagine a woman aged 70+ having saved her hard-earned money with us and, just when she needs it, she gets to know that her account does not have funds, just because the Bank did not have secure systems to safeguard her money. The day we realise how important our job is, it doesn’t stay a job anymore. It becomes a responsibility which drives us automatically.

As this conversation with Mr. Sahil Ajitsaria highlights, cybersecurity is ultimately about responsibility towards organizations, regulators, and, most importantly, people. From demystifying layered security to emphasizing a culture beyond compliance, Sahil reminds us that technology alone cannot safeguard anything; what matters most is responsibility paired with awareness, vigilance, and accountability. His journey across diverse industries and his candid reflections reinforce a simple but powerful truth: security is not a checkbox, it’s a continuous commitment. And in an era where threats evolve daily, that commitment is what will define truly resilient organizations.
