NTT Data's Sheetal Mehta on mitigating shadow AI and other security gaps

Global IT services firm NTT DATA's cybersecurity arm is experiencing significant growth in recent times, generating $2 billion in revenue across 45 countries, including India. In a recent visit to India, Sheetal Mehta. Senior Vice President and Global Head of Cybersecurity at NTT Data explains to TechCircle the security challenges of increased AI adoption, strategies for closing the cyber skills gap, and how the company helps organisations combat evolving AI-driven threats. He also believes that the company’s "glocal" model, combining global resources with local partnerships, is a key differentiator, allowing them to leverage a global ecosystem while providing tailored solutions based on local needs. Edited excerpts.

What are the key cybersecurity challenges enterprises are facing, especially with increased AI adoption?

Enterprises consistently face cybersecurity gaps in a number of areas. First, the human element remains the weakest link, requiring companies to cultivate a culture of security. Second, security complexity, driven by fragmented tools that is overwhelming for CISOs and CIOs. Third, boards lack business-relevant visibility into cyber risk, hindering informed decision-making. Finally, silos between security and business teams impede alignment and focus on business outcomes.

Today's CISOs grapple with shadow IT, a challenge now mirrored in AI adoption. Unlike well-controlled core IT, shadow AI lacks visibility, creating security blind spots. A primary concern for CISOs is discovering these unknown AI applications within their organisations. The industry challenge lies in CISOs often being brought in too late, treated as gatekeepers rather than enablers.

AI also introduces a new attack surface, creating vulnerabilities, risks, and threats for enterprises to manage. For example, poisoning AI-driven repositories on platforms like GitHub could cause significant supply chain disruptions. Additionally, deepfakes are transforming phishing attacks, enabling more effective enterprise breaches. These scenarios illustrate how AI can create real threats to enterprise systems.

Do you also see AI eliminating some of the earlier problems that cybersecurity enterprises were facing? What were the changes?

While AI hasn't eliminated these fundamental issues, it has accelerated the pace of transformation. Board visibility has improved due to regulations holding senior management accountable for cyber incidents, leading to increased CISO funding, especially in regulated industries. However, the core challenges persist: building a lasting security culture, simplifying enterprise cybersecurity, driving top-down alignment, and ensuring CISOs communicate business value. In the AI era, security must enable speed and agility, rather than impede them.

How can organisations defend against the evolving AI-driven threats?

Indian CISOs should prioritise discovering unknown AI usage, followed by establishing a formal AI security policy aligned with business strategy. This alignment ensures both security and business acceleration progress in tandem. Equally important is embedding security and resilience by design, encompassing threat and vulnerability coverage and robust data handling policies, including content-based authorisation. Say, as organisations accelerate GenAI adoption, cybersecurity must be embedded from the outset to reinforce resilience. Finally, enterprises require a formal policy for managing non-human identities such as AI agents, addressing access and control as the number of AI agents grows.

With the skills gap in cybersecurity, how are you addressing the need for extensive training in cloud, network security, and generative AI?

We are integrating new tools with standard learning techniques to support future skill development. Our teams are gaining expertise in areas like cloud, network, and generative AI, along with cybersecurity knowledge and AI tools. This combination of standard learning and practical application is facilitated by a co-build ecosystem.

Our cybersecurity program offers structured advancement with required certifications. Employees gain foundational knowledge, while specialists receive tailored training for career growth (e.g., threat management, digital identity). Broad training in cloud, containers, networks, and LLMs is supplemented by tools for customer support and future readiness. We also partner with academic institutions globally through our fresher and lateral programs. Our global Gen AI practice has trained hundreds of employees worldwide in basic AI skills, treating AI proficiency as a fundamental requirement, similar to Python.

How can companies manage to strike a balance between the IT-OT security challenges?

Many enterprises maintain strong security across their core IT infrastructure. However, security often weakens in extended infrastructure like manufacturing or operational technology (OT) environments due to challenges like legacy systems and inconsistent patching. NTT DATA addresses this IT-OT security gap with a three-pronged approach. 

First, we help customers assess their OT security baseline to understand their current risk posture. Second, we enforce security controls tailored to legacy environments, minimising disruption while deploying necessary protections. Finally, we provide continuous 24/7 monitoring to maintain OT environment security and proactively address evolving threats and vulnerabilities. In short, we offer comprehensive lifecycle management for OT environments.

What is your focus in India in the next one year?

Our global strategy focuses on making cybersecurity a business enabler by offering advisory and strategic approaches to transformation and modernisation. We also emphasise building trust by embedding resilience within enterprise ecosystems, acknowledging the inevitability of cyber incidents. Therefore, we help customers build cyber resilience alongside enabling their business. 

In India, we leverage our global capabilities by expanding our presence and running deliveries and operations, including establishing Security Operations Centres and Security Experience Centres. While serving various verticals, including financial services, our primary focus is on helping Indian customers transform through modernisation, resilience building, improved visibility, and strong recovery controls. We assist them in innovating and transforming, working on POC and POV initiatives around AI for security and security for AI.

In what ways do you have an edge over your competition?

One unique advantage we bring, which many others don’t, is our ownership of data centres. This allows us to deploy solutions, including large language models, directly within our infrastructure. Additionally, we handle a massive volume of internet traffic through our own networks, which gives us deep threat visibility, another critical differentiator. Altogether, our full-stack capability and infrastructure backbone offer significant value to our customers. 

Finally, our platform-centric approach is a key differentiator in the AI ecosystem, leading to superior revenue per resource compared to traditional, people-based GSIs. This platform focus, along with a significant customer base already utilising our platforms, sets us apart. Furthermore, our balanced local and global delivery model, particularly crucial in cyber, provides customers with the necessary local support backed by global expertise. NTT DATA's structure strongly supports this local delivery capability.