India’s city-level CISO mandate: Building a cyber-resilient urban future
As India’s cities become increasingly digitised, the need for robust cybersecurity at the local level has become critical. The Union Home Ministry has mandated the appointment of Chief Information Security Officers (CISOs) in cities to enhance urban cybersecurity. This marks a major shift in India’s cyber-governance strategy, placing security leadership at the centre of city administration.
Mandate objectives
The directive minimises reliance on external experts by building in-house cyber capabilities. Institutionalising the CISO within city governments embeds cybersecurity leadership into the local governance. CISOs will conduct periodic audits and real-time monitoring to secure command hubs and smart-city data flows. They will also manage digital grievance redressal and helplines for online abuse.
Standard Operating Procedures (SOPs) across states will guide threat classification, escalation and inter-agency cooperation. The government is bringing together a decentralised yet interoperable cybersecurity framework that integrates with central bodies such as CERT-In, UIDAI and the Intelligence Bureau.
City-level CISOs are critical
Smart Cities rely on complex IoT infrastructures, and each node, from water meters and traffic lights to surveillance cameras and citizen registers, is a potential threat. Given their familiarity with municipal operations, city-level CISOs can adjust cyber policies to local needs, ranging from water-treatment SCADA systems to real-time traffic management.
In the event of a ransomware attack, they can involve law enforcement, technical staff and public health or safety departments to ensure continuity. Permanent CISOs ensure accountability and faster crisis response. They will facilitate communication between state and central agencies, sharing intelligence on platforms such as the National Cyber Coordination Centre (NCCC).
Coverage of state assets
The mandate goes beyond municipalities to strategic state-owned assets. City-level CISOs will secure State Data Centres (DCs) using network segmentation and zero-trust models. They will also protect State Wide Area Networks (SWANs) by conducting security audits, encrypting data in transit and monitoring access logs for anomalies.
In state secretariat systems, CISOs will manage secure communication channels and privileged access for senior officials. They will lead incident-response drills to prepare teams for real-world threats. Local CISOs will train Common Service Centres (CSCs) operators in phishing awareness and enforce secure digital authentication practices. Public Sector Undertakings (PSUs) and academic institutions will appoint deputy CISOs to handle patch management, log monitoring and vulnerability assessments.
Coverage includes police databases and school systems, ensuring continuous cyber surveillance across critical infrastructure.
Mandate for state SOCs and security audit compliance
States must establish 24×7 Security Operations Centres (SOCs) to support city CISOs with analytics, threat intelligence and forensics. Standardised playbooks will also help respond to ransomware attacks, data breaches and insider threats. Per CERT-In’s updated breach notification requirements, breaches must be reported within six hours of detection.
Annual third-party audits will follow MeitY and the National Critical Information Infrastructure Protection Centre (NCIIPC) guidelines. The findings will be shared with city-level CISOs for remediation. Non-compliant departments will be penalised and must submit corrective plans under state-specific cyber governance policies.
Smart cities and cybersecurity readiness
India’s Smart Cities have rapidly expanded in digital infrastructure, but this growth has also increased exposure to cyberthreats. Legacy IoT setups lack strong authentication, exposing them to botnets and DDoS attacks. Sensitive data, including biometric and geospatial information, demands robust governance to avert breaches.
City CISOs will maintain command centres’ continuity, patch IoT firmware and align practices with CERT-In’s Smart City Cybersecurity Guidelines.
Building cybersecurity capacity
India is developing a robust talent pipeline through institutional initiatives and strategic collaboration. Under the Cyber Surakshit Bharat programme, the National e-Governance Division (NeGD) and leading technology firms have trained 1,662 CISOs and PSUs’ IT officials.
Rural Engineering Colleges (REC) and Industrial Training Institutes (ITI) now offer diplomas in network security, cryptography and incident handling, building grassroots SOC’s capacity. Initiatives such as citywide cyber drills, tabletop exercises and hackathons provide hands-on experience in threat modelling and response.
Towards national integration
Integration efforts are now unifying defences to overcome the risks of fragmented practices. Cities now feed real-time incident data into a centralised repository, enabling unified threat intelligence, predictive analytics and malware trend tracking. Standardisation is another priority, with nationwide adoption of encryption protocols and vulnerability assessments.
Frameworks such as ISO 27001 and MeitY advisories enable cross-jurisdictional audits and collaboration. Smart-city Special Purpose Vehicles (SPVs) are being repurposed as cyber excellence hubs, turning local expertise into scalable solutions.
The government’s high-impact moves to make India digitally self-reliant are evident in various initiatives, such as the Bharat National Cybersecurity Exercise 2025. This specific response programme focused on Industrial Control Systems (ICS) security and AI-driven risks with hands-on modules covering SOC operations, API security, malware reverse engineering and digital forensics.
These efforts are equipping cybersecurity teams with practical experiences, sharpening incident response capabilities and building a more prepared defence ecosystem. Such measures will ensure that India is prepared for emerging threats while advancing towards a secure, innovation-led digital future.
India’s move to appoint CISOs in every city is a strategic jump towards proactive cybersecurity. By placing cybersecurity leadership locally, the country is moving closer to its vision of smart, sustainable and cyber-resilient cities.
Digvijaysinh Chudasama,
Partner, Deloitte India
Next Article