Security is no longer just an IT issue; it’s a business problem: Upwind Security exec

As Indian enterprises accelerate migration to the cloud and regulators tighten data governance requirements, security is increasingly being treated as a business risk rather than an infrastructure task. In a conversation with TechCircle, Lavi Ferdman, Co-Founder and SVP of Growth at Upwind Security, discusses how that shift is playing out on the ground in India, and what the rapid adoption of AI means for the security posture of large organisations. 

Edited Excerpts: 

How are you reading the current moment in India's cloud journey?

Based on my background working in the Indian market for more than ten years, I've watched this shift unfold in stages. When we founded Spot.io in 2015, the cloud was already becoming dominant in India, and the early momentum came from startups and digital-native companies building their applications and businesses on cloud infrastructure. Then something significant happened around COVID. From 2020 onwards, we saw a strong pushback as real business-critical applications, even at the largest enterprises, began migrating to the cloud. Every new application was built on a cloud-native architecture to help enterprises extract the best outcomes from cloud technology.

These days at Upwind, with our focus on cloud security, we see just how central cloud has become for large enterprises. The Indian market is investing tens of billions of dollars in cloud and AI technology. All the major cloud providers, AWS, Azure, and Google Cloud, are actively building out infrastructure in India. The government is supporting that with tax incentives and regulations. And with the rise of AI in the last two years, we see even stronger momentum for enterprises to migrate existing applications, build new ones, and keep themselves relevant in the AI era.

Are Indian enterprises approaching cloud security differently compared to markets like the US or Europe? Where are the biggest gaps or opportunities?

When it comes to how the Indian market is tackling security, I think the biggest challenge starts with regulation. Regulation driven by both government requirements and financial consequences is pushing organisations to invest more in cloud security.

The gap I observe is that there is a rapid move toward cloud, and until recently, security practice was largely built around compliance frameworks, NIST, CIS, HIPAA, and GDPR, which organisations follow as a checklist. But in today's fast-changing cloud environments, where new threats and zero-day vulnerabilities emerge almost daily, organisations need to shift to something that can keep pace with that footprint.

Two priorities stand out. First, data residency and data security have become a major challenge; organisations need to know where their sensitive data is, who is using it, where it is exposed, and whether it is travelling outside their estate or outside the country, because that creates regulatory exposure. Second, detecting threats as they happen. As attackers grow more sophisticated with AI and automation, organisations need the capability to detect, respond to, and even automatically prevent threats in real time. We see organisations suffering security incidents, losing money, and losing reputation. It is about following the right practices to stay secure from a regulatory and financial standpoint.

Cloud security is increasingly described as a boardroom concern rather than a CIO concern. What has driven that shift over the past two to three years?

Looking back two to three years, organisations, and especially CIO and CEO-level leadership, wanted assurance that a security programme existed that met regulatory obligations. Everything was very focused on compliance. The question was: Are we following NIST, CIS, HIPAA, and GDPR? Is our personal data secured? That was the frame.

Today, the problem is that you cannot be secure anymore simply by following regulations and industry frameworks. That is now only the baseline. What boards and CEOs understand is that security is no longer an IT problem that the CIO needs to deal with. It is a whole business problem.

If an attacker gets hold of sensitive data, it is not just that your systems are exposed or your reputation is at risk; there is a significant financial impact that can be disruptive and cause serious losses. So the conversation has shifted toward: what capabilities do we have to detect risks and respond to them? How do we prioritise those risks?

When I sit in board meetings with large enterprises in India, the presentation is no longer about compliance status alone. It is about showing where the organisation could be exposed, demonstrating that detection and response practices are in place, and, increasingly, showing alignment with strengthened compliance and resilience frameworks. Board members and CEOs now want to see that security is continuously monitored and implemented across the whole organisation, not just that systems are configured correctly.

On the investment side, breach costs in India have reportedly reached around 200 million. How are CSO-level executives reframing their security budgets?

The figure is accurate; the average has crossed the 200 million mark, and in extreme cases, it goes to a billion or more. CSOs have understood that they cannot rely on fragmented practices to tackle security effectively.

They are now focusing their budgets on consolidating tools and putting platforms in place that provide genuine security coverage, not just insurance in their processes, but systems that can actively understand risk and act on it. The reason breach costs have risen so sharply is that attackers are exploiting the fact that business data has become the most important asset. It is no longer just physical assets that matter. With the rapid change in AI and cloud, data has become the primary asset, and securing it has become the top priority.

We see CSOs shifting budget toward cloud security rather than traditional security tools alone. They are building strategies around cloud-native application protection platforms, often called CNAPPs, and data security platforms, to ensure that everything built and run in the cloud environment is both built securely and continuously monitored at runtime. As average breach costs rise, security budgets follow. That creates a significant challenge for businesses that have to allocate spending they did not anticipate, but they understand it is necessary.

How exactly is AI adoption expanding the attack surface from a security standpoint?

When I speak with enterprise CISOs today, AI has become their biggest concern. It has created a new attack surface that no one was prepared for.

The core challenge is visibility. CISOs have almost zero visibility into who in the organisation is using AI and what that usage is exposing. Every employee, whether a developer, an accountant, or anyone else, now has access to AI agents. CISOs have no control over what data is being sent through prompts to those tools. That makes securing data extremely difficult.

On the development side, we are shipping code and building applications faster than ever before. That is significant from a business outcome perspective, but it also means applications are deployed to production very rapidly, and it becomes hard to keep security controls in pace.

Then there is the external dimension. Attackers and hackers are also using AI, not to secure environments, but to find sophisticated ways into them. They are using AI tools to remain hidden, to identify zero-day vulnerabilities almost daily, and then to exploit them before organisations can respond. The attack surface has become very complicated: you have an internal threat from employees using AI, and you have attackers using AI. The challenge evolves faster than most organisations can track.

Two concepts matter here: securing AI and using AI for security. Security vendors, including Upwind, are investing heavily in AI technology both to address AI-generated threats and to inject AI-driven security capabilities into cloud security platforms. The goal is to keep pace with the attack surface, to be faster and smarter than attackers in using AI to protect environments.

Where are the most vulnerable points for enterprises running AI workloads in cloud-native environments?

We are still in a phase where market education is needed. Every CISO at a large enterprise can say they want to be secured from AI threats, but very few yet fully understand what that means in practice. Most are allocating budget, but are still working through what they actually need to put in place.

Vulnerability tends to come from two angles. First, the applications organisations build in the cloud environment. Second, how internal employees are using AI: organisations have largely lost track of what is happening across the business with AI usage, and there is no clear strategy yet for securing AI the way there is for securing a network or an endpoint.

If you ask a CISO whether they know how to secure their network or endpoints, they will say yes. If you ask whether they know what they need to do to be secure from AI threats specifically, most do not. The most exposed assets are employee endpoints being used with AI agents, and AI applications being deployed to production, where the organisation does not have a clear picture of what threats they are introducing. Attackers can leverage those entry points to access data and exfiltrate it.

This is a global challenge, not specific to India. However, because India is a fast-moving adopter of the latest technology, the problem is growing faster here. Traditional businesses that are slower to adopt AI and shift to AI agents are not yet exposed at the same scale, but they will need to deal with it later. In India, the fast pace of cloud and AI adoption means the risk surface is expanding faster.

What does real-time cloud security mean in practice, and why is it becoming critical now?

A few years ago, when organisations started moving applications to the cloud, the primary concern was visibility and posture management — making sure configurations were correct, and controls were in place. But as applications became more cloud-native, based on containers and AI workloads, a new type of threat emerged: one that moves at the speed of what is happening right now.

When you look at cloud environments today, everything happens in real time. If you want to secure your environment and not just know where you are exposed, you need to know what is happening in real time, at runtime — and this is especially true for AI workloads, which are ephemeral.

Understanding runtime context serves two purposes. First, it allows far better prioritisation. A vulnerability in your environment may be critical in the abstract, but whether it actually poses a critical risk to your specific workloads depends on how your application is configured and running in practice. By understanding runtime context, we can reduce alert noise by more than 95%, because we can tell you whether a misconfiguration or vulnerability is actually dangerous in your environment, not just theoretically dangerous.

Second, it enables true threat detection as events unfold. You do not want to learn about a threat only after the fact. At Upwind, we monitor every execution, every network flow, every file access, so we can detect threats as they happen, connect the dots, and reconstruct the chain of events an attacker used to enter the environment. That lets us respond, contain the situation, and automatically prevent recurrence. That combination, static posture visibility and real-time runtime awareness, is what allows organisations to address both known exposures and modern threats, including those coming through AI.

How are you planning to scale in India — partner-led, direct enterprise, or something else?

It is definitely ecosystem-driven. We have recruited a ground team in India, including a country manager, a growing sales team, customer success support, and an engineering team. We have our backend running on an Indian data centre to support regulatory and data residency requirements.

For scaling the business, the strategy is built around partnerships. We recently announced a strategic partnership with AWS through the Security Hub extended programme, where Upwind is available as a first-party integration inside AWS Security Hub, meaning Indian customers can purchase Upwind directly from the AWS console. We are also working on a similar strategic partnership with Microsoft, which was recently announced. Beyond that, we are expanding channel partnerships with value-added resellers, managed security service providers, managed service providers, and global system integrators to grow the business together.

Are we heading toward a world of self-healing, fully autonomous cloud security systems, or is that still far off?

I can speak to what we are building at Upwind. We are developing autonomous agents to support security teams, one to handle threat detection work similar to a SOC (Security Operations Centre) analyst, one to assist with the work of a security architect and automate investigation tasks, and one to perform dynamic testing on the environment to autonomously identify threats.

That said, enterprise security is a traditionally cautious space. Security leaders and their teams still want to keep their hands on decisions and remain in control. They want agents to assist, guide, and advise them — but they still want to approve actions before those actions are taken.

In the short term, I think fully autonomous security is somewhat far-fetched. What we will see is security teams broadly leveraging AI for investigation, triage, and insight, while retaining control over final decisions. Long-term, as security leaders build greater trust in AI systems operating independently within enterprise environments, we will see more and more autonomous actions. But how far out that is, I genuinely cannot say. AI is evolving fast enough that the timeline is uncertain.
