The second day of the Gartner Security & Risk Management Summit 2026 India in Mumbai highlighted the growing complexity of cybersecurity leadership as organizations confront expanding third-party risks, identity-related threats, and evolving privacy regulations. Industry experts from Gartner outlined how chief information security officers (CISOs) must rethink security investments, strengthen identity and access management, and build adaptable privacy programs to meet future challenges.

Information security spending in India to reach $3.4 billion in 2026
Analysts at Gartner forecast that information security spending in India will reach $3.4 billion in 2026 as enterprises expand investments to protect digital infrastructure, manage third-party risks, and comply with regulatory requirements.
The surge in spending reflects rising cyber threats, increasing reliance on cloud platforms, and the rapid adoption of artificial intelligence and digital services across industries.

CISOs urged to modernize third-party cyber risk management
In a session on third-party cyber risk management (TPCRM), Rahul Balakrishnan, Senior Director Analyst at Gartner, said organizations must rethink how they manage risks associated with external vendors and partners.
As disruptions caused by third-party cyber incidents increase in both frequency and impact, many existing TPCRM programs are failing to address the complexity of modern supply chains and digital ecosystems.
Rahul Balakrishnan advised CISOs to transform regulatory mandates into clear business requirements that guide cybersecurity investment strategies. He also recommended combining indirect monitoring techniques to detect potential risks in vendors’ security posture with direct monitoring of internally exposed services.
According to Gartner, by 2028, half of all TPCRM programs will shift toward continuous monitoring models. This approach will allow organizations to redirect due diligence resources toward higher-value risk mitigation initiatives.
The growing use of generative AI also introduces new risks. Many enterprises rely on third-party large language models or GenAI-enabled software-as-a-service platforms. As a result, CISOs must ensure that these vendors maintain strong data security controls to safeguard enterprise data stored in external environments.
Gartner predicts that by 2028, 70 percent of organizations and vendors will use generative AI to complete and analyze TPCRM questionnaires. This could reduce the reliability of such assessments, making human validation essential for evaluating critical vendors.

Identity-first security becomes central to IAM strategies
Another key theme on Day 2 was the evolution of identity and access management (IAM). During her session, Sarah Almond, Director Analyst at Gartner, explained that identity-first security is becoming the foundation of modern cybersecurity frameworks.
As corporate networks become increasingly decentralized, traditional perimeter-based defenses are no longer sufficient. Instead, organizations must secure every identity, including both human users and machine identities such as devices, applications, and workloads.
Sarah Almond emphasized that effective identity-first security requires consistency, contextual awareness, and continuous monitoring. She noted that traditional IAM systems designed primarily for human users often fail to address the growing number of machine identities operating in modern IT environments.
To address this challenge, organizations are adopting identity visibility and intelligence platforms (IVIP). These platforms unify IAM data, activities, relationships, and configurations into a single view, enabling security teams to better understand their identity attack surface.
Gartner predicts that by 2028, 70 percent of CISOs will deploy IVIP solutions to reduce identity-related risks and strengthen their cybersecurity posture.

Privacy programs must adapt to new regulations
Privacy and data governance were also central themes during Day 2. Shadrock Roberts, Director Analyst at Gartner, discussed how organizations can build privacy programs capable of adapting to rapid regulatory and technological change.
With the introduction of the Digital Personal Data Protection Act, India has joined a growing global ecosystem of modern privacy regulations. According to analysts, about 75 percent of the world’s population is now protected by contemporary data privacy laws.
Shadrock Roberts highlighted that success in this evolving landscape requires organizational agility, strategic planning, and strong cross-functional collaboration across legal, security, and business teams.
He also emphasized that privacy should not be treated merely as a compliance exercise. Organizations that integrate privacy into their business strategy can build customer trust, differentiate themselves in the market, and reduce the risk of costly operational disruptions.
To establish a strong privacy foundation under India’s DPDP framework, organizations should focus on core principles such as purpose limitation, data minimization, transparency, security, and accountability.

Cybersecurity leaders rethink strategy for the next phase
The discussions at the Gartner Security & Risk Management Summit 2026 India reflect how cybersecurity leadership is shifting from reactive protection to proactive risk management and strategic governance.
As organizations accelerate digital transformation, CISOs are increasingly required to manage complex vendor ecosystems, secure diverse identities, and ensure compliance with rapidly evolving privacy regulations while maintaining business agility.

