24 versus 5 – these two numbers perfectly encapsulate the dilemma of the traditional backup and disaster recovery world. Management assumes that systems and data will be back online within five days at the latest. But that was before cyber events became such a huge reality. On average, however, it takes 24 days. This gaping hole not only erodes trust in IT capabilities but also erodes revenue, customer confidence, and sometimes even the very existence of the company.

Companies can no longer trust their data during a cyber incident – not even their backups. Current statistics indicate that hackers remain in their target networks for an average of over 200 days, manipulating dozens of systems. Backup systems are a prime target, as they can render a ransomware attack ineffective.

So, what is the right approach? IT security and infrastructure teams must work closely together during an ongoing attack to examine data integrity before restoring data from backups. This process requires companies to have air-gapped backup data in a secured location. This data must first be systematically examined in an isolated environment like a cleanroom, searched for attack artifacts, and then cleaned if required, before being restored. All of this is incredibly time-consuming and resource intensive, which is not an ideal outcome in a cyber crisis.

We must therefore move beyond the pure Recovery Time Objective (RTO) and Recovery Point Objective (RPO) discussion and consider the entire cyber resilience process. We call this analysis and the average time to complete recovery Mean Time to Clean Recovery, or MTCR. Essentially, MTCR defines the average time it takes for IT security and infrastructure teams to restore previously defined critical business applications and the underlying systems, infrastructure, and associated clean, validated data after a cyberattack. It encompasses the entire process from start to finish.

Those who follow this approach will be able to accurately measure the size of the resilience gap and discuss realistic scenarios with management – and better argue why the existing backup environment needs to be modernized into a true cyber resilience environment.

India’s cybersecurity market is on a sustained growth trajectory with no signs of plateauing. According to IDC’s Worldwide Security Spending Guide (v1,2026), total security spending in India across hardware, software, and services is projected to grow from $3.2 billion in 2024 to $6.2 billion by 2029 at a strong 14.4% CAGR over five years. Software and hardware are the fastest-growing segments, while services, already the largest piece of the pie, continues to expand at a steady clip. This isn’t budget inflation. It reflects a fundamental shift in how Indian enterprises are treating security: less as a cost center, more as a strategic capability. The scale of investment signals that CISOs are finally getting the boardroom backing to move beyond reactive posturing.

The biggest forcing function behind this spend is Artificial Intelligence (AI), specifically, AI in adversarial hands. As per IDC’s latest research on India Market, the threat that keeps practitioners up at night isn’t your traditional malware or phishing campaign. It’s the weaponization of AI at scale. LLM prompt injection and jailbreaking of AI assistants top the concern list at 68%, followed by model poisoning during AI training at 60%, and AI-powered ransomware with real-time extortion capabilities at 58%. Synthetic identity fraud and AI-driven vulnerability discovery both clock in at 55%. What’s striking is the breadth. These aren’t fringe concerns, they’re operationally real risks that Indian security teams are actively tracking. The adversary has access to the same AI stack that defenders do, and in many cases is moving faster.

On the defensive side, organizations are scrambling to secure their own AI pipelines. As per IDC’s latest research on India Market, 80% of India’s CISOs are using access control and segmentation specifically for GenAI infrastructure, 78% are anonymizing or de-identifying datasets used in AI training, and 73% are encrypting training data. Data masking and synthetic data generation are also at an all-time high. But controls alone are no longer enough. Forward-looking security teams are beginning to adopt AI Bill of Materials (AI BOM) frameworks, a systematic inventory of every model, dataset, dependency, and third-party component that feeds an AI system. Much like software composition analysis transformed application security, AI BOM traceability is emerging as a foundational practice for understanding what’s inside the AI stack before an adversary exploits it. Taken together, these trends reflect a maturing awareness that AI systems are themselves an attack surface, not just tools for defense. The implication for vendors is significant: security for AI, not just security with AI, is becoming a distinct and growing purchasing category in India.

When it comes to where the money is actually going over the next 12–18 months, the picture is telling. As per IDC’s latest research on India Market, Managed Security Services, Professional Security Services, Network Security, and Security Analytics platforms are emerging as the dominant spending priorities, reflecting a market that is simultaneously outsourcing complexity and doubling down on visibility. Organizations are leaning on MSSPs and MDR providers to close the talent gap, while continuing to fortify network perimeters against an expanding threat surface. The appetite for security analytics signals a deeper shift: Indian enterprises are done flying blind, they want detection that is predictive, not just reactive. Underneath it all, the message is consistent: India’s security leaders are building for resilience and operational maturity, not just checking compliance boxes.

One headwind worth watching: AI deployment is hitting friction. Among organizations that have deployed AI on only a limited basis, 56% cite security and compliance restrictions as the primary constraint, with high costs and digital sovereignty concerns also ranking high. This creates a paradox: AI is both the most significant threat vector and the most constrained defensive tool. India’s regulatory environment, including the evolving DPDP framework, is increasingly shaping what AI-driven security capabilities organizations can actually deploy, not just what they want. The vendors and MSSPs that crack the compliance-plus-capability equation, delivering AI-powered security that satisfies data residency and governance requirements, will have a structural advantage in India’s market through 2029 and beyond.

For CISOs, the mandate is equally clear: security strategy can no longer be built around tools alone. The organizations that will lead are those that treat AI governance, workforce capability, and vendor accountability as core security disciplines, not afterthoughts.