Interview with Sanjiv Arora on Leading Cybersecurity Strategy Across RBI, IRDA, SEBI, and DPDPA Compliance

July 30, 2025
When it comes to navigating the complex world of cybersecurity, compliance, and privacy in India, Sanjiv Arora is a name that resonates with experience and trust. With over three decades of work behind him, he has not just seen the industry evolve; he has actively shaped it. From the early days of IT leadership to now advising CXOs, regulators, and startups alike, Sanjiv has been a steady hand helping organizations build secure, compliant, and resilient digital environments. His journey reflects a passion for learning, a knack for simplifying the complex, and an unwavering commitment to mentoring the next generation of cyber professionals.

Who is Sanjiv Arora?

Sanjiv Arora is a cybersecurity and risk management expert who wears many hats, including Virtual CISO, DPO, AI auditor, and mentor. He currently leads Cystech Controls Pvt. Ltd. as Executive Director and has spent years guiding organizations on how to stay compliant with requirements from regulators like RBI, IRDA, and SEBI, with GDPR, and now with India’s DPDPA. With globally respected certifications like CISA, CDPSE, CISM, and more, Sanjiv brings deep technical knowledge and practical insight to the table. Beyond his consulting roles, he has also served as President of the ISACA New Delhi Chapter and is deeply committed to helping young professionals break into and grow in cybersecurity. Simply put, Sanjiv combines boardroom strategy with hands-on technical know-how, and does it all with a clear focus on making organizations safer and smarter.

Q1. What inspired your transition into cybersecurity and privacy from a more traditional IT and systems background?

Sanjiv: It all started in 2000: a partner in E&Y guided me to get the unheard-of CISA qualification, now a globally recognized certification since 1978, by ISACA. The CISA qualification got me recognition and respect in the industry, and I have handled challenging assignments since, delivering secure IT solutions for organizations. The vision expanded to 360 degrees, learning business risks, security controls, and compliance with international standards and the regulator guidelines. I was born curious; deep dives were my thing, starting with dismantling toys at an early age. Cut to today: there is a dire need for organizations to protect the confidentiality and privacy of data to ensure business growth. Hands-on software development and IT operations experience spanning TWO decades, and subsequently gaining CDPSE, CHPSE, CISM, and CGEIT certifications, places my expertise as a consultant at the right place at the right time.

Q2. What do you like most about DPDPA?

Sanjiv: The emphasis DPDP places on business entities and associates, on their accountability and responsibility to protect the personal data of individuals with utmost care, with consequences if they fail to do so.

Individual data has long been exposed through abundant sharing of data in the past, both by ourselves on FREE social platforms and companies we trusted our individual data with. We expect DPDP to drive mass-scale Privacy protection awareness to people at large.  

Q3. What do you dislike most about DPDPA?

Sanjiv: The DPDP covers most of the important aspects like Data Protection Rules, guidelines, audits, and penalties. At this moment, the implementation timelines are not published. The DPDP should not become a law on paper, mired in documentation and checklists with tick-marks only.

DPDP does not segregate companies by size and category to enable better control over entities collecting data. A published Data Privacy maturity matrix by organization, industry, and region is not part of the plan.

Q4. DPDPA introduces a new role of Consent Manager. How do you see this integrating with existing privacy governance frameworks?

Sanjiv: A Consent Manager (CM) may be internal or third party. It is a mandatory requirement to integrate with multiple business processes, storage data repositories, application uses and access. It is extremely important that the consent manager works seamlessly across the technical and operational boundaries of systems. Trusting a third-party CM would help in cross-functional, organizational or industry controls. Integration with the CM through trusted APIs can fast-track and ease the implementation.

Q5. How do you interpret the intent behind India’s Digital Personal Data Protection Act (DPDPA)? What major mindset shifts does it demand from Indian businesses?

Sanjiv: Interesting one from an Indian point of view. Intent is in place. As a nation, we are weak at the implementation of the given mandates, general rules at all levels of societal living.

Respect of laws, responsibility has to stem out and start with every individual up to the top cadres of society and industry. 

Q6. What are some practical challenges Indian organizations face when preparing for DPDPA compliance, especially in highly regulated sectors like BFSI?

Sanjiv: The practical challenge would be to manage privacy within low or unallocated budgets and a lack of a holistic approach across functions, and it may end up as getting away with patchwork and just add-on solutions. The risk would be lots of data leakage opportunities.

Q7. What are the top three priorities you recommend to any Indian company starting its DPDPA compliance journey?

Sanjiv: Start with the most competent, qualified consultants who can commit, communicate and hand-hold to deliver results. Next assess current state and go-to state goals. Thirdly, implement secure privacy controls, with quality at reasonable investments. 

Q8. In your experience, what controls should organizations prioritize for DPDPA compliance that they often overlook?

Sanjiv: Data that’s acquired from research, marketing, analytics, and customer databases requires big focus. Privacy should be implemented by design and not as patchwork, especially inside business application data collected in a B2B or B2C process, and in sharing and communication architectures.

Q9. What’s one underrated but highly effective control you recommend to enhance DPDPA readiness across departments?

Sanjiv: Use of strong Project Risk Management oversight during the planning and implementation of Data Privacy controls and principles. This shall ensure that the teams doing on-ground implementations are well monitored and guided.

Q10. How do you incorporate cyber risk management into broader enterprise risk frameworks, especially when advising CXOs?

Sanjiv: CXOs get too busy in day-to-day operations to learn new concepts. They must attend an orchestrated session (a few hours) by SMEs to get on top of Cyber, Data management and Industry risks to be able to drive the goals of their expectations.

Q11. What role should virtual CISOs or DPOs play in helping SMBs or regulated sectors like BFSI navigate DPDPA compliance effectively? 

Sanjiv: The CISO and DPO lead the way, using technical and soft skills for ALL-inclusive data privacy implementation. The positions should be occupied by qualified people, and not just filled-in slots. Such skills are in short supply – only large companies can find and afford a CISO, DPO, and CTO in BFSI. SMBs should take the Fractional or Virtual expert route for higher benefits at lower investments.

Q12. What advice would you give to someone looking to become a virtual CISO or DPO?

Sanjiv: The role requires maturity of thought process, business acumen, and the ability to become that critical link between management and technology. While adding certifications will help, do a deep dive into data privacy inventories, storages and data breach protection strategies. Becoming a leader using AI will make a good business case in most organizations.

Q13. You’ve trained and mentored many cybersecurity professionals. What gaps do you see in India’s current cybersecurity talent pipeline?

Sanjiv: Today, there are over 500 certifications in the Information Security domain. Aspirants are adding multiple certifications to their profiles. Aligning individual skills and proficiency with a certificate will gel better with industry demands and expectations of vacant positions. Going for well-thought-out, desirable certifications is the key to success in career advancement.

Q14. What emerging technologies or regulatory shifts do you think Indian organizations are least prepared for in the next 3–5 years?

Sanjiv: New technologies present many opportunities and challenges, especially using AI/ML, AR/VR, and Quantum computing at 5G, 6G speeds. The biggest challenge is that the complexity to assess and implement privacy controls is similar irrespective of the size of the organization. The SMB sector must allocate higher budgets and resources to remain compliant with DPDP.

Q15. If you could add one missing requirement to DPDPA to strengthen it, what would that be and why?

Sanjiv: Enhance the DPDP rules providing additional details including

  • ‘HOW’ a breach will qualify for the related penalties. If left without clarity, most organizations may not contest the penalty levied by Data Protection Authority (DPA). 
  • Defining ‘Must do’ like minimum controls – Encryption, Anonymization or / and Masking
  • Well-defined explanation of ‘What constitutes a breach?’ and

Closing Summary

Sanjiv Arora’s vision for cybersecurity and data privacy goes far beyond ticking off compliance boxes. He champions cultural change, informed leadership, and strong mentorship. Whether he’s helping BFSI firms strengthen their risk controls or guiding young professionals into cybersecurity, his influence is felt across India’s digital transformation.

At a time when organizations are trying to make sense of DPDPA, Sanjiv offers real-world insights, deep experience, and a clear belief that privacy and business growth must move together. As he puts it, data protection isn’t just a tech task; it’s a leadership responsibility that needs clarity and commitment from top to bottom.
