Cyber resilience is a mindset, says Rubrik co-founder on AI risks

Rubrik co-founder Arvind Nithrakashyap discusses cyber resilience, AI-driven risks, India's cybersecurity landscape, and how organisations are preparing for future quantum computing threats

NYSE-listed cyber security firm Rubrik has been expanding its footprint in India. The company, which started operations in India in 2017 and now boasts an employee base in the thousands, has made India an integral part of its global portfolio with some of its products built here. Arvind Nithrakashyap, co-founder and chief technology officer tells Shivani Shinde in an interview about the evolving cybersecurity landscape, the role of resilience and identity in companies' security roadmaps, and quantum computing. Edited excerpts:

 

Q: Cyber resilience is a term that keeps coming up. Can organisations truly become cyber resilient in an increasingly volatile global economy?

 

A: Cyber resilience is really a mindset. If you look at the last decade, cyberattacks have increased significantly. One of the key reasons is that everything is now connected — organisations operate globally, and most activities are digital.

 

Earlier, breaking into systems was complex due to the physical and centralised nature of technology. Today, even a teenager sitting anywhere can attempt attacks on systems across the world. The other aspect is that the workforce has become more global and also remote, basically work from anywhere. Our research shows that about 80 per cent of cyberattacks start with credential compromise.

 

Over the last few years there has been huge realisation that identity has become a major source of attacks. Add to this AI, and everybody now has access to coding. You no longer need to have sophisticated cyber hacker. Hence, organisations need to assume that a breach will happen and prepare for it.

 

Q: Cyber security seems to be still an afterthought, at least when we look at some of the incidents, such as M&S and Jaguar Land Rover. How is AI changing the cybersecurity landscape?

 

A: Often, organisations are still trying to understand what is possible with AI and the new ideas coming in. In many cases, things that seemed impossible even three months ago are now achievable.

 

There is a lot of internal discussion around how to adopt AI agents effectively — how to deploy them, and more importantly, how to govern and manage them.

 

Historically, the challenge with cybersecurity has been that fixing issues is extremely complex. You are dealing with live systems, and making changes requires significant effort — whether it is modifying how applications are deployed, upgrading infrastructure, or addressing systemic issues such as secrets and password management. In some cases, it may even require rewriting applications. All of this makes it a resource-intensive exercise.

 

As a result, while boards agree on the importance of cybersecurity, organisations tend to prioritise selectively. What is interesting now is that while AI increases the attack surface, it also enables organisations to move much faster in addressing these challenges. Tasks that earlier might have taken two to three years can now potentially be completed in a few months. This is already visible with coding agents and automation tools.

 

Security teams, if they harness AI effectively, can achieve significantly more without proportionally increasing headcount. It allows them to address vulnerabilities faster and more comprehensively.

 

There will always be a gap because attackers are evolving as well. But if organisations identify vulnerabilities in their cybersecurity posture today, it is becoming easier to act on them quickly—closing gaps that would previously have taken years.

 

We are likely to see this acceleration continue, with new tools and capabilities emerging rapidly. Over the next year, both attack and defence mechanisms will evolve, and organisations will need to adapt to newer risks. For instance, even authentication methods like face ID can now be spoofed, requiring more advanced security approaches.

 

Q: Where are Indian enterprises when it comes to cybersecurity? 

A: I think in India there has definitely been a strong push towards digitisation. Over the last 15 years, the pace of digital adoption has been quite significant.

 

This is especially visible in critical sectors like payments and financial services, where digitisation has been very rapid. A large part of this has also been driven by regulation. From our observation, regulators such as the RBI have significantly raised the bar in terms of expectations from banks and financial institutions.

 

More broadly, there is continued digitisation across industries, and regulators are also working on additional frameworks. What is interesting is the balance in India’s regulatory approach—there are clear guidelines and expectations, but organisations are given the flexibility to decide how best to achieve them, while still being held accountable for outcomes.

 

At the same time, AI is becoming a major focus area in India. Global technology providers are actively targeting the market given its scale. As adoption accelerates, organisations will have to manage the associated risks.

 

Overall, I don’t think there is a lack of awareness in India when it comes to cybersecurity.

 

Q: Looking ahead, what impact will quantum computing have on cybersecurity? 

A: The challenge with quantum computing is that techniques we currently believe are secure may no longer hold. The industry is already preparing for this shift, with the first major focus being on encryption. There is a move towards adopting post-quantum or quantum-safe encryption algorithms. Standards are already emerging, and organisations, including us, are beginning to incorporate these into our products to ensure that data secured today remains protected against future quantum attacks.

 

There is growing seriousness across the industry. Software vendors are adopting these standards, and organisations are increasingly asking about quantum readiness.

 

While timelines remain uncertain — whether it is 2030 or later — the proof points are beginning to emerge, and it is clear that this is a reality we need to prepare for.

 

The biggest challenge lies in encryption, particularly around digital certificates and cryptographic systems, which will need to transition to quantum-safe models over time.