
“Human-Centric Security Is No Longer Optional” — In Conversation With Sumit Dhawan

As cyber threats grow more sophisticated and deeply targeted, enterprises are realising that the weakest—and most frequently targeted—link in the cybersecurity chain is no longer technology alone but people. Whether it’s phishing, business email compromise, or accidental data leakage, human behaviour plays a pivotal role in most cyber incidents today.

To understand how organisations can build resilience by adopting a human-centric approach to security, BW Security World spoke with Sumit Dhawan, Chief Executive Officer, Proofpoint. A seasoned leader in cybersecurity, Sumit shares his perspectives on evolving threats, India’s data protection framework, the risk of zero-day attacks, and the growing role of AI in modern cyber defence.

Human-centric security is becoming a recurring theme in the industry. What does this term mean to you, and why is it more important now than ever?

Human-centric security is essentially a recognition that the majority of cyber threats today exploit people, not just technology. In fact, more than 90 per cent of attacks involve some form of human interaction—phishing emails, social engineering, credential theft, or data mismanagement.

Traditionally, organisations focused their defences on endpoints, networks, and servers. But attackers have evolved. They’re targeting employees with highly personalised attacks, often designed to bypass conventional security layers. Human-centric security shifts the focus to protecting individuals—by understanding behaviour, spotting anomalies, and building contextual defences around them. In today’s landscape, if you don’t secure your people, you’re leaving the door wide open.

Phishing remains a persistent and potent threat. What are the downstream consequences of a successful phishing attack?

Phishing is often just the beginning. A single click on a malicious email can result in stolen credentials, financial fraud, or provide attackers with access to sensitive systems. Once inside, they can move laterally, escalate privileges, and plant ransomware or exfiltrate data.

These attacks are getting more targeted and harder to detect—especially with attackers now using AI to personalise content and mimic trusted identities. The risks go beyond financial loss. Reputational damage, regulatory penalties, and erosion of customer trust can have long-term effects. That’s why it’s vital to combine strong detection tools with continuous user awareness and behavioural analytics.

India’s Digital Personal Data Protection (DPDP) Act has brought a regulatory shift. What does this mean for enterprise security?

The DPDP Act is a watershed moment for Indian data privacy. It brings clarity on how organisations must handle personal data—mandating consent, accountability, and breach notification, among other provisions. From a security standpoint, this creates a clear mandate: organisations must not only prevent data breaches but also prove that they’ve taken adequate measures to safeguard personal information.

We’re now seeing Indian companies reevaluating how they classify, store, and secure data. Cybersecurity is no longer just about threat prevention; it’s about compliance, governance, and transparency. That’s where integrated data protection tools and employee-centric controls are becoming essential.

How would you characterise the current threat landscape in India? Are there local nuances worth highlighting?

India’s threat landscape is evolving rapidly. While global threats like ransomware and phishing are prevalent, what makes India unique is the pace of digital adoption across sectors—from banking to manufacturing to government services. This rapid transformation has increased the attack surface.

We’re also witnessing highly targeted attacks—sometimes politically or financially motivated—aimed at specific individuals, sectors, or data types. Another factor is the widespread use of mobile and cloud platforms, which brings additional exposure if not configured securely. The lack of uniform cyber hygiene across organisations further adds to the challenge. In short, the threats are global, but the vulnerabilities are often local.

Zero-day vulnerabilities are notoriously difficult to prevent. What’s your approach to mitigating this risk?

Zero-days are challenging because, by definition, no known patch or signature exists when the vulnerability is first exploited. However, they’re not impossible to defend against. Behavioural detection plays a huge role here. Instead of relying only on known indicators of compromise, we look for deviations in behaviour—like unexpected file movements, anomalous login patterns, or suspicious internal communication.

We also operate on a “community defence” model. If a threat is detected targeting one user or system, that intelligence is immediately shared across the wider network. This real-time intelligence sharing helps to contain zero-day threats before they escalate. Prevention is ideal, but early detection and rapid response are just as critical.

With most enterprises now operating in multi-cloud environments, how do you ensure consistent data security across platforms?

Multi-cloud environments bring flexibility and scalability—but also complexity. Different platforms have different policies, access models, and security controls. That’s why visibility becomes paramount. You can’t protect what you can’t see.

Our focus is on delivering security that travels with the data—whether it’s in AWS, Azure, Google Cloud, or hybrid environments. We protect both structured and unstructured data, ensure policy enforcement across collaboration tools, and integrate with identity and access management systems. The goal is to maintain consistent security posture without slowing down business operations.

What foundational elements should CISOs prioritise while designing their cybersecurity architecture?

I believe a strong cybersecurity foundation rests on three pillars:

Perimeter Protection through frameworks like Zero Trust and secure access controls;

Detection and Response using extended detection and response (XDR) systems to quickly identify and remediate threats;

People-centric Defence—because if people are the primary target, they must be at the centre of your strategy.

While these pillars work individually, their effectiveness multiplies when they are integrated. A unified approach that brings together endpoint, cloud, and identity controls helps reduce complexity and improves both visibility and speed of response.

AI is transforming both attack and defence. How are you using AI to strengthen cybersecurity?

AI is at the core of modern cybersecurity. We’re using machine learning to understand intent—particularly in email communications. If an attacker changes the wording or structure of a phishing message, AI can still detect it based on underlying patterns, even if it’s a first-time threat.

We also use AI to create behavioural baselines for each user—so if their actions suddenly deviate, we can detect potential account compromise early. Beyond detection, AI helps us automate triage, reduce false positives, and respond faster. That said, we also recognise that attackers are using AI—so staying ahead means continuously training models on fresh threat intelligence.
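The two answers above (behavioural detection of anomalous login patterns, and per-user behavioural baselines) describe an approach rather than an implementation. The following is an added illustration written for this page, not Proofpoint's code and not part of the interview: it builds a simple per-user baseline (hour of day, source country, device) from constructed login records, then flags new logins that deviate on several dimensions at once. The log format, user names, countries and device identifiers are all constructed assumptions.

```python
"""Per-user login baselining (added example, not the interview's or
Proofpoint's code). Builds a profile per user from past logins and flags
new logins that deviate from it on more than one dimension."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample records: ISO timestamp, user, source country, device id.
BASELINE_LOG = """
2024-03-01T09:12:00 alice IN dev-a1
2024-03-02T09:40:00 alice IN dev-a1
2024-03-03T10:05:00 alice IN dev-a1
2024-03-04T09:55:00 alice IN dev-a1
2024-03-05T09:30:00 alice IN dev-a1
2024-03-01T14:00:00 bob IN dev-b7
2024-03-02T15:20:00 bob IN dev-b7
2024-03-03T14:45:00 bob SG dev-b7
2024-03-04T15:10:00 bob IN dev-b7
2024-03-05T14:30:00 bob SG dev-b7
"""

# Constructed new events to score against the baselines.
NEW_EVENTS = """
2024-03-06T09:20:00 alice IN dev-a1
2024-03-06T03:10:00 alice RU dev-zz9
2024-03-06T14:50:00 bob SG dev-b7
"""


@dataclass
class Baseline:
    hours: Counter = field(default_factory=Counter)
    countries: Counter = field(default_factory=Counter)
    devices: Counter = field(default_factory=Counter)
    total: int = 0


def parse(log):
    """Yield (timestamp, user, country, device) tuples from the text log."""
    for line in log.strip().splitlines():
        ts, user, country, device = line.split()
        yield datetime.fromisoformat(ts), user, country, device


def build_baselines(log):
    """Accumulate per-user counts of login hour, country and device."""
    acc = defaultdict(Baseline)
    for ts, user, country, device in parse(log):
        b = acc[user]
        b.hours[ts.hour] += 1
        b.countries[country] += 1
        b.devices[device] += 1
        b.total += 1
    return dict(acc)


def hour_distance(a, b):
    """Circular distance between two hours so 23:00 and 01:00 count as close."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(baseline, ts, country, device, hour_window=2):
    """Return the list of ways this login deviates from the user's profile."""
    reasons = []
    if not any(hour_distance(ts.hour, h) <= hour_window for h in baseline.hours):
        reasons.append(f"unusual hour {ts.hour:02d}")
    if country not in baseline.countries:
        reasons.append(f"new country {country}")
    if device not in baseline.devices:
        reasons.append(f"new device {device}")
    return reasons


def detect(baselines, log, min_reasons=2):
    """Flag logins with at least min_reasons deviations. A single deviation on
    its own (for example one new country on a business trip) is treated as
    noise; combining signals keeps false positives down."""
    alerts = []
    for ts, user, country, device in parse(log):
        b = baselines.get(user)
        if b is None:
            alerts.append((user, ts.isoformat(), ["no baseline for user"]))
            continue
        reasons = score_event(b, ts, country, device)
        if len(reasons) >= min_reasons:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baselines(BASELINE_LOG), NEW_EVENTS):
        print(alert)
```

Run as-is, only alice's 03:10 login from a new country on a new device is flagged; her normal morning login and bob's login from a country already in his profile pass. In practice the baseline would be rebuilt continuously from fresh telemetry, which is the same point the answer makes about retraining models on current threat intelligence.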

Security tools can sometimes affect user experience. How do you ensure protection without disrupting productivity?

This is where design philosophy matters. We believe in “Zen” cybersecurity—where users feel secure, not restricted. That means creating security workflows that are intuitive and minimally intrusive.

For example, if a user is about to send sensitive data externally, they receive a gentle prompt to double-check. This kind of micro-intervention improves behaviour over time. The idea is to embed security into the natural flow of work—whether in email, collaboration tools, or cloud apps—so that it becomes a seamless part of the digital experience.
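The "gentle prompt" described in this answer can be sketched as a pre-send check that looks for likely sensitive content only when a recipient is outside the organisation, and returns a prompt rather than a hard block. The code below is an added example written for this page, not Proofpoint's product logic and not part of the interview; the internal domain `example.in`, the keyword list, the identifier patterns and the sample messages are constructed assumptions.

```python
"""Pre-send micro-intervention (added example, not the interview's or
Proofpoint's code). Returns a prompt when mail to an external recipient
appears to carry sensitive data, and lets everything else through."""
import re

# Assumed corporate domain; anything else is treated as external.
INTERNAL_DOMAINS = {"example.in"}

# Illustrative detectors: 13-19 digit runs with optional separators (checked
# with Luhn below), the Indian PAN format, and a few trigger words.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
PAN_RE = re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")
KEYWORDS = ("confidential", "salary", "password")


def luhn_ok(digits):
    """Luhn checksum, used to avoid prompting on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(body):
    """Return human-readable labels for each kind of sensitive content found."""
    findings = set()
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.add("a payment card number")
    if PAN_RE.search(body):
        findings.add("a PAN identifier")
    lowered = body.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.add(f"the word '{kw}'")
    return sorted(findings)


def external_recipients(recipients):
    """Recipients whose domain is not one of ours."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def pre_send_check(recipients, body):
    """Decide between sending silently and asking the user to double-check.
    The user keeps the final say; this is a nudge, not a block."""
    ext = external_recipients(recipients)
    findings = find_sensitive(body)
    if ext and findings:
        return {
            "action": "prompt",
            "message": (f"This message goes to {', '.join(ext)} and appears to "
                        f"contain {', '.join(findings)}. Send anyway?"),
        }
    return {"action": "send"}


if __name__ == "__main__":
    # Constructed sample: valid test card number to an external partner.
    print(pre_send_check(["partner@other.example"],
                         "Card on file: 4111 1111 1111 1111"))
    # Same content to a colleague: no prompt.
    print(pre_send_check(["colleague@example.in"],
                         "Card on file: 4111 1111 1111 1111"))
```

The Luhn check matters for the user-experience point: a plain digit regex would prompt on order numbers and phone numbers, and a prompt that fires too often is one users learn to click through, which defeats the behavioural nudge.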

Finally, what advice would you offer to Indian enterprises looking to modernise their cyber defences?

My advice is to think strategically and avoid siloed tools. Many organisations accumulate point solutions over time, which leads to inefficiencies and blind spots. Instead, invest in a platform-based approach that brings together threat intelligence, data protection, and user behaviour insights.

Also, security must align with business priorities. Understand what data or processes are most critical and protect them with a layered defence strategy. With regulations tightening and threats becoming more targeted, the future belongs to those who can integrate prevention, detection, and response around people—the new perimeter.
