Barracuda Network’s new CEO, Rohit Ghai reflects, in a freewheeling conversation with ETCISO, on how AI is reshaping cybersecurity — not just technologically, but strategically. From compliance pressures to nation-state threats, from under-resourced CISOs to autonomous agents, Ghai believes the industry is entering a defining phase.

His prescription: simplify security through AI, protect AI itself, and build cyber resilience grounded in both technology and human expertise.

But in his view, the real risk isn’t just AI-powered attacks — it’s “agent sprawl” and fragmented security responses. Ghai outlines why platformization is non-negotiable, why data resilience trumps protection, and why humans must remain in the loop — at least for the next five years.

Below are edited excerpts from the conversation.

You’re about 120 days into your role. With AI now central to enterprise conversations globally, how does Barracuda position itself at this moment?

AI presents a unique opportunity to rebalance cybersecurity’s historic asymmetry — where attackers need to be right once and defenders must be right every time. AI can help the good guys.

But it’s a double-edged sword. Attackers are using AI to accelerate and sophisticate their methods. So our vision at Barracuda is to build a cyber resilience platform powered by people and enhanced by AI.

For at least the next five years, humans must remain in the loop. Cybersecurity is a strategic chess game. There’s a human strategist behind the attacks — and we need human expertise on the defense side too.

You have spoken about platformization. Many CISOs question whether platforms are truly a panacea. Why are you so emphatic about this approach?Rohit Ghai:I’ll make a provocative statement: Anything short of platformization in the AI era is a disservice. In the pre-AI world, tool sprawl meant fragmented dashboards and integration headaches. In the AI era, that becomes agent sprawl — or worse, “agent brawl.”

Imagine entering a room full of experts who don’t agree with each other. Now imagine those experts are autonomous agents acting on your behalf. If their actions conflict, security weakens.

We need harmonized intelligence — not competing agents. That’s why we’re executing on a platform strategy built around a unified AI capability rather than adding to fragmentation.

But doesn’t AI itself introduce new risks — rogue agents, new attack surfaces?

Absolutely. So, that is why there’s AI for security and security for AI.

We think of our AI strategy in three phases:

Phase 1: Make cybersecurity easier.

CISOs are overwhelmed — alert fatigue, resource shortages, tool complexity. Before automating the world, we must automate ourselves. Apply AI to reduce operational burden.

Phase 2: Secure AI itself.

GenAI introduces data leakage risks — shadow AI, sensitive data exposure, PII/PHI misuse. Then comes agentic AI, where applications become conversational and autonomous. That changes the attack surface entirely.

So first, focus on data security posture management. Next, think about agent security posture management.

Phase 3: Automate security operations.

Use AI for XDR, SOAR, autonomous tiered analysis — but keep humans in the loop. AI cycles move fast; five years in AI is like fifty in traditional tech. But today, we still need human oversight.

Compliance complexity is rising — DPDP in India, EU AI Act, GDPR and over 130 global data protection laws. How does Barracuda Networks help CISOs navigate this?

CISOs face a dual challenge: security and compliance. And in the AI era, data is the fuel.

But this isn’t just regulatory — it’s competitive. If foundational AI models have universal knowledge, what differentiates a company? Its proprietary data. We have moved from talking about data protection to data resilience.

That means tagging data in two dimensions:

Compliance criticality — What must be protected under law?

Business criticality — What forms your competitive moat?

Not all data is equal. Instead of backing up everything uniformly, prioritize what’s existential — legally and strategically. Success in cyber isn’t keeping attackers out forever. It’s reducing impact when they get in. That’s resilience.

How data-resilient would you say Indian enterprises are today?

On a scale of 0 to 100? Less than 50. Possibly closer to 25–30%.

Most organizations have been compliance-centric. They haven’t fully internalized the business-critical lens of data. And this isn’t uniquely Indian — globally, maturity levels are similar. The AI era demands a shift in mindset.

What are the top cybersecurity trends you see shaping India over the next year?

Firstly, India will emerge as a product innovation powerhouse.

India is no longer just services-driven. There’s explosive product innovation. That means security must be designed from inception. The government’s increasing cyber maturity trajectory reflects this shift.

We will see a proactive regulatory ecosystem.

CERT-In has become more prescriptive — not just telling organizations what to care about, but guiding the how. That’s a positive evolution.

India’s geopolitical role in cyber norms has potential.

In a fragmented global environment, India — as the world’s largest democracy — can shape responsible nation-state cyber conduct. Nation-state threats form a significant portion of cyber risk. Defining “good behavior” globally is critical.

You have emphasized resource-constrained organizations. Why is that a priority?

Cybersecurity is like climate change — unless everyone participates, progress stalls. The weakest link becomes the entry point. Many smaller organizations lack dedicated cybersecurity staff. Yet the risks they face are existential.

Our mission is to build enterprise-scale platforms that are operationally manageable even for resource-constrained organizations. If we lift all boats, the ecosystem strengthens.

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!