CIO CIO

Digital India Foundation, a policy think tank working in the areas of technology policy, digital inclusion, ethics of AI, supply-chain security, and governance of critical and emerging technologies. Dr. Arvind Gupta, Head and Co-founder, Digital India Foundation (DIF) talks in detail on security roadmap, impact of AI, best practices for CISOs and future outlook for technology. Q. What are the key factors for Indian companies to prioritise their security roadmap and related investments? Dr. Arvind: Indian companies must prioritize regulatory compliance under the DPDP, 2023, using encryption and audits to meet data protection laws and align with RBI, SEBI, and GDPR. AI disruption requires securing AI systems while leveraging them for threat detection amid regulatory shifts. Supply chain shocks from geopolitical factors, worsened by USA tariff wars (e.g., 25% on Mexico/Canada, 20% on China), escalate costs and disruptions, necessitating vendor assessments and localized threat monitoring to counter trade conflicts and regional tensions. source

To drive democratization, we follow ECTERS, which is educate, coach, train the trainer, empower, reinforce, and support, which helps nurture and embed internal AI talent. For ChatGPT Enterprise, for example, we use town halls to educate employees about AI use cases, coached through the establishment of an early adopter AI Champions group, and provide power users with advanced training. For empowerment, we’ve introduced prompt engineering guides and access to an AI knowledge hub, and we reinforce training through AI forums about high-value use cases. We also provide support through dedicated AI phone-a-friend peer communities and office hours. What is the role of the CIO in our age of AI? A key part is to educate. We’re creating a new environment that empowers the business to leverage data better. These business discussions are much better if everyone understands how AI works, what’s possible, and how to apply a functional domain lens to a problem set in order to create solutions they never thought were possible, and in a relatively short period of time. Another part of the role is to drive momentum. Your new job is to create, support, and nurture that innovation wheel so as new AI tools come onto the market, you can rotate the wheel and keep the momentum going. With AI, we can now deliver the wow factor, which increases momentum and shows the power of the wheel to the entire enterprise. In IT, we’re no longer ticket-takers; we’re momentum creators. A third key aspect is being facilitators of the future. By democratizing AI innovation, IT can now share its responsibility to anticipate future customer behavior with the entire organization by bringing new tools and information to the business user, and then training them to leverage that power. This takes a different way of thinking than a traditional CIO role. source

As artificial intelligence (AI) services, particularly generative AI (genAI), become increasingly integral to modern enterprises, establishing a robust financial operations (FinOps) strategy is essential. AI services require high resources like CPU/GPU and memory and hence cloud providers like Amazon AWS, Microsoft Azure and Google Cloud provide many AI services including features for genAI. When using these services, it is imperative that we keep an eye on the consumption as cost overhead in using AI services can be costly for an organization. The advent of AI services, particularly genAI, has revolutionized various industries, enhancing capabilities and driving innovation. However, the financial complexities posed by these advanced technologies necessitate a robust FinOps strategy to ensure cost efficiency and sustainability. Establishing a governance model and cost management strategy for AI services plays a vital role in the AI strategy. FinOps provides the structure to achieve cost transparency, cost management and cost optimization, ensuring that AI services are not only effective but also economically sustainable. This article delves into developing FinOps solutions tailored for AI services, highlighting the unique considerations and strategic approaches necessary. source

8. Ensure resource continuity One of the most common issues with IT supplier relationships and other partnerships is a lack of resource continuity, particularly when key individuals involved change. After all, with IT’s high turnover rate, personnel changes are inevitable in any supplier partnership. Provisions that ensure resource continuity, particularly regarding key personnel, will keep work flowing smoothly. “People will inevitably change over the course of your relationship with a supplier,” says George Nellist, director and CIO at Ascend Agency. “But if you have the right framework in place, these changes don’t have to disrupt your processes and outcomes, particularly when both sides are involved in coordinating the change. The right onboarding for new personnel and ensuring the partnership continues to get the same level of priority will keep everyone aligned and focused so your output doesn’t take a step back.” 9. Incorporate an onboarding plan As an extension of ensuring resource continuity, businesses must also account for relationships with IT suppliers as part of their onboarding process with new hires. All team members and stakeholders involved with the supplier relationship should be onboarded to the partnership, with materials and guidance adapted to their roles. A consistent yet adaptable approach to onboarding that highlights the vision, guiding principles, required skills, desired outcomes, and mindset associated with the partnership will keep things running smoothly, even as new hires are onboarded. Better relationship management, better IT outcomes CIOs who improve their ability to manage relationships with IT suppliers can drastically improve outcomes for their business. With stronger relationship management, you can ensure full alignment between your organization and its IT suppliers, enhance productivity, and drive meaningful progress toward your IT goals. A framework that strengthens the relationship between both parties will create the necessary win-wins for lasting relationship success. source

00:00 Hi everybody, welcome to DEMO, the show where companies come in and showcase their latest products and services. Today, I’m joined by Simon Wijckmans. He is the CEO and founder of c/side. Welcome to the show, Simon. 00:10Thanks for having me. 00:11You’re coming all the way from the U.K., so I appreciate you making the trip. Tell us a little bit about c/side and what you’re going to be showing us today. 00:18So c/side stands for “client side”—we basically do client-side security. It’s a logical step, since we’ve worked to protect our infrastructure, buying firewalls and all that kind of stuff. Now, we also protect open source dependencies on registries like Node Package Manager. There are all kinds of attacks looking for less monitored places to execute—and of course, the browser is one of those. So that’s what we do. 00:40When we ask who this is designed for, I’m pretty sure you just said “attacks” and “security.” So this is aimed at security professionals within companies, correct? 00:49Yeah, mostly. I’d say companies in the e-commerce space or those that generate significant revenue through their websites—whether by accepting credit card information or running ads. In line with that, PCI DSS now requires client-side security, since the majority of credit card theft these days happens via client-side attacks. 01:06What problem are you solving here? Why should companies care about this issue? When we talked before the show, you mentioned things I wasn’t even aware of—especially regarding third-party scripts. 01:17Correct. The thing is, we don’t actually know what’s happening in a user’s browser. When you build a website, you add all kinds of dependencies, many of which make fetch requests when loaded in the browser—and you don’t see any of that happening. So when we talk about client-side attacks, it could be anything: crypto mining, stealing credit card information or login credentials, capturing sensitive information from input forms—you name it. Anything you can do in a browser for legitimate reasons, you can also do for illegitimate reasons. 01:46So what would companies be doing if they didn’t have c/side? Would they only find out about an attack after the fact, once they’re already in trouble? Or is there another way to monitor for this? 02:01There are a couple of open-source options to help limit risk—like using Content Security Policies or being very selective about the client-side fetches you allow. But even then, there’s often a significant gap. What we see is that, when a client-side security incident occurs, it can take days, weeks, even months before it’s discovered. For example, in the case of credit card theft, session tokens might be stolen, bucketed, and resold on the dark web—making it very hard to trace the origin. Many companies don’t even know they’ve suffered a client-side attack. The Polyfill incident last June was a great example—a script on over 500,000 websites was potentially doing things we still don’t fully understand. 02:46Wow. That’s intense. All right, show me the cool demo you’ve got. 02:51Sure. We built a website for a fictitious company called Beverage Ltd. It’s a drinks company, and like most websites, it asks for your email to sign up for a newsletter. You can also buy products on it. If you go to the cart, you can enter your credit card info. We’ve added some analytics tools—if you inspect the site’s <head> tag, you’ll see it’s built on Webflow. We’ve also added PostHog, Google Analytics, ServerCell Analytics, Clicky, PartnerStack, and Intercom—the common support chat widget. Now, even if I don’t submit a form, anything I type is being keylogged. I’ll refresh the page and show you. Here are things I typed yesterday—”help, help, help.” A script on this site is actively stealing that information and sending it elsewhere. In fact, there’s even a crypto miner running on this website—it’s mining crypto in users’ browsers. Definitely a site with major client-side issues.Now I’m going to implement c/side. There are multiple ways to do this depending on the framework. This site is built on Webflow, but if you’re using React, Next.js, or another modern framework, we recommend our NPM package—it provides the highest level of security. I’ll paste the c/side script into the Webflow settings and publish. After a few seconds, the site will update. Now, if we reload the page—you’ll see the scripts are rerouted through c/side. For example, domains now go through proxy.cipher.dev, one of our testing URLs. These scripts now flow through us, so we can inspect and block malicious activity. You’ll notice my laptop fan has stopped spinning—it’s no longer crypto mining, because that’s now blocked. Let’s go into the c/side dashboard. Here, you can see your site, the scripts that were blocked, and those flagged for review. The browser is a bit of a wild west—people do things with JavaScript that aren’t necessarily malicious, but are unconventional. So we have three paths: block the script, flag it for review, or allow it if we know it’s safe.Now let me show you a blocked script—the crypto miner. This one’s heavily obfuscated to avoid detection. It uses eval, spikes CPU usage, and was flagged by our AI classifier. We parse the code and run it through an LLM to determine intent. As you can see, this script was blocked by c/side, triggered by our obfuscation and script rules. Here are other scripts running on the site—like analytics tools—that didn’t raise concerns. But during onboarding, customers are often surprised by how many scripts are running. That’s because a client-side script often loads more scripts, which load even more—creating a noisy and complex environment. As I mentioned, PCI DSS version 4 now requires monitoring of credit card payment pages for client-side scripts. We built a compliance portal to support that. PCI DSS asks you to justify why each script is on the page. Here’s a list of all scripts on the payment page—like Intercom, JSDelivr—and you can provide justifications. For PostHog, for example, I can write one manually or click “Get AI Review Suggestion.”

Imagine one of your Agile teams is six months deep into a strategic digital initiative when they realize the solution isn’t working. Maybe it isn’t meeting customer requirements, or there is insufficient visibility into the project to specify where things are going off track. That’s not an uncommon scenario, according to The Agile Advantage study, in which 42% of Agile practitioners cited “unclear project requirements or scope changes” as top reasons for rework. A lack of visibility and clarity can cause teams to fall back to Waterfall approaches rather than engaging in the Agile methods your organization has in place.  Not only that, but a lack of visibility into successful practices of other teams makes it difficult to replicate those practices across your Agile groups. Lucid Software’s new Agile Accelerator is designed to help organizations scale Agile practices by sharing standardized, yet flexible ways of working. It surfaces qualitative insights about team confidence and health, and helps teams to respond to change with agility by performing data-driven scenario planning. Product, engineering, and portfolio manager leaders can use the Agile Accelerator to speed up and scale Agile practices, product road-mapping, and big-room planning. Why acceleration and agility go hand-in-hand The business depends on innovation for competitive advantage. That puts pressure on development operations (devops) and engineering teams to speed up processes like writing code, development, and deployment. However, accelerating innovation isn’t just about increased productivity and faster processes. For example, if your teams are more aligned and can foresee roadblocks, dependencies, and issues earlier, then they can make strategic decisions and take swift action. Make Agile teams even more agile Lucid Software helps organizations better scale Agile practices to improve team performance, as well as increase visibility for teams and leaders with the Agile Accelerator. Its capabilities include: Scalability for best practices and resources: Many organizations struggle to ensure that all teams have access to a set of the latest and most successful processes and templates, especially as they grow to 50, 100, 200, or more teams. Having that many groups also makes it difficult for Scrum Masters or Agile coaches to gain visibility into progress and help influence collaboration. With the Agile Accelerator, team leaders can automatically create team hubs and blueprints—which are a set of templates—to quickly share proven ways of working. Blueprints speed up work by providing teams with a starting point to conduct their sprint, big-room planning, or new product discovery. They also have the ability to customize templates as they see fit, making it easier to follow processes without feeling restricted to doing things a certain way. Collect and surface qualitative insights: Agile leaders often have quantitative datapoints to meet, such as a percentage rate for project completion. Yet, what is the team’s confidence level that they’ll actually get there—and on time? When team leaders deploy a blueprint with the Agile Accelerator, they can include confidence determinants, sentiment check-ins, as well as potential project risks and blockers. These datapoints are then integrated into an insights dashboard, allowing leaders and their teams to review and drill into the most critical information to answer questions and deepen collaboration. Make better decisions with scenario planning: Agile leaders need to quickly make data-driven decisions on staffing and scope adjustments while ensuring accurate planning and avoiding potential errors. With the Agile Accelerator, team leaders can test data-backed scenarios safely and visualize impact before making permanent changes. For example, by pausing the data sync between Lucid and Jira or ADO, they can work through a scenario without changing data in their system of record. They can also see how changes in scope and assignments affect the scenario by adding a team’s capacity to a dynamic table. Take the next step to true agility By enhancing visibility, surfacing critical insights, and enabling data-driven decision-making, the Agile Accelerator empowers teams to scale Agile practices effectively—ensuring alignment, adaptability, and transparency. Take the fast track to transformation. Learn more about the Lucid Software Agile Accelerator here. source

As AI continues to evolve and mature, organizations are beginning to deploy AI agents, which behave very differently from other forms of AI. Unlike generative or traditional AI, which act in response to a human prompt or request, AI agents independently perform complex tasks that require multi-step strategies. To accomplish their goals, agents must collect data from myriad sources and interact with internal and external systems. Machine identities far outnumber humans in enterprise networks, and machine identity management becomes very complex, very quickly. Unfortunately, many of the permissions given to AI agents are far too broad. If agents are compromised, attackers can use them to move laterally across the network, escalate their privileges to steal data, deploy malware and hijack critical internal systems. When employees find they can’t do their jobs because they don’t have broad enough permissions, they complain, and it gets fixed. Machines, on the other hand, don’t complain. They just break, which creates issues that IT must investigate. Every IT department is overtaxed, so administrators are likely to err on the side of giving the AI agent overly broad privileges. This may make managing AI agents easier in the short term, but it increases the long-term security risk. Let’s say IT has deployed an AI agent that acts as a chatbot to help sales representatives find information quickly about prospects and customers. This agent will need access to CRM data, but an admin might mistakenly give it broad read-write access to many enterprise databases. “With these privileges, if bad actors compromise the agent, they could delete records, drop entire databases, take over applications and execute a serious data breach,” says Phil Calvin, chief product officer at Delinea. The ease of spinning AI agents creates other issues: primarily, shadow AI and agent sprawl. It has become possible, even simple, for non-technical employees to download an agent from open-source sites, spin it up, and connect to data sources — all without any input or awareness from IT. To properly manage AI agent identities, IT needs to continuously discover all agents in the environment, a process that should be automated and continuous, so IT can become aware of new agents as they appear. Next, IT needs a unified view of all machine identities and their permissions for efficient management. Agent permissions should default to read-only. Those agents that need the ability to create, update or delete data should each be handled individually and with great care. Next, adhere to the principle of least privilege. If an agent is deployed to provide employees with easier access to information in the knowledge bases, then there’s no reason it should have read access to customer information in the CRM. Restrict access only to the data sources the agent needs to accomplish its tasks. Delinea has built a cloud-native identity security platform that runs on a global scale to continuously discover, provision, and govern all machine and human identities, including AI agents. IT gains a coherent, comprehensive view of all identities — even those not under IT’s direct control —via a single pane of glass. “As an industry, we tend overcomplicate identity management for our customers,” Calvin said. “At its most basic, an AI agent is just an account, and you need to understand the account sprawl and permissions. We give the customer an easy-to-comprehend view into all of that, which exponentially simplifies management.” Learn more about how Delinea can help your organization gain control over and reduce the risk posed by AI agents. source

Sovereign AI refers to a national or regional effort to develop and control artificial intelligence (AI) systems, independent of the large non-EU foreign private tech platforms that currently dominate the field. It represents a strategic push by countries or regions to ensure they retain control over their AI capabilities, align them with national values, and mitigate dependence on foreign organizations. There are two main considerations associated with the fundamentals of sovereign AI: 1) Control of the algorithms and the data on the basis of which the AI is trained and developed; and 2) the sovereignty of the infrastructure on which the AI resides and operates. Core principles of sovereign AI Strategic autonomy and security Countries, whether individually or collectively, want to develop AI systems that are not controlled by foreign entities, especially for critical infrastructure, national security, and economic stability. This is essential for strategic autonomy or reliance on potentially biased or insecure AI models developed elsewhere​​. Cultural relevance and inclusivity Governments aim to develop AI systems that reflect local cultural norms, languages, and ethical frameworks. This ensures AI decisions align with local social values, reducing the risk of bias, discrimination, or misinterpretation of data​​. Data sovereignty and privacy With data being a key driver of AI development, countries prioritize keeping their data within their borders. This ensures data privacy, security, and compliance with national laws, particularly concerning sensitive information​​. It is also a way to protect from extra-jurisdictional application of foreign laws. Economic growth and innovation Sovereign AI offers the opportunity to boost domestic AI innovation, improve competitiveness, and protect intellectual property from foreign control. This allows countries to maintain leadership in emerging technologies and create economic opportunities​. Ethics and governance Governments are concerned about the ethical implications of AI, particularly in areas such as privacy, human rights, economic dislocation, and fairness. Ensuring that AI systems are transparent, accountable, and aligned with national laws is a key priority​​. Core EU regulations beyond GDPR impacting sovereign AI Broadcom EU AI Act (Artificial Intelligence Act) The EU AI Act, which is slated for full enforcement in 2025, is one of the first comprehensive regulatory frameworks for AI at the global level. It is a risk-based regulatory framework that aims to ensure that AI is used safely, ethically, and in a way that respects fundamental rights. The AI Act establishes a classification system for AI systems based on their risk level, ranging from low-risk applications to high-risk AI systems used in critical areas such as healthcare, transportation, and law enforcement​​. The EU AI Act will shape how AI algorithmic systems are built and used within national borders, particularly countries that plan to deploy high-risk AI systems like facial recognition or AI in healthcare. Compliance with the AI Act ensures that AI systems adhere to safety, transparency, accountability, and fairness principles.  High-risk AI systems must undergo rigorous testing and certification before deployment. Transparency requirements mandate that users understand how AI models make decisions. Accountability means clear chains of responsibility in the event of harms caused by AI systems​​. ​​EU Data Act ​​The EU Data Act, which went into effect in 2023, plays a key role in shaping the framework for Sovereign AI by improving data accessibility and governance across Europe. The Data Act aims to create new markets by making available device data not just to manufacturers but also users and third parties, it regulates among other things fair contract terms for data sharing and specific requirements to enable switching between cloud providers. The Data Act framework creates new possibilities to access data that could be used for AI training and development. It also regulates the terms under which organisations can avoid lock-in with a particular cloud provider, which is a key consideration when developing AI capabilities .  By focusing on data sharing and access, the Data Act helps organizations and governments unlock the potential of data-driven innovations, including AI. This is crucial for reducing risks related to AI training and enhancing the ability to develop competitive AI solutions by facilitating AI training through the availability of relevant data for a particular jurisdiction’s AI systems. Cybersecurity Act (NIS2 Directive) The NIS2 Directive focuses on improving the overall cybersecurity resilience of the EU by setting common cybersecurity standards across member states. The act applies to critical infrastructure sectors, including energy, transport, and digital services, and mandates that entities adopt stronger cybersecurity measures and report major incidents to authorities. Whilst nations develop Sovereign AI systems, the NIS2 Directive will enforce robust cybersecurity standards for AI technologies, particularly those deployed in critical infrastructure. Ensuring that AI systems are protected against cyber threats is crucial, especially for those involved in national security, health, or transportation​​. ​​Digital Operational Resilience Act (DORA) DORA significantly impacts Sovereign AI by establishing robust requirements for operational resilience, cybersecurity, and risk management within digital infrastructures of the financial industry and across their supply chain. As Sovereign AI systems increasingly become integral to critical sectors like finance, DORA ensures that these systems are resilient to cyber threats and operational disruptions and places a number of requirements on the downstream supply chain of the financial industry, ranging from operational resilience (including testing thereof), to transparency, performance monitoring and detailed contractual terms.  By enforcing standardized risk management protocols and incident reporting requirements, DORA effectively complements the EU AI Act by safeguarding the stability and security of critical AI-driven services delivered to a broad definition of the financial industry and across different service providers. Core challenges for sovereign AI Resource constraints Developing and maintaining sovereign AI systems requires significant investments in infrastructure, including hardware (e.g., high-performance computing GPU), data centers, and energy. Many countries face challenges in acquiring or developing the necessary resources, particularly hardware and energy to support AI capabilities​​. Talent shortages AI development requires specialized knowledge in machine learning, data science, and engineering. Countries must invest in education and workforce development to ensure they have the skills needed to compete in the global AI race​. Global interdependence and cooperation AI development relies on global

Many procurement teams are struggling to optimize spend while effectively managing supplier relationships, mitigating supply chain disruptions, and maintaining compliance. Traditional procurement processes – often manual and siloed – can’t keep up. To increase competitiveness, organizations are turning to AI-driven solutions that transform the procurement function with automation and intelligence. By implementing AI technologies purpose-built for procurement, CIOs can help their organizations overcome procurement challenges while enhancing the function end to end. Key challenges for procurement teams Many procurement teams struggle with poor data quality and inadequate analytics capabilities, making data-driven decision-making impossible. “Procurement is limited by siloed systems and isolated processes,” says Alex Zhong, global product marketing leader at GEP. “They don’t have global visibility into their operations, and the data they do have isn’t real-time; it reflects what’s happened in the past.” A lack of visibility into spend and approval processes can lead to maverick spending, making it harder for procurement teams to enforce compliance and control costs. At the same time, workflows are often inefficient, complicated, and confusing, causing delays and frustration. Without modern tools, procurement also struggles to manage supplier relationships. Optimizing with AI-powered procurement By investing in AI-powered solutions designed to deliver the visibility and intelligence today’s procurement teams require, organizations can overcome these challenges, achieving quantifiable cost savings while mitigating risks and improving quality. “Procurement isn’t just about finding the lowest price,” Zhong explains. “It often involves complex, specialized purchases — like sourcing varying grades of steel from around the world. Navigating that requires intelligent decision-making around timing, quantity, and supplier selection.” Leading solutions deliver on that front, enabling organizations to achieve total procurement orchestration while shattering data silos, streamlining workflows, and providing full-spectrum visibility into processes. By leveraging AI tools specific to procurement, teams can make rapid, data-driven decisions in real time, working efficiently with suppliers and internal teams to unlock the full potential of the procurement function. “It’s important to see that procurement is part of the supply chain,” Zhong says. “To unlock its full potential, procurement must be tightly aligned with both suppliers and downstream partners.” Procurement orchestration starts with a well-designed, user-friendly platform that streamlines intake. Automation tools help teams reduce manual efforts and rapidly surface data-driven insights to improve decision-making and bake in efficiency across the procurement lifecycle. With a centralized space for collaboration, procurement can also work effectively with both internal and external partners. “The problem in the past is that everyone worked in silos due to the lack of collaborative tools and visibility,” Zhong says. “With new AI capabilities — and new technologies like low-code — these platforms make collaboration a lot easier and faster.” The impact of total procurement orchestration can be transformative. One GEP customer reduced lead time on order-to-ship-to-receipt velocity by 20%, accelerated issue resolution time by 40%, and increased order management and warehousing productivity by 30%. “This isn’t incremental change — it’s a paradigm shift and a complete revolution,” Zhong concludes. “Procurement leaders must shift their mindset to match the moment, or risk being left behind.” Read GEP’s 2025 Outlook Report now. source

These education platforms essentially serve as testing grounds for more responsible AI implementation models that could transfer to enterprise settings. The Socratic questioning in Anthropic’s Learning Mode and OpenAI’s focus on deeper engagement suggest a fundamental shift in AI design philosophy, from tools that provide answers to tools that enhance human capabilities. “To counter cognitive atrophy, organizations must design for active engagement: Teams should be encouraged to interrogate AI outputs, not just accept them. Think ‘copilot,’ not ‘autopilot,’“ Sengar said. He suggested that businesses adopt techniques inspired by AI-driven education models. These include Socratic prompting that encourages critical thinking, progressive disclosure of information rather than immediate answers, and requiring decision rationales to ensure human judgment remains sharp. Each of these approaches mirrors what’s being pioneered in educational settings but with adaptation for workplace contexts where preserving institutional knowledge is particularly crucial. source