In an era where digital transformation is accelerating at an unprecedented pace, organizations are confronting a new reality: cybersecurity is no longer a technical function operating in the background but a foundational driver of enterprise resilience. India’s manufacturing giants, with their vast OT estates and expanding digital footprints, face elevated risk as cyberattacks grow both in scale and sophistication. At the Godrej Enterprises Group (GEG), this shift has triggered a company-wide rethinking of how security must be woven into every layer of operations, from factory floors to cloud applications to AI deployments. This mindset shift—from compliance to strategy—is shaping how the 128-year-old conglomerate is preparing for the next decade of digital change.
“At the Godrej Enterprises Group, cybersecurity is no longer seen as a regulatory requirement,” says Ambarish Kumar Singh, Chief Information Security Officer (CISO). “It is a strategic necessity that underpins business continuity, operational resilience, and responsible digital transformation.”
From Checklist to Core Strategy
The past decade has seen cyber risks intensify dramatically. For the GEG, this has meant moving from periodic compliance exercises to embedding security into people, processes, and technologies across the organization. Awareness programs now emphasize the business impact of cybersecurity risks. Vulnerability management, third-party risk assessments, OT security measures, and data protection frameworks are being strengthened as part of a broader push toward Zero Trust Network Access (ZTNA).
The shift is not only operational but cultural. Security has become an integral part of how innovation is designed and deployed. Singh explains that the GEG is exploring AI-driven threat detection tools to stay ahead of adversaries and build future-ready cyber resilience.
Integrating Cybersecurity into Every Business Decision
The elevation of cybersecurity to a board-level priority has ensured that security considerations now accompany every major investment and transformation program. Singh emphasizes this integration, noting, “Digital transformation and cybersecurity are two sides of the same coin. We ensure security is part of the journey from ideation to deployment.”
The GEG has institutionalized a culture of continuous cyber awareness. Each year, the company conducts extensive in-person training across manufacturing locations, supports employees with regular cybersecurity and privacy communication, hosts expert-led discussions on emerging threats, delivers mandatory simulation-based e-learning programs, and carries out periodic phishing simulations to reinforce user vigilance. Gamified training is used to drive lasting behavioral change, making security more relatable in day-to-day operations.
The company is also experimenting with AI-powered cyber defense agents that continuously evolve with the threat landscape. This dual approach—using AI for cybersecurity while ensuring cybersecurity for AI—reflects the GEG’s philosophy of responsible innovation.
Unifying IT and OT Security with Global Frameworks
The GEG’s extensive industrial footprint—spanning 30 factories, 14 business units, and 48 lines of business—adds complexity to its cyber defense strategy. OT environments often operate on older systems, require specialized OEM access, and involve costly upgrades. As IT–OT convergence increases in smart factory setups, these environments become more vulnerable to cyberattacks.
To harmonize security across these worlds, the group follows the Purdue Enterprise Reference Architecture (PERA) for OT systems, adopts NIST 2.0 to build resilience across IT, and maintains ISO 27001:2022 certification for its data center. Singh notes that the company reinforces these frameworks with continuous awareness, governance mechanisms, and process controls so that business teams understand cyber risks while planning investments or operational changes.
At the technological level, adaptive defenses—particularly AI-driven detection systems—are being deployed to improve response times and anticipate emerging threats. As Singh puts it, “These layers ensure cybersecurity is considered at the point of investment, design, and deployment.”
Advancing the Zero Trust Journey Across the Enterprise
The GEG’s Zero Trust approach spans networks, identities, applications, and external partners. The company applies ZTNA to minimize implicit trust and implements strict segmentation between IT, OT, and partner zones. Identity governance is reinforced through strong controls, role-based access, and frequent reviews to ensure privileges remain tightly aligned to user responsibilities.
Third-party risk management has become especially critical. Singh highlights that every significant vendor or partner undergoes structured assessments, along with mandatory vulnerability assessments and penetration testing, before integration into GEG’s systems. This ensures that the supply chain does not become an inadvertent source of risk.
Aligning DPDP Compliance with Global Privacy Standards
With businesses spanning B2B and B2C models, GEG treats privacy as a strategic enabler of trust rather than a compliance checkbox. As India prepares for the implementation of the Digital Personal Data Protection Act (DPDP), GEG has already engaged privacy partners, initiated assessments across all its businesses, and built a roadmap for gap identification and readiness.
Singh explains, “Compliance should strengthen innovation—not restrict it.” The company is continuously monitoring regulatory developments and participating in industry forums to stay ahead of evolving requirements. By aligning DPDP mandates with global standards such as GDPR, GEG is ensuring that privacy by design and security by design remain core business principles.
Balancing AI Innovation with Security Governance
The rapid adoption of AI across marketing, customer experience, sales, and brand communication has brought new opportunities—but also new risks. Singh highlights the need for a balanced approach as organizations embrace generative AI, copilots, and autonomous agents.
The GEG conducts extensive awareness sessions before onboarding any AI platform, detailing the risks, dos, and don’ts for employees. The company has instituted strong data and IP protection measures, and all new technologies must pass through the Tech Architecture Governance Board (TAGB) before implementation. Additionally, functions handling confidential or restricted data operate under multi-layered controls that govern process workflows, access rights, system architecture, and security mechanisms.
This careful, structured approach allows GEG to benefit from AI-driven insights while maintaining rigorous safeguards.
Security as a Catalyst for Responsible Growth
Godrej Enterprises Group’s cybersecurity model reflects the new reality facing modern enterprises: security is no longer a cost center—it is a strategic differentiator. By embedding security into every business decision, harmonizing global frameworks across IT and OT, strengthening identity and third-party controls, and aligning privacy with global standards, GEG has created a mature, future-ready cybersecurity posture.
Singh summarizes this vision succinctly: “Our goal is to create a cyber-resilient enterprise that secures our ecosystem of partners, customers, and stakeholders while accelerating innovation.”