In an era where cyberattacks are faster, more targeted, and increasingly AI-driven, the difference between business survival and collapse lies in one crucial capability: recovery. CIO&Leader spoke with Balaji Rao, Area Vice President, India & SAARC, Commvault, about how enterprises must redefine cyber resilience for today’s threat landscape. From the launch of Arlie—Commvault’s AI-powered assistant that automates recovery and threat detection—to strategies like “the ‘Minimum Viable Company'” approach for continuity, Rao emphasizes that recovery readiness is no longer an IT function but a boardroom priority. He explains why Indian CIOs must embed resilience into growth strategies to thrive in 2025 and beyond.
Area Vice President, India & SAARC
Commvault
CIO&Leader: How are you leveraging generative AI (e.g., Arlie AI) to bring end-to-end automation in recovery, threat detection, or decision-making for infrastructure teams?
Balaji Rao: Commvault’s Arlie, in short for “Autonomous Resilience,” is our round-the-clock AI assistant, designed to deliver actionable insights, helping enterprises save time, swiftly resolve threats, tackle complexities, and enhance cyber resiliency.
Arlie is designed to automate IT operations and is natively embedded in our platform, Commvault Cloud. It’s available where teams already work – through the $20 billion conglomerate, with interests in automobiles, farm equipment, finance, IT, hospitality, energy, and logistics, has institutionalized AI through a dedicated entity, Mahindra.ai. The aim is to make AI a strategic lever across every business, from the shop floor to the boardroom, while ensuring governance, ethics, and responsibility remain at the core.
Building, Not Buying AI
At the heart of this strategy is the belief that AI must be built, not merely bought. Lodha emphasized that the actual value lies in combining AI with enterprise data, rather than public datasets available to everyone. To achieve this, Mahindra has focused on building reusable AI assets, nurturing future-ready talent, reducing adoption barriers across various functions, and centralizing governance to ensure that AI is always deployed in an ethical, secure, and responsible manner.
Reinventing Manufacturing
Lodha showcased how AI is already creating a measurable impact within Mahindra’s automotive arm. Manufacturing has been redefined by four pillars: Energy.AI for reducing energy per vehicle, Agility.AI for dynamically adapting to supply and demand shocks, Uptime.AI for proactive maintenance, and Quality.AI for computer vision–based quality checks.
At the Chakan plant, AI now optimizes production in real-time when supply shortages occur, while automated vision systems have replaced manual paint inspections, improving accuracy and freeing up resources. Engine testing has been reduced from 100 percent to less than 10 percent, resulting in zero field failures and significant cost and carbon savings. Even shop-floor engineers now rely on an AI copilot trained on manuals and troubleshooting logs, which reduces downtime and improves productivity.
Transforming Customer Experiences
Customer-facing processes are also being reshaped. Mahindra’s WhatsApp-based AI bots for the XUV700 guide buyers through features, test drives, and dealer visits, something a call center agent would struggle to deliver seamlessly. Generative AI is being used to create personalized engagement, such as customer selfies transformed into branded vehicle images. At the same time, sales consultants now rely on automatic conversation summaries that help them recall customer interactions instantly.
Vehicle manuals have been reimagined as conversational “vehicle GPTs” embedded in apps, allowing service technicians to use AI copilots for step-by-step repair guidance in their preferred language. Even vehicle inspections have gone digital, with AI-powered cameras detecting dents and scratches more accurately, improving trust and unlocking new revenue opportunities for dealers.
Beyond Automobiles
The AI story extends beyond cars. Mahindra Finance has integrated AI-powered bots into its app to cater to rural customers across multiple Indian languages, with over 100,000 users already engaged. At Mahindra Holidays resorts, AI-enabled facial recognition technology enables seamless pre-check-ins, allowing guests to bypass paperwork and proceed directly to their rooms.
Empowering Employees With GenAI
Internally, Mahindra has democratized AI for employees through a secure “model garden” sandbox, which provides access to models such as Gemini, GPT, and LLaMA. This ensures everyone, from factory operators to CXOs, can leverage GenAI safely with enterprise data while staying compliant with security norms.
Governance at the Core
Governance remains a critical focus. Mahindra defines its AI principles around being ethical, responsible, and secure. This translates into clear boundaries; for instance, humans always handle roadside assistance calls, while bots handle routine dealership queries. Lodha underscored that responsible deployment is as important as innovation itself.
Lessons from the Journey
Reflecting on Mahindra’s AI journey, Lodha highlighted five lessons. AI is a build-first journey, not a plug-and-play purchase. It is expensive, requiring investments in talent, compute, and integration, making prioritization critical. It is inherently crossfunctional, demanding collaboration between IT, business, and risk leaders. It cannot be treated as just another project, but must be embedded into the company’s strategic fabric. And above all, it must show ROI, whether in customer experience, topline growth, or operational efficiency.
The Road Ahead
For Mahindra, AI is not a buzzword. It is a future-defining capability already delivering tangible results. As Lodha summed up: the actual unlock of AI will come not from public data, but from harnessing enterprise data to serve customers better and transform processes from within.
csole, chatbot, or API workflows. It scales across cloud, on-prem, hybrid, and air-gapped environments without disrupting existing architecture, which means real-time insights, more intelligent workflows, and fewer errors.
Some of the key capabilities that Arlie delivers are:
- Real-time operational insights-Arlie provides real-time visibility into operational failures, highlighting what matters most to enterprises. Instead of sorting through numerous filters and reports, users receive the most pressing and actionable information directly, enabling faster decision-making and responses.
- “No-code” integration and automation: Arlie offers a “no-code” experience for building integrations or coding actions. Users describe the task they want to perform, and Arlie generates the required code instantly using Commvault APIs, eliminating the need for deep technical expertise.
- Context-sensitive, guided walkthroughs: Setting up and customizing Commvault Cloud is made easier with Arlie’s context-aware, guided product walkthroughs. Users can ask “how to” questions and receive step-by-step documentation, including annotated screenshots tailored to their environment and task.
- Advanced troubleshooting and optimization: Arlie helps identify operational issues and offers real-time fixes along with optimization recommendations. With easy-to-understand resolution summaries and actionable steps, enterprises can resolve problems quickly while strengthening their cyber resilience.
AI in IT needs to be scalable, accurate, adaptive, and designed to be secure – ready to perform under pressure and evolve with increasing complexity. That’s precisely what Commvault delivers.
CIO&Leader: Ransomware has moved from an IT concern to the boardroom agenda. What are CIOs still underestimating about recovery and continuity planning?
Balaji Rao: Recovery is often the most underestimated yet crucial component of a cyber resilience strategy. Traditional backup solutions no longer address today’s threat landscape as attackers now compromise data, applications, and configurations, leaving organizations with corrupted restore points.
Despite comprehensive planning, organizations continue to struggle with the operational complexity of recovery processes. This “preparedness gap” exists largely because recovery planning is typically technology-led rather than business-driven.
What CIOs and CISOs need is to focus on what keeps the business running even when everything else is down. This includes identifying the minimum viable company – a modern approach to disaster recovery that prioritizes, in advance, the essential systems, applications, processes, and environments needed to resume business operations quickly. Along with MVC, regularly running recovery drills and having the ability to rebuild critical systems in a clean, isolated environment are also crucial.
For digital-native organizations and startups, even a few hours of disruption is unacceptable. With customer confidence, revenue streams, and brand reputation directly dependent on always-on digital services, the ability to recover quickly and keep core services operational has become as critical as protection itself.
Commvault helps enable this through advanced capabilities, such as Cleanroom Recovery, Cloud Rewind, and immutable storage, allowing organizations to recover quickly and confidently across hybrid and multi-cloud environments. These technologies transform recoveries by, in part, helping not only to recover the data rapidly but also to recover the cloud applications that power that data. All of this helps digital-native companies stay resilient.
CIO&Leader: Despite massive investments in backup and DR, many CIOs find their actual recovery readiness is poor. Where is the disconnect – in architecture, culture, or testing?
Balaji Rao: Many organizations only discover gaps in their recovery strategy when faced with a real incident. There’s often an assumption that simply having backups and disaster recovery tools in place is enough for business continuity. In reality, that’s not the case. Recovering from a natural disaster is very different than recovering from a cyber incident where data is infected.
Following a cyberattack, instead of asking, Do we have a backup,’ the question that should be asked is ‘How quickly can we cleanly recover?’. Without clean, isolated recovery environments and validated restore points, traditional backups can’t be fully trusted in the aftermath of an attack.
Just as critical is the culture around recovery. Often, recovery planning is viewed as a tabletop exercise focused on IT rather than a business priority. Conducting regular recovery drills and real-world simulations that bring together crossfunctional IT and security teams helps ensure that processes and decision-making remain robust when it matters most.
Developing a cyber-resilient mindset is critical to successful recoveries in this AI and cyber era. Built on the Minimum Viable Company (MVC) model, this mindset emphasizes the ability to maintain essential operations, protect brand reputation, and sustain strategic direction, even in the event of a cyberattack.
Equally important is having the right tools at hand during recovery. For instance, Commvault’s Cloud Rewind allows organizations to dynamically rebuild cloud environments from clean copies of data and application images within minutes, rather than relying on a pre-created landing zone. This not only accelerates recovery but also ensures the restored environments are up-to-date and free from configuration drift, enhancing both agility and confidence in recovery outcomes.
Ultimately, the ability to continue functioning, even in a limited capacity during an attack, can be the decisive factor between business survival and failure.
CIO & Leader: Shadow IT and cloud sprawl continue to pose a challenge. What’s your take on the most overlooked risks in decentralized IT ecosystems?
Balaji Rao: The shift to cloud and SaaS has created highly decentralized IT ecosystems where data and workloads are spread across multiple platforms. In these environments, one of the most overlooked risks is the lack of visibility. When teams adopt services outside central IT governance, critical data often resides in silos with inconsistent security, backup, and compliance controls.
Another risk is assuming that cloud providers are responsible for all aspects of protection. The shared responsibility model requires organizations to ensure data resilience, retention, and recovery, even when applications run on third-party platforms.
Gaps in configuration, access controls, and recovery planning often surface only during an outage or cyberattack. These blind spots can then lead to compliance exposure, higher cost of recovery, and operational disruption. Addressing them requires more substantial alignment between IT and business teams so that shadow IT is brought under a unified governance and resilience framework.
Commvault helps address these risks by providing a unified platform – Commvault Cloud – that delivers a single pane of glass view for organizational data across all applications, clouds, and workloads. It also provides consistent protection and recovery across on-premises, hybrid, and multi-cloud environments. With built-in automation and policy-based continuous testing, organizations can eliminate blind spots and strengthen resilience, even in distributed IT environments.
CIO&Leader: How can startups view cyber resilience as a growth enabler, rather than just a safeguard?
Balaji Rao: AI-driven attacks are key cyber threats that are faster, more targeted, and harder to predict. Startups often run lean, move fast, and operate entirely on digital platforms, which means that they can’t afford prolonged downtime or reputational damage. Resilience becomes the foundation that allows them to recover quickly, maintain continuity, and keep delivering to customers, even under attack.
Embedding resilience from the start not only allows startups to scale confidently but also reduces the risk of downtime, protects intellectual property, and strengthens credibility with customers, partners, and investors. A strong resilience posture helps open doors to newer markets, especially in regulated industries where security and compliance are prerequisites for growth.
Commvault Clumio is a cloud native cyber resilience solution built on AWS that enables rapid backup and recovery of Amazon S3 buckets and DynamoDB at petabyte scale. Advanced capabilities, such as Cloud Rewind, enable application rebuild and rapid rollback to a safe point in time after an attack. Meanwhile, Cleanroom environments provide a secure space to test, recover, and validate recovery strategies during good times, helping startups stay prepared for the bad times.
This excellent combination of spcity, security, and scalability turns resilience for digital natives into a growth enabler, helping them move faster, enter new markets, and build lasting trust with customers.
CIO&Leader: How should enterprises redefine business continuity amid today’s evolving threat landscape?
Balaji Rao: Today, business continuity needs to evolve beyond static recovery plans. The increasing speed and complexity of threats means continuity now depends on how quickly a business can identify what really matters, protect it, and bring it back online without chaos when an incident happens. This is why, instead of just focusing on business continuity, Commvault is focused on helping organizations remain in a state of continuous business.
A key element of continuous business is embracing a Minimum Viable Company (MVC) approach. This approach provides a blueprint for sustaining critical functions under pressure, enabling organizations to operate through disruption and aligning business and IT on what must remain operational to prevent paralysis. We work with our partners to help customers think through this and prepare.
Given the pervasive nature of modern IT across hybrid, multi-cloud, and edge environments, it is also essential to prepare for future cryptographic threats with post-quantum encryption. Technology on its own is not enough; it is equally important to strengthen readiness across the organization through clearly defined roles, crossfunctional drills, and shared decision-making.
CIO&Leader: How are CIOs in India shifting their data protection priorities for 2025?
Balaji Rao: CIOs in India are moving away from treating data protection as a purely technical exercise. The focus has shifted to embedding resilience, compliance, and privacy into the organization’s operations. With rising cyber threats and the enforcement of the DPDP Act, priorities are expanding beyond backups to include privacy by design, stronger data, and clear accountability.
There is a clear emphasis on building zero-trust architectures, using automation and AI-driven redetection to help ensure that recovery can be fast, verified, and secure across hybrid and multi-cloud environments. CIOs are also prioritizing operational readiness, with regular simulations, defined roles, and closer alignment between IT, business, and compliance teams.
This shift reflects a broader recognition that data protection is now a fundamental aspect of maintaining trust, ensuring business continuity, and fostering growth in an increasingly complex digital environment.