June 30, 2026
Security Belongs on the Blueprint
Why India’s GCC build-outs should design physical and cyber risk in — before the walls go up

By B9 Leo
A global enterprise signs the lease on a new India centre. The floor plan is agreed, the workstations ordered, the network designed, the launch date circled in red. Somewhere in month four, with the fit-out already underway, someone in a project review asks the question that should have been asked first: is this site actually secure? The security adviser is called in, handed a building that is three-quarters built, and asked to make it safe without moving a wall, a door, or a server. He can do something. He cannot do much.
Why does security so often arrive last, when its leverage is greatest at the start?
The timing has rarely mattered more. India now hosts 2,117 Global Capability Centres, employing 2.36 million people and generating close to USD 98 billion a year, according to the NASSCOM–Zinnov GCC landscape for FY2026. New centres are opening at a rate of more than two a week. Each one is a fresh building, a fresh network, and a fresh concentration of people, intellectual property, and personal data — in other words, a fresh security problem, built from scratch. And from 13 May 2027, the Digital Personal Data Protection Rules require every such operation to demonstrate 'reasonable security safeguards' for the personal data it holds, with penalties reaching ₹250 crore for the failures that follow a breach. The clock is not hypothetical; it is notified.
Security has a design window, and it closes. Every project manager knows the principle even if they have never named it: a change costs a rupee on the drawing board, ten during construction, and a hundred once the building is occupied. Security obeys the same curve, and more steeply, because so many of its controls are physical facts set in concrete — where the server room sits, how the loading bay meets the lobby, whether the visitor route ever crosses the secure floor. These are decisions, not products. Once the slab is poured, the cheap options are gone, and what remains is compensation: guards where geometry would have served, cameras where a wall would have served, process where design would have served. You cannot fortify a position after the firefight has begun.
Four windows, in sequence. Over years of building and assessing these programmes, I have found it useful to think of a build-out as four windows that open and close in order. Miss one, and you pay for it in the next.
Site. Before the lease is signed — the decision that is purely commercial yet sets the entire threat picture. Neighbourhood and approach, adjacencies, single points of failure in power and access, a proper threat and risk assessment of the location itself. This window closes at signature, and most organisations sign before security has seen the address.
Shell. During base build and civil works. Perimeter and standoff, ingress and egress, the placement of the control room and the server room, the routing of cable and conduit, the principles of Crime Prevention Through Environmental Design (CPTED) that make a building quietly defensible without looking like a fortress. This window closes at handover.
Systems. During fit-out. Access control, surveillance, intrusion detection — and the point at which physical and cyber stop being two conversations. A badge that opens a door and a credential that opens a database are, increasingly, one control governing one person. Under the DPDP regime, who can physically reach a server is a data-protection question, not merely a facilities one. This window closes at go-live.
Steady-state. Operations: people, process, drills, governance, audit. This is the only window that never fully closes — which is precisely why organisations lean on it to carry the weight the first three were meant to bear. Steady-state should refine a sound design, not rescue a poor one.
Convergence is no longer a philosophy; it is a compliance fact. The DPDP Rules ask for reasonable safeguards and breach notification within seventy-two hours. You cannot honour either if your physical access logs and your data access logs live in two unconnected worlds, owned by two teams who meet twice a year. Treating physical and cyber risk as one problem is not the adviser's preference. It is what the law, read plainly, now assumes.
What this means in practice. For any leader planning, scaling, or relocating an India operation:
• Bring security into the site-selection conversation, not the fit-out one. The threat and risk assessment (TRA) belongs before the lease, not after the launch.
• Put the server room and control room on the floor plan deliberately, not wherever space is left over.
• Make one person accountable for physical and cyber risk together, even in a small setup. Two owners means no owner.
• Map your personal-data flows now and work back to the physical controls that protect them. The May 2027 deadline will not wait for your construction schedule.
• Design for the threat you have assessed, not the brochure of products a vendor is selling.
• Treat operations as the place to sustain a good design, not to buy your way out of a bad one.
The best security on an India build-out is the kind no one notices, because it was drawn in before the building existed. The walls are going up at the rate of two a week. The only real question is whether the security goes up with them — or arrives, clipboard in hand, to a site that has already decided most of its answers.
GCC figures: NASSCOM–Zinnov, "GCC Value Orbit" / India GCC Landscape FY2026 (2,117 GCCs; 2.36 mn professionals; ~USD 98.4 bn; data as of 31 Mar 2026).
DPDP: Digital Personal Data Protection Rules, 2025 (MeitY, notified 14 Nov 2025); substantive obligations — security safeguards, breach notification, retention — effective 13 May 2027; maximum penalty ₹250 crore per the DPDP Act, 2023.
Sandeep Kumar is the Founder and CEO of NirVyn Consulting, a senior-led security and risk advisory for GCCs and multinationals operating in India. He writes occasionally on security, risk, and what good practice looks like on the ground in India.