Hexaware Names Sunil Varkey, a Three-Decade Security Leader, as Its EVP and CISO

Hexaware has handed its security mandate to a veteran who has defended banks, telecom subscribers, and a global IT workforce. For an IT services firm, that resume is the whole point.

Published June 20, 2026

A Marquee Security Hire for a Major IT Services Firm

Hexaware Technologies, the Chennai-based IT services provider, has appointed cybersecurity veteran Sunil Varkey as Executive Vice President and Chief Information Security Officer. In his new role he will oversee information security governance, enterprise risk management, security architecture, and resilience initiatives. On paper that is a standard CISO charter. In practice, at a firm of Hexaware's scale and client footprint, it is one of the more consequential security mandates in the Indian IT services sector, and the choice of who fills it tells us how seriously the company is treating the threat landscape it now operates in.

Varkey brings more than 30 years in cybersecurity leadership, and the depth of that tenure is the headline. This is not a promotion of a capable manager into a stretch role; it is the recruitment of an operator who has run security at institutional scale across multiple high-stakes industries. For an IT services company whose reputation rises and falls on the trust of enterprise clients, hiring a leader with that kind of track record is less about filling a vacancy and more about signaling, to customers and prospects alike, that security sits at the top of the organizational agenda.

A Resume Built at Scale

The specifics of Varkey's background explain the appointment. He served as Global CISO at Wipro, where he was responsible for protecting an environment of more than 200,000 end users. He was CISO at Idea Cellular, where the stakes were measured in roughly 120 million subscribers whose data and connectivity depended on the security program he ran. And at HSBC he led roughly 300 security professionals as Managing Director and Global Head of Cyber Security Assessments. Each of those roles demanded the ability to operate security at a scale where small failures compound quickly into systemic exposure.

His path also runs through the vendor and financial-services worlds, with past roles spanning Symantec, Forescout, Barclays, and GE Capital. Most recently he served as a Cyber Security Consultant and Advisor at TAHAKOM in Riyadh, from June 2023 to March 2025. We find this breadth meaningful. A leader who has sat on the vendor side understands the tools market from the inside, and one who has defended banks and telecom networks has internalized the regulatory and reputational consequences of getting security wrong. That combination of perspectives is exactly what an IT services CISO needs, because the job touches all of those worlds at once.

Why an IT Services CISO Is a Different Job

Readers should appreciate a structural point that distinguishes this role from a typical enterprise CISO posting. When you secure a single enterprise, your boundary is your own estate. When you secure an IT services firm, your responsibility extends, by implication, into the many client environments your company touches through delivery, integration, and managed services work. A compromise of the services provider can become a vector into dozens of customer networks, as the industry has learned repeatedly through supply-chain attacks. The blast radius of a failure is therefore far larger, and the trust being defended is not only the firm's own but its clients' as well.

That is why a leader with Varkey's institutional-scale experience is a logical fit. The defensive posture required at Hexaware is closer to what he managed at Wipro, where the workforce and client base created an expansive and porous attack surface, than to a tidy single-tenant enterprise. We would argue that the bar for an IT services CISO is structurally higher than the title alone suggests, and that boards evaluating their service providers should ask pointed questions about who holds this role and what authority they actually wield. Hexaware appears to have answered that question with intent.

Reading the AI and Cloud Subtext

While the company did not publish detailed commentary, the timing and seniority of the hire let us read the subtext with reasonable confidence. Enterprise security stakes are rising on several fronts at once: generative AI is introducing new categories of risk around data leakage and model misuse, cloud-native architectures are dispersing the perimeter, and DevSecOps is pushing security responsibility earlier into delivery pipelines. An IT services provider that wants to sell into security-conscious enterprises must demonstrate maturity across all of these, and a senior, credentialed CISO is the most visible proof point a firm can offer.

We interpret this appointment as Hexaware doubling down on exactly those areas: AI security, DevSecOps, and cloud security governance. The framing is ours, not the company's, but the logic is hard to dispute. Clients are increasingly making security maturity a procurement criterion, not an afterthought, and they want to see that their provider's own house is in order before trusting it with sensitive workloads. Elevating a 30-year veteran into an EVP and CISO role is a credible way to make that case, and we expect Hexaware to use it as a differentiator in competitive deals where security governance tips the decision.

What Enterprise Buyers Should Watch

For CIOs and CISOs on the client side, this kind of appointment is a useful prompt to revisit how you assess your service partners. It is easy to treat a provider's security as a checkbox in due diligence, satisfied by certifications and a questionnaire. The more rigorous approach is to understand who leads security at the firm, how much organizational authority that person carries, and whether security is represented at the executive level or buried beneath delivery leadership. Hexaware placing its CISO at the EVP tier is a signal worth noting, because seniority correlates with the ability to enforce hard security decisions against commercial pressure.

The harder question, which no announcement can answer on day one, is whether the mandate comes with real teeth. A CISO can hold an impressive title and still be overruled when security collides with margin or delivery deadlines. We will be watching, over the coming year, for evidence that the role translates into demonstrable program maturity: stronger resilience posture, visible investment in AI and cloud security controls, and a governance model that clients can inspect. The hire is a strong opening move. Whether it becomes a durable advantage depends on the authority and resources that sit behind the title.

Our Assessment

On balance, this is a confident, well-aimed appointment. Hexaware did not reach for a rising manager or an internal promotion to satisfy an org-chart gap; it recruited a leader whose career was built defending exactly the kind of large, distributed, high-trust environments that an IT services firm represents. The match between Varkey's experience and the structural demands of the role is unusually clean, and that alignment is the most reassuring thing about the news. Good security hires are often about fit more than flash, and on the fit dimension this one scores well.

The work, of course, begins now. A resume defends nothing on its own; programs, controls, and culture do. We will judge the appointment ultimately by what changes in Hexaware's security posture and in the confidence its clients place in it. For now, our read is positive: bringing a three-decade veteran into the C-suite to own governance, risk, architecture, and resilience is the right instinct at a moment when enterprise security stakes have rarely been higher. It is the kind of move that signals an organization taking its own and its clients' exposure seriously.
