Introduction
In June 1991, India stood at an economic precipice. A new Prime Minister, Pamulaparti Venkata Narasimha Rao, inherited a country with foreign exchange reserves adequate for fewer than three weeks of imports, a sovereign credit rating on the verge of junk, and a four-decade-old system of industrial licensing — the so-called Licence Raj — that had stifled entrepreneurship, insulated incumbents, and made India one of the most closed major economies in the world. The question was not whether to reform, but whether any leader possessed the political courage and strategic intelligence to do so.
Rao had both. Working with Finance Minister Manmohan Singh, he launched what became known as the LPG reforms — Liberalisation, Privatisation, Globalisation — in a series of bold, phased moves that dismantled the licence regime, opened the economy to foreign direct investment, devalued the rupee, and laid the institutional foundations for India's subsequent emergence as a global economic power. The reforms were not perfect, and Rao himself was the first to acknowledge their limitations. But they were durable, and they were real.
I am writing this essay because I believe that the story of 1991 holds urgent lessons for a different kind of crisis unfolding in organisations today: the cloud security transition. As a cybersecurity author and practitioner, I have spent years watching organisations struggle with the same structural problem that confronted India in 1991 — an inherited system that once made sense but has become an impediment to survival, defended by bureaucratic inertia and the interests of those who benefit from the status quo. The parallels are not merely rhetorical. They are structural, strategic, and deeply instructive.
The lesson of 1991 is not that liberalisation is always the answer. It is that when the system you have inherited is no longer capable of protecting what it was built to protect, the most dangerous thing you can do is nothing. — Professor Kai London
The 1991 Crisis and Its Parallel Today
The Indian balance of payments crisis of 1991 had structural roots that had been accumulating for decades. The Licence Raj, established in the aftermath of independence to protect domestic industry and allocate scarce resources through central planning, had served its purpose in a particular historical moment. By the 1980s, it had become a system for entrenching incumbents, enabling rent-seeking, and preventing the kind of creative destruction that drives economic dynamism. The crisis of 1991 was the moment when the accumulated dysfunction became impossible to ignore.
The crisis facing organisations today in the realm of cybersecurity has a strikingly similar structure. The perimeter security model — built around the assumption that an organisation's data and systems resided within a defined network boundary that could be defended by firewalls, intrusion detection systems, and access controls at the edge — made sense in its historical moment. When data lived in on-premises data centres, when employees worked from fixed offices on managed devices, and when the threat landscape consisted primarily of external attackers attempting to breach a well-defined perimeter, the model was adequate.
That historical moment is over. Cloud adoption has distributed data across multiple providers and geographies. Remote and hybrid working has dissolved the network perimeter. The attack surface has expanded exponentially. And the legacy perimeter security model — like the Licence Raj — has become not merely inadequate but actively dangerous, creating the illusion of security while leaving organisations vulnerable to lateral movement, supply chain attacks, and insider threats that the perimeter model was never designed to address.
| Dimension | India 1991 — Licence Raj | Cloud Security Transition |
|---|---|---|
| Inherited system | Industrial licensing and import controls | On-premises perimeter security model |
| Original rationale | Protect domestic industry; allocate scarce resources | Defend a defined network boundary against external threats |
| Why it failed | Globalisation changed the competitive environment; bureaucratic capture | Cloud, remote work, and modern threats dissolved the perimeter |
| Illusion created | Stability and protection of domestic producers | Security through network boundary control |
| Real effect | Stifled growth; enabled rent-seeking; delayed inevitable adjustment | Lateral movement risk; insider threats; supply chain vulnerability |
| Crisis trigger | Balance of payments collapse; IMF intervention | High-profile breaches; ransomware; regulatory enforcement |
The organisations that are most vulnerable today are not those that lack security investment. They are often those that have invested heavily — in the wrong model. Like the Indian economy of the late 1980s, they have doubled down on the Licence Raj of IT: more firewalls, more VPNs, more perimeter controls, at the precise moment when the perimeter has ceased to exist in any meaningful sense.
Dismantling the Perimeter — Ending the Licence Raj of IT
The most politically difficult aspect of Rao's 1991 reforms was not the technical content — economists broadly agreed on what needed to be done — but the act of dismantling structures that had powerful constituencies invested in their continuation. Industrial licensees, import quota holders, public sector enterprises with protected markets: all had something to lose from liberalisation, and all had mechanisms for expressing that opposition within the Congress party and the bureaucracy. Rao's achievement was to dismantle these structures faster than their defenders could mobilise.
The CISO navigating a cloud security transition faces an analogous set of entrenched interests. The network operations team that built and maintains the perimeter infrastructure has professional identity and departmental budget invested in its continuation. The compliance function has mapped its requirements to the existing control framework. The audit committee has approved a three-year security strategy premised on perimeter defence. The vendors who supply firewall hardware and VPN appliances have account relationships and renewal cycles that create institutional inertia. These are not corrupt or ill-intentioned actors — they are people and organisations operating rationally within the incentive structures they inhabit. But they constitute a Licence Raj of IT that must be dismantled if the organisation is to move to a security posture adequate to the actual threat environment.
Narasimha Rao understood that the people defending the Licence Raj were not defending corruption. They were defending certainty. The CISO's task is the same: to replace one form of certainty with a better-grounded one, not to win an argument but to deliver a transition. — Professor Kai London
The strategic parallel with 1991 is instructive here. Rao did not attempt a frontal assault on every protected sector simultaneously. He identified the areas where reform was most urgent and where resistance was weakest, moved quickly there, and used the early successes to build political capital for subsequent, harder moves. The abolition of import licensing on capital goods and components for export industries was less contested than reform of public sector enterprises; the former moved first, creating growth that made the latter more politically survivable.
For the CISO, the equivalent sequencing might prioritise identity and access management — the Zero Trust principle of verifying every user and device before granting access — before tackling the harder problem of network segmentation or the politically charged question of cloud-first procurement. Early wins in identity governance create a track record and a coalition that makes subsequent, more disruptive changes achievable.
Zero Trust architecture, the dominant security paradigm for cloud environments, requires exactly the same kind of assumption-dismantling that Rao performed in 1991. The foundational principle — never trust, always verify — is a direct repudiation of the perimeter model's core assumption that traffic inside the network boundary is trustworthy. Adopting Zero Trust is not an upgrade to the existing system; it is the replacement of one system with another, built on different foundational assumptions. This is precisely what made the 1991 reforms so difficult, and precisely why the same political intelligence that Rao brought to economic reform is required of today's security leaders.
Phased Liberalisation as Security Strategy
One of the most persistent misreadings of the 1991 reforms is to characterise them as a sudden, radical shift — a big bang liberalisation on the model of Eastern Europe's post-communist transitions. They were not. Rao and Singh were pragmatists, not ideologues, and they understood that reforms that move faster than political institutions can absorb tend to generate backlash that reverses the gains. The art of 1991 was sequencing: knowing which reforms to implement immediately, which to phase over months, and which to defer until the early wins had built sufficient political capital.
The immediate moves — devaluation, the first round of tariff reduction, the abolition of industrial licensing for the bulk of manufacturing sectors — were implemented within weeks of taking office, while the political mandate was fresh and the crisis provided justification. Subsequent reforms — further tariff reduction, privatisation, financial sector liberalisation — were phased over the remainder of the five-year term. Some reforms, including full capital account convertibility, were explicitly deferred because the institutional infrastructure to manage them safely did not yet exist.
This phased approach was not timidity. It was strategic intelligence. Rao understood that reform sequencing must match institutional capacity, that each phase must build the infrastructure — regulatory, political, human capital — required for the next. The devaluation worked because the Reserve Bank of India had the capacity to manage its consequences. Tariff reduction worked because Indian manufacturers had sufficient time, signalled in advance, to begin adjusting. Each reform created the conditions for the next.
Cloud security transitions that fail typically do so because they attempt to implement too much simultaneously, or because they implement technical controls without the organisational and governance infrastructure to support them. The CISO who deploys a Cloud Access Security Broker without first establishing a cloud governance policy, or who implements multi-factor authentication without a process for managing exceptions, is repeating the mistakes of the big-bang liberalisers — moving faster than institutional capacity can absorb.
The phased approach Rao used maps onto a cloud security roadmap with considerable precision. Phase one establishes the foundational identity infrastructure: multi-factor authentication, privileged access management, identity governance. This is the equivalent of currency devaluation — it corrects the most dangerous immediate vulnerability without requiring the full institutional apparatus of the new system. Phase two addresses data governance: classifying data by sensitivity, implementing data loss prevention, establishing cloud-native logging and monitoring. Phase three tackles network architecture: micro-segmentation, Zero Trust network access, replacing legacy VPN infrastructure. Phase four, deferred until the preceding phases have created the institutional capacity to manage it, addresses the full cloud-native security stack: SASE, cloud workload protection, continuous compliance.
At each phase, the sequencing principle holds: move at the speed of the slowest critical dependency, not at the speed of technical possibility. Rao did not liberalise Indian capital markets until the Securities and Exchange Board of India had the capacity to regulate them. The CISO should not implement cloud-native security architecture until the organisation has the cloud governance maturity to manage it. The constraint is not technical; it is institutional.
The most important thing Rao did in 1991 was to build consensus before each significant step, not after. He understood that reforms implemented without political legitimacy are reforms that will be reversed by the next government. The CISO who implements security changes without stakeholder buy-in is making the same error: achieving technical progress that the organisation will undo at the next leadership transition. — Professor Kai London
The consensus-building dimension of Rao's approach deserves particular emphasis for security leaders. Rao was not a charismatic populist; he was a consensus-builder who worked through institutions, briefed key stakeholders before making moves public, and was scrupulous about ensuring that those who would bear the costs of reform were given sufficient notice and support to adjust. The CISO who presents a Zero Trust roadmap to the board as a fait accompli will encounter the same resistance that confronted reformers who tried to move without building political foundations. The CISO who has briefed the CFO on cost implications, the COO on operational impact, the General Counsel on compliance dimensions, and the CEO on strategic rationale before making any public announcement is operating in the Rao tradition — and is far more likely to see the programme survive its first serious obstacle.
Conclusion
P.V. Narasimha Rao has not always received the recognition his achievement deserves. For years, the narrative of 1991 foregrounded Finance Minister Manmohan Singh and the technical content of the budget, while the political genius that made the reforms possible — the sequencing, the consensus-building, the management of opponents, the extraordinary political courage of a Prime Minister who had been expected merely to hold the fort until elections — was attributed to the general dynamics of crisis rather than to the specific intelligence of the man who navigated it.
I have written this essay in part to correct that imbalance, and in part because I believe that what Rao did in 1991 is genuinely instructive for practitioners in cybersecurity today. The structural parallels between India's Licence Raj and the perimeter security model are not coincidental; they reflect a common dynamic in which inherited systems, however rational in their original context, become impediments to survival as the environment changes. The political parallels between economic liberalisation and cloud security transition are equally real: both require dismantling entrenched interests, building consensus before moving, sequencing changes to match institutional capacity, and sustaining the reform programme across the political cycles that will inevitably produce resistance and reversal attempts.
Rao's legacy in economic terms is clear: the India of 2026 is unimaginable without 1991. The software industry that has made India a global technology power, the manufacturing base that is increasingly competitive on world markets, the financial sector that has intermediated four decades of investment — all trace their origins to the reforms that a 69-year-old politician, newly in office and widely expected to fail, had the courage and intelligence to implement.
The cybersecurity leaders who navigate the cloud security transition with similar courage, intelligence, and strategic patience will, I believe, look back on this period as their 1991 moment — the point at which they chose to dismantle what was inherited and build what was necessary. The organisations that fail to make that choice will face their own balance of payments crisis: a breach, a regulatory enforcement action, or a systemic failure that makes the costs of inaction unmistakably clear.
Liberalise or perish. Rao understood this in 1991. The question for today's security leaders is whether they will understand it in time.