In March, Taylor Swift (TayTay) was knee deep in her Eras tour, delivering sold out performances in various Australian cities, before moving on to Singapore, inspiring friendships, joy, small earthquakes, economic uptick for host cities, and of course, cyber incidents. Like TayTay, I went on my own whirlwind tour in Southeast Asia. My job: to deliver roundtables to CISOs in Hong Kong, Malaysia, Indonesia and Singapore. Unlike TayTay, as I dragged 35kg of luggage around 4 countries in 5 days, I reflected that while my tour lacked TayTay’s tour’s glamour, money, fans and global acclaim, it was full of intensity, passion, connection and learning – for myself and our attendees.
Our dynamic meetings featured esteemed CISOs and security leaders from the largest organizations. Our discussions delved into the top cybersecurity threats in 2023, lessons learned from 2022’s most notable breaches, top recommendations for security programs in 2023 and 2024, and of course, Predictions 2024: Cybersecurity, Risk, And Privacy. It should come as no surprise that the challenges and opportunities differed from country to country. Region-specific factors can vastly impact cybersecurity threats and practices such as business cultural norms, language, geopolitical issues, regulatory landscape, and cybersecurity maturity.
The luxury of physical presence, and time, meant that I learned things which I simply can’t intuit from press reports, or even virtual calls. In this blog, I will share my key learnings and takeaways of the key challenges and opportunities for CISOs in Southeast Asia:
- Narrative attacks and deepfakes are front of mind. With 2024 touted as “Asia’s year of elections”, with 7 highly-populous Asian countries holding elections, narrative attacks are expected to be especially popular here. Indonesia saw this when an AI-generated deepfake video of late President Suharto that cloned his face and voice, trying to influence a political agenda, went viral. Speaking of deepfakes: according to a Sumsub report, deepfakes surged by 1,530% in APAC! We discussed the Hong Kong Finance who worker attended a video call where deepfake technology was used to imitate his colleagues, part of a scheme to prompt him to transfer $USD25M. We also discussed the concern about the use of deepfakes in biometrics, with security leaders bringing to my attention banking victims identified in Vietnam and Thailand.
- Human element and AI software supply chain threats are no-brainers. GenAI’s talent for breaking down language barriers means that non-English speaking countries will no longer be able to avoid some human-related attacks, such as BEC, and other forms of social engineering (for example, Japan saw a 35% y-o-y increase of BEC attempts). The security leaders we spoke to agreed that they anticipate a significant rise in human-related attacks. Another imminent threat related to AI and the software supply chain. Forrester predicted that in 2024, at least three data breaches will be publicly blamed on AI-generated code.
- A chaotically evolving regulatory landscape consumes CISO resources. Regulators in APAC could no longer ignore these breaches. Between 2022/23, Australian regulators announced amendments to the Privacy and Telecommunications Acts also Australia refreshed the Federal Government’s Essential Eight threat mitigation strategies and strengthened industry-focused regulations such as Security of Critical Infrastructure.
The Indian Parliament passed the much- awaited Digital Personal Data Protection (DPDP) bill.Singapore amended its Personal Data Protection Act; even Japan strengthened its Act for Protection of Personal Information; and Indonesia passed its first ever Personal Data Protection (PDP) Law. This is causing not only havoc to CISOs in these regions, who shared with us what they called ‘a significant regulatory burden’ – these compliance activities consume precious resources, time and energy; all of which CISOs wish could be diverted into more strategic initiatives.
- Southeast Asia CISOs move to protect themselves and their teams. All of the above dynamics, combined with low budgets, still emerging levels of organizational influence, a widening cybersecurity workforce gap (one which increased by 11.8% in APAC this year), and many CISOs in the region still reporting to technology departments, led to discussions about how CISOs will protect themselves and their teams.
Cybersecurity burnout started rearing its ugly head particularly in our Singapore and Hong Kong discussions, an issue discussed only in hushed tones in previous visits. Leaders discussed the feasibility of retaining their own counsel to negotiate compensation and insurance, and for consultation when making decisions as a senior security leader. They also discussed retaining, and upskilling existing talent.
- Like everybody else, SEA CISOs grapple with GenAI aspirations. Security leaders discussed how they have been supporting their organizations with adopting GenAI safely, their wish to protect the organization without being relegated to the department of no, and some even spoke about warning their firms against being too GenAI-conservative, and advising their firms on the many business and productivity benefits of GenAI. All of them wanted to know how to engage and influence their organisation on the appropriate behaviors of using GenAI (such as what can and cannot be shared with GenAI), particularly as employees embrace the technology, creating a shadow GenAI situation.
- While Zero Trust becomes a regional reality, adoption continues to vary wildly. Forrester predicted that in 2024, roles with ZT titles will double across public and private sectors in some countries, and emerge in others. This was not a popular prediction which our attendees were preparing for, at least not in the short term. While our research shows that ZT is finally moving from concept to reality in Asia Pacific, there was still a broad range of sentiment and skepticism in the deep discussions.
Let’s Connect
Forrester Security and Risk clients in Asia Pacific, or in Multi-national global organizations, who have questions about the key trends facing this region, and how to best uplift their security capabilities to anticipate these trends, can reach out to me via inquiry or guidance session.