In March, Taylor Swift (TayTay) was knee-deep in her “Eras Tour,” delivering sold-out performances in various Australian cities before moving on to Singapore, inspiring friendships, joy, small earthquakes, an economic uptick for host cities, and, of course, cyber incidents. Like TayTay, I went on my own whirlwind tour in Southeast Asia. My job: to deliver roundtables to CISOs in Hong Kong, Malaysia, Indonesia, and Singapore. Unlike TayTay, as I dragged 35 kg. of luggage around four countries in five days, I reflected that, while my tour lacked TayTay’s tour’s glamour, money, fans, and global acclaim, it was full of intensity, passion, connection, and learning — for myself and our attendees.

Our dynamic meetings featured esteemed CISOs and security leaders from the largest organizations. Our discussions delved into the top cybersecurity threats in 2023, lessons learned from 2022’s most notable breaches, top recommendations for security programs in 2023 and 2024, and, of course, our Predictions 2024: Cybersecurity, Risk, And Privacy report. It should come as no surprise that the challenges and opportunities differed from country to country. Region-specific factors can vastly impact cybersecurity threats and practices such as business cultural norms, language, geopolitical issues, the regulatory landscape, and cybersecurity maturity.

The luxury of physical presence and time meant that I learned things I simply can’t intuit from press reports or even virtual calls. In this blog, I will share my key learnings and takeaways from the key challenges and opportunities for CISOs in Southeast Asia:

  • Narrative attacks and deepfakes are front of mind. With 2024 touted as “Asia’s year of elections,” with seven highly populous Asian countries holding elections, narrative attacks are expected to be especially popular here. Indonesia saw this when an AI-generated deepfake video of late President Suharto that cloned his face and voice, trying to influence a political agenda, went viral. Speaking of deepfakes: According to a Sumsub report, deepfakes surged by 1,530% in APAC! We discussed the Hong Kong finance worker who attended a video call in which deepfake technology was used to imitate his colleagues, part of a scheme to prompt him to transfer US$25 million. We also discussed the concern about the use of deepfakes in biometrics, with security leaders bringing to my attention banking victims identified in Vietnam and Thailand.
  • Human element and AI software supply chain threats are no-brainers. Generative AI’s talent for breaking down language barriers means that non-English-speaking countries will no longer be able to avoid some human-related attacks such as business email compromise (BEC) and other forms of social engineering (for example, Japan saw a 35% year-over-year increase in BEC attempts). The security leaders we spoke to agreed that they anticipate a significant rise in human-related attacks. Another imminent threat related to AI and the software supply chain: Forrester predicted that in 2024, at least three data breaches will be publicly blamed on AI-generated code.
  • A chaotically evolving regulatory landscape consumes CISO resources. Regulators in APAC can no longer ignore these breaches. In 2022–23, Australian regulators announced amendments to the Privacy and Telecommunications Acts, and Australia also refreshed the federal government’s Essential Eight threat mitigation strategies and strengthened industry-focused regulations such as Security of Critical Infrastructure Act.

The Indian Parliament passed the much-awaited Digital Personal Data Protection bill. Singapore amended its Personal Data Protection Act, Indonesia passed its first ever Personal Data Protection Law, and even Japan strengthened its Act on the Protection of Personal Information. This is causing havoc for CISOs in these regions, who shared with us what they called “a significant regulatory burden” — these compliance activities consume precious resources, time, and energy, all of which CISOs wish could be diverted into more strategic initiatives.

  • Southeast Asia CISOs move to protect themselves and their teams. All of the above dynamics — combined with low budgets, still emerging levels of organizational influence, a widening cybersecurity workforce gap (one that increased by 11.8% in APAC this year), and many CISOs in the region still reporting to technology departments — led to discussions about how CISOs will protect themselves and their teams.

Cybersecurity burnout started rearing its ugly head, particularly in our Singapore and Hong Kong discussions, an issue discussed only in hushed tones in previous visits. Leaders discussed the feasibility of retaining their own counsel to negotiate compensation and insurance, as well as for consultation when making decisions as a senior security leader. They also discussed retaining and upskilling existing talent.

  • Like everybody else, Southeast Asian CISOs grapple with generative AI aspirations. Security leaders discussed how they have been supporting their organizations to adopt generative AI (genAI) safely and their wishes to protect their organizations without getting relegated to being seen as the “department of no,” while some even spoke about warning their firms against being too genAI-conservative and advising their firms on the many business and productivity benefits of genAI. All of them wanted to know how to engage and influence their organizations on the appropriate behaviors of using genAI (such as what can and cannot be shared with genAI), particularly as employees embrace the technology, creating a shadow genAI situation.
  • While Zero Trust becomes a regional reality, adoption continues to vary wildly. Forrester predicted that in 2024, roles with Zero Trust (ZT) titles will double across public and private sectors in some countries and emerge in others. This was not a popular prediction for which our attendees have been preparing, at least not in the short term. While our research shows that ZT is finally moving from concept to reality in Asia Pacific, there was still a broad range of sentiment and skepticism in the deep discussions.

Let’s Connect

Forrester security and risk clients in Asia Pacific or in multinational global organizations who have questions about the key trends facing this region and how to best uplift their security capabilities to anticipate these trends can reach out to me via inquiry or guidance session.