Organisations in Singapore and the ASEAN region are making significant strides in adopting cybersecurity frameworks, particularly the NIST Cybersecurity Framework (CSF). The Cyber Security Agency of Singapore (CSA) has been instrumental in promoting this framework, providing guidelines and resources to facilitate its implementation.
According to Jiana Edades, cybersecurity consulting analyst at Frost & Sullivan, “The NIST CSF has become a core part of the cybersecurity strategy for many Singaporean organisations, especially in key sectors like finance, healthcare, and critical infrastructure.” The CSA's efforts have not only helped local organisations but have also set a precedent for ASEAN member states, promoting the NIST CSF as a model for national cybersecurity frameworks.
Regional cooperation and capacity building
The ASEAN Cybersecurity Cooperation Strategy has endorsed the NIST CSF for member states, encouraging them to adopt similar frameworks. Institutions like the ASEAN-Singapore Cybersecurity Centre of Excellence have been pivotal in providing training and capacity-building programs, helping organisations across the region to understand and implement the NIST CSF effectively. Countries such as Malaysia, the Philippines, and Thailand are beginning to recognise the importance of this framework, using it as a reference in their national cybersecurity strategies.
Challenges in cohesion and implementation
Despite the positive developments, organisations face significant challenges in framework execution and enforcement. A major issue is the lack of cohesion in regulations and standards across the ASEAN region.
Edades highlights that “the varying levels of cybersecurity maturity among ASEAN member states create a complex landscape that hinders effective enforcement and adoption of these frameworks.”
“While countries like Singapore have adopted comprehensive cybersecurity measures, others still operate with a minimalistic approach, which creates critical gaps in defences. This fragmentation results in a patchwork of security controls that leaves organisations vulnerable to cyber threats.” Jiana Edades
The need for a unified strategy
The absence of a unified cybersecurity strategy across ASEAN poses a significant concern for Chief Information Security Officers (CISOs), opines Edades. She points out that the differing regulations complicate the implementation of consistent security measures, ultimately leading to vulnerabilities that can be exploited by attackers.
Emphasising the importance of a collaborative approach, she elaborates: “By taking a holistic approach to cybersecurity, CISOs can help bridge the maturity gaps in ASEAN and create a more secure and resilient digital landscape for the region.”
“While there is progress in security framework adoption, the region must address regulatory fragmentation and pursue greater collaboration to enhance its overall cybersecurity posture.” Jiana Edades
Challenges in compliance-focused approaches
In many ASEAN organisations, CISOs and leadership often emphasise compliance, primarily aiming to meet the minimum regulatory requirements. This focus is frequently driven by budget constraints and the desire to avoid penalties. “While compliance is crucial, particularly in heavily regulated sectors like finance and healthcare, it is increasingly inadequate against evolving cyber threats,” she continues.
Moving beyond compliance
To effectively protect their organisations, CISOs must shift their focus from mere compliance to proactively aligning security frameworks with unique risk profiles and business objectives. Edades states, “CISOs need to go beyond doing what is required and ensure that their security frameworks are tailored to the specific risks their organisations face.”
Steps for effective alignment
CISOs can enhance their security posture by following these key steps:
- Conduct Thorough Risk Assessments: Identify the organisation’s most critical assets and map them against the specific threats they encounter. Understanding these risks helps prioritise efforts beyond regulatory requirements.
- Customise the NIST Cybersecurity Framework: Utilise the NIST CSF as a flexible tool. Specific actions include:
  - Identify: Focus on critical business processes and the associated risks.
  - Protect: Implement tailored protective measures based on identified risks, such as enhancing cloud security for organisations reliant on cloud services.
  - Detect: Invest in advanced threat detection capabilities suited to the organisation’s unique threats, like AI-driven tools for sectors vulnerable to sophisticated attacks.
  - Respond: Develop incident response plans that align with business continuity goals, considering specific incidents that could disrupt operations.
  - Recover: Establish recovery protocols aimed at minimising downtime and ensuring a swift return to critical operations. Regularly test these protocols through relevant simulations.
By following these steps, organisations can create a more resilient security framework that not only complies with regulations but also addresses the specific risks they face in a dynamic threat landscape.
Educating stakeholders on cybersecurity frameworks
Current Gaps in Education: Security teams in many organisations are often falling short in educating key stakeholders—executives, IT teams, and employees—about the importance of cybersecurity frameworks. While securing senior leadership buy-in is essential, inadequate communication and training can hinder effective framework implementation.
Insufficient Communication: Security teams frequently struggle to convey the relevance of cybersecurity frameworks beyond the IT department. Without a clear understanding of how these frameworks protect the organisation, stakeholders may perceive them as unnecessary bureaucratic hurdles.
Lack of Tailored Training: Generic training is insufficient for diverse roles within the organisation. Edades notes, “Security teams must develop targeted training programs that address the specific roles and responsibilities of each stakeholder group,” emphasising the need for tailored education for executives, IT teams, and employees alike.
Resource Constraints: Many security teams face limitations in budget and personnel, which can lead to a focus on immediate tasks rather than proactive education initiatives. According to Edades, this lack of resources can further deepen the disconnect between security efforts and stakeholder awareness.
Siloed Operations: Often, security teams operate in isolation, prioritising their objectives without integrating the broader organisational context. She cautions that this siloed approach can exacerbate communication issues and hinder effective stakeholder engagement.
Best practices for implementing a new framework
When modernising a security framework, organisations should adopt a phased approach rather than a "big bang" implementation, suggests Edades. She opines that most regulations allow for a transition period, making it feasible to gradually implement the new framework while testing and refining processes.
Key steps for phased implementation
- Conduct comprehensive risk assessments: Identify critical assets and threats to inform the phased approach.
- Engage stakeholders early: Involve key stakeholders in the planning process to ensure their insights and buy-in.
- Define clear milestones: Break implementation into manageable phases with specific, measurable objectives.
- Develop the human element: Implement targeted training programs to foster a culture of security awareness.
- Monitor and adapt: Gather feedback and assess effectiveness after each phase to make necessary adjustments.
Measuring framework effectiveness
To ensure the framework is effective, Edades suggests organisations implement Key Performance Indicators (KPIs) and regular security audits, including:
- Track specific metrics: Monitor response times to threats and compliance levels.
- Conduct audits: Schedule internal and external audits for unbiased evaluations.
- Monitor user behaviour: Use behavioural analytics to detect anomalies that could indicate security issues.
Ensuring adaptability to evolving threats
“Organisations must ensure their cybersecurity frameworks evolve with changing threats and technologies,” says Edades. Her list of best practices includes:
- Establish a threat intelligence program: Gather and analyse threat data to inform framework updates.
- Conduct regular threat assessments: Evaluate exposure to new threats and adjust the framework accordingly.
- Engage in collaborative initiatives: Participate in industry-specific cybersecurity efforts to share insights.
- Invest in continuous learning: Provide training opportunities for cybersecurity professionals.
- Embrace agile methodologies: Adopt agile practices for rapid adjustments based on feedback and changing requirements.
- Create a Cybersecurity Innovation Program: Focus on evaluating new technologies to enhance security posture.
By following these practices, Edades believes organisations can ensure their cybersecurity frameworks remain robust and effective in the face of evolving challenges.