At the 2024 FutureCISO conference, 80% of security professionals cited data security as the top focus for their departments. Cloud security came in second at 69%, and data privacy third at 51%. Organisations recognise the critical need to protect sensitive information in an increasingly digital landscape.
With threats evolving, a robust data security strategy is essential for safeguarding assets, ensuring compliance, and maintaining customer trust. This emphasis on data security reflects a broader shift towards prioritising resilience in cybersecurity frameworks, positioning it as a foundational pillar in organisational security strategies.
FutureCISO spoke to three cybersecurity leaders to get their perspectives on these pressing challenges.
The escalating threat landscape
Cybersecurity professionals have long been aware of the increasing complexity of threats. As Ben Goodman, SVP and general manager of Okta Asia Pacific & Japan, pointed out, "Leaders now recognise that GenAI has the potential to be immensely impactful in the cybersecurity space."
The regulatory environment is becoming more intricate, requiring organisations to allocate significant resources to ensure compliance while avoiding penalties.
ESET's global cybersecurity advisor, Jake Moore, echoed these sentiments, noting that "CISOs have faced growing challenges stemming from the dual pressures of compliance and evolving technology." The rise of AI-driven tools, which adversaries leverage to launch sophisticated attacks, adds another layer of complexity.
Elaborating on these challenges, Zscaler's CISO-in-residence, Asia Pacific & Japan, Heng Mok, stated that "Sophisticated cyberattacks characterise the rapidly evolving threat landscape." He highlighted the geopolitical environment, particularly in the Middle East and the ongoing Ukraine-Russia conflict, as key drivers of this complexity.
Evolving threat intelligence practices
In response to these challenges, organisations are adapting their threat intelligence practices. Mok explained that "organisations increasingly incorporate advanced analytics and machine learning to detect and respond to threats more rapidly." This includes investing in real-time monitoring and automated response systems to mitigate risks proactively.
"Organisations now prioritise proactive threat hunting, using behavioural analytics and AI/ML for faster, more accurate attack detection," observed Goodman. Collaborative initiatives, such as threat intelligence sharing platforms, have improved response times and fostered a united front against cyber adversaries.
Moore remarked, "Threat intelligence practices have evolved significantly, with automation and AI playing pivotal roles." Machine learning enables organisations to analyse vast amounts of data in real-time, identifying patterns and anomalies that signal potential threats.
The Impact of Cybercrime-as-a-Service
The rise of Cybercrime-as-a-Service (CaaS) models is another significant factor in the evolving threat landscape. HKCERT defines CaaS as the trend where individuals or groups with malicious intent provide cybercriminal tools, infrastructure, and services to other criminals for a fee.
Goodman elaborated on the implications of CaaS, stating, "By making cybercrime tools and services widely available, CaaS lowers the barriers for malicious actors." He mentioned that services such as ransomware-as-a-service and phishing kits are becoming increasingly prevalent, leading to a rise in the frequency and variety of cyberattacks.
CaaS makes sophisticated cyberattacks more accessible to less skilled criminals. Mok believes this will force CISOs to enhance threat detection and response capabilities.
Assessing vulnerability to emerging threats
As organisations navigate this complex landscape, assessing vulnerability to emerging attack vectors is crucial. Zscaler's Mok highlighted the importance of regular risk assessments and investing in red teams to proactively hunt for vulnerabilities. He stated, "Combining this with collective defence strategies...is essential."
Moore recommended a risk-based approach, adding that "vulnerability assessments tailored to regional threats" are vital. He emphasised the need for continuous control testing and a comprehensive threat view across the supply chain.
Okta's Goodman reiterated the necessity of regular vulnerability assessments and penetration testing, stressing that integrating local threat intelligence into defensive measures is crucial. He also highlighted the significance of cybersecurity awareness training tailored to cultural nuances.
Monitoring and responding to ransomware tactics
Ransomware remains a dominant threat, necessitating effective monitoring and response strategies.
ESET's Moore suggested adopting a multi-layered defence strategy, explaining that "deploying advanced endpoint detection and response (EDR) tools to monitor and mitigate threats in real-time" is crucial. He also emphasised the importance of network segmentation and strict access controls to mitigate the risk of unauthorised access.
Goodman advocates continuous monitoring through advanced threat detection systems and integrating threat intelligence from industry sources.
Ben Goodman
“Monitoring supply chain risks, enforcing vendor cybersecurity standards, and preparing robust incident response plans are key strategies for mitigating potential damages. These steps collectively help organisations stay resilient against evolving cyber threats.” Ben Goodman
Mok reminds us that systems are only as good as the organisation’s weakest link: “It is paramount that we train employees to recognise phishing and social engineering tactics.” He also advocates practising response and building muscle memory, which he believes ensures efficient processes during a control failure.
Integrating digital and physical security
The convergence of digital and physical security measures is becoming increasingly crucial. Jake Moore called for organisations to implement systems integrating cybersecurity monitoring tools with physical security measures. He posits the importance of augmenting CCTV systems with AI-driven facial recognition and access control solutions linked to identity management platforms.
Mok emphasised the need for a unified security strategy addressing digital and physical threats.
Heng Mok
"CISOs should implement an integrated system for access controls and surveillance. Collaboration between IT, security, and other departments is vital for maintaining effective security." Heng Mok
Goodman reiterated the importance of adopting a holistic risk assessment framework, noting that "organisations should ensure that IoT devices and surveillance systems are secured against cyber threats." Continuous training is essential for ensuring staff understand the overlapping risks.
Anticipating future threats
The executives shared their predictions for the most prevalent threats in 2025. Mok identified sophisticated ransomware attacks and insider threats as key concerns, emphasising that "robust cybersecurity measures, including threat detection and employee training, will be essential in mitigating these risks."
Moore warned of escalating supply chain attacks and the rise of AI-driven phishing campaigns, stating that ransomware, including ransomware-as-a-service (RaaS), will continue to dominate.
Goodman claimed that most newcomers trying to earn their spot in the RaaS ecosystem will likely code their encryptors in Rust or Go to allow wider spread of platforms to target with a single code.
Jake Moore
"RaaS is a competitive cybercriminal environment where gangs often develop innovations and changes to their affiliate programs to attract more partners and grow profitability." Jake Moore
He also highlighted the emergence of device-based attacks as a growing threat, and cautioned that attackers are finding new ways to compromise users' devices, making it essential for organisations to remain vigilant.
Embracing emerging technologies
Organisations must adopt emerging technologies to enhance their cybersecurity posture. Moore advocated for AI-driven threat detection as an essential defence mechanism moving forward. Zscaler's Mok suggested a range of technologies, including Zero Trust Architecture, for strict access controls.
Goodman emphasised the integral role of AI and ML in improving cybersecurity, remarking that "these technologies enable real-time data analysis, helping to detect threats and identify anomalies." He also recommended adopting phishing-resistant authentication methods.
Conclusion
As we move into 2025, cybersecurity remains a top priority for Asian organisations. IDC forecasts that Asia Pacific and Japan's security spending will reach US$52 billion, underscoring the urgency of investing in advanced cybersecurity measures.
The evolving threat landscape, characterised by sophisticated attacks and compliance challenges, necessitates a proactive approach.
By adopting advanced technologies, enhancing threat intelligence practices, and fostering collaboration, organisations can strengthen their cybersecurity posture and mitigate risks. The insights from industry leaders provide a roadmap for CISOs and heads of security to navigate the complexities of cybersecurity in the year ahead.
Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.
Previous Roles
He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role.
He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications.
He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer.
He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific.
He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific.
He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.