As enterprises in Asia embrace digital transformation in 2025, fostering a security-aware culture becomes paramount. The rapid adoption of artificial intelligence has heightened both innovation and vulnerability, making organisations prime targets for sophisticated cyberattacks.
With the APAC region experiencing a significant surge in cyber threats, integrating cybersecurity into everyday operations is essential. By adopting Zero Trust principles and emphasising employee involvement, organisations can build resilient defences.
Vincent Lomba, chief technical security officer at Alcatel-Lucent Enterprise, says the most common human error associated with breaches comes down to clicking on ‘bad links’. While he acknowledges that this is very easy to prevent, it still happens. The other common incident is less a breach than a case of money being extracted under false pretences.
“With the bad links, typically, you will have your credentials stolen somewhere, whereas the president scam is more directly linked to money collected in a bad way. That's the most common one, and that's always something for which employees are afraid and are a little bit ashamed to have been phished or to have successfully answered to a president scam attack,” he elaborated.
Carrot or stick
Asked whether a stick or a carrot is more effective in building a cybersecurity-aware culture, Lomba favours positive incentives to encourage participation in culture-building, arguing that blaming people or taking coercive action adds no value.
He reminds us that employees are also vulnerable in their private lives; explaining the benefits not only for the company but for themselves is therefore much more effective in the long term.
Asked whether organisations are doing a good job of educating and creating awareness with a view towards cementing a cybersecurity-aware culture, Lomba believes that training and other efforts will need to continue to evolve.
“There are already some good things done, but we are not yet at the final stage where all the people are fully trained and aware with the minimum kind of awareness on all those kinds of considerations,” opined Lomba.
He believes that training should continue, but he also thinks that turning people into experts should not be its goal. “Not all people will have to become experts in cybersecurity, but real-life awareness, yes. We need to continue to evolve on that and to invest,” he continues.
Best practices in culture building
Asked what strategies organisations can employ to encourage employees to identify and report security incidents without fear of losing their jobs, Lomba reiterates his strategy of engaging with a positive stance. He reveals that Alcatel-Lucent Enterprise uses role-playing games to train its people.
“Putting them in the situation—in a real-life situation—showing them what an attack is and what the potential consequences are, and then explaining to them that when we are suffering from an attack, we don't care about the initial step,” he adds.
He comments that identifying who did the bad thing is not the purpose. “The purpose is to minimise the risk and explain to people that they can be much more confident knowing that they could potentially have been the first weak element that has allowed this attack to occur,” he continues.
He stresses that everyone can contribute positively to reducing the organisation's exposure to attack.
He suggests putting people through role-playing games run like fire drills: letting them experience the event, then explaining the process, what is done, what they have to do and how they have to behave. For Lomba, such drill exercises are one of the most effective approaches for instilling awareness and changing attitudes.
From buy-in and into adoption
Asked if he has further comments on how CISOs can ensure that cybersecurity policies are understood and followed by everyone in the organisation, Lomba notes that in addition to training, organisations must have policies and processes to guide people on the appropriate steps to take in the event something happens.
“Processes and policies are absolutely key so that people can be much more confident, not relying on what they think they should do, but saying, ‘I know I've done something bad, but I can rely on an existing process. And if so, there is no reason I could be blamed for that, because the processes are there to help me and help the company to prevent a potential attack from occurring or being successful.’” Vincent Lomba
What to expect in 2025
Against a backdrop of evolving regulations and rapid technological change and adoption, what role will, or must, leadership take on to foster a security-aware culture?
Lomba believes leadership will play a crucial role in driving the cultural shift towards prioritising security and in shaping the overall strategy. “If leaders don't take this into account, their organisations will undoubtedly face consequences,” he warns.
He acknowledges that AI itself is a cybersecurity concern. “We don't fully understand the accuracy of AI outputs, and we don't know how the information we feed into large language models (LLMs), for example, might be used,” he continues.
He pauses and declares: “It's not just about awareness, but also about confidently and positively embracing new technologies while managing the associated risks. Leaders and stakeholders need to guide and reassure their teams, encouraging them to innovate responsibly with AI while remaining cautious.”
“We need to foster a culture of continuous learning and innovation. It can be challenging initially to grasp that innovation and cybersecurity aren't at odds. We must consider the risks that new technologies, habits, and tools like AI introduce. AI is becoming ubiquitous and offers significant benefits, increasing efficiency for many employees. We can't ignore it; we need to engage with it.” Vincent Lomba
He reiterates the need to understand the limitations of AI, not just in terms of accuracy but also in terms of the cyber risks it presents. On the topic of legal compliance, he cites the surge in new cybersecurity laws in recent years.
“These are generally positive, raising awareness of the need to protect entities, enterprises, and organisations. They elevate the overall level of security awareness by imposing legal obligations,” he posits. “However, keeping up with and understanding all these regulations is a significant task that we didn't have to deal with just a few years ago. This evolving legal landscape presents new challenges.”
He suggests that individuals need to collaborate more closely together and that CXOs need to prioritise these legal aspects, working closely with legal departments. He adds that legal teams, in turn, need to rely on security experts to understand these laws, their implications, and how to comply. Conceding the effort to be a considerable challenge, he strongly feels it is a necessary one because, at the end of the day, it is about protecting companies and individuals.