Talent crunches, evolving threats, emerging technologies, and regulatory sprawl are the conventional problems that have plagued security leaders for decades, but in 2023 in the APAC security space, these problems have collided.
Until recently, APAC has largely avoided global breach headlines and regulator attention ā until 2021 and 2022, when 31% of the 55 most notable breaches in our research were from APAC. Regulators in APAC could no longer ignore these breaches, with Australia, India, Singapore, and Japan strengthening their regs. Then of course, emerging tech in the form of generative AI emerged to make things even more interesting.
Expectations
APAC CISOs are dealing with these dynamics on the smell of an oily rag ā constrained budgets, a resource gap, and, often, a lack of buy-in. In this environment, theyāre leaning on their consulting providers to help them address these myriad, different but interlinked, challenges and expect them to:
- Be commercial enough but not too commercial that they forget about the customerās interest. CISOs donāt expect their providers to be a charity, but God helps the consultant who prioritizes its own commercial interest before fully putting their customer, their business, geography, or industry first. For a long time, CISOs have expected partnership from their security service providers in APAC, but they are now very specific on what this partnership means and wonāt settle for anything less.
- Have enough juniors to make them affordable but not too many, as they need experience.Ā In the first APAC cybersecurity consulting services evaluation we ran in 2019, there was āsurpriseā among providers as to why we cared about diversity, equity, and inclusion (DEI) matters. In 2023, though, they are the words du jour, with each provider boasting many DEI programs, scholarships, and academies. Outcomes are still hard to come by, however, with most plagued by a significant gender imbalance in the name of āBut we are in line with the industry!ā Not only is this becoming unacceptable for CISOs, but whatās also unacceptable is the overload of junior resourcing and a hidden expectation that CISOs end up training the providerās teams.
- Be strategic enough but no āPowerPoint as a strategy,ā thank you ā they need tech capability.Ā PowerPoint as a strategy went out of fashion years ago, but the line between strategic and operational, business and technical, and other euphemisms once used to describe and pigeonhole people, teams, and providers is now very blurry. Providers need depth and technical competency while not shying away from delivering vision and translating technical and operational matters into business speak.
Originally posted on Forrester