“Digitalisation and cybersecurity are thus two sides of the same coin. As we push for digitalisation, we must also raise our cybersecurity levels to protect ourselves from new technological exploits and malicious actors.” Lee Hsien Loong, October 2021, The Singapore Cybersecurity Strategy
The rapid digital transformation across Asia, fuelled by advancements in AI and cloud computing, necessitates the development of robust cybersecurity frameworks. As organisations increasingly adopt digital technologies, they become vulnerable to cyber threats, with reports indicating that 51% of Asia-Pacific organisations cite cloud-related threats as a primary concern.
What organisations are getting right
The need for a comprehensive cybersecurity strategy is underscored by incidents like high-profile data breaches, which erode public trust and threaten economic stability. A well-structured framework can enhance resilience, promote user awareness, and integrate advanced technologies, ensuring that nations can safeguard their digital futures while fostering innovation and growth in a secure environment.
Mel Migriño, Southeast Asia regional director – Information security and regulatory alliance – PH country representative at Gogolook, says adopting a security framework is essential for structuring and organising cybersecurity operations and their related business and technology processes.
She noted that practitioners typically customise various frameworks to align with their specific risk appetite and applicable controls.
“Usually, organisations adopt more in implementing technical controls and measures; these could range from certain security configurations and the development of scripts to customise and/or automate detection and security processes, to putting in place an out-of-the-box security tool to detect and/or block suspicious or malicious activities. There is a high reliance on technology security.” Mel Migriño
She cautioned, however, that governance is often the weakest aspect, requiring extensive documentation, coordination on policies and standards, and thorough risk assessments and compliance audits to ensure effectiveness. In less regulated enterprises, the complete implementation of all phases in a security framework, such as the NIST CSF, may not be consistently followed.
Zscaler’s CISO-in-residence for Asia-Pacific and Japan, Heng Mok, notes that organisations in Singapore and the ASEAN region are advancing in adopting security frameworks and achieving compliance, reflecting increased cybersecurity maturity. They are implementing local regulations like the Personal Data Protection Act (PDPA) while aligning with global frameworks such as NIST and ISO. Public sector support is evident through initiatives like the Monetary Authority of Singapore's Technology Risk Management Guidelines, and organisations are investing in Information Security Management Systems and adopting advanced technologies like AI and automation for enhanced threat detection.
Align security framework with organisational objectives
Migriño emphasised that seasoned cybersecurity practitioners customise security frameworks based on enterprise risk assessments, prioritising elements according to their assets and risk landscape. “The adoption of the security framework is rooted in the risk profile, business objectives, and applicable regulations,” she noted. For industries like power and oil and gas, specialised frameworks such as NERC CIP, the NIST Guide to Operational Technology Security, and IEC 62443 are often implemented, with careful planning and execution because of their critical role in supporting national infrastructure.
Mok opined that a key task for any CISO and IT leadership team is to tailor the security framework to the organisation's unique risk profile and business objectives. He reminded us that security frameworks cannot be a one-size-fits-all solution, as each company has distinct opportunities and challenges.
“For effective alignment, CISOs must have a seat in the boardroom to understand objectives, priorities, and risk appetite through regular communication. Identifying critical assets and understanding business processes is essential for implementing effective security measures.” Heng Mok
“With full visibility, teams can develop a tailored security strategy that integrates security into all business processes. Additionally, CISOs should stay updated on the evolving threat landscape and ensure that the cyber strategy adapts continuously to changing threats, regulations, and business needs, fostering collaboration across departments,” he added.
Education and awareness
With the accelerating pace of technology development, security continues to lag the pace of technical innovation. The result is a vulnerability window that widens with each innovation.
Mok warns that organisations still adopting the “one-size-fits-all” form of cybersecurity education will run into problems when they try to get leadership buy-in.
“It is important to focus on role-specific training tailored to the specific roles and responsibilities of different stakeholders. Executives, IT teams, and general employees have different needs and levels of technical understanding,” he suggested.
Migriño, for her part, believes that education is a long process. “We need to be creative on how we aim to educate the different pillars of the enterprise,” she suggested. She reminded us that security is everyone’s responsibility regardless of role in the organisation: as attacks are now scaling faster because of AI abuse and becoming more sophisticated, continuous education is needed, catered to the way we work and live, on new threats and their impact on the organisation and on us as digital users.
Securing new initiatives
Artificial intelligence is widely said to be driving digital transformation initiatives, particularly in areas such as automation, data analytics and customer experience. Migriño cautions that with the fast assimilation of digital services in most industries, the way organisations practise cybersecurity and information protection should also evolve.
“A phased approach is usually better. Zeroing in on areas with the most risk should be the priority. Also, another point of consideration is on the readiness in terms of funding, manpower and capabilities present in the workforce,” she continued.
Mok agrees that a big-bang approach should only be used as a last resort. He advocates gradual implementation, which manages and mitigates risks effectively while allowing for continuous feedback and adjustment.
“Businesses can only absorb limited change at once, making strategic change management essential,” he notes. A key best practice is to initiate a pilot phase in a specific department to test the framework before a broader rollout. Organisations should gradually expand implementation and establish continuous improvement processes to adapt to evolving threats and regulatory requirements.
Measuring the effectiveness of a framework
When organisations begin their security journey, uplifting their security posture is crucial. Zscaler’s Mok emphasises that utilising an international framework like the NIST Cybersecurity Framework (CSF) helps assess maturity and benchmark against industry peers, aligning with their risk appetite.
He notes, “Compliance can free up capital in operational risk reserves, enhancing cash flow.” Certifying against ISO 27001 can create new business opportunities, and organisations increasingly require minimum security baselines from supply chain partners.
Mok adds, “Using tactics, procedures, and frameworks like MITRE enhances overall risk management.” By defining clear objectives and conducting regular assessments, CISOs can effectively measure their security framework’s effectiveness and demonstrate value to stakeholders.
Migriño suggests that each domain in the security framework be measured from various perspectives and should apply to data, applications and the hybrid infrastructure.
Adapt framework for evolving threats and tech
CISOs should prioritise continuous threat intelligence and analysis in their security frameworks. Mok emphasises the need to integrate reputable threat intelligence feeds and subscribe to local CERT advisories. He notes that analysing near-misses and building a community for industry threat intelligence sharing helps teams stay informed about evolving threats.
However, simply knowing the threats isn't enough. “CISOs must encourage their teams to learn through training and certifications continuously,” he opines – especially in rapidly changing areas like cloud security and AI/ML. Mok also highlights the importance of using data-driven approaches with AI/ML to enhance team effectiveness.
Furthermore, he stresses that management must understand the evolving threat landscape, advocating for sustainable funding for threat mitigation as an integral part of the operating model. This proactive approach will help maintain a robust security posture.