As 2024 draws to a close, businesses are undergoing significant transformations through digital initiatives, mergers and acquisitions, and shifts in workforce dynamics. At the same time, cybersecurity strategies must evolve to ensure that security protocols do not impede operational agility.
Organisations need to be able to pivot quickly in response to market demands, technological advancements, or unforeseen disruptions while maintaining a robust security posture. This balance is essential for minimising risks and protecting against potential cyber threats that may exploit vulnerabilities during periods of change.
The focus on cybersecurity has intensified significantly across the Asia Pacific (APAC) region in recent years. As organisations navigate the complexities of digital transformation, cybersecurity has become a critical investment priority, with budgets poised for further expansion in 2024.
PwC estimates that Asia Pacific’s security spending has grown at a CAGR of 12.8% since 2022 and is expected to reach US$52bn by 2027 as multiple cyber threats bear down on digitalising companies.
According to the 2024 edition of PwC’s annual Digital Trust Insights (DTI) survey, 84% of business and technology executives in APAC anticipate increases in their cybersecurity budgets, underscoring the urgent need for enhanced protective measures.
For CISOs, the rush to digitalise business processes has come with a price: the challenge of managing security exposures in a constantly evolving threat environment. Mark Jobbins, chief technology officer & vice president for Asia Pacific & Japan at Pure Storage, observes a 15% year-on-year growth in the threat level across APAC.
“The question is whether organisations are aware that they are being targeted by threats and whether they are prepared to respond,” Jobbins notes. “With attacks becoming more sophisticated and frequent, it is crucial for organisations to have the right infrastructure and policies in place, especially with their increasing dependence on data.”
In a landscape characterised by interconnected risks, the Forrester Predictions 2024: Cybersecurity, Risk, and Privacy report advises security, risk, and privacy leaders to balance innovation speed with governance and accountability beyond mere regulatory compliance.
Understanding resilience in cybersecurity
The World Economic Forum (WEF) defines resilience as being prepared for an inevitable cybersecurity breach and recognising that every system has potential vulnerabilities.
“It encompasses the ability of an organisation to maintain its core functions – not just in the face of attacks but also during recovery from them. It is about being prepared for the inevitable breach, and recognising that every system, no matter how robust, has potential vulnerabilities.” WEF
Jobbins adds that resilience means the ability to recover quickly in today’s fast-paced environment. While data backup was historically viewed as an insurance policy, he emphasises that organisations must now frequently recover critical applications to ensure business continuity.
He advocates for a tiered recovery approach, prioritising essential systems first, followed by less critical ones.
“Companies that are well-prepared for potential attacks use tiered recovery strategies, including rapid recovery options like immutable snapshots replicated to secondary environments. For maximum protection, data is often stored in resiliency bunkers as a last defence, ensuring robust multi-tiered recovery capabilities.” Mark Jobbins
Agility in the context of cybersecurity
The National Institute of Standards and Technology (NIST) defines agility as the ability of a system to be reconfigured, allowing resources to be reallocated and components repurposed. Jobbins argues that organisations must first address existing data silos, which complicate the ability of CISOs to respond effectively to sophisticated threats.
“CISOs need to be vigilant, focusing on their security systems and ensuring that data storage and protection are prioritised rather than treated as secondary,” he stresses.
Prioritising risks
Given the rapid pace of technological and operational changes, how should CISOs assess and prioritise risks? Jobbins notes that national institutions are collaborating with vendors like Pure Storage to develop frameworks that help organisations minimise risks while maximising visibility into changes in their environments.
“The more data CISOs have regarding what constitutes normal operations and expected changes, the stronger their ability to respond quickly to threats before they escalate. Visibility and resilience are critical in these situations,” he elaborates.
Choosing security frameworks
Organisations with operations in multiple countries must comply with local security standards. According to Jobbins, adopting the right security frameworks is essential for ensuring compliance while remaining flexible.
These frameworks should emphasise observability and predefined responses for recovery. Jobbins suggests that CISOs integrate local regulations into their organisational strategies. While local requirements may differ, fundamental practices in the IT industry—such as establishing procedures, identifying changes, and implementing proven recovery plans—are becoming increasingly important.
Jobbins highlights that apart from Singapore’s Cybersecurity Act, Australia’s Security of Critical Infrastructure (SOCI) Act mandates that organisations in critical sectors have established procedures in place. “It’s essential to consider both overarching frameworks and localised governance,” he notes.
Cybersecurity is a team effort
From a security perspective, how can organisations integrate security into agile development processes without hindering innovation? Jobbins emphasises that education is key to ensuring teams collaborate effectively by understanding potential threats.
He suggests simplifying storage environments to reduce errors. “Leveraging generative AI can provide operations teams with insights into storage vulnerabilities and security gaps, enabling quicker responses,” Jobbins states.
He concludes that a focus on streamlined operations and rapid recovery is critical for C-suite executives aiming to maintain business continuity.
Staying ahead of the threat
The threat landscape will continue to evolve, and it's clear that the same technology used to defend critical infrastructure can also be exploited by attackers targeting vulnerable systems. So, how should CISOs architect a cyber resilience strategy to stay ahead in this escalating warfare?
Jobbins suggests CISOs remain vigilant, constantly anticipating new threats and leveraging AI to stay proactive. However, bad actors also utilise advanced technologies, making cybersecurity a high-stakes challenge.
He suggests that staying connected to government programs that highlight emerging risks is crucial, but foundational strategies, such as a robust defence-in-depth approach, remain a top priority.
A defence-in-depth strategy layers independent protections, including physical security, network security, operating system safeguards, and data protection, so that the failure or compromise of any single layer does not on its own expose the organisation's data.
“The final line of defence is having immutable, unchangeable copies of critical data. While most components of an organisation's IT infrastructure can be rebuilt, data is unique and irreplaceable. Although maintaining security is a difficult balancing act, a defence-in-depth strategy helps mitigate potential threats effectively.” Mark Jobbins
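The tiered recovery design described earlier (immutable snapshots replicated to secondary environments, with a resiliency bunker as the last tier) and the "immutable copies as the final line of defence" point above can be made concrete in code. The following is an added example written for this page; it is not code from the article or from Pure Storage. It models a write-once snapshot store with a retention lock, replication that re-locks each copy under the destination's own (longer) retention policy, hash checks that skip snapshots whose stored bytes have been tampered with, and a recovery planner that restores tier-0 systems first from whichever tier still holds an intact copy. The system names, tier assignments, retention periods and timestamps are constructed for illustration.

```python
"""Added example (not from the article or Pure Storage): a toy model of tiered,
immutable-snapshot recovery. Timestamps are constructed day counters, not real."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    system: str
    taken_at: int        # constructed day number
    locked_until: int    # retention lock: deletion refused before this day
    sha256: str          # hash recorded at snapshot time
    payload: bytes       # the captured data


class RetentionLockError(PermissionError):
    """Raised when anyone, admin included, tries to delete a locked snapshot."""


class SnapshotStore:
    """Write-once store: snapshots can be added, read and verified, never
    rewritten in place; deletion is refused until the retention lock expires."""

    def __init__(self, name: str, retention_days: int):
        self.name, self.retention_days = name, retention_days
        self._snaps: dict[str, list[Snapshot]] = {}

    def take(self, system: str, payload: bytes, now: int) -> Snapshot:
        snap = Snapshot(system, now, now + self.retention_days,
                        hashlib.sha256(payload).hexdigest(), payload)
        self._snaps.setdefault(system, []).append(snap)
        return snap

    def latest_good(self, system: str) -> Snapshot | None:
        """Newest snapshot whose bytes still match the hash recorded at capture."""
        for snap in reversed(self._snaps.get(system, [])):
            if hashlib.sha256(snap.payload).hexdigest() == snap.sha256:
                return snap
        return None

    def delete(self, system: str, now: int) -> None:
        for snap in self._snaps.get(system, []):
            if now < snap.locked_until:
                raise RetentionLockError(
                    f"{self.name}: {system} snapshot locked until day {snap.locked_until}")
        self._snaps.pop(system, None)

    def replicate_to(self, other: SnapshotStore) -> None:
        """Copy every snapshot; each copy is re-locked under the destination's
        own retention, so a bunker with a long policy outlives the primary's."""
        for system, snaps in self._snaps.items():
            for snap in snaps:
                other.take(system, snap.payload, now=snap.taken_at)

    def simulate_media_tamper(self, system: str) -> None:
        """Constructed attacker step: overwrite blocks beneath the snapshot layer.
        The recorded hash no longer matches, so latest_good() skips this copy."""
        snaps = self._snaps[system]
        last = snaps[-1]
        snaps[-1] = Snapshot(last.system, last.taken_at, last.locked_until,
                             last.sha256, b"encrypted-by-ransomware")


# Constructed inventory: lower tier number means restore first.
TIERS = {"identity-provider": 0, "payments-db": 0, "erp": 1, "wiki": 2}


def plan_recovery(tiers: dict[str, int], stores: list[SnapshotStore]) -> list[tuple]:
    """Restore tier by tier, taking the first store in order (primary, then
    secondary, then bunker) that still holds an intact snapshot of the system."""
    plan = []
    for system in sorted(tiers, key=lambda s: (tiers[s], s)):
        source = next((st.name for st in stores if st.latest_good(system)), None)
        plan.append((tiers[system], system, source))
    return plan


def scenario() -> tuple[list[str], list[str], list[tuple]]:
    """Constructed incident: snapshots on day 100, attacker active days 102-110."""
    primary = SnapshotStore("primary", retention_days=7)
    secondary = SnapshotStore("secondary", retention_days=30)
    bunker = SnapshotStore("bunker", retention_days=365)
    for system in TIERS:
        primary.take(system, f"{system} good data".encode(), now=100)
    primary.replicate_to(secondary)
    secondary.replicate_to(bunker)

    def try_delete(system: str, now: int) -> list[str]:
        refused = []
        for store in (primary, secondary, bunker):
            try:
                store.delete(system, now)
            except RetentionLockError:
                refused.append(store.name)
        return refused

    refused_early = try_delete("payments-db", now=102)   # every tier refuses
    refused_late = try_delete("payments-db", now=110)    # primary lock expired
    primary.simulate_media_tamper("erp")                 # corrupt primary copy
    return refused_early, refused_late, plan_recovery(TIERS, [primary, secondary, bunker])


if __name__ == "__main__":
    for line in scenario():
        print(line)
```

The design choice worth noting is that immutability is enforced by the store, not by the credentials of the caller: `delete()` checks the retention lock and nothing else, so an attacker holding admin rights is refused just as an operator is. The longer retention on the secondary and bunker tiers is what keeps a copy alive once the primary's shorter lock has expired, and the hash check is what stops a tampered primary copy from being restored in preference to an intact replica.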
Click on the PodChats player to hear Jobbins go into the details of how to balance agility with security during periods of significant change.
- Give us a view of the state of the cybersecurity landscape in Asia in 2024.
- How should a CISO define cybersecurity resilience?
- What is agility in the context of cybersecurity from the perspective of a CISO?
- How should CISOs assess and prioritise risks associated with rapid changes in technology or business operations?
- What security frameworks and standards should organisations adopt to ensure compliance while remaining flexible, and without compromising agility?
- How can organisations integrate security into their agile development processes without slowing down innovation (or creating unnecessary friction between operations, development and security teams)?
- With the threat landscape continuing to escalate and both sides (attackers and defenders) having access to the same technologies, how should CISOs architect the company’s cyber resilience strategy to stay ahead of the threat?
- Balancing agility with security during periods of significant change, as a Chief Technology Officer, can you share your views/expectations around security and resiliency in 2025?