In 2024, FutureCISO dialogues with C-suite leaders, including CISOs and cybersecurity practices, highlighted key trends in the region, including AI-driven threats, increased board-level engagement, and a focus on compliance and data privacy.
In 2025, Southeast Asia's cybersecurity landscape demands that CISOs and CIOs consider integrating cybersecurity with business objectives.
CISOs must frame cybersecurity as a business enabler, demonstrating ROI through narratives emphasising resilience, regulatory alignment, and sustained growth in Asia's hyperconnected economy. In other words, CISOs must articulate their cybersecurity strategies in business terms, ensuring that security is a core element of growth and risk management.
Cybersecurity as risk management and business enabler
The National Institute of Standards and Technology (NIST) published its Cybersecurity Framework 2.0, offering CISOs a resource to understand, assess, prioritise, and communicate cybersecurity risks; it is beneficial for fostering internal and external communication across teams and integrating with broader risk management strategies.
Asked by FutureCISO, James McLeary, the Group CIO and CISO of Bumrungrad International Hospital in Thailand, suggests that cybersecurity posture be considered fundamentally risk management.
"Organisations must determine how much cyber risk they are willing to tolerate, and which risks must be avoided, especially when protecting critical assets such as patient medical records in healthcare," he continues.
He emphasises that a robust cybersecurity posture leads to risk avoidance, which builds greater confidence in the business, protects revenue streams, and enhances brand reputation.
"If you hear that a company has had a cyber breach in the market, you intuitively lose confidence in that brand. If an organisation is known as being very secure and robust in its practice, then that leads to strong brand recognition," McLeary explains.
This perspective underscores cybersecurity's role as a business enabler rather than just a cost centre. For healthcare providers like Bumrungrad Hospital, patients are critical stakeholders who demand assurance that their data and safety are protected. This customer trust is a vital intangible asset that cybersecurity helps safeguard.
Aligning cybersecurity investment with business objectives
In Southeast Asia, regulatory compliance remains essential but is not the sole driver of cybersecurity investment. McLeary notes that while regulations such as HIPAA in the US are stringent, the Asia-Pacific region requires a more practical demonstration of business value:
"It's not enough to just say we must comply with the regulation. We have to demonstrate within the APAC region that there is business value in compliance and that we will mitigate risk."
This means CISOs must present cybersecurity spending as both a "stick" (regulatory necessity) and a "carrot" (business improvement and risk mitigation) to secure board support.
McLeary advocates for cybersecurity strategies that adapt to evolving business priorities, such as new product launches, market expansions, and emerging technologies like AI.
For example, integrating AI in healthcare diagnostics is transformative but requires foundational security controls before scaling. CISOs and CIOs must work closely to ensure cybersecurity investments support these business innovations securely and effectively.
Quantifying Return on Investment (ROI) in cybersecurity
Quantifying cybersecurity ROI can be challenging because risk calculations are complex and assumption-based. McLeary suggests focusing on how investments protect critical assets, ensure regulatory compliance, and enable effective incident response.
This approach shifts cybersecurity from a reactive firefighting model to a proactive, optimised function. Human analysts focus on high-value tasks, while AI handles routine alerts. Such efficiencies translate into tangible business benefits by reducing downtime, preventing breaches, and maintaining operational continuity.
Addressing increasing complexity with AI
The increasing complexity of IT and Operational Technology (OT) environments, especially in healthcare, presents new cybersecurity challenges. Medical devices such as CT scanners and robotic surgery machines are increasingly interconnected and AI-enabled, expanding the attack surface. McLeary highlights the need for integrated IT-OT security visibility and controls to manage these risks effectively.
He foresees AI playing a dual role in cybersecurity: enhancing defence capabilities while also being exploited by adversaries. The rise of "shadow AI" - AI solutions adopted without central oversight - poses additional risks that CISOs must manage to prevent organisational exposure.
McLeary predicts that the cybersecurity field will soon transition from the AI age to the quantum age, bringing new challenges and opportunities.
Strategic advice for CISOs and CIOs
McLeary advises CISOs and CIOs to invest significant effort in educating the board and C-level executives in business terms rather than technical jargon. "If you go to them (Board and other C-suite colleagues) with, you know, we've got X number of vulnerabilities, or you explain the detail of a ransomware attack, it's not going to resonate," he advises.
"You have to be able to articulate it very much in a real-life context of what it means for patient safety, or whatever the main driver is within your industry."
He also stresses the importance of collaboration between CIOs and CISOs, whether the roles are combined or separate. A unified strategy is essential to safeguarding the organisation effectively and aligning cybersecurity with business goals.
These insights align with broader industry trends in 2025. Gartner predicts that 80% of CIOs will be measured on their ability to contribute to revenue growth, highlighting the imperative for technology leaders to demonstrate business value beyond cost management.
IDC's Franco Chiam emphasises embedding AI into business DNA as a strategic ally to address challenges and opportunities, reinforcing McLeary's point on AI's transformative role.
Furthermore, Southeast Asia's cybersecurity landscape is shaped by rising AI-driven threats and increasing board-level engagement, requiring CISOs to articulate security investments in terms of resilience, regulatory alignment, and growth potential. The region's hyperconnected economies demand that cybersecurity be integrated with business objectives to maintain competitive advantage and operational continuity.
Conclusion
In 2025, articulating the business value of cybersecurity requires CISOs and CIOs to move beyond technical metrics and frame security as a strategic enabler of business resilience, compliance, and growth.
McLeary's experience at Bumrungrad International Hospital illustrates how healthcare organisations and other sectors can achieve this by focusing on risk management, aligning cybersecurity investments with evolving business priorities, leveraging AI for operational efficiency, and engaging executives with clear, business-focused communication.
This approach protects critical assets and revenue and builds trust with customers, investors, and regulators, securing a strong brand reputation in an increasingly complex and digitalised world.
Click on the link for the whole discourse with McLeary on his views on how to articulate the business value of security in 2025.
Define cybersecurity posture for us.
What are the long-term business benefits of maintaining a robust cybersecurity posture, and how can these be articulated to stakeholders? Who are the stakeholders who should be keen/interested in cybersecurity posture?
What role does compliance with regulations play in justifying cybersecurity spending, and how can/should CISOs present this to the board?
Speaking of justification, how can CISOs/CIOs quantify their cybersecurity initiatives' return on investment (ROI) to demonstrate their value to stakeholders?
Can cybersecurity investments be aligned to support the organisation's broader business objectives?
Cite 3 (max) examples of how prevention offers tangible ROI of cybersecurity investments.
Cite an example of a successful cyber risk narrative that CISOs can use to illustrate the business value of cybersecurity investments.
IT and OT processes are increasing in complexity. Do you anticipate cybersecurity solutions and processes?
What is your prognosis for cybersecurity as a technology and practice in 2025 and the coming years?
What is your advice to both the CIO and CISO to be more effective in the delivery of cybersecurity's value to the business?
Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.