In 2025, the cybersecurity landscape across Southeast Asia and Hong Kong is being reshaped by rapid digitalisation, the explosive adoption of artificial intelligence (AI), and an increasingly complex web of regulatory demands.
Authorities such as Singapore’s Monetary Authority (MAS) and South Korea’s National AI Committee are tightening enforcement, introducing robust frameworks for data privacy, AI governance, and cyber risk oversight.
Organisations now operate in a high-stakes environment where compliance is not optional — it’s existential.
Businesses face relentless threats: ransomware attacks are more disruptive than ever, advanced persistent threats (APTs) are leveraging AI to evade detection, and supply chain vulnerabilities have become prime attack vectors.
Industry reports warn of a widening cyber resilience gap, with smaller enterprises especially vulnerable. This growing “cyber inequity” underscores the urgent need for stronger recovery capabilities and accessible security solutions — driving demand for Cybersecurity-as-a-Service (CaaS) and managed Security Operations Centres (SOCs).
Regulation: Patchwork, not uniform
The regulatory terrain across Asia-Pacific is increasingly fragmented, posing a major challenge for multinational organisations. As Sean Duca, CTO for customer experience at Cisco for Asia-Pacific and Japan, observes: “When I look at Asia-Pacific as a whole, the regulatory environment is really becoming increasingly fragmented.”
From Singapore’s PDPA to India’s DPDP Act, organisations must navigate divergent data protection laws, cross-border data flow restrictions, and emerging AI model transparency requirements.
“We need to start thinking about how do we map these particular requirements to those other jurisdictional requirements that are actually out there,” stresses Duca.
Without a unified compliance strategy, businesses risk non-compliance, fines, and reputational damage.
Secure by design, always
To combat evolving threats, Duca advocates for a fundamental shift: security must be embedded from the outset. His three strategic pillars for resilience are clear — secure by design, unified threat correlation, and third-party visibility.
Secure by design means integrating security into the software development lifecycle, ensuring secure coding practices, and building systems capable of self-remediation.
“We need to think about how do we start to ingest telemetry from all signals… endpoints, cloud, DNS systems,” Duca explains.
But he cautions: “It’s not simply a case of let’s just consume everything for the sake of consuming it. It’s the right type of information that needs to be ingested.”
This focus on quality over quantity enables faster threat detection, root cause analysis, and predictive defence.
Zero Trust, full automation
In hybrid and multi-cloud environments — still dominant across the region — the perimeter is obsolete. “Identity is the new perimeter,” Duca asserts. Manual identity and access management (IAM) processes are too slow and error-prone for today’s scale and complexity.
Organisations must automate access controls, enforce least privilege, and dynamically respond to risk signals like anomalous logins or abnormal application usage.
“It’s when people start to implement zero trust and provide that least privilege access, that’s where they’re really getting ahead,” Duca says.
Automation reduces human error, accelerates user experience, and strengthens defences — especially as AI-driven enterprises scale.
Quantum risk, act now
While some dismiss quantum computing as a distant threat, Duca warns against complacency: “Quantum computing really threatens the long-term confidentiality of sensitive information.”
Legacy cryptographic algorithms could soon be broken, exposing years of stored data. “This is not one of those future projects,” he insists.
Organisations must conduct a cryptographic inventory, identify vulnerable algorithms, and begin transitioning to post-quantum cryptography (PQC).
“Five years ago, if I told people to get ahead of AI, some would have put it on the back burner,” Duca reflects. “I think quantum is that thing for me that an organisation has to be thinking about today.”
AI & Edge: New frontiers
AI-powered applications and edge computing are expanding the attack surface and creating data gravity challenges — especially under strict data sovereignty laws in countries like Australia (CPS 234) and India (DPDP).
Duca highlights the need for end-to-end observability and sovereign control: “Observability for me is probably the one area that every organisation needs to focus on.”
Without full visibility across on-prem, cloud, and edge environments, blind spots emerge — and breaches go undetected.
Cisco’s approach, he notes, is to build secure-by-design infrastructure that spans network, compute, storage, and security layers — ensuring protection wherever data resides.
CISO & CIO: Unite now
Blame games after a breach are costly and avoidable. Duca calls for joint ownership between CISOs, CIOs, and compliance officers:
“The strategic value is really trying to ensure that we can improve the resilience of our own initiatives.” Sean Duca
Collaboration must be built on shared principles — zero trust, automation, platform-based security — to eliminate silos and ensure cohesive incident readiness.
“We need to provide that assurance across the board around future-proofing our cybersecurity strategy,” he says.
Build resilience, not just defence
For Duca, resilience means more than protection — it’s about anticipating, withstanding, and recovering from threats without disrupting business operations.
His roadmap for CISOs and CIOs begins with a maturity assessment using frameworks like NIST, identifying gaps in people, processes, and technology. Then, establish guiding principles: reduce tool sprawl, prioritise automation, and extend protection beyond the data centre.
Finally, classify assets by business criticality, build threat models around crown jewels, and secure the entire data pipeline — especially in AI-driven environments. “Build, operate, recover with security always built in,” Duca concludes.
In 2025 and beyond, resilience isn’t a goal — it’s the foundation.
Click on the PodChats player to learn more from Duca on his take around developing a resilient cybersecurity roadmap.
- How will evolving AI, cloud security, and data privacy regulations across Asia-Pacific affect CISO’s multi-cloud governance and compliance frameworks?
- What strategies can CISOs/organisations adopt to defend against increasingly sophisticated ransomware, supply chain attacks, and network-based intrusions?
- How do CISOs/CIOs secure hybrid and multi-cloud environments effectively, leveraging generative AI tools to automate identity and access management while reducing manual overhead?
- Some say quantum computing is still years away. That said, people are talking about post-quantum cryptography today. Can you share any best practice for implementing quantum-resistant encryption and network security protocols to mitigate emerging quantum computing threats?
- How can CISOs ensure robust security and compliance for AI-powered cloud applications and edge computing infrastructure under diverse data sovereignty laws? How should the CISO work with the CIO and the risk/compliance officers of the organization?
- Recapping what we’ve covered so far: our topic is Developing a Resilient Cybersecurity Roadmap. Can you offer some recommendations for CISOs and CIOs in developing their resilient cybersecurity roadmap?