As 2026 unfolds, Southeast Asia stands at a cybersecurity crossroads. Governments and critical infrastructure providers across the region are accelerating digital transformation while contending with a volatile threat landscape shaped by AI, state-aligned actors, and persistent legacy vulnerabilities.
With public administration the most targeted sector in the Asia-Pacific (APAC) region—accounting for 25% of espionage-driven incidents, according to the Verizon 2024 Data Breach Investigations Report—CISOs are under immense pressure to move beyond compliance and build genuine resilience.
"Cybersecurity must be brought into the core of the business and treated as a whole-of-community responsibility led by boards, risk/audit committees and senior leadership, not an IT tick-box exercise," offers Aaron Bugal, field CISO for APJ at Sophos.
The future of cyber defence in Asia hinges not on tools alone, but on culture, preparation, and strategic alignment with national outcomes.
From compliance to continuous resilience
For years, many government agencies in Southeast Asia have approached cybersecurity through regulatory checklists. But in 2026, that mindset is dangerously outdated.

Bugal stresses that "real resilience comes from preparation before an incident – rehearsed roles, decision rights, continuity and recovery paths."
Without live exercises and adaptive policies, leaders risk making "heat of battle" decisions during crises—decisions that can compromise citizen services or national security.
This shift requires embedding cyber resilience into service delivery itself. Metrics must evolve to reflect "practised readiness, recovery speed, and continuity of citizen services, not static documentation," notes Bugal.
Back in 2023, Gartner predicted that by 2026, 50% of C-suite executives would have performance metrics tied to cybersecurity risk. Government CISOs in the region must urgently align their KPIs with outcomes such as service uptime, incident containment time, and citizen trust—not just audit pass rates.
Securing the unreplaceable: Legacy systems under siege
Many Southeast Asian governments still rely on decades-old systems that underpin national operations—from customs clearance to power grids. Replacing them is neither feasible nor immediate.
Bugal advises adopting a "critical infrastructure mindset," focusing not on replacing legacy platforms but on "strengthening the peripheral – surrounding controls and operational practices that reduce impact without destabilising fragile platforms."
This means investing in network segmentation, enhanced monitoring, and disciplined operational protocols around these systems. "Treat the environment supporting the legacy system… as the primary lever to preserve function, minimise blast radius, and manage risk over long transition timelines," he explains.
Accountability must be elevated beyond a single IT team; risk ownership should be organisation-wide.
The AI tightrope: Productivity vs. protection
Artificial intelligence offers powerful defensive capabilities—but also unprecedented risks. IDC forecasts that by 2026, 70% of organisations will factor environmental sustainability into cloud purchasing decisions, reflecting growing scrutiny of AI's compute and carbon footprint.
Yet in parallel, threat actors are weaponising AI for hyper-realistic phishing, voice cloning, and deepfake disinformation.
Bugal warns against uncontrolled AI adoption: "Scrutinising ROI and necessity, avoiding unsanctioned AI agent proliferation… is essential."
At Sophos, internal Copilot-style tools are permitted—but feeding sensitive data into public large language models (LLMs) is strictly forbidden. Governments must adopt similar guardrails, leveraging frameworks from bodies like NIST and national cybersecurity centres to govern AI use ethically and securely.
Compounding the challenge, IDC also reports that 76.5% of Asia/Pacific enterprises lack confidence in detecting AI-powered attacks—a gap that demands urgent redress through telemetry, policy controls, and human-in-the-loop validation.
Supply chains and sovereignty: Proof, not promises
Southeast Asia's digital public services increasingly depend on complex, cloud-native ecosystems involving dozens of third-party vendors. Yet Gartner predicts that 45% of global organisations will experience a software supply chain attack by 2025—a threat that persists into 2026.
Bugal's advice is unequivocal: "Require proof, not promises." CISOs must use procurement leverage to demand "transparent trust centres, certifications and attestations, third-party validation," and enforce contractual clauses that mandate continuous assurance—not just point-in-time compliance. In public-sector procurement, this means embedding data sovereignty, a forward security posture, and auditability into every agreement.
This is especially critical in jurisdictions with strict data-localisation laws, such as Indonesia and Vietnam. Cybersecurity can no longer be outsourced on faith; it must be verified at every layer of the service lifecycle.
Talent, burnout, and the human firewall
No strategy succeeds without skilled people—and Asia faces a widening cyber talent gap. Governments struggle to compete with private-sector salaries, leading to high churn and burnout.
Bugal advocates against rigid role definitions: "Match people to diverse disciplines… use trials and internal mobility to discover fit." Flexibility in hiring and career paths, he argues, "directly combats pervasive burnout" while retaining institutional knowledge.
Crucially, he reminds leaders that "people, process, and technology are a continuous journey, not a finish line, with the human element decisive amid specialised systems and sensitive data." Investing in psychological well-being, live-fire exercises, and peer learning isn't optional—it's foundational to operational resilience.
Regional collaboration offers another talent multiplier. Mature information-sharing bodies in Singapore and Australia already enable CISOs to "connect with regional and global partners," participate in monthly threat retrospectives, and access actionable intelligence.
Bugal encourages broader APAC participation: "These forums… build peer networks that strengthen local programs."
Click on the PodChats player to hear the details of Bugal's recommendations for strengthening Asia's cyber defences in 2025.
- How can government CISOs effectively measure and improve their cybersecurity resilience, moving beyond compliance-based checklists to ensure the continuous delivery of essential citizen services during an attack?
- What strategies have proven most effective for securing legacy systems that remain critical to national operations, given that they cannot be immediately replaced?
- With Gartner highlighting that by 2026, 50% of C-level executives will have performance requirements tied to cybersecurity risk, how can government CISOs best align their security metrics with national-level outcomes?
- How can CISOs proactively defend against state-aligned (sponsored) actors who are increasingly targeting digital public services and critical infrastructure for espionage and disruption?
- Name one CISO strategy for managing third-party and supply chain risk, particularly as organisations, both private and public, rely on an ecosystem of partners to deliver complex, cloud-native government services.
- Given IDC's prediction that by 2026, 70% of organisations will consider environmental sustainability in their cloud purchase decisions, how can CISOs balance security, sovereignty, and sustainability in their technology procurements?
- How are government CISOs addressing the critical cybersecurity skills gap, and what new models for talent acquisition and retention must be developed to compete with the private sector? How can burnout be avoided?
- To what extent have CISOs integrated security into the entire application lifecycle (DevSecOps) for their national digital identity and other citizen-facing platforms?
- Name a governance and technical framework for the safe and ethical adoption of AI, both to enhance a government's cyber defences and to mitigate its potential malicious use by threat actors.
- How are government CISOs collaborating with regional counterparts and international bodies to share threat intelligence and establish coordinated response protocols for cross-border cyber incidents?
- What is the one final piece of advice for government CISOs as they update their cybersecurity strategies for 2026? No endgame in sight?
