Asia's CISOs and CIOs face a uniquely complex cyber landscape in 2025. The convergence of AI-driven attacks and deepfakes intensifies disinformation and social engineering threats, demanding adaptive strategies. Simultaneously, securing sprawling IoT ecosystems against supply chain vulnerabilities requires more adaptive, scalable, and resilient solutions.
Regional disparities in 5G and cloud adoption create systemic resilience gaps, necessitating stronger public-private partnerships to address these gaps. The ethical deployment of autonomous response systems and safeguarding AI algorithms against poisoning are crucial.
CISOs must also navigate stringent data localisation laws amidst a cyber skills shortage, balancing AI orchestration with upskilling. Quantifying the return on investment (ROI) of resilience investments in emerging technologies remains a key priority for justifying essential budgets.
Convergence is reshaping the threat landscape
The past two years have seen a surge in AI-driven attacks and deepfake-enabled disinformation, fundamentally altering the threat landscape. As Sunny Tan, head of security business for AMEA, BT Business, explains:
"AI is increasingly embedding itself into the way we conduct our business, the way we run operations, and certainly in cybersecurity as well… AI is being used by all parties, including actors who have the intent to damage our business and perhaps to extract some economic value by using it for ransomware and so on."
Deepfakes are now being used in highly convincing phishing, CEO fraud, and social engineering campaigns, with the Asia-Pacific region being particularly vulnerable due to its high digital adoption and diverse language landscape. According to Trend Micro, 75% of organisations in the Asia-Pacific region have experienced AI-enhanced phishing or social engineering attempts in the past year.
Blockchain for supply chain security in IoT ecosystems
With supply chain vulnerabilities becoming more prominent, blockchain technology offers a promising solution—particularly in securing IoT ecosystems across Asia's manufacturing and logistics sectors.
Tan notes: "Blockchain in itself is tamper-proof and irreversible," making it particularly valuable for verifying data and telemetry from connected IoT systems.
While blockchain adoption for the Internet of Things (IoT) is still in its early stages, research papers suggest its potential to ensure data integrity throughout the supply chain—from tracking organic produce to monitoring industrial equipment. However, widespread implementation remains limited due to fragmented protocols and lack of standardisation.
Systemic risks and public-private collaboration
Uneven 5G rollouts and varying levels of cloud adoption across Asia create systemic risks that leave organisations vulnerable. These disparities fragment security models and hinder visibility into threats, especially in remote locations where network connectivity is inconsistent.
Tan highlights the importance of public-private partnerships in addressing these gaps, noting that "About 75–80% of business leaders agree that cross-sector partnerships are crucial for keeping pace with cyber risks."
BT's Cyber Agile Report supports this view, identifying six dimensions of cyber agility—awareness, compliance, connectivity, strategy, skills, and innovation—that organisations must master to build comprehensive resilience.
Ethical deployment of autonomous response systems
As AI-powered autonomous response systems gain traction, ethical considerations become paramount. CISOs must ensure these systems don't inadvertently escalate cyber incidents.
"I don't think we are there yet where we can fully trust autonomous decision where the impact of making a wrong decision by AI is far more severe than the attack itself." Sunny Tan
A human-in-the-loop model remains crucial in preventing unintended consequences. This cautious approach acknowledges both the promise and limitations of current AI capabilities in high-stakes cybersecurity scenarios.
Securing AI training data and algorithms against poisoning
With organisations increasingly relying on machine learning for predictive analytics, securing training data against poisoning attacks has become essential. Traditional data protection approaches still apply but now require additional scrutiny regarding how AI agents will use the data.
As Tan explains: "AI models are only as good as the data they have trained on," reinforcing the need for rigorous data validation and access controls.
Organisations must ensure that data ingress points are secured and that models are continuously monitored for anomalies or biases introduced through corrupted datasets.
Navigating data localisation laws in multinational operations
Striking a balance between compliance and operational efficiency is a growing concern for CISOs in markets such as China and India, where stringent data localisation laws are in effect.
"It always boils down to policy-driven network architecture… to make sure that data travels in a way that is entirely compliant with the data localisation laws," observes Tan.
This includes designing enterprise architectures that define where data is generated, processed, and stored, ensuring alignment with sovereign regulations while supporting regional cloud strategies.
Talent shortage: AI orchestration vs upskilling
Amidst a persistent shortage of skilled cybersecurity professionals, organisations face difficult choices between investing in AI-driven security orchestration or upskilling programs. Sunny Tan advocates for a balanced approach:
"My belief is organisations should invest in AI to take care of the security triaging and the lower-level capabilities… [while] skilled cybersecurity professionals focus on higher-level analysis." Sunny Tan
This hybrid model reduces burnout among Level 1 analysts, allowing experienced teams to focus on strategic threat assessment and incident response.
Measuring ROI on cyber resilience investments
Quantifying the return on investment (ROI) for cyber resilience initiatives remains a key priority for CISOs seeking to justify budgets for emerging technologies, such as deception platforms and homomorphic encryption. Strategic CISOs are adopting metrics that translate technical performance into business risk language understandable to boards and CFOs.
As Tan points out: "Security investments should be defined as enterprise risk measures. In other words, a dollar investment in a cybersecurity initiative actually burns off an X amount of risk to the organisation."
Technical metrics, such as mean time to detect (MTTD) and mean time to respond (MTTR), along with frameworks like the 1-10-60 model (detect in 1 minute, analyse in 10, resolve in 60 minutes), provide measurable benchmarks.
Final advice for CISOs in 2025
Given the prevailing uncertainties in 2025—including geopolitical tensions and rapidly evolving threats—Tan advises CISOs to embrace the concept of cyber agility as outlined in BT's Cyber Agile Report. Organisations demonstrating high maturity across all six dimensions showed significantly better business outcomes than those lagging in these areas.
"There was a demonstrated and stark difference between those who thought they were cyber agile and having a high maturity in cyber agility and resilience versus those that thought they had a long way to go."
Click on the PodChats player to hear more about Tan's perspective on unlocking cyber resilience essentials for Asia's CISOs and CIOs.
- How has the convergence of AI-driven attacks and deepfake technologies reshaped the threat landscape, and what adaptive strategies must CISOs prioritise to counter disinformation and social engineering?
- In what ways can blockchain architectures mitigate supply chain vulnerabilities, particularly in securing IoT ecosystems across Asia's manufacturing and logistics sectors?
- How do regional disparities in digital infrastructure—such as uneven 5G rollout or cloud adoption—create systemic risks, and what role should public-private partnerships play in bridging resilience gaps?
- As AI-powered autonomous response systems gain traction, how can CISOs ensure the ethical deployment of these systems to prevent unintended escalation during cyber incidents?
- What safeguards are necessary to secure AI training data and algorithms against poisoning attacks, particularly as organisations rely on machine learning for predictive analytics?
- How can CISOs reconcile stringent data localisation laws in markets like China and India with the operational demands of multinational businesses seeking regional cloud solutions?
- Amid a shortage of skilled cyber professionals, should organisations prioritise AI-driven security orchestration or invest in upskilling programmes to build human-machine synergies?
- What metrics should CISOs use to quantify the ROI of cyber resilience investments, particularly when justifying budgets for emerging technologies such as deception platforms or homomorphic encryption?
- What final advice would you give to CISOs in light of the prevailing uncertainties in 2025?