PodChats for FutureCISO: ZTNA and CSMA dual shield for cloud security

by Allan Tan
October 21, 2025

For ASEAN enterprises, the digital future is not a choice between legacy and cloud, but a complex convergence of both. In this hybrid reality, cybersecurity cannot rely on monolithic, perimeter-based defences.

The new imperative is a dynamic, intelligent security posture that protects data and access wherever they reside. This is where two powerful concepts—Zero Trust Network Architecture and Cybersecurity Mesh Architecture (CSMA)—evolve from competing concepts into a symbiotic dual shield.

As Steve Riley, vice president and field CTO at Netskope, clarifies, the first step is understanding their distinct roles. "We need to differentiate between zero trust as a strategy and zero trust network access as a market," he states.

Zero Trust is the overarching philosophy: "ensuring that the right people have the right access to the right resources at the right times for the right reasons." Cybersecurity Mesh Architecture, meanwhile, is the enabling framework that allows security tools to interoperate and share the critical signals needed to make that strategy work.

The ASEAN imperative: Agility amidst regulation

The drive toward this model in ASEAN is not merely theoretical; it's operational. Regulatory mandates from Singapore's MAS TRM, Malaysia's BNM CSF, Indonesia's OJK, and Thailand's PDPA demand granular control over data residency and access. This creates a complex tension: the pressure to innovate and adopt cloud technologies at speed, against the absolute necessity of compliance.

Riley observes a positive shift in this landscape. In his interactions with customers in Southeast Asia and Africa, he sees "a renewed awareness and desire to finally stop analysing too much and start deploying."

The prevailing sentiment is that within their specific regulatory frameworks, organisations can "make some interesting use of cloud technologies and the emerging artificial intelligence." The question is no longer if they will adopt the cloud, but how they will do so securely.

Striking the balance: From Department of "No" to "OK"

The core challenge for CISOs and CIOs is balancing security with business agility. The goal, as Riley puts it, is "striking the right balance between staying secure and getting work done."

Historically, security was often seen as the "department of NO," a friction point that impeded productivity. Zero Trust, powered by a mesh, flips this script.

The magic lies in granular, adaptive access control. Riley provides a compelling example: an employee on a managed corporate device may have full access to public, private, and confidential data.

If that same employee switches to an unmanaged personal device, the security system—using combined signals about device posture and data sensitivity—can dynamically adjust access. Public data remains fully accessible, private data becomes read-only, and confidential data is blocked entirely.
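The device example above written as a policy decision function; this is an added example, not code from the article, Riley or Netskope. The signal and tool names, the 300-second freshness limit, and the fail-closed handling of missing, stale or conflicting signals are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Access(IntEnum):            # ordered so min() picks the most restrictive
    BLOCK = 0
    READ_ONLY = 1
    FULL = 2

# The article's example as a matrix: (device managed, data label) -> access.
MATRIX = {
    (True, "public"): Access.FULL,
    (True, "private"): Access.FULL,
    (True, "confidential"): Access.FULL,
    (False, "public"): Access.FULL,
    (False, "private"): Access.READ_ONLY,
    (False, "confidential"): Access.BLOCK,
}
MAX_AGE_S = 300  # assumption: signals older than this are ignored

@dataclass(frozen=True)
class Signal:
    source: str    # reporting tool (hypothetical names in SAMPLE)
    name: str      # "device_managed" or "data_label"
    value: object
    age_s: int     # seconds since the tool observed it

def decide(signals):
    """Return the access level; missing, stale or conflicting signals fail closed."""
    fresh = [s for s in signals if s.age_s <= MAX_AGE_S]
    votes = [s.value for s in fresh if s.name == "device_managed"]
    labels = [s.value for s in fresh if s.name == "data_label"]
    # Managed only if at least one fresh signal says so and none disagree.
    managed = bool(votes) and all(v is True for v in votes)
    strictest = MATRIX[(managed, "confidential")]
    # An unknown label, or no fresh label at all, is handled as confidential.
    levels = [MATRIX.get((managed, label), strictest) for label in labels]
    return min(levels) if levels else strictest

# Constructed sample signals, not real tool output.
SAMPLE = [
    Signal("endpoint-platform", "device_managed", True, 20),
    Signal("identity-platform", "device_managed", False, 45),   # disagrees
    Signal("data-security-platform", "data_label", "private", 10),
]
```
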

"This is sort of one example of being able to provide some agility that didn't exist when it wasn't possible to evaluate and combine these signals," Riley explains. This nuanced approach enables the business without introducing undue risk, transforming the security team into the "department of OK."

CSMA: The nervous system for a zero trust strategy

A Zero Trust strategy is only as good as the data it runs on. It requires a constant stream of signals—user identity, device behaviour, data location, application type—to generate the context for access decisions. This is where Cybersecurity Mesh Architecture proves its value.

CSMA acts as the nervous system, allowing different security tools to share information seamlessly.

"The more that tools can communicate amongst themselves, the greater volume of signals we'll have," says Riley. "I want as many signals as possible to allow me to have the best and the most refined sets of policies."

Netskope's Cloud Exchange is a practical manifestation of this. It provides modules for sharing threat intelligence (Threat Exchange) and risk data (Risk Exchange) with other vendor tools. "In a way, you could say that our cloud exchange is the beginning of a CSMA," Riley notes.

This interoperability is crucial. It allows, for instance, a security tool to use an API from Zoom to analyse video frames for deepfakes, and then instruct the application to remove a detected threat—a powerful example of tools and applications collaborating in real time to mitigate risk.

The new adversary: Mitigating AI-amplified risks

The rise of AI introduces a new dimension of risk that this dual shield is uniquely positioned to address. Riley highlights two key concerns. First, AI-powered adversaries can attack at unprecedented scale and speed. Second, and more immediately, the proliferation of AI in enterprise SaaS applications creates new data exposure points.

"One recommendation I have for any purchaser of a SaaS app that includes AI is to ask, well, what are those AI models within the SaaS app?" Riley advises. Using a public AI model that ingests corporate data is a significant risk.

Furthermore, the emergence of AI "agent frameworks" that autonomously execute tasks and access data represents a new form of "prolific shadow IT." Security platforms must now be able to track what these agents are doing, which models they connect to, and what data they share.

The Roadmap: Platforms and interoperability over point solutions

Faced with these challenges and budget constraints, how can CISOs and CIOs build a realistic roadmap? Riley advocates for a platform approach, moving away from dozens of disjointed point solutions.

He suggests focusing on four key platform types:

  1. An Identity Platform (including governance).
  2. An Endpoint Protection Platform (beyond just anti-malware).
  3. A Network and Data Security Platform (that handles all traffic consistently).
  4. An Analytics and Threat Response Platform (combining SIEM and SOAR).

However, the most critical evaluation criterion is not features, but interoperability. "It's more important to evaluate how the platforms interact with each other than the features of the platforms themselves," Riley emphasises.

"Don't buy that network and data security platform even though it has the best features, because it doesn't interact with anything else. You can't build a mesh architecture with that thing." Steve Riley

This focus on interoperability is the bedrock upon which an effective CSMA—and, by extension, a powerful Zero Trust strategy—is built.

The ROI of this consolidated, platform-based approach is clear: increased agility through finer-grained control, reduced risk as employees are guided toward secure behaviours, and optimised costs by consolidating vendor sprawl.

For ASEAN leaders, the path forward is clear. By weaving together the strategic philosophy of Zero Trust with the interoperable framework of a Cybersecurity Mesh, they can construct a resilient, adaptive security posture.

This dual shield does not just protect the modern hybrid enterprise; it actively enables it to innovate and grow with confidence in a regulated, AI-driven world.

Click the PodChats player and listen as Riley explains how Zero Trust and Cybersecurity Mesh Architecture together form the dual shield for cloud security.

  1. How can CISOs effectively integrate Zero Trust Network Access (ZTNA) principles to secure access in multi-cloud environments without impeding business agility?
  2. In what ways might Cybersecurity Mesh Architecture (CSMA) unify fragmented security tools across hybrid IT infrastructures?
  3. What role will AI and emerging technologies play in amplifying cloud security risks, and how can CIOs/CISOs mitigate them proactively?
  4. What has worked regarding how organisations approach ZTNA and CSMA?
  5. Any recommendation for quantifying the ROI of shifting from perimeter-based firewalls to a zero-trust + mesh model—not just in cost savings, but in risk reduction?
  6. What long-term metrics should CISOs track to evaluate the success of their cloud security strategy in a rapidly changing Southeast Asian landscape?
  7. Why platforms in cybersecurity? How does it map to defence-in-depth?
  8. How will we address the increased complexity of managing a distributed security model while adhering to Zero Trust principles?
  9. What would be a realistic roadmap for evolving security posture to embrace both CSMA and Zero Trust?

Tags: CSMA, Netskope, Podchats, ZTNA

Allan Tan

Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.

Previous roles: He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role. He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications. He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer. He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific. He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific. He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.

Copyright © 2024 Cxociety Pte Ltd | Designed by Pixl
