FutureCISO

Recalibrating CISO strategies amid AI complexity

by Allan Tan
January 12, 2026

In 2025, Singapore's cybersecurity landscape presents a complex interplay of challenges, risks, and opportunities for CISOs and security professionals, as revealed by the ISACA Singapore Chapter-Frost & Sullivan survey.

Source: Frost-ISACA Singapore Chapter, 2025

Echoing 2024 trends, skills and resource shortages remain acute (44% of respondents), compounded by difficulties in justifying budgets (47%) and balancing regulatory compliance with customer needs (43%).

Third-party vulnerabilities emerge as a top concern (46%), amplifying risks from supply chain attacks, insider threats (24%), and data sovereignty issues amid accelerating digital adoption.

Risks are heightened by rapid AI integration, with 70% of organisations adopting more AI tools in the past year, potentially exposing untested gaps in edge security and operational resilience. Incidents increasingly impact reputation (66%), revenue (52%), and productivity (41%).

Yet opportunities abound: 79% favour cybersecurity modernisation, with 17% embedding AI into security operations to enhance controls. Proactive strategies, including board-level engagement (36%) and advanced technologies, have reduced concerns for 83% of adopters.

By prioritising AI-driven threat management and upskilling, CISOs can navigate these dynamics, fostering sustainable resilience akin to 2024's emphasis on aligned, risk-based approaches.

Shifting investments to platforms and governance

CISOs in Singapore are adapting to AI's dominance by moving away from isolated controls towards integrated platforms and governance, particularly in AI and cloud environments. Yap Lip Keong, president of ISACA Singapore Chapter, observes: "They are shifting from point controls in the AI investment space to platform and governance, because the AI and cloud are two of their main concerns today..."

He acknowledges that Singaporean organisations are evolving their investments to platforms and governance in both areas. "Adopting AI guardrails, cloud security posture, because most of the AI solutions that they are adopting today are actually in the cloud," he continues.

This shift reflects the prevalence of cloud-based AI adoption via SaaS or cloud service providers (CSPs), with a focus on third-party risk controls. Yap adds: "We don't see a lot of investment to house the AI system on-prem, other than the banks or FSI. We're doing some of this, not many of them. Government, I guess. Government will do some on-prem."

Kenny Yeo, director of ICT and head of Asia Pacific cyber security practice at Frost & Sullivan, highlights the underlying drivers: "The main issues are around complexity as well as around the lack of workforce and expertise... organisations are starting to look at ways to modernise their tooling, because the solution sets that they already have in the organisation, there has been a vast wave of innovation... there's so much incorporation of AI now into security tools."

Early-stage AI strategies signal governance gaps

The survey indicates that many Singapore companies have early-stage AI strategies, suggesting immature governance of AI risks. Commenting on the response, Yap explains what an early-stage AI strategy means: "What it really means to a degree is adoption is facing ahead of assurance."

"I think most CISOs are now trying to anchor or mature their environment using more practical mechanisms. They'll see whatever's available out there. NIST, CISA, and even the CSA have provided some guidelines." Yap Lip Keong

Yeo concurs: "It's really organisations jumping because the hype of AI is real. They have to do something around AI transformation... there's a lag between the jumping to AI and the protection of the AI and the data and everything that comes around it."

Balancing AI innovation with data safeguards

To support AI-driven innovation while protecting sensitive data, CISOs must implement data-centric guardrails. Yap advises: "What we call the data-centric grab rails is something that the organisation will need to adopt... There needs to be some level of data classification, and what is so-called AI-allowed data... The other element is least privileged access to those systems... where that data needs to be set for training, you possibly can ask for those instances to at least still be in Singapore."

He also stresses tools like data loss prevention: "You need to have a mechanism to stop, you know, personal data or sensitive data from leaving the user... So, I think the solution is already there." Additionally, alignment with laws like PDPC is crucial: "It needs to be aligned to the law that is prevalent in Singapore, what PDP has already outlined."

Yeo ties this to business goals:

"The root of all this excitement is around customer outcomes... But the problem is, as you are so excited to jump into this AI... many do not put in very concrete measures for data and data security." Kenny Yeo

Integrating AI-enabled security without added complexity

With 65% of organisations exploring AI-enabled cybersecurity tools, CISOs focus on targeted integration.

Yap notes: "Most CISOs... are already looking into an AI-enabled tool... They are looking at particular use cases where it can augment their team... They are also looking at transparency in their use of those tools... I think CISOs are also doing pilots... when the tools are integrated, they are already integrated into existing tooling."

Yeo emphasises platforms: "The way that the industry is going now, it seems very much that we are more open to a platform approach... using AI to help to find out, to get a sense of summarising all this content together... Another one is really around using AI to help the people... organisations just need to give it a POC and give it a trial."

Reshaping teams for an AI-driven future

CISOs must refresh roles and competencies.

Yap says: "What the CSO need to look at... is to actually so-called refresh the role families... Things like the events involving these AI systems... then require a new role called an AI security engineer... It is a very specialised skill... You need to provide them training or time if you want to upscale your existing team."

For resilience, Yap suggests outsourcing: "You need to look at MSSP... you outsource and, you know, get your team to deal with the more critical elements... because all the money is going to the AI side."

Yeo adds: "The CISOs are also going to face... a lot more pressure from the AI-enabled attacks... The level of expertise is different... priorities always would have to focus back to the business."

The state of cyber hygiene and monitoring

With 60% of organisations at risk, cyber hygiene remains uneven.

Yap states: "Many organisations are still operating with partial controls and uneven monitoring... The skills are not there; the people are not there... Most of them implement about 70% of essential measures... But it cannot be just a checkbox exercise every year... you need to have a mechanism to monitor whether or not those control elements... are still effective on an ongoing basis."

Yeo stresses detection: "We have to go towards detection and response so that you can actively see if something's going on instead of just another annual test."

Translating risks for board buy-in

To secure support, CISOs quantify impacts. Yap recommends: "Turning some of these impact findings into board rating risk narrative... You know, this business disruption in terms of hour of outage times revenue... the CISO will need to be brave enough to say... if I lose this customer and this customer, our annual value with this customer is this much."

Yeo notes: "The ability for CISO to translate actual technical risk into business terms, I think that's the important part."

Effective communication on governance

Successful communication involves regular briefings. Yap highlights: "The board today... has more IT-savvy board members... they've managed to secure regular briefing to senior management and board... choosing the right metrics and reporting those metrics consistently actually helps."

Yeo credits government efforts: "Singapore and the government are really taking proactive steps... because of awareness... the view of cybersecurity and digital risk is improving."

Strengthening supply chain assurance

For extended ecosystems, CISOs should tier their suppliers. Yap advises: "Tier the suppliers... The other element is to contract by security outcomes... for your more critical vendor, you need to do that continuously... Give me your SOC 2 report... align the third-party controls with what is cloud reality."

The value of training and certification

ISACA certifications build foundational knowledge.

Yap explains: "The certification at least shows to you that the person who obtains it has gone through the body of knowledge... nothing can replace experience... From the user's point of view... You basically allow the employee to upgrade their skills... That certification at least gives you credibility."

Tags: AI governance framework, Frost & Sullivan, ISACA Singapore Chapter
Allan Tan

Allan is Group Editor-in-Chief for CXOCIETY writing for FutureIoT, FutureCIO and FutureCFO. He supports content marketing engagements for CXOCIETY clients, as well as moderates senior-level discussions and speaks at events.

Previous Roles

He served as Group Editor-in-Chief for Questex Asia concurrent to the Regional Content and Strategy Director role. He was the Director of Technology Practice at Hill+Knowlton in Hong Kong and Director of Client Services at EBA Communications. He also served as Marketing Director for Asia at Hitachi Data Systems and served as Country Sales Manager for HDS’ Philippines. Other sales roles include Encore Computer and First International Computer. He was a Senior Industry Analyst at Dataquest (Gartner Group) covering IT Professional Services for Asia-Pacific. He moved to Hong Kong as a Network Specialist and later MIS Manager at Imagineering/Tech Pacific. He holds a Bachelor of Science in Electronics and Communications Engineering degree and is a certified PICK programmer.

Copyright © 2024 Cxociety Pte Ltd | Designed by Pixl