It should come as no surprise that the challenges and opportunities differed from country to country. Region-specific factors such as business cultural norms, language, geopolitical issues, the regulatory landscape, and cybersecurity maturity can vastly impact cybersecurity threats and practices.
The luxury of physical presence and time meant that I learned things I simply can’t intuit from press reports or even virtual calls. In this blog, I will share my key learnings and takeaways from the key challenges and opportunities for CISOs in Southeast Asia:
Narrative attacks and deepfakes
With 2024 touted as “Asia’s year of elections,” with seven highly populous Asian countries holding elections, narrative attacks are expected to be especially popular here. Indonesia saw this when an AI-generated deepfake video of late President Suharto that cloned his face and voice, trying to influence a political agenda, went viral. Speaking of deepfakes: According to a Sumsub report, deepfakes surged by 1,530% in APAC! We discussed the Hong Kong finance worker who attended a video call in which deepfake technology was used to imitate his colleagues, part of a scheme to prompt him to transfer US$25 million. We also discussed the concern about the use of deepfakes in biometrics, with security leaders bringing to my attention banking victims identified in Vietnam and Thailand.
Human element and AI software supply chain threats
Generative AI’s talent for breaking down language barriers means that non-English-speaking countries will no longer be able to avoid some human-related attacks such as business email compromise (BEC) and other forms of social engineering (for example, Japan saw a 35% year-over-year increase in BEC attempts). The security leaders we spoke to agreed that they anticipate a significant rise in human-related attacks. Another imminent threat related to AI and the software supply chain: Forrester predicted that in 2024, at least three data breaches will be publicly blamed on AI-generated code.
A chaotically evolving regulatory landscape
Regulators in APAC can no longer ignore these breaches. In 2022–23, Australian regulators announced amendments to the Privacy and Telecommunications Acts, and Australia also refreshed the federal government’s Essential Eight threat mitigation strategies and strengthened industry-focused regulations such as the Security of Critical Infrastructure Act.
The Indian Parliament passed the much-awaited Digital Personal Data Protection bill. Singapore amended its Personal Data Protection Act, Indonesia passed its first ever Personal Data Protection Law, and even Japan strengthened its Act on the Protection of Personal Information. This is causing havoc for CISOs in these regions, who shared with us what they called “a significant regulatory burden” — these compliance activities consume precious resources, time, and energy, all of which CISOs wish could be diverted into more strategic initiatives.
Protecting CISOs and their teams
All of the above dynamics — combined with low budgets, still emerging levels of organizational influence, a widening cybersecurity workforce gap (one that increased by 11.8% in APAC this year), and many CISOs in the region still reporting to technology departments — led to discussions about how CISOs will protect themselves and their teams.
Cybersecurity burnout started rearing its ugly head, particularly in our Singapore and Hong Kong discussions, an issue discussed only in hushed tones in previous visits. Leaders discussed the feasibility of retaining their own counsel to negotiate compensation and insurance, as well as for consultation when making decisions as a senior security leader. They also discussed retaining and upskilling existing talent.
Generative AI aspirations
Security leaders discussed how they have been supporting their organizations to adopt generative AI (genAI) safely and their wish to protect their organizations without being relegated to the “department of no.” Some even spoke about warning their firms against being too genAI-conservative and advising them on the many business and productivity benefits of genAI. All of them wanted to know how to engage and influence their organizations on the appropriate behaviors of using genAI (such as what can and cannot be shared with genAI), particularly as employees embrace the technology, creating a shadow genAI situation.
Zero trust
Forrester predicted that in 2024, roles with Zero Trust (ZT) titles will double across public and private sectors in some countries and emerge in others. This was not a popular prediction for which our attendees have been preparing, at least not in the short term. While our research shows that ZT is finally moving from concept to reality in Asia Pacific, there was still a broad range of sentiment and skepticism in the deep discussions.
Originally posted on Forrester