Developed and Western markets have arguably always been a step ahead in complying with cyber regulations, given that industry benchmarks are shaped by Europe’s General Data Protection Regulation (GDPR) and the strict cyber laws in the US.
But the latest EY Global Information Security Survey 2019-2020 reveals that Asia-Pacific has now caught up in security protection terms, with only 53% of respondents from the region seeing an increase in the number of destructive attacks over the past 12 months, compared with 41% from global respondents.
Asia-Pacific is now also at a similar level to the rest of the world in board and executive understanding of the needs and value of cybersecurity, with more than half of both global (58%) and Asia-Pacific (54%) respondents agreeing. In addition, 57% of global respondents claim their cybersecurity subcommittees now hold briefings with executive boards on a regular basis, with Asia-Pacific following closely at 52%. The results suggest that Asia-Pacific is now better equipped and more prepared to respond to cyber threats.
Focus shifting to recognizing and managing risk
In the midst of Asia-Pacific’s increasingly favorable standing in cybersecurity across the globe, a new type of cyber threat driven by social activism is creating new challenges for organizations and CISOs. Activists (sometimes referred to as “hacktivists”) are now responsible for the highest number of disruptive cyber threats to organizations in Asia-Pacific at 19%, while traditional crime gangs are responsible for 18%. These results suggest a move away from traditional cyber attack motives such as financial gain.
Activist threats illustrate a new challenge for CISOs, who now have to recognize and be ready to manage this new threat motive. Such motives require proactive risk mitigation, which means CISOs are required to move beyond the defensive, reactive roles they might have played in the past. Those who are not well integrated with the wider business will be unable to anticipate new threats and respond appropriately. Currently, 41% of Asia-Pacific respondents say their cybersecurity teams are involved in new business initiatives right from the start, compared with only 36% from global respondents.
A new CISO role is being defined
CISOs need to continue closing the gap with executive boards. While 69% of boards see cyber risk as significant, only 48% of CISOs think their boards have the required understanding to really evaluate cyber risks. When considering activist threats, there is a disconnect between boards and CISOs, and CISOs are not always kept in the loop on related business conversations so that they can prepare and protect proactively. Fewer than half of respondents from Asia-Pacific say their organizations regularly schedule cybersecurity on their agendas. 47% of respondents in Asia-Pacific say that their head of cybersecurity is a member of their organization’s board or executive management team. Comparatively, only 36% of global respondents say so.
Currently, the most challenging aspect of managing cybersecurity operations in Asia-Pacific is “procuring or justifying budget” (16%), followed by “proving to the board / C-suite that cybersecurity is performing in line with expectations” (15%). The new skills required of the CISO, which include commercial expertise, will be well complemented by strong communication skills, allowing CISOs to work collaboratively within an organization and communicate the value of cybersecurity by setting up clear key performance indicators and board reporting systems.
This year’s Global Information Security Survey is based on a survey of senior leaders at almost 1,300 organizations carried out by EY teams between August and October 2019. This was a global survey with Europe, Middle East, India & Africa (EMEIA) accounting for 47% of respondents, the Americas 29%, and the Asia-Pacific region 24%. Respondents included CISOs or their equivalents from across every industry sector.