The future of CISOs in APAC

This is a guest post by Geoffrey Coley, regional chief technology officer for Asia-Pacific at Veritas Technologies.

The rapid evolution of the cyber threat landscape, together with the use of malicious software, the mobilisation of cyber criminal gangs, global conflict and economic uncertainty, have all contributed to what may be deemed the perfect storm for bad actors to operate.

According to the World Economic Forum, nowhere is this threat more prevalent than in the Asia-Pacific (APAC) region, which has emerged as the new centre for cyber crime. According to a report by Check Point Research, the region saw the highest year-over-year increase in weekly cyber attacks during the first quarter of 2023, averaging 1,835 attacks per organisation. This trend raises concerns not only about the measures that companies need to deploy, but also about the role of the chief information security officer (CISO), their team and nominated privacy officers, and how they address growing cyber threats in the region.

In today’s digital landscape, the role of the CISO has become increasingly critical. With escalating cyber threats and data breaches, the need for effective cyber security measures and privacy controls has never been more important. However, with the rapid advancement of technology, it is essential to explore how the role of the CISO will continue to evolve and adapt to a rapidly changing outside world.

Traditionally, the CISO’s main responsibility has been to assess cyber risks, communicate them upwards, and implement measures to mitigate those risks. This fundamental objective remains unchanged. The CISO acts as a guardian of a company’s sensitive data, applying the principles of:

(1) Confidentiality, preventing unauthorised access;
(2) Integrity, ensuring that data is reliable and accurate; and
(3) Availability, making data available when needed.

These three process areas, which are talked about in many security frameworks, aim to ensure protection from malicious actors seeking to exploit vulnerabilities.

However, the way CISOs work and the challenges they face are changing. With the emergence of technologies such as artificial intelligence (AI) and machine learning (ML), the cyber security landscape is undergoing profound transformation. CISOs must adapt to these changes and leverage technological advancements to safeguard their organisations effectively.

In terms of trends that are shaping the future role of the CISO, AI and ML technologies offer significant potential for enhancing cyber security capabilities and evolving staid IT operating models. CISOs will need to understand these technologies and incorporate them into their strategies. AI-powered threat detection, anomaly detection and predictive analytics can help identify and respond to threats effectively, enabling more robust proactive defence mechanisms. Most organisations must develop the ability to alert early on changes in IT service usage patterns or trends, and to aggregate and correlate them; AI and ML play a key role in this regard.

As cyber security has now become a board-level concern, CISOs must improve their communication with executives and board members. The ability to articulate complex security concepts will be crucial for gaining support and resources. CISOs should provide regular updates on the company’s cyber security position and the effectiveness of its security measures, whilst also being an active member of governance, risk and compliance practices, teams or boards.

Across the globe, but also closer to home in APAC, governments and regulatory bodies are enacting stricter data protection and privacy regulations. For example, Australia’s Privacy Act review, which indicates a significantly revised privacy regime that follows aspects of Europe’s General Data Protection Regulation (GDPR), is likely to go before parliament in 2024.

CISOs will face increasing pressure to be a partner to the business through increased collaboration with legal, compliance and privacy teams to ensure conformance with these regulations. They also have to factor in new controls, policies and procedures relating to what’s coming over the horizon, namely privacy by design. This approach puts privacy, security and risk analysis together, inspecting how data is managed across the lifecycle applicable to an IT service, and factoring in consent, data transfer and disposal. The role of the CISO is about far more than technologies and tools.

In 2023, we have witnessed a raft of cyber threats across APAC that are not confined to individual organisations but span industries and sectors. In fact, the risks posed by cyber threats will only grow with the rise of hybrid working, as organisations are increasingly reliant on cloud-based technologies to get their tasks done. However, with the rise of major cloud outages, such as the latest incident occurring in Australia, it is critical for organisations to understand that they are responsible for protecting their data and applications in the cloud under defined shared responsibility models. Failing to do so leaves critical data vulnerable to data loss or other cyber incidents. It’s equally important that cloud resilience is tested, as recent regional outages have shown us that platform-as-a-service (PaaS) offerings can also suffer from configuration drift, leading to downtime.

Hence, in today’s complex multi-cloud environment, providing CISOs with transparency about how data flows within their own company can help map areas to improve security infrastructure and protocols, and anticipate threats before they break the perimeter. Data maps or flows are not just a technological optic – they follow information from the point of collection, throughout the organisation and externally to vendors and third parties, and also consider the likes of retention. In many cases, the age of data and its exposure following cyber events is rapidly drawing the ire of regulators. CISOs will increasingly need to collaborate and share intelligence with industry peers, government bodies and the wider cyber security network. Working in tandem this way can enhance the collective ability to detect, respond to, and mitigate impending threats effectively.

Finally, it is worth touching on how human error and insider threats remain significant cyber security risks. CISOs must continue to prioritise cyber security awareness training, establish a strong security culture throughout the organisation, and implement robust identity and access management strategies to mitigate these risks.

The future of the CISO role is intricately linked to the evolving cyber security landscape. CISOs must adapt to emerging technologies, such as AI and ML, to strengthen their company’s security posture. Effective communication with the board, regulatory compliance, partnership, and a focus on human factors will be critical components of the CISO’s responsibilities. By embracing emerging trends and continuously evolving their skills and strategies, CISOs can play a chief role in safeguarding organisations against evolving cyber threats and ensuring a secure digital future.