Over the last six years I have worked in Thailand and across the South East Asian region, and one of the things that has struck me is how wildly different the maturity of Cyber Security/Information Security programmes is from one organisation to the next.
Whilst most South-East Asian (SEA) countries like Singapore, Malaysia and the Philippines have quite mature Data Protection Laws in place, mostly based on GDPR, some have only just been introduced, such as Thailand's PDPA last year.
Reporting of breaches can be viewed primarily as an instrument to enforce disclosure of the loss of PII, and it is the main driver behind a lot of cyber security programmes. The share of the world's population with its privacy protected is predicted to rise from 10% in 2020 to 75%. Regulatory reporting may also drive the need to disclose exposure, especially where critical infrastructure is concerned. Of course, other regulations such as those for banking and healthcare also require organisations to have a minimal control set deployed, along with strong reporting guidelines.
So what does all this mean in real terms?
Most organisations that I have recently been involved with seem to struggle with the fundamentals of security, which in its most basic form is managing cyber risk. This is primarily because security teams are being born out of closely related fields such as infrastructure or networking, as there are simply neither the required people nor the skills available in the market.
This is a real phenomenon, with an estimated 3.4 million openings. It has been plaguing the security field for quite a number of years and becomes a bottleneck when you are trying to build out a team and are looking for people with the right skills (there are strategies to overcome this, which I will discuss in another post).
I also see a lack of articulation to the board of directors on what needs to be done to keep their organisations safe, along with no way to formulate meaningful metrics. Organisations are good at engaging external consultants to come and evaluate them, but then struggle to operationalise the findings and act on the observations. Having a security leader with experience in Cyber, Privacy, Information Security and Risk Management is important, and I see this becoming a pressing need in the near future here. Until organisations understand that they need a senior leader to steer Cyber Security, they will struggle to create an effective cyber security and cyber risk programme and will remain at a low maturity level.
Maturity Model White 2010