Asia's Source for Enterprise Network Knowledge

Sunday, June 25th, 2017


It is Time to Invite the CISO into the Boardroom

In many ways, cyber security is the new cold war. An invisible battle fought by organisations and governments alike to ensure that the technologies we rely on to do business and live our daily lives do not become our worst nightmare. 

Within Asia Pacific, spending on cyber security is growing at an unprecedented rate. With the region adopting new technologies at a blistering pace, it should be no surprise that the market also leads the world in terms of investment in cyber security. According to IDC, Asia Pacific is expected to grow the fastest in terms of cyber security spending by 2020.

It is increasingly clear that cyber security is quickly evolving into a top priority for organisations across Asia Pacific. One could argue that recent major cyber security incidents have spooked organisations, causing them to take security more seriously. This includes the likes of Taiwan’s infamous ATM heist back in 2016, which saw ATMs from Taiwan’s First Commercial Bank hacked through the use of malware, leading to US$2 million in cash being stolen. It is a clear example of how a cyber-attack can negatively affect consumer trust and cause substantial business loss.

Today, more and more security leaders are sitting on executive boards and playing key roles in shaping overall company strategy. Security has evolved into one of the most important functions for any company, impacting all aspects of the business. And with it, the role of the security professional has undergone a drastic transformation. 

While cybersecurity is recognised as a top priority, many security leaders still lack the resources, teams and influence that they require in order to make a substantial difference. With the increasing cost of security technology and complexity of cyberthreats, security leaders need to be allocated new resources and support. In a recent IBM survey, only 70 percent of CISOs said they strongly agree that they are receiving the organisational support needed to do their jobs effectively.

In diverse and complex markets like Asia Pacific, the job of a CISO is even more challenging, as the security maturity of organisations varies significantly across the region. According to our latest APAC State of Malware report, emerging markets in Asia, namely the Philippines, Thailand, and Indonesia, are seen to be more vulnerable to malware infections, while more developed countries like Singapore, Japan and South Korea are relatively safe from malware infections.

To compound matters, more revenue was lost to cyber-attacks carried out in Asia Pacific than in any other region. From 2014 to 2015, Asia Pacific lost $81.1 billion in revenue due to cyber-attacks. This was $20 billion more than North America and Europe, according to the Financial Times. As such, we can expect CISOs in Asia Pacific to face bigger and tougher challenges than those in any other region in the future.

In today’s digital economy, security professionals need to operate under the assumption that everything the organisation cares about has already been compromised. It does not help that company data is stored both internally and externally in SaaS services and cloud infrastructures. CISOs need to ensure that a company’s data is secure in every environment.

The Future of the CISO

While there’s still a lot of work to be done, the demand for CISO and CSO level professionals is the highest it has ever been. Many cyber security professionals are being brought on as consultants and the diverse nature of their responsibilities is skyrocketing. In fact, the role of the CISO is now one of the most broadly scoped roles in any organisation. Security leaders are tasked with assisting legal and human resources, product development, risk management, finance, business enablement, identity management, threat protection, business continuity, and so much more.

The question remains: how can CISO and CSO professionals maintain the level of security when they are working across many different departments, and how can the organisation best equip and empower its security leaders to succeed?

There needs to be a crucial shift in how security departments interact with other company functions. Traditionally, security has reported to IT. By flipping this on its head, and having IT report to security, all technology decisions within a company are made with a security mindset. 

As threats continue to evolve to impact more aspects of business, security leaders need to evolve with them. For security professionals, their biggest asset is being able to show how impactful and beneficial their work is for a company’s bottom line. We have come a long way, but there is still much work to be done. Constantly striving to ensure that every consumer and every business is protected is the heavy burden every CISO has to bear.

Perhaps it is time for us to recognize the need to invite security professionals into the boardroom and equip them with the financial backing they need to fully staff their teams and deploy the modern security solutions required to keep the business safe. 


Justin Dolly, Chief Security Officer & CIO, Malwarebytes