Cybersecurity culture in a fragmented geopolitical world

In an age where no organisation is immune to the vagaries of regional geopolitics, the cybersecurity and threat landscape is constantly evolving. Understanding cyber tactics requires a specific set of tools, skills, and knowledge; one must be able to think like a cybercriminal and possess an intuitive grasp of technology.

The dynamic geopolitical landscape is also compelling cybersecurity leaders to re-evaluate how they operate and strategise. As companies strive to build a future-fit cybersecurity leadership team that aligns with the current political climate, C-level decision-makers emphasise the urgency of talent that can swiftly adapt to legislative and regulatory changes, and leverage digital tools and platforms to maximise proactivity and execution. The rapid evolution of organisational threats necessitates cybersecurity leaders with both broad and specialised skill sets. This has led to a cybersecurity “skills gap,” evidenced by the dearth of competent cybersecurity talent in Asia-Pacific (APAC).

According to a recent estimate by the International Information System Security Certification Consortium, the APAC cybersecurity workforce gap has reached a record high, with 2.6 million professionals needed to adequately safeguard digital assets.

Meeting the demand for cybersecurity in an era marked by geopolitics requires breaking down cybersecurity expertise into component skills and qualities that can be clearly identified and cultivated. Equally important is fostering an organisational culture and mindset that addresses the changing threat landscape. The latter often underlies systemic causes of cybersecurity leadership gaps. Additionally, the accelerating impact of AI is compounding cyber challenges, and human capital requirements are not keeping pace.

Why APAC is lagging behind in cybersecurity leadership

Surprisingly, cybersecurity is still not at the top of the agenda for many boards and CEOs in APAC. In many cases, AI and cybersecurity have yet to become major discussion topics due to their emerging influence within organisations. Many cybersecurity leaders in the region continue to report to internal technology departments, which is in stark contrast to the crucial intersectional role some cyber leaders play, incorporating risk, operations, and finance to drive business decisions.

Moreover, cybersecurity teams are often under-resourced, which can lead to burnout, especially given the geopolitics-driven threat landscape. A significant skills gap exists, with many former IT leaders being “rebadged” as Chief Information Security Officers (CISOs). This approach does not provide the depth of capability required, and many are still not prepared for the complexity of the role. Cybersecurity must evolve beyond being perceived as the “department of no.” It’s important for cybersecurity teams to be strategic business partners that empower growth and innovation, while continuing the brilliant basics of providing oversight and accountability, developing protocol, ensuring external collaborators adhere to protocols, and effectively managing cybersecurity incidents. Even with strong partners in place, as evidenced by recent high-profile incidents, cybersecurity should never be viewed as an “outsourced” function but rather as a fundamentally strategic one.

Global C-suites recognising cybersecurity as a growing challenge

With the increased geopolitical complexities of today’s world, we are seeing a much deeper focus on cybersecurity from governments and regulators in APAC, which is putting pressure on transforming human capital. A prime example is the Digital First Frontier Team, introduced by Japan’s Digital Agency, which has pushed more organisations to appoint new CISO talent.

In our annual Global Leadership Monitor survey, we asked leaders what they believed would most impact their businesses over the next 12-18 months and how prepared they felt to deal with those issues. Respondents ranked cybersecurity as a definite challenge, but also rated their ability to manage it highly. However, this doesn’t tell the full story.

With over half the world heading to the polls this year, 2024 is rife with uncertainty surrounding administrative turnovers and their policy implications. This uncertainty around policy and legal framework implications makes it challenging for executives to make shorter-term decisions and continue focusing on broader business operations.

The expectations of cybersecurity leadership in APAC today

While cybersecurity capabilities are critical, programme leadership is equally important. According to our research, cybersecurity leaders must be able to:

  1. Partner effectively across the organisation (with technology and well beyond into the business).
  2. Develop a roadmap and strategy that aligns with the digital, technology, and operational technology (OT) strategy and evolution of the enterprise.
  3. Build an effective team with opportunities for growth and well-thought-out succession planning across key roles.
  4. Work closely with the board and leadership team, fostering rapport and partnership with open communication lines, and effectively articulating key risks and security topics to all audiences.

This goes beyond the technical skills of a cybersecurity leader; it extends to internal and external organisational dynamics.

Cybersecurity as a function, but also as an organisational culture and mindset

Attracting, retaining, and developing top cybersecurity leadership and talent requires fostering cybersecurity as both a function and an organisational culture and mindset. We have observed that employing a matrix approach effectively guides conversations and evaluates an organisation’s cybersecurity function. This includes assessing whether the organisational dynamics, culture, and mindset support the potential for a world-class cybersecurity operation to thrive.

[Figure: RRA’s Cyber Leadership Index]

The next frontier: Geopolitics, AI, and the evolving threat landscape

As innovations like AI continue to complicate laws and regulations, globally intertwined armed conflicts become more frequent, and issues such as economic recessions, cyberthreats, cross-border regulations, and trade conflicts grow more nuanced, cybersecurity leaders must enhance their decision-making capabilities amidst ambiguity, as well as develop swift crisis response strategies. This requires balancing near-term political and economic realities with the longer-term “domino effect” of geopolitical events that can have global repercussions.

Support from the board cannot be overlooked, as boards play a key role in governance, overseeing cybersecurity strategies and ensuring adequate measures are in place to protect the organisation’s interest in the face of AI adoption. Overall, leaders are most pessimistic regarding board members’ ability to embrace generative AI, with only 21% of CEOs agreeing that their board has the right expertise to advise on generative AI implementation.

However, our Leadership Confidence Index observes that board members tend to be more confident in their executive leadership teams’ abilities than leaders at other levels. The disconnect between board and executive perceptions may be due to board members taking a broader, long-term view or because they’re removed from the day-to-day of business functions. In this case, it may also be due to a lack of familiarity with generative AI themselves.

Organisations are increasingly recognising the necessity of incorporating board members with expertise in cybersecurity and AI. Many organisations opt to establish advisory board positions to effectively leverage external expertise. This strategic move ensures informed decision-making and proactive risk management in an evolving digital landscape, reinforcing the organisation’s resilience and competitive edge. Whether the capability comes from formally installed board members or from an attached advisory body, it is crucial for boards to be equally aware of generative AI’s implications and their organisation’s preparedness to face opportunities as well as security risks. As geopolitics and AI intersect to impact the threat landscape, cybersecurity must function as a dynamic organisational culture and mindset.