Emerging economies getting with the cybersecurity programme: RSA
By Benjamin Cher March 14, 2016
- Growth opportunities driven by factors such as the Asean Economic Community
- Detection and response categories will see increased investment this year
WHEN it comes to cybersecurity, the regulatory standards and practices in emerging economies have been a bit looser, with little punishment for infractions.
But globalisation means no economy is an island, and emerging economies – especially within South-East Asia – are stepping up to the plate.
And this means growth opportunity for the security industry in the coming year, according to Edward Lim, managing director of South-East Asia at RSA, part of EMC Corp.
“Those [security companies] involved in helping customers mitigate against threats and minimise loss, as well as those involved in anti-fraud, governance, risk and compliance, are expecting to grow more than 30% in the region,” Lim told Digital News Asia (DNA) on the sidelines of the recent RSA Conference 2016.
“In some countries, that will be even higher,” he added.
Singapore remains the biggest cybersecurity market in South-East Asia, but others are catching up thanks to various initiatives, according to Lim. Following closely on the island-republic’s heels are Thailand, Malaysia and Indonesia.
“Different markets are being driven by different initiatives – some are being driven by the Asean (the Association of South-East Asian Nations) free trade agreement or the Asean Economic Community (AEC),” said Lim.
With the AEC, “companies need to keep up with the regulatory requirements or industry standards other countries adopt,” he added.
In Vietnam, for instance, the central bank has ordered banks to be Basel II compliant by 2018, but the more advanced banks are looking to be a step ahead and be Basel III compliant instead. [The Basel Accords are sets of recommended regulations for the banking industry].
Within the Asean bloc, there are varying degrees of Basel compliance – for instance, Thailand is Basel III compliant while Myanmar is not.
SEA security spending
Sid Deshpande, principal research analyst at Gartner, agreed with Lim that South-East Asia will see growth in cybersecurity spending.
“The security market will continue to grow in South-East Asia at a healthy rate of 11%,” he told DNA via email.
“This is being driven by regulations in specific industries and verticals, as well as national-level data residency and data privacy laws.
“Apart from the more direct and prescriptive impact of regulation on security spending, there is also an indirect impact by virtue of the awareness that is created by these regulations amongst commercial organisations and users,” Deshpande added.
Vu Anh Tien, ICT industry analyst at Frost & Sullivan Asia Pacific, concurred, predicting growth despite the weak business climate in some countries.
“This growth could be attributed to some key factors, including the increased number of security breach incidents occurring across verticals in the region,” he told DNA via email.
Governments are set to lead the cybersecurity charge, according to RSA’s Lim.
“The government sector has the resources to invest in defence, and cybersecurity is on top of every government’s list,” said Lim.
Frost & Sullivan’s Vu agreed, saying that governments will spearhead greater adoption of cybersecurity among businesses.
“In particular, governments in the region have focused on strengthening their cybersecurity strategies and infrastructure to combat the constantly evolving cyberthreats,” he said.
“Most of the governments in the region have introduced policies for information protection in cyberspace, which will drive the greater adoption of security initiatives across the region in the future,” he added.
With IT infrastructure not only growing but also evolving into new areas, cybersecurity too has to evolve to encompass non-traditional endpoints like POS (point of sales) machines and Automatic Teller Machines (ATMs), Lim argued.
Vu concurred, saying that this would continue to drive spending in the region, taking into account DDoS (Distributed Denial of Service) and APT (Advanced Persistent Threat) attacks, apps, the cloud, and the IoT (Internet of Things).
“Likewise, the investment in Industrial Control Systems (ICS) security is anticipated to increase tremendously due to the strong focus on national critical infrastructure security by governments in the region,” he said.
Security as competitive edge
Companies will also be using cybersecurity as a competitive advantage, Lim argued, citing banking as an example.
“Countries limit the transaction amount in the e-commerce and financial space if they do not have a good cyberdefence in place,” he said.
“The more enlightened financial institutions will use that to gain market share in South-East Asia as the market continues to open up,” he added.
Investments in cybersecurity could lead to the disruption of current market leaders, Lim argued, with more secure banks being allowed to conduct higher transaction amounts, and also being able to win the trust of more customers.
“A Tier 2 bank today with not as many branches or ATMs can be a No 1 bank tomorrow if it invests and targets the market correctly,” he said.
Frost & Sullivan’s Vu meanwhile sees enterprises spending more to deal with unknown threats in order to safeguard customer data and trust.
“In addition to investments in technologies, regional enterprises are also set to spend more on cloud-based and managed security services because of the need to have strong domain knowledge and expertise in dealing with unknown advanced threats that go beyond the capabilities of their internal resources,” he said.
“This is particularly true when the demand for professional services such as threat intelligence, risk management, forensics and incident response has become increasingly important to every enterprise,” he added.
In the last 10 years, companies have been mainly concerned with preventing attacks. But today, with disappearing perimeters and increasing attack surfaces, a change in strategy is necessary, and detection and response are gaining in importance.
And with even common cybercriminals having access to advanced threat tools, “this cat-and-mouse game will continue,” said RSA’s Lim.
“RSA has been telling the industry that the prevention approach against threats no longer works, however strong your preventive perimeter defence.
“What is important is the detection and response you need to invest adequately in,” he added.
South-East Asia is waking up to this reality, according to Gartner’s Deshpande.
“We are seeing a gradual shift in security spending from prevention-only approaches to include detection and response approaches as well,” he said.
“The more mature verticals like financial services and government are leading the way here, but in general, there is an increased awareness about the need to focus on detection and response across verticals.
“In some countries, organisations are culturally more aligned towards preventive approaches, so it would take time for mindsets to shift,” he added.
In fact, organisations in the region are increasingly seeing the need to adopt a holistic approach to cybersecurity, according to Frost & Sullivan’s Vu.
“Though prevention remains the highest priority for most companies and organisations, we have seen an increasing number of organisations starting to focus more on detection and remediation capabilities,” he said.
“The emergence of advanced threats such as APTs, advanced malware, ransomware and other kinds of state-sponsored cyber-attack campaigns is the key motivation for the shift in the security paradigm.
“At the same time, many companies have started to leverage on threat intelligence exchanged among the industry stakeholders.
“With the emergence of these sophisticated threats, organisations find it vital to have capabilities to identify the unknown threats that other legacy preventive solutions fail to do,” Vu added.
Compared with a year ago, companies in South-East Asia are increasingly seeing a need to invest in detection and response, according to RSA’s Lim.
This is because high-profile breaches have happened in companies with preventive perimeter defences, he added.
Meanwhile, Vu said he expects investments in detection and response to see significant growth in the coming years.
“In general, demand for remediation and incident response is getting higher due to the need for risk management and threat response to maintain business operations and service continuity, as well as compliance at both the business and government levels,” he said.
“Frost & Sullivan forecasts that investments in incident response services will increase significantly at a CAGR (compound annual growth rate) of around 17.5% from 2014-2019,” he added.
However, Vu said that while investments in detection and response will increase, response will likely be neglected in favour of detection.
“At this stage, we believe that the majority of organisations remains focused on detection rather than remediation as the requirements for the latter may vary among them,” he said.
Even with the promise of new technologies such as machine learning and analytics in detection and response, companies would still need to exercise caution in adoption, warned Gartner’s Deshpande.
“Security buyers need to exercise caution while evaluating the outcomes that these approaches can provide, and filter through the hype to see how an analytics approach can benefit their organisation’s security strategy.
“Analytics in the security context is more of a feature rather than a separate product category.
“Improved breach detection and user behaviour analytics are two key security outcomes that organisations are more immediately considering as benefits of analytics-driven approaches,” he added.
SEA talent shortage
At RSA Conference 2016, RSA president Amit Yoran called on organisations to raise cybersecurity talent from within their ranks.
Lim was not particularly optimistic about that happening in South-East Asia.
“The skill level is still not here [in South-East Asia] – there are not enough skilled analysts in the marketplace,” he said.
“We see that as a need in the next five years. While some of our customers have our experts on site as a means of skill transfer, there will continue to be a need and we don’t see that slowing down,” he added.
Deshpande was sceptical of organisations being able to raise the talent levels internally, and believes that it may not be sustainable in the short- to mid-term.
“Yes, that is a feasible approach for the long term but does not suffice in itself, and it takes time for these skills to develop inside organisations,” he said.
There are obvious measures that organisations can take, such as professional training and certifications for internal employees.
But apart from this, “one of the strategies that can help to work is that when external service providers are engaged, there should be a formal knowledge retention mechanism where the internal security team is able to transfer knowledge from the provider to their organisation.
“This would help grow internal skills, and also offer organisations better programme continuity in case their security services provider changes,” he added.
The talent shortage is made more acute by the fact that it is not only enterprises seeking to shore up their defences, but governments too, noted Frost & Sullivan’s Vu.
Benjamin Cher reports from the RSA Security Conference in San Francisco, at the invitation of RSA. All editorials are independent.