Asia-Pacific now on par with the rest of the world in cybersecurity standards
The Chief Information Security Officers’ role is evolving, facing new threats from social activists, and
continues to tackle challenges with budgets and proving performance results
Summary of key trends:
• Asia-Pacific has matched the rest of the world in meeting cybersecurity standards, and is now
better-equipped than ever in responding to threats (53% of Asia-Pacific respondents haven’t seen
an increase in number of destructive attacks over the past 12 months, compared with 41%
• The largest drivers of cyber attacks in Asia-Pacific are now by social activists (19%), creating new
challenges for organizations, exemplifying a shift away from traditional financial motives
• The role of Chief Information Security Officers (CISOs) is changing, with higher demands for
proactive “security by design” approaches, business acumen and more communication between
board members (only 48% of CISOs think their boards have the understanding they need to really
evaluate cyber risk).
• The most challenging aspect of managing cybersecurity operations in Asia-Pacific is procuring
budget or justifying budget (16%) and proving to C-suite that cybersecurity is performing in line
with expectations (15%).
February 21, 2020 – The developed and western markets have arguably always been a step ahead in
complying with cyber regulations, given the industry benchmarks are shaped by Europe’s General Data
Protection Regulation (GDPR) and the strict cyber laws in the US. But the latest EY Global Information
Security Survey 2019-2020, reveals that Asia-Pacific has now caught up in security protection terms, with
only 53% of respondents from the region seeing an increase in the number of destructive attacks over the
past 12 months – compared with 41% from global respondents.
Asia-Pacific is now also at a similar level as the rest of the world for level of board and executive
understanding on the needs and value of cybersecurity – with more than half of both global (58%) and
Asia-Pacific (54%) respondents agreeing. In addition, 57% of global respondents claim their cybersecurity
subcommittees now hold briefings with executive boards on a regular basis, with Asia-Pacific following
closely at 52%. Results suggest that Asia-Pacific is now better-equipped and more prepared to respond
to cyber threats.
Focus shifting to recognizing and managing risk
Kris Lovejoy, EY Global Advisory Cybersecurity Leader, comments: “The good news is that boards
and senior management are engaging more intimately with cybersecurity and privacy matters. In this era
of transformation, senior leaders are acutely conscious of their organizations’ vulnerabilities and the
potentially existential dangers posed by attackers.”
Richard Watson, EY Asia-Pacific Cybersecurity Risk Advisory Leader, adds: “But there is work to do.
Not only is cybersecurity an evolving risk, it also has to be confronted in the context of innovation and
In the midst of Asia-Pacific’s increasingly favorable standing in cybersecurity across the globe, a new type
of cyber threat driven by social activism is creating new challenges for organizations and CISOs. Activists
(sometimes referred to as “hactivists”), are now responsible for the highest number of disruptive cyber
threats to organizations in Asia-Pacific at 19%, while traditional crime gangs are responsible for 18%.
These results suggest a move away from traditional cyber attack motives such as financial gain.
Activist threats illustrate a new challenge for CISOs, who now have to recognize and be ready to manage
this new threat motive. Such motives require proactive risk mitigation, which means CISOs are required to
move beyond the defensive, reactive roles they might have played in the past, and those who are not well
integrated with the wider business will be unable to anticipate new threats and respond appropriately.
Currently, 41% of Asia-Pacific respondents say their cybersecurity teams are involved in new business
initiatives right from the start, compared with only 36% from global respondents.
A new CISO role is being defined
Richard Watson, comments: “Adapting a ‘Security by Design’ approach means that CISOs and their
colleagues across the organization – including functions such as marketing, R&D and sales – need to
form much closer relationships in order to improve overall business understanding of cybersecurity.”
CISOs need to continue closing the gap with executive boards. While 69% of boards see cyber risk as
significant, only 48% of CISOs think their boards have the required understanding to really evaluate cyber
risks. When considering activist threats, there is a disconnect between boards and CISOs, and CISOs are
not always kept in the loop with related business conversations to prepare and protect proactively. Only
less than half or respondents from Asia-Pacific say their organizations regularly schedule cybersecurity in
their agendas. 47% of respondents in Asia-Pacific say that their head of cybersecurity is a member of
their organization’s board or executive management team. Comparatively, only 36% of global
respondents say so.
Keith Yuen, EY Greater China Advisory Cybersecurity Leader, comments: “Bringing cybersecurity
into the planning stage of every new business initiative is the optimal model as it reduces the energy and
expense of triaging issues after-the-fact and builds trust into a product or service from the start. The new
CISO will require commercial expertise, strong communication skills and an ability to work
Currently, the most challenging aspect of managing cybersecurity operations in Asia-Pacific is “procuring
or justifying budget” (16%), followed by “proving to the board / C-suite that cybersecurity is performing in
line with expectations” (15%). The new skills required from the CISO, which includes commercial
expertise, will be accompanied well with strong communication skills, allowing them to work
collaboratively within an organization to communicate the value of cybersecurity by setting up clear key
performance indicators and board reporting systems.
Richard Watson, comments: “Organizations need to start developing a set of key performance
indicators and key risk indicators that can be used to communicate a risk-centric view in executive and
For any queries and interview requests, please contact Roanna Leung (T: +852 2837 4786 / E:
[email protected]) or Tiffany Lau (T: +852 2837 4725 / E: [email protected]) Vikki
Tang (T: 3756 8641 / E: [email protected]).
About EY Global Information Security Survey 2019-2020
This year’s Global Information Security Survey is based on a survey of senior leaders at almost 1,300
organizations carried out by EY teams between August and October 2019. This was a global survey with
Europe, Middle East, India & Africa (EMEIA) accounting for 47% of respondents, the Americas 29%, and
the Asia-Pacific region 24%. Respondents included CISOs or their equivalents from across every industry
sector. Click here to download the full report, or visit ey.com for more information.
EY | Assurance | Tax | Transactions | Advisory
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services
we deliver help build trust and confidence in the capital markets and in economies the world over. We
develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing,
we play a critical role in building a better working world for our people, for our clients and for our
communities. EY refers to the global organization, and may refer to one or more, of the member firms of
Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK
company limited by guarantee, does not provide services to clients. Information about how EY collects
and uses personal data and a description of the rights individuals have under data protection legislation
are available via ey.com/privacy. For more information about our organization, please visit ey.com.
© 2020 EYGM Limited. All Rights Reserved.
EYG no. 000823-20Gbl
This material has been prepared for general informational purposes only and is not intended to be relied
upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.