I have just spent the last week in Singapore delivering speeches and meeting a multitude of clients in a series of what turned out to be back-to-back meetings. In the same way that I love traveling, exploring new cultures, eating different foods, and losing myself in the company of friends, I love doing the same in my profession. I thoroughly enjoyed the opportunity to engage in these conversations, learn about the security culture (or as much as one can learn without living in it), and see firsthand the challenges and opportunities my fellow practitioners face on their side of the pond.
As I head out to the airport to say goodbye to a terrific week, I wanted to capture some of these learnings, because I deeply believe that the world has so much to learn from Asia Pacific, and vice versa. I had never appreciated the amount of innovation and opportunity that exists here until I started visiting and meeting people here. I am so committed to building that bridge in whatever way I can in my new role.
Here are my key reflections. I welcome my more experienced traveler friends’ thoughts on the below — I know these must seem incomplete to you. To my less-traveled friends in this region, I hope this gives you some color on the insights I gained this week.

  • Vendors are speaking a progressive language. I delivered two speeches at two very different, equally formidable events: Trend Micro’s 1,000-people-plus conference on freedom and ForgeRock’s intimate and unique event on trust. The vendors in the region are definitely speaking a higher, more business-aligned language. Phew! Language matters, as do images. Goodbye locks and keys; hello freedom.
  • The cybersecurity skills shortage is hurting. The skills shortage in Singapore came up in almost every single conversation that I had. For example, organizations such as Singapore’s Cyber Security Agency and vendors such as Cisco and Tata briefed me on their efforts to close the gap in the region. (I’m sure there are countless more, but I wanted to acknowledge those who shared solutions with me.)
  • The SingHealth breach is on everyone’s lips. And there are so many theories about threat attribution (some are convinced it was an insider job; others, a nation state). There were also many “theories” about the solution that would’ve prevented it. Hmmmmm . . .
  • What does the future CISO and team look like? I loved the many conversations around the role of the CISO and the different types of CISOs that currently exist. Many of our clients, though, are still deciding how to structure their security teams.
  • The state of GDPR in APAC remains uncertain. Most leaders I spoke to mentioned a level of confusion and frustration with understanding how to deal with GDPR.
  • Compliance-as-a-strategy continues to frustrate. Speaking of compliance, many expressed a very real frustration at compliance-as-a-strategy.
  • There’s a gap between FS and the rest. Thanks to the MSA and other regulators, many years dealing with security risk, and $$ being easily understood, the FS folk that I spoke to seemed so well funded, proactive, and forward-thinking, as has typically been the case for FS the world over.
  • OT security!!!!! Everyone’s talking about it; no one yet knows what to do about it. Is it different? Is it the same?
  • Incident response is recognized as crucial. There is recognition, by almost everyone I spoke to, that incident response is where the effort needs to be invested, but anecdotally, I feel this conversation is still at its start.
  • Boards’ expectations of security are being discussed. Some CISOs have direct and regular connections to their boards, and for others, this is still a new conversation.
  • Many operational security issues are being discussed. This covered security metrics, awareness campaigns, security maturity assessments, threat intelligence products, and data protection.

I also had an enlightening conversation with my dear technology management colleagues at Forrester in the region about the role of security in manufacturing. I was initially confused about why we’ve picked manufacturing (given that I certainly don’t focus on industries). I was reminded that in APAC, manufacturing is big, it’s undergoing technological transformation, and (derrrr) . . . that needs security to ensure integrity. I will dive deeper into this over time.
On a personal note, I loved everything about Singapore. Its weather, e-scooters (they’re everywhere), food, hawker markets, rooftop bars, people, and cleanliness. And last but not least, I want to acknowledge our amazing team at Forrester that made it possible for me to meet all these terrific people, and looked after me (made sure I was fed, watered, transported) with so much generosity and patience, in spite of their crazy schedule.
Thank you, Singapore!