It has taken me 15 months and a LOT of travel, listening, and talking to feel confident enough to write this research for APAC. APAC is a unique region in its cultural, geographic, regulatory, security maturity, and economic diversity. Writing anything APAC-related (at least for me) meant that I needed to understand the region with its idiosyncrasies, challenges, and opportunities at a much deeper level than I did when I first joined Forrester. I have toiled away at this by engaging with many of you over the last months. I have spoken to CISOs, practitioners, colleagues, and vendors. Thank you for your generosity in time, insights, wisdom, and input. Thanks for listening and speaking to me.

As I wrote this research, I remained acutely aware of the uniqueness of each country within the APAC region in how they practice and spend on cybersecurity. Ultimately, for the purposes of being concise, I did make generalizations for APAC as a region. I’m always happy to discuss the nuances that I see every day in each different country within the region. And because I’m lucky enough to be part of a global security and risk team and speak to our clients in North America, Europe, and the Middle East, I was able to join the dots and analyze how global patterns are translated here, and vice versa.

Forrester clients can see the research here. I wanted to share some key takeaways in this blog, though:

  • Forty-seven percent of security technology leaders at enterprises in Asia Pacific expected their overall information/IT security budget to increase.
  • APAC CISOs favor tech over staffing, although adoption of security services is making inroads.
  • APAC CISOs remain largely technical and operational, even as budgets increase with a lack of prioritization and with security remaining firmly in the realm of IT. Security still largely reports to IT, and spending decisions are made largely without business consultation.
  • Leaders’ top strategic priorities of risk and culture reflect the early stages of transformation. This will set up the foundation for a much-needed transformation of the region’s cybersecurity capabilities after years of neglect.

As the region transforms, I expect to see more creative recruitment, with a stronger and well-needed focus on diversity. I do expect us to become more savvy users of security services. And I expect the continued evolution of a CISO from the traditional security manager to a business executive.