Infosec in APAC – A Very Summarised View

I spent a total of 16 years working in infosec in APAC – across the region as a whole except for India and mainland China. I was based initially in a pen test/research lab in Thailand with regional customers, and then later spent some time with the big-4 in Thailand, before moving base to Jakarta for what will probably be my final stint in the region. As well as the aforementioned places I spent lots of time in Singapore, Taiwan, and HK. Less so in Malaysia, and I never worked in any of Vietnam, Cambodia, Laos, Myanmar, or the Philippines.

I was in APAC for most of the period between 1999 and 2013. My time with the consultancy which was based in Bangkok (although there was only one client account in Thailand) made up the formative, simulated-attack experience of my career – not a bad place to start. There were some brief spells away in the UK and the Czech Republic (the best blue team experience one can hope to find). Overall I was lucky with the places I worked in, and especially the people I worked with – some of whom quit infosec not long after the Great Early Noughties Infosec Brain Drain.

Appetite for risk is high in APAC – just look at the stats for insurance sales in the region. What results in infosec, even in banking and finance though, is exactly the same as in the West – base compliance only. The difference is something like this: Western CEOs showed interest and worried about cyber at some point in time, but when they went looking for answers they didn’t find any, other than buzzwords from CISSPs – result: base compliance – aka let’s just get through the audit. In Asia the CEOs didn’t go looking for answers – it’s just base compliance, do not pass go. But before you pass judgment on this statement – read on.

Where APAC countries were better was the lack of any pretence around GRC. You will never hear anything along the lines of “security is not about IT” – i.e. there is no community of self-serving non-technical GRC folk spouting acronyms. Western countries blow billions down the dunny on this nonsense.

So both regions have poor security. Both face a significant threat. But if you measure security performance in terms of how much is spent, versus the results – there’s a clear winner, and that is APAC. Both have poor security, but one spends more for poor security than the other.