Cybersecurity’s hard truths for Asia-Pacific

Cybersecurity’s hard truths for Asia-Pacific

Cybersecurity’s hard truths for Asia-Pacific

https://www.frontier-enterprise.com/cybersecuritys-hard-truths-for-asia-pacific/

Publish Date: 2026-07-08 06:40:00

Source Domain: www.frontier-enterprise.com

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points.

“Cybersecurity is foundationally, fundamentally, and systemically broken.”

That was how Andrew Rubin, founder and CEO of Illumio, opened a standing-room-only panel featuring an impressive line-up of security leaders at RSAC 2026. While the discussion took place in Silicon Valley, the implications discussed extend far beyond the United States

For organisations across Asia-Pacific, the diagnosis will feel familiar. The region is now among the most targeted in the world. Critical infrastructure, financial services, and government agencies from Singapore to Sydney are contending with breaches that move faster, cost more, and prove harder to contain with every passing year.

The panel, “Hard Truths in Cybersecurity: Fear, Liability, and the Industry’s Biggest Lies,” brought together Theresa Payton, former White House CIO; Sherrod DeGrippo, Microsoft’s head of threat intelligence; Tim Brown, CISO of SolarWinds; and David Boda, Chief Security Officer of Nationwide Building Society. Rubin chaired a conversation that pulled few punches.

Across the region, security budgets have grown consistently. Teams are larger, tooling is more sophisticated, and vendor categories have multiplied to address increasingly specific threats. On paper, the industry has been doing its job.

The data tells a different story. Breaches are not slowing. They are spreading further, hitting harder, and exposing assumptions about secure environments that were never tested until it was too late. According to IBM’s 2025 Cost of a Data Breach Report, the average breach now costs ASEAN organisations US$3.67 million, with detection and containment times remaining stubbornly high.

The pace of change is staggering. Just a few months ago at RSAC, systems like Mythos were not part of the conversation. Today, AI capabilities are advancing so quickly that organisations are struggling to keep pace, further raising the stakes for security teams.

What the panel made clear is that the industry has been optimising for the wrong things. Prevention has dominated investment and thinking for years. Containment, the ability to limit what an attacker can reach once they are already inside, has been treated as secondary. That has to change.

The four takeaways below set out why the current model is not working and what a more honest security strategy looks like for APAC organisations in 2026.

1. Activity isn’t the same as progress

The panellists agreed the industry hasn’t struggled from lack of effort. It has been optimising for the wrong outcomes.

Tim Brown said, “Maturity oftentimes is measured in terms of activity instead of reduction of threat surface.”

The distinction matters. Security teams stay busy, implement controls, follow frameworks, and fill dashboards with alerts. To the board, it can look like progress. But breaches happen in the gaps between controls, not in dashboards. There is a real difference between checking a box and actually reducing exposure.

Compliance quietly reinforces the problem. Frameworks bring structure but also false confidence. Organisations meet requirements, pass audits, and still face the incidents those controls were meant to prevent.

If success only means stopping every attack, every breach looks like failure. Shift the definition to include limiting fallout, and the focus moves to reducing how far an attacker can go.

2. Risk isn’t binary, so why do we treat it that way?

Rubin pressed on a deeper problem: The industry still treats outcomes as binary. You are either secure or you are breached.

In most disciplines, risk lives on a spectrum. Rubin used the analogy of a doctor’s diagnosis. A cold gets treated as a cold. A more serious condition demands a more serious response. Cybersecurity has not adopted that mindset, with strategies still built around eliminating all risk, even though that is not achievable.

David Boda approached it from a resilience perspective. “We’re not always able to secure. We’re building our ability to be resilient in the face of the threats that come.”

Resilience changes how organisations prepare. It means designing systems that absorb disruption without letting it spread, and it aligns directly with containment strategies that keep incidents small rather than allowing them to escalate.

3. Protecting everything is a strategy that doesn’t exist

Theresa Payton brought a perspective shaped by environments where the stakes are immediate. At the White House, protection cannot be applied evenly across every asset.

“It’s impossible to protect everything,” she said.

That constraint forces clarity. Teams must decide what matters most, whether that is regulatory exposure, customer trust, or proprietary data, and focus accordingly. Without visibility across the environment, that prioritisation becomes guesswork. Payton compared it to “Monty Python’s search for the holy grail,” which drew a laugh but made the point.

When teams do have clarity, they can isolate critical systems, restrict communication paths, and tightly control access. If something goes wrong, the damage stays contained rather than spreading across the environment.

4. AI is handing attackers a serious advantage

Sherrod DeGrippo described where the threat landscape is heading: “I believe we will see the advent very soon of the unicorn threat actor — an apex-level threat actor that has incredible capability with one human.”

Tasks that once required coordinated teams can now be handled by individuals using AI-driven tools. The barrier to entry keeps dropping while potential impact keeps rising.

Tim Brown tied it back to incentives. “You still can make plenty of money and not go to jail.”

AI enables long-running, patient campaigns that observe systems over time, adapt, and strike when the moment is right. Detection remains important, but it is no longer enough. The question leaders need to answer is what happens after an attacker gains access, and how far that access can extend.

The industry needs a new definition of success

More tools and more activity have not reduced the overall impact of breaches. AI is adding speed and scale to an already difficult problem, and the current model is not changing outcomes. For organisations across APAC, where attack volumes are rising and regulatory pressure is tightening, the gap between activity and impact is one the region can no longer afford to ignore.

What the panel made clear is that success must include the ability to withstand attacks and keep operating, to limit the spread of an incident, and to protect what matters most. Containment belongs at the centre of modern security strategy, not as an afterthought to prevention.

Cybersecurity changes when organisations stop measuring activity and start measuring impact. In Asia-Pacific, that shift is overdue.

– Advertisement –