As RSA Conference Asia Pacific & Japan draws near, we sat down with RSA Conference Advisory Board member Todd Inskeep, Principal, Commercial Consulting, Booz Allen Hamilton, to talk about the cybersecurity landscape in Asia, and why RSA Conference APJ is more relevant now for attendees than ever before.
RSA Conference: What’s unique about the APJ cybersecurity landscape?
Inskeep: APJ cybersecurity covers a broad range of organizational maturity. While the larger companies in the U.S. have gotten more consistent, based on the big headlines really hitting boards and executives, we see companies in APJ that vary much more in their capabilities and practices. The maturity and size difference between banks in Japan and Singapore vs. Indonesia, Myanmar, and other countries can be extensive—there’s a large gap in capability and funding even with similar sized institutions. Beyond financial services, other industry verticals are less connected to cybersecurity risk and require even more tailoring of products and services to the maturity and capability of specific markets. The attack on Bank of Bangladesh is starting to drive more awareness and attention that’s been missing in APJ where executives haven’t been giving cyber the attention it gets from news around breaches at Target, JP Morgan and others big in the U.S. and Europe. There’s more emphasis on checklists and compliance in this region, while other regions have done more to adjust to managing risk—and recognizing that events will happen.
RSA Conference: What are the greatest cybersecurity challenges facing the APJ region?
Inskeep: For many APJ countries, building cybersecurity capability is happening at the same time as more general economic modernization. This makes it challenging to stay abreast and contextualize cyber security solutions to the needs of these countries. They are still focused on the basics, buying cyber security products for network, endpoint, and perimeter defense. At the same time, cybercrime is becoming increasingly commoditized. If the criminals have trouble going big (e.g., Target), then they go broad. The cost of propagating attacks across huge swathes of the industry, especially when the companies are still quite basic in their capability, has its own economic appeal for threat actors.
The more advanced countries are investing heavily in talent (e.g., degree programs), awareness (e.g., conferences), national agencies (e.g., CSA in Singapore), applying the threat information-sharing model of FS-ISAC to multiple industries, and doubling down on ICS/SCADA (i.e., industrial cyber security) as investments in IoT/IoE continue to balloon. How these tie together at the company or nation level is still an open question, variously labeled cyber dome, ASOC, next gen SOC, etc. At RSA Conference in the U.S. this year there was an emphasis on moving from advanced detection to hunting teams. In APJ that’s lagging a bit, but the most sophisticated companies are thinking in that direction.
This talent investment is draining countries like Vietnam, Indonesia, or Malaysia—their professionals can, and do, get jobs in Singapore, Japan, China, and Hong Kong.
There are also some geo-political considerations—studies have shown that hacking activities rise significantly where and when political tensions are higher. Various political tensions are playing out in APJ.
RSA Conference: Why does RSA Conference have an event in Singapore?
Inskeep: Singapore has long positioned itself as the gateway to Asia. North American and European companies hoping to do business in ASEAN, China, India, etc., have used Singapore as their launch pad. This has started to go in both directions. In many ways, Singapore is becoming the launch pad to North America and Europe for Asian companies. If you are an Indian, Chinese, Singaporean, or Japanese firm, the presence of so many MNO headquarters in Singapore, the tech-savvy and English-speaking labor force, and Singapore’s status as a travel and transport hub, are powerful enablers. Singapore is also an area with a strong interest in technology from several perspectives, and therefore is keenly interested in the information security and cybersecurity topics covered by RSA Conference.
Singapore becomes a testing ground to reach wider markets, and it is also the third largest financial center on Earth according to the Global Financial Centers Index. There’s a natural fit between the needs of the tech marketplace around the region and the many regional players with capability, interest, and resources to drive and grow information security maturity in the region.
RSA Conference: Who should attend RSA Conference APJ?
Inskeep: RSA Conference APJ is much more than just a trade conference. It is an education opportunity for people who are interested in getting beyond compliance to real security and risk management for their organizations. The tracks give attendees a chance to talk with real practitioners both as speakers, and as fellow attendees. One of the opportunities unique to RSA Conference APJ is the mix of regional and international talent presenting to, and attending the conference. Not every idea from other regions is applicable, but gaining a new perspective, and hearing ideas outside traditional and common practices in the region is one of the unique aspects of APJ.
If you want to know what is happening in cybersecurity, then you attend RSAC. If you want to see the other side of the coin, and understand how cyber criminals can challenge the solutions you see at RSAC, the Threats and Threat Actors track provides a view similar to conferences that are more focused on pure hacking.
RSA Conference: What do you think RSA Conference can bring to attendees that they wouldn’t be able to get elsewhere?
Inskeep: From a cybersecurity angle, the world is becoming smaller. Threat actors do not care where a company is headquartered. RSAC helps connect cybersecurity professionals across the globe. It gets their products and services in front of one another and potential customers. It helps them reach the world stage.
RSAC APJ offers a unique combination in the region—experts from all over the world with a focus on the implementation of cybersecurity for companies operating in the region. The combination of tracks and keynotes provides a broad overview of the evolution in the industry over the last year and looking toward the remainder of 2016 and 2017. The expo also features a who’s who of regional and global security companies offering a broad range of technology solutions—technologies that require people and process to integrate fully into corporate systems to manage and reduce risk. Few conferences help connect people, process, and technology the way RSA Conference APJ does to provide real examples and worked solutions.
RSA Conference: If you are attending, what are you most excited about at this year’s RSAC APJ?
Inskeep: I’m not attending, but some of my colleagues are. They are most excited about tracks that help bridge the gap between the best of what cybersecurity can offer and how these products and services can be contextualized to meet the needs and resources of countries in the region. As a market, the potential is huge. It is simply a matter of figuring out how to take a world-class capability and apply it to an emergent environment.
Will you join us in Singapore? This year’s conference will be held July 20-22, 2016, at the Marina Bay Sands in Singapore. You can find out more about RSA Conference Asia Pacific & Japan 2016, check out our agenda and register here.