25 on 2025: APAC security thought leaders share their predictions and aspirations

Athikom Kanchanavibhu – Chief Information Security Officer (Mitr Phol)

2025 feels like a sci-fi novel where agentic AI transforms business operations. Yet – like any story – there’s a twist: cyber-attackers are also levelling up, wielding AI in ways we’ve yet to imagine. Even with defences such as extended detection and response (XDR), secure access service edge (SASE), and next-generation firewalls, organisations must pause and ask: “Are we ready for this new chapter?” The challenge is twofold – using AI to supercharge internal security and defending against AI-powered threats while new attack vectors emerge around AI stacks, resembling a new battlefield. 2025 calls for rethinking, recalibrating, and staying sharp – those who embrace the future won’t just keep pace but pull ahead.

Carol Lee – Deputy General Manager, Cyber Security & Risk Management (Hang Lung Group)

As we look ahead to 2025, the role of cybersecurity professionals will increasingly encompass broader responsibilities, particularly in data privacy and AI governance. The convergence of these fields demands that we not only safeguard our digital assets but also ensure ethical practices in AI development and deployment. Consequently, we can anticipate a widening skills gap, necessitating the creation and availability of certification programs to equip professionals with the necessary competencies. This evolution will be critical, as organizations will require CISOs who can navigate the complex interplay between security, privacy, and emerging technologies, further underscoring the urgency of this focus globally.

Cezary Piekarski – Interim Global Head ICS and Global Head, ICS Protect (Standard Chartered Bank)

2025 will expose the gap between vendors’ willingness to combine AI solutions into software, businesses’ appetite to adopt AI enhancements at pace, and the ability of technology teams to secure new solutions. This will be the year of exploration as early adopters learn painful lessons, but new best practices will emerge.
 
Maturity of deep-fake technologies will continue to accelerate in disinformation and cybercriminal operations, further diminishing trust in digital channels. Organisations will initially respond with, usually futile, detections to then pivot towards new authentication mechanisms that will redefine boundaries of trust.
 
AI will reduce time-to-exploitation for new vulnerabilities, pushing organisations to rethink approaches for resiliency as patching before exploitation becomes inadequate. Organisations will need to rearchitect key systems, to increase their ability to isolate and remediate at pace without disrupting business processes (potentially with the aid of AI).

Dominic Grunden – Advisory Board Member and CISO (Smile Technology)

Traditional threats (ransomware, digital extortion, and social engineering) will continue to increase, posing major risks to organisations. Malicious actors will use GenAI to improve efficiency, efficacy, and threat vectors. Most of these threats will come from the deep and dark web where they discuss and monetise the use of large language models (LLMs) and synthetic media.

Geopolitical developments and cyber warfare will significantly impact the cyber threat landscape, continuing the pattern of increased convergence between the cyber and geopolitical ecosystems. Malicious actors will continue to operate with political partisanship, with cybercriminal groups aligning on either side of the geopolitical dispute.

Some organisations will evolve the CISO role with increasing responsibilities – into the Chief Digital Security, Risk, and Resilience Officer or Chief Security and Resilience Officer.

Irfan Amer bin Mohd Ismail – Chief Information Security Officer (AEON Bank)

The cybersecurity landscape in Southeast Asia will be significantly shaped by AI-driven threats, leading to a heightened focus on cloud security and adherence to stricter data privacy regulations. Consequently, I expect Boards to adopt a more proactive approach, posing challenging questions about cyber resilience, data security and ensuring that strategies align with business objectives. While AI offers robust defensive capabilities, it also introduces ethical dilemmas and the risk of false positives, which must be addressed thoughtfully. As a CISO, my primary challenge this year will be balancing compliance and innovation to keep up with the ever-evolving threat landscape.

John Ang – Group Chief Technology Officer (EtonHouse International Education Group)

This year, cybersecurity will focus on combating AI-powered attacks and deepfake threats, which can harm organizational reputations. Tools (e.g., CrowdStrike) are key for AI-driven threat detection, while zero-trust frameworks like Microsoft’s Zero Trust offer “strong” defenses.
 
Ransomware continues to evolve, and managing multi-cloud security complexity requires unified solutions. Adequate protection isn’t just about staff training—it starts at the top. At EtonHouse, we’ve kicked off the year with cyber training for our board and management, reinforcing a security culture from leadership to frontline staff. Proactivity is critical in 2025.

Lim Kah-Wee – Director – Payment Fraud Disruption (Visa)

AI will play a crucial role in enhancing cyberfraud detection and personalizing payment experiences. Deep learning algorithms are becoming more sophisticated, allowing real-time transaction analysis for potential risk. The potential for the next generation of AI to transform the payments ecosystem – making it safer, smarter, and more seamless – is vast and a critical factor for success of payments and other industries in 2025 and beyond.

In payments, identity is the new encryption, setting standards for secure, seamless transactions. Biometric authentication, like fingerprint or facial recognition, offers improved security and convenience, displacing traditional authentication methods.

Michael Saw – Regional CSO, Asia Pacific (Siemens Energy)

Cybercriminals are expected to exploit personal data and AI to carry out more sophisticated attacks. Data breaches from previous years have provided cybercriminals with access to significantly more personal data. When combined with AI-generated deep fakes, this data will enable more realistic and effective phishing and spear-phishing campaigns in 2025. As human vulnerabilities continue to be the weakest security link, these attacks are likely to result in additional data breaches or the compromise of critical control systems. Successful spear-phishing attacks can have severe consequences, especially considering the privileged access employees often have to sensitive data, financial transactions, and physical systems.

Ricky Woo – Executive Director, CISO and Technology Security (DBS Bank)

The cybersecurity landscape in 2025 will see a heightened focus on AI-driven threats and supply chain vulnerabilities. Adversaries are expected to leverage AI for hyper-personalized social engineering campaigns and adaptive malware, challenging traditional defenses. The rise of Ransomware-as-a-Service will expand the reach of sophisticated attacks, particularly targeting resource-limited organizations. Supply chain risks will draw increased scrutiny as attackers exploit trusted relationships and vulnerabilities in widely used software. Additionally, early experimentation with quantum-resistant technologies signals a paradigm shift, emphasizing the need for proactive, multi-layered defenses. Organizations must prioritize innovation, collaboration, and advanced threat detection to navigate this evolving landscape.

Saiful Bakhtiar Osman – Head of IT – Shared Services (PNB Commercial)

For 2025, we shall be prioritizing IT Security investments to better align with the company’s vision and mission. Extra focus will be given to information and data security. All IT projects which involve data processing will include the business users, as they are the data owners. This synergy is expected to drive business ahead, and materialise the expected ROI committed to the Management. Concurrently, we will continue to enhance the IT Security ecosystem, with reactive and proactive defence. Similarly, continuous education to all users on the latest cyber security threats is essential to build a strong IT Awareness culture.

Sakshi Grover – Senior Research Manager (IDC)

By 2027, only 25% of consumer-facing companies in the Asia-Pacific (excluding Japan) region will use AI-powered identity access management (IAM) for personalized, secure user experience due to continued difficulties with process integration and cost concerns.

Learn more here:
IDC FutureScape: Worldwide Security and Trust 2025 Predictions — Asia Pacific (Excluding Japan) Implications

AI-Powered Cybersecurity: Navigating the Expanding Attack Landscape, Asia/Pacific CISO’s Concerns, Priorities and Investment Areas, and Strategic Vendor Support

Sam Goh – Chief Information Security Officer (DataX)

An AI divide will emerge as domain experts keeping up with AI and successfully implementing it in their industry will be more competitive than traditional businesses without the help of AI.
 
Meanwhile, hyperscalers are achieving new breakthroughs in their AI research – particularly in the agentic workflow and AGI, creating the next wave of AI capabilities. All businesses will be busy figuring out how to capitalise on AI capabilities to achieve productivity gains by displacing white collar roles to cut costs and improve profitability in an increasingly volatile market.
 
However, cyber criminals will also increasingly deploy these AI capabilities (since they don’t have much to lose, nor are they restricted by regulation to do AI Security testing) to generate more real-world impact and bring forth a new generation of smarter AI-enabled attacks.

Shankar Karthikason – Group Head of Cyber Security Strategy, Operation & Advisory (Averis)

2025 will see Quantum-Resistant Cryptography become important as groups get ready for quantum computing. The APAC region will also pay more attention to AI-driven threat detection and response systems to fight changing cyber threats. Additionally, supply chain security will get more attention, with governments and companies putting in place stricter rules to reduce third-party risks. Cyber resilience, rather than just prevention, will be the new focus as businesses work to reduce downtime and keep operations running even during advanced persistent threats.

Shishir Kumar Singh – Group Head of Information Security & Interim Group Data Privacy Officer (Advance Intelligence Group)

AI-Driven Security Evolution: Both attackers and defenders will use AI to innovate, making the use of adaptive threat intelligence essential for detecting and responding to evolving threats.
Zero Trust as a Standard: Adoption will extend into OT, IoT, and cloud ecosystems, driven by regulatory and operational demands.
Resilience Amid Complexity: Cyber resilience will become a board-level priority, emphasizing recovery and continuity.
Global Regulations: Stricter rules on AI and data privacy will challenge organizations to stay compliant.
Collaborative Security: Increased industry partnerships for intelligence sharing and tackling supply chain vulnerabilities.

Silvia Lam Ihensekhien – Director of Information Security and Risk Management (Swire Coca-Cola)

This year, I anticipate significant growth in Zero Trust Architecture as organizations prioritize minimizing risks from insider threats and data breaches. The focus on supply chain security will increase due to the rising number of cyber incidents targeting third-party vendors. Furthermore, we will see a scenario of “AI vs. AI,” where AI enhances threat detection and response capabilities, but is also weaponized by attackers. New regulations on data privacy will emerge, resulting in businesses adopting more robust compliance measures. Finally, the rise of remote work will continue to drive demand for secure collaboration tools and enhanced endpoint security solutions.

Suresh Sankaran Srinivasan – Group Head – Cyber Security & Data Privacy (Axiata)

In 2025, the explosion of attack surfaces driven by AI-powered technologies, APIs, 5G+, and IoT will significantly challenge organizational defenses. This surge will compel enterprises to rethink their strategies around attack surface and vulnerability management. Regulatory scrutiny will intensify, particularly in ASEAN and South Asia, emphasizing the need for stronger alignment with industry standards like NIST CSF 2.0. Organizations will also focus on integrating cybersecurity and data privacy, addressing the dual imperatives of protecting sensitive data and maintaining operational resilience. Finally, organizations will need to make a critical shift from incident response to proactive threat response to reduce response fatigue and enhance cyber resilience.

Yohannes Glen Dwipajana – SVP Head of Enterprise Security (Indosat)

The continuation of AI-based scams will be more widely known. Account takeover techniques using Bypass-KYC-as-a-service will be more common, supported by three elements: inadvertently exposed biometrics, leaked data and breached PII (particularly from ransomware attacks or other hacking activities), and misuse of the growing capabilities of AI. This is a threat of individual digital impersonation using new technology; as it advances, the fraudsters will keep finding new social engineering methods and combining them with AI capabilities, which help them to be more efficient and timelier when performing their actions.

Yuen Chee Lung – CISO, Technology Risk Management & BCM (AIA)

In 2025, the development of cybersecurity leadership will focus on strengthening skills that extend beyond technical expertise. Organizations will aim to shape leaders who can clearly convey cybersecurity risks, strategies, and implications to senior executives and board members. These leaders must also demonstrate strong capabilities in risk management and strategic planning to ensure cybersecurity priorities are aligned with broader organizational goals. By fostering such leadership qualities, organizations will be better positioned to address emerging threats, navigate regulatory requirements, and achieve sustainable growth in an increasingly complex digital and regulatory environment.