Cybersecurity in ASEAN An Urgent Call to Action

Cybersecurity in ASEAN: An Urgent Call to Action

ASEAN countries are currently underspending on cybersecurity. A step-up in investment is

needed to raise cybersecurity spending to benchmark levels (see figure 21). If each ASEAN

country spends between 0.35 and 0.61 percent of GDP annually on cybersecurity between

2017 and 2025, spending would be in line with best-in-class countries. Our estimates suggest

that this translates into a $171 billion collective spend for the region in the period spanning

2017 to 2025. This represents a justifiable and manageable investment, considering the

value-at-risk and that individual governments spend on average 1.8 percent and up to 3.4

percent of GDP on defense.

Notes: Mature market average includes the United States, the United Kingdom, and Germany.

Best in class is based on spend levels as a percentage of GDP for Israel. Rest of ASEAN is Laos, Brunei, Cambodia, and Myanmar.

Sources: Gartner, International Data Corporation; A.T. Kearney analysis

Figure

Target cumulative cybersecurity spend,

Against mature market average benchmark

billion

Against best-in-class benchmark

billion

 billion

Rest of ASEAN

Vietnam

Singapore

Philippines

Thailand

Malaysia

Indonesia

 billion

Rest of ASEAN

Vietnam

Singapore

Philippines

Thailand

Malaysia

Indonesia

World Bank data for Malaysia, Singapore, Indonesia, Thailand, Vietnam, and the Philippines

Indonesia stands out as potentially requiring a significant investment as the share of its digital

economy is expected to grow significantly in the coming years.

3.2.2Defineand trackcybersecuritymetrics throughasector-level cyber-hygienedashboard

Barriers to trust and transparency emanate partly from a lack of structured mechanisms to

collect data, measure performance, and share intelligence. The lack of consistently defined and

applied cybersecurity metrics and mechanisms within each country to collect and share the

output data makes it difficult to assess the effectiveness of a cyber program and drive

continuous improvement.

In sectors such as financial services, identifying and tracking meaningful metrics can provide

an enhanced level of transparency while also improving performance on these metrics over

time. A few metrics can help focus the cybersecurity agenda on the areas that matter most

(see figure 22 on page 33). The onus is on regulators to identify metrics that have the most

relevance to their respective sectors and ensure consistent, up-to-date definitions.

Establishing metrics at a sectoral level requires a consultative approach while keeping in

mind organizational constraints and different business needs.