The Asia-Pacific (APAC) region has recently become a hotspot for cybercrime, with 35 percent of organizations in the region reporting data breaches over the past three years, costing anywhere from US$1 million to US$20 million per incident. The financial and reputational risk of data breaches is so significant that it has prompted organizations to rethink their approach to cybersecurity and risk management. This urgency is further heightened by government action across the region, as regulations are tightening to hold organizations accountable for protecting personal data.
In Singapore, for example, the Personal Data Protection Act (PDPA) mandates that organizations implement reasonable security arrangements to protect personal data, with increasing penalties for non-compliance. Meanwhile, in Australia, the Privacy Act 1988 sets similar requirements, and recent amendments have raised the penalties for serious or repeated breaches.
While these cases highlight the growing accountability for inadequate cyber governance, many companies still struggle to secure the board-level buy-in needed to strengthen their cybersecurity efforts.
Traditionally, cybersecurity has been seen as the responsibility of IT teams, but the stakes have grown too high for boards to remain passive. Our recent report found that 88 percent of S&P 500 companies lack a board member with specialized cybersecurity expertise to guide risk mitigation efforts. This raises a critical question for tech leaders: how can they drive meaningful change when their boards lack the expertise to understand and counter cyber threats?
Elevating cybersecurity to a board-level priority
Research shows that nearly all cybersecurity incidents in Singapore lead to negative outcomes, with 99% of affected organizations reporting business impacts such as disruption (48%), data loss (46%), and reputational damage (43%). Despite this, many boards still treat cybersecurity as an operational issue rather than a strategic risk.
Tech leaders must shift this mindset, driving home the message that cybersecurity is a fundamental risk that directly impacts an organization’s reputation, finances, and competitive standing. Framing cybersecurity as a core business concern can help make it a permanent item on the board’s agenda. To do this, tech leaders should draw on real-world scenarios and financial data to better illustrate the costs of cyberattacks, and demonstrate why proactive measures are critical.
Additionally, boards should understand that strong cyber governance is not just about preventing breaches but also about safeguarding the company’s ability to grow and innovate. Frequent, data-driven updates on cyber posture can help the board make more informed decisions.
Speak the board’s language – or teach them how to speak yours
A key challenge tech executives face in securing board buy-in is translation: effectively communicating the complexities of cybersecurity in a way that resonates with board members. Many directors view cybersecurity as a “black box” and don’t know where the organization stands until an incident occurs. The solution lies in framing cybersecurity within the organization’s broader risk management strategy.
Instead of diving into technical details, tech leaders should focus on the business impact. How could a breach harm the company’s reputation, disrupt operations, or lead to regulatory penalties? Use clear metrics that align with the board’s strategic, business-oriented concerns. Tools like real-time cyber risk scorecards can help simplify complex information, providing a clear view of threats, vulnerabilities, and compliance statuses, allowing boards to see where the gaps are and why addressing them is essential.
While boards prioritize growth and innovation, these objectives can only be realized with a robust cyber governance framework in place. Reframing cybersecurity as a critical enabler of business continuity will foster a more proactive approach. This shift in perception – from cybersecurity as a cost center to a value creator – helps ensure that cyber investments are seen as integral to long-term success.
Upskilling the board: Cyber literacy is key
Even with clear communication, the onus to upskill and keep pace with evolving cyber risk trends is still on boards. After all, how can they make the right decisions if they don’t fully grasp the risks? Just as they expect their teams to stay up-to-date on skills, board directors should also commit to continuous learning – particularly when it comes to cybersecurity.
This doesn’t mean board members need to become experts, but they do need a working knowledge of cyber governance. Enrolling in cybersecurity governance programs can help them understand the policies, risks, and emerging challenges their organizations face.
Certifications in cybersecurity and even emerging technologies like AI can equip board members to handle not only today’s risks but also the ethical dilemmas and compliance challenges that come with new technologies. The more they know, the better prepared they’ll be to steer their organizations through these challenges.
As cyber threats grow more sophisticated, the pressure on APAC organizations to strengthen their defenses will only increase. For tech executives in APAC, managing cyber risks themselves is only half the challenge – getting the board to buy into the cause is just as critical. Elevating cybersecurity as a permanent item on the board’s agenda, simplifying complex issues into business terms, and aligning cyber strategies with broader company goals are three of the key steps in achieving this.
Securing the board’s support in these efforts will be the ultimate difference-maker when it comes to companies closing the cyber governance gap in APAC.
Simon Berglund is Senior Vice President & General Manager (APAC), Diligent.
Simon is responsible for leading passionate, smart, and creative colleagues who want to make the world a more sustainable, equitable, and better place with Diligent’s technology solutions for Governance, Risk & Compliance (GRC) and Environmental & Social Governance (ESG).
An executive-level management veteran with over 30 years of experience, Simon is an accomplished neo-generalist, having mastered a broad span of expertise over multiple disciplines and multiple industries.
TNGlobal INSIDER publishes contributions relevant to entrepreneurship and innovation. You may submit your own original or published contributions subject to editorial discretion.