Cyber resilience defined by integration, not spend

PETALING JAYA: Higher cybersecurity spending alone is not enough to strengthen Malaysia’s cyber resilience, as fragmented technology environments, the rapid pace of digitalisation, and a shortage of specialised talent continue to limit organisations’ cybersecurity maturity, according to US-based cybersecurity company Palo Alto Networks.
Its Malaysia country director, Sarene Lee, said many organisations have accumulated multiple cybersecurity tools over successive waves of digital transformation, creating visibility gaps, operational inefficiencies and slower responses to cyber incidents despite higher investment.
“One of the key factors is fragmentation. Many organisations have accumulated multiple security tools over time, often in response to different waves of digital transformation.
“While each tool may solve a specific problem, the lack of integration can create visibility gaps, operational inefficiencies and slower response times when incidents occur,” she told SunBiz.
Lee said the challenge is being intensified by the speed at which organisations are embracing cloud computing, artificial intelligence (AI), hybrid work environments and digital platforms, with security architecture often failing to keep pace with business transformation.
“As organisations expand into the cloud, adopt AI and modernise critical systems, they are creating increasingly distributed digital environments.
“In many cases, security is still catching up to this pace of change, resulting in fragmented visibility, greater operational complexity and a larger attack surface,” she said.
Lee said the cybersecurity industry is also facing a persistent shortage of highly specialised professionals in areas such as cloud security, AI security and threat intelligence, limiting organisations’ ability to fully utilise their cybersecurity investments.
“The demand for these skills continues to outpace supply,” Lee said.
She noted that industry forecasts project cybersecurity spending to grow at more than twice the pace of overall ICT expenditure over the next five years, while Malaysia’s national digital initiatives have highlighted the need for thousands more cybersecurity professionals.
Lee said cybersecurity maturity should no longer be measured by how much organisations spend on security products, but by how effectively they integrate security across their digital ecosystems.
“Ultimately, cybersecurity maturity is increasingly defined not by spend but by how effectively organisations can unify visibility, reduce complexity and operationalise security across the entire digital ecosystem.”
In recent years, Malaysia has emerged as one of Southeast Asia’s fastest-growing destinations for hyperscale data centres and AI infrastructure, attracting major investments from global technology companies seeking regional capacity.
Lee said the country’s expanding digital infrastructure is reshaping cybersecurity priorities, with organisations increasingly recognising that security must be embedded into digital infrastructure from the design stage rather than added after deployment.
“What we are seeing is a structural shift in how security is being approached.
“Security is no longer being treated as a separate layer added after transformation, but increasingly embedded into the design of digital infrastructure from the outset.”
As AI workloads continue to expand across cloud, edge, and hybrid environments, organisations are also showing greater interest in platform-based cybersecurity approaches that provide consistent visibility and policy enforcement across increasingly complex IT environments.
While declining to disclose Palo Alto Networks’ financial performance in Malaysia, Lee said cybersecurity investment is rising alongside the country’s growing role as a regional AI and data-centre hub.
“Malaysia continues to strengthen its position as a regional digital and data hub, and cybersecurity investment is rising in tandem with the complexity and scale of these digital ecosystems.”
She said demand is strongest among organisations operating critical digital infrastructure, particularly the public sector, banking and financial services, telecommunications companies and data-centre operators.
Lee said cybersecurity spending is becoming more strategic, with organisations no longer investing solely to guard against cyber threats but increasingly using security to support business expansion, strengthen resilience and accelerate digital transformation.
“The most significant spending isn’t coming from companies trying to stop an inevitable breach, but from forward-thinking organisations utilising integrated security platforms as a strategic springboard.
“By reducing architectural complexity, these organisations are improving operational resilience while enabling innovation and growth.”
Since taking over as Malaysia country director in 2024, Lee said customer conversations have shifted noticeably, with cybersecurity becoming an integral component of digital transformation planning instead of a downstream technical consideration.
Customers are increasingly prioritising the protection of cloud infrastructure, digital identities and AI-driven workloads as cyber threats become more sophisticated and significantly faster.
She cited Palo Alto Networks’ threat intelligence, which found that the fastest 25% of cyber intrusions reached the data exfiltration stage in just over one hour, compared with 4.8 hours a year earlier.
The company’s Unit 42 threat researchers have also demonstrated through AI-assisted attack simulations that emerging frontier AI models could potentially compress that window to as little as 25 minutes, giving security teams substantially less time to detect and contain attacks before sensitive information is compromised.
“This compressed attack lifecycle means adversaries are exploiting vulnerabilities and exfiltrating data faster than ever before.”
Lee said organisations are therefore placing greater emphasis on simplifying security operations through integrated platforms that improve visibility across hybrid environments while enabling faster detection and automated response.
On the regulatory front, Lee described Malaysia’s Cyber Security Act as an important milestone in strengthening governance, accountability and the protection of critical national digital infrastructure.
She said the legislation comes at a time when cyber-enabled fraud and scams have become a significant economic issue.
“In Malaysia alone, reported losses from cyber scams reached approximately RM54 billion in 2024, underscoring that cyber risk is no longer just a technical issue but a broader national and economic concern.”
Lee said the legislation has helped elevate cybersecurity discussions to the board level, encouraging organisations to reassess their governance structures, risk management frameworks and resilience planning.
However, she noted that organisations remain at varying levels of cybersecurity maturity.
“Some organisations are already operating with a proactive, risk-based approach, while others are still in an earlier phase where compliance remains the primary driver of cybersecurity investment.”
She said the long-term value of regulation lies not simply in meeting compliance requirements, but in encouraging organisations to adopt adaptive, risk-based security models capable of responding to increasingly sophisticated AI-driven cyber threats.
“The lesson many organisations are learning is that security cannot be treated as an afterthought to digital transformation,” Lee said.
“Whether organisations are expanding into cloud, adopting AI or modernising critical systems, security needs to be embedded from the outset rather than added later.
“This is particularly important as AI adoption accelerates, which is why we advocate a Secure AI by Design approach that builds governance, visibility and security into AI deployments from day one.”