A cyber security perfect storm in Indonesia
by Andang Nugroho
A “cyber security perfect storm” happens in regions around the globe when a mix of global, regional, and domestic factors exacerbates cyber-security risks. Indonesia, with its rapidly expanding digital economy and significant population, has its own challenges, and must find quick remedies to continue on the path to becoming Asia’s economic powerhouse. Some of the most significant factors to resolve are explained below.
1. Cyber security workforce gap
The International Information System Security Certification Consortium’s (ISC2) Global Cybersecurity Workforce Survey 2023 placed the gap at close to 4 million worldwide, an increase of more than 12% from last year. Asia Pacific has a shortage of 2.67 million cyber-security workers. Naturally, the situation is quite dire in Indonesia, where hiring a capable cyber-security professional might take 6 to 8 months, and talent retention is equally challenging. Suffice it to say, many internal cyber-security teams will be somewhat understaffed.
2. Booming digital economy
Indonesia is still in its demographic bonus phase, dominated by a relatively young population, with around 200 million internet users. According to the report e-Conomy SEA 2023 by Google, Temasek and Bain & Company, Indonesia’s digital economy is already the largest in the region and is expected to grow quickly to reach USD 110 billion by 2025, and to double in size by 2030.
Nowadays, customers expect almost everything to be digital, online, and mobile-based. Organisations are transforming their services to digital, increasing their exposure to the internet, and expanding their attack surface and cyber-crime risk.
3. Low public awareness and education
The 2024 survey by APJII (Indonesia’s Association of Internet Service Providers) highlights common cyber-crime risks perceived by its internet users. The highest number of respondents (42.5%) said “I don’t know”. This is a big concern with the rising sophistication of spear-phishing, social engineering, and other recurring cyber attacks.
Is there hope on the horizon?
Given the challenges, chief information security officers (CISOs) in Indonesia face an increasingly rugged landscape. A growing digital economy will attract hackers and other types of cyber criminals. People, processes, and technological controls to counter the risks need to be put in place, and their effectiveness measured. The resulting posture is expressed as a cyber security maturity level, determined through a structured framework that identifies current capabilities, gaps, and areas for improvement.
The Capability Maturity Model Integration (CMMI) Institute’s Cybermaturity Platform is commonly used, offering maturity tiers from initial (Level 1) to optimised (Level 5). These describe how organisations manage interconnected assets, online services, risk exposure, impending cyber threats as well as perimeter and access protection, and put them into a risk map. The process involves self-assessment to determine a preliminary maturity level, followed by a gap analysis and improvement plans to achieve higher levels. For example, to combat workforce shortages, there is a consensus that building from within is much preferred to adding new recruits. Thus, Indonesian companies are defining professional development plans to build and maintain a skilled cyber-security workforce.
Subsequently, these plans are implemented according to priority schedules, and the progress is measured, ideally by an independent third party. Regular reviews and updated maturity scores would reflect the organisation’s efforts and advances in its current tier. A higher maturity level indicates better defence against online threats, and better protection of assets and data.
What is the typical maturity level of organisations in Indonesia? It is challenging to benchmark or find a baseline maturity for various industries, since publicly available data is limited. However, some quantitative data points are available:
The National Cyber and Crypto Agency (BSSN), specifically the Directorate for Government Cyber and Crypto Security, evaluated 65 government institutions in 2023, and found that 45 had a maturity score of 2.59 or better, with the highest at 4.85.
The Ministry of State-Owned Enterprises (SOE) issued a regulation in 2013 requiring all state-owned enterprises to reach level 3 within 5 years. News reports have since highlighted these achievements, and the ministry followed up with another regulation focusing on continuous improvements on the Governance, Risk and Compliance (GRC) functions as the next goal.
In the realm of cybersecurity, Indonesia is at a pivotal point. With the average maturity within the “defined level”, substantial work is still in progress to improve how organisations tackle advanced cyber threats, and to continuously refine relevant security controls to quickly spot and respond to incidents. By closing this gap, Indonesia can secure its digital future, safeguarding economic interests and ensuring a safer online environment, on course to maintaining a leading position in Southeast Asia's digital economy.
Protemus Consulting, a subsidiary of Protemus Capital, is a leading buy-side M&A advisory firm. It leverages deep industry expertise and strategic insights to support clients in identifying and securing top acquisition opportunities with rigorous due diligence.
Andang Nugroho has 20+ years of experience in Information Technology and cybersecurity in Indonesia. He has exposure in various industries in Indonesia with respect to Information Technology, digital transformation as well as cybersecurity initiatives. He helps ensure compliance in M&A transactions through strategic cyber risk management and data protection, providing clients peace of mind during complex deals.