Breaking down the PEST framework for cybersecurity in APAC

Charl van der Walt, Global Head of Security Research at Orange Cyberdefense, breaks down the PEST framework, especially how threats are emerging from the convergence of its factors.

PEST is an acronym for the political, economic, sociocultural, and technological factors that shape cybersecurity today. According to Charl van der Walt, Global Head of Security Research at Orange Cyberdefense, the cyberthreat landscape in the Asia Pacific (APAC) region today can be viewed through the lens of the PEST framework.

For van der Walt, threats are emerging from the convergence of each of these factors, which is clearly visible in the increasing cybercrime in the region. CRN Asia speaks to van der Walt to understand more about the PEST framework as well as what organizations can do about it.

Can you explain to us a bit more about the PEST framework?

PEST is just a tool for organizing your thoughts about something. It actually comes from business analysis. My team and I have found it useful because we have this analogy that we use that you'll understand here in Singapore.

You can wake up in the morning and look out the window and see that it's raining and then take your umbrella. Or you can try and understand the patterns in weather, if you like, the systemic forces that create a certain condition on a day. Then you can decide ahead of time. Am I going running? Do I need to take my umbrella, etc.?

PEST is a way to organize our understanding of those systemic forces, these big factors that converge to create a reality that we have now. Those are the political forces, the economic forces, the socio-cultural forces, and then the technology forces.

How is this linked to cybersecurity?

If you try and understand where we are today, why are we seeing the behaviours, the patterns, the results, then you can use that framework to try and explain that. And if you can do that successfully, then you can start pushing your window further out.

For example, when I can understand what's happening today, I can start guessing what's going to happen tomorrow. And so, when we look at the current situation, we look at it through the lens of PEST.

What are those factors that would explain what we're experiencing today, and therefore what we can maybe hope to predict for tomorrow?

I think with respect to all of us who are on the security side of the table, I think there's very little actual future casting or vision casting that happens in cybersecurity.

I think we are mostly reacting. We're reacting to a new threat or a change in the threat, or we're reacting to each other. And so, what we really want to do is we want to get ahead of that and start predicting.

A big focus within my area at Orange Cyberdefense is this synchronization of research, intelligence, and innovation.

So, if this is what we're seeing today, what can we hypothesize will happen tomorrow? And what can we do to prepare? Either what we do, or how we're doing it, or where we're doing it in response to that changing environment.

In your white paper, you’ve mentioned the term balkanization, which is the process involving the fragmentation of an area, country, or region into multiple smaller and hostile independent states. How does balkanization actually impact organizations when it comes to cybersecurity?

Well, I think that this is a very frustrating conversation to have with many people. But I think that many of us here have been in this security game for a very long time. And the truth is we haven't done anything foundationally different in 15 or 20 years. It hasn't really changed.

And the results are visible. I was looking at the statistics for Singapore this year. We recorded twice as many victims of cyber extortion in Singapore so far this year as the total for last year. Since we started tracking worldwide, those crime figures have increased by 200%.

So, everyone on this side of the table is involved with solving this one problem, and yet the graph is just doing this. So, you kind of have to ask yourself, why is that, or what are we getting wrong?

And things like balkanization are an attempt to describe how that landscape is creating the reality we face today. What are the socio-cultural forces? What are the economic forces? What are the political forces? What are technological forces? And where do those things converge? And then we can start to say this is why we are where we are, and this is maybe what we can do to get ahead of that.

So how do you foresee the future of cybersecurity in the region?

I think it's going to carry on the same way it has as a cat and mouse game until regulation or market forces start impacting some of these foundational issues. For example, where responsibility and accountability for security vulnerabilities lie.

In the meantime, I think it's an issue of responsiveness and an issue of geopolitics. So where do the security decisions that I make today place me and my business in five years or ten years? And am I going to be happy with where I end up?

When I talk about regulation, I don't mean that businesses need to be forced into more compliance. Regulation is a way of adjusting the community's behavior. I think the regulation needs to adjust the right behavior at the right place, and I think that what I find interesting about countries like Singapore is that, firstly, it is a country that has managed to span these different realities. There's lots of relationships and lots of places to take input and build partnerships.

I also think Singapore has forged its own path, and it's fascinating. It's a young country, but it's built on a vision. Singapore does things a Singapore way, and I think that gives the country the opportunity to maybe sidestep some of the issues that other bigger economies have.

When you look at the numbers of victims, 60% of victims of cyber extortion are small or medium-sized enterprises. So, it's wonderful that we've got these big enterprise tools that we can sell too.

But for Singapore at large, the question isn't actually how do you protect the banks. The question is how you protect the mom-and-pop shops, the medium-sized enterprises.

And I think because it's quite a unified, focused society, there's an opportunity to think about this a little bit differently. We don't have to follow exactly the same path as everybody else. I think that's quite exciting.

What about AI in cybersecurity?

In my perspective, AI in cybersecurity favors the offensive side of security, not the defensive side. With AI, the barriers to entry for attackers are a lot lower. The way to deploy and increase the threat is a lot easier.

So, I think we're still going to see AI favoring a lot of corporates. It's difficult for them to incorporate AI into their defensive technologies. We hear a lot, like in SOC, we can do away with Level 1 because we can replace it with AI.

But we've got other issues, like what happens to the people? What are we doing with those people? So, it's not just the on and off switch. So that's one thing.

Then there is speed. We've been in this industry for three decades now; the speed is just increasing. It's just quicker and faster. Response times are now down from a couple of hours to seven minutes, and it's incredible.

But that means we need to make sure that we build communities around security, and good security people, good security experts. Technology is not going to solve all the problems. We've said that for so many years. But it feels like we do a lot more with technology and a lot less with our people.

We need to develop our people. We need to expose them to them. We need to connect people with communities. I think we have to focus on those communities and make them strong.