Friday, September 14, 2012

The business of IT security in APAC - Overview

This post, part 1 of my two-part series on the IT security market in Asia Pacific (APAC), is a subjective high-level overview of the region. I travel throughout the region frequently in my current role and if nothing else, this serves as a way to capture my thoughts at this point in time.


You can learn a surprising amount walking through airports. There are the superficial observations like how modern the airports of Singapore, Hong Kong and Shanghai are compared to the run-down airports of Mumbai, Taipei and Sydney. I should point out that Taipei and Mumbai are undergoing renovations so they are actively addressing the issue. Sydney, however, is not.

Dig a little deeper and you may notice other things like how the most common language one hears when walking through Hong Kong's airport is Mandarin, not Cantonese or English. For those not aware, Hong Kong locals speak Cantonese. Also, the Mandarin accent of the Chinese is distinct when compared to a Mandarin speaker from Singapore or Taiwan (much like we have different accents in English based on where we are from). What that says to me is that there are more cashed-up Chinese nationals who can afford to travel today than there have ever been.

Also, if you get a chance to walk by the premium boutique shops in Hong Kong (e.g. Louis Vuitton), there's usually a queue. Listen to the conversations in the queue, and they are predominantly in Mandarin (with a mainland Chinese accent). That's not to say there's not still a large gap between the upper class and those living below the poverty line, but the Chinese that have money are VERY rich and the number of wealthy Chinese nationals is increasing on a daily basis.

More on this later.


My approach in writing this blog post is hardly scientific. Most of it is based on personal observations, interactions and anecdotal evidence. To be scientific, I'd need a budget of more than $0. Also, I'd be charging you $5000 for this "report" instead of writing it as a blog post. Sorry analyst friends, I couldn't resist :)

I should also point out that my views may be skewed towards the Identity, Access and Security Management markets as I spend a lot more time here than other functional areas within IT security.

Some of what I write may surprise. From the outside looking in, that's a good thing. If you're reading this from one of the countries I'm commenting on, it could potentially offend. For that, I apologise. This is not my intention. I'm simply trying to give my personal views on where we're at right now. Nothing I say is set in stone. Markets evolve, usually for the better. I'm also not always right. Please feel free to discuss in the comments or on Twitter.

IT security market

Analyst firm IDC expects the IT security software market within Asia Pacific (excluding Japan) to have a 13.1% compound annual growth rate through 2015, with India, China and Australia/New Zealand having the highest growth expectations. The report was co-authored by one of my co-presenters at NetIQ's recent Rethinking Security events in India, Naveen Hegde.

These numbers are more or less in line with what most educated people with any sense of what's happening around the world would assume based on their own anecdotal observations. Perhaps some will be surprised that the Australia/New Zealand market is expected to continue to grow (and on a path similar to China and India) given the relative maturity of the market.

Back to the airports. If you look at the airports in the region, there are parallels to the IT security journey of each country. There are countries:
  1. Running antiquated infrastructure but are finding it difficult to move forward at the risk of everything coming to a grinding halt (mature, developed countries).
  2. Without acceptable infrastructure and have been forced to modernise in a hurry to deal with the speed of change and the influx of traffic (developing, fast-growing countries).
  3. That have been on an iterative journey of modernisation to ensure they don't fall behind (modern, developed countries that want to remain ahead of the curve).
  4. That don't care if their airport can support capacity (developing countries without anything more than basic technology infrastructure).
The analogy does have exceptions (e.g. Bangkok, Thailand has an ultra-modern airport), but if we look at things generally, it holds true.

At this point, I should reiterate that my views may be skewed towards the Identity, Access and Security Management markets so the comparisons between countries may not be completely in line with the IDC report I referenced earlier.

I created the following infographic to save me having to type it all out in words, but you could draw a grid based on the 4 points above and have the relevant countries sitting in the correct quadrant (this has been left as an exercise for your visualisation skills), albeit with 1 or 2 minor outliers.
I used the term "growth appetite" to describe countries that have near-term, rapid economic growth aspirations and have a good chance of fulfilling their goals. My observation earlier about the increasing number of cashed-up Chinese nationals is one such tangible example.

The point is that countries with the most growth appetite have some way to go in getting to a mature, secure IT environment to support their growth aspirations. This basically means there are more potential opportunities (not revenue, mind you) in these countries.

IT security trends

Unfortunately, I'm going to have to pull out the dreaded buzzwords. I can't avoid them because that's all anyone seems to be talking about this year. I am, of course, referring to:
  • Cloud
  • Consumerisation of IT (CoIT)
  • Bring Your Own Device (BYOD)
If you've spoken to people about these, you'll find that CoIT and BYOD end up being very similar conversations. Not exactly the same, but one always links to the other. The Cloud, of course, is the omnipresent entity in IT today.

So, what does APAC think about all this? Which countries care and which don't? Well, they all do. But I'm going to focus on these trends from an IT security perspective and add Governance, Risk and Compliance (GRC) into the picture. And I'm going to use a Venn diagram.
I deliberately used the term "mindshare" because that's what starts conversations. But it doesn't always translate to budgets being directly allocated to the perceived issue. Often, it's the conversation starter that helps an organisation think about IT security more strategically and address the core issues instead of the tactical ones. If you're in a client-facing role, understanding the mindset of your audience is half the battle.

Business etiquette

This isn't specific to the IT security market, but business etiquette is often the thing many struggle with when doing business in APAC so I'll briefly discuss it here.

Doing business in Australia and New Zealand is very similar to the US and Western Europe, so I won't say anything about it. Just behave as you normally do. Even if there are a few differences, we're used to playing nice with others (in business anyway) and won't be surprised by most of the things you say :)

I will, however, make a few observations about Asia in general. There are differences between countries, but if you keep these in mind, you should be fine:
  • Many people in Asia are introverted by nature in business scenarios, even if they may not be in social situations. They don't like standing out. In public forums, it's very difficult to get audiences to participate or ask questions. In one-on-one situations, however, they are more open. This is really about not wanting to "lose face". When we speak up in public, we run the risk of sounding uneducated or stupid. In western society, this is generally acceptable. It's why we always say: "there are no stupid questions". I don't necessarily agree with this statement, but the point is that it's perfectly OK to ask them. In Asia, however, they would rather not risk the public humiliation.
  • Exchange business cards by presenting yours with both hands to the other person. Reciprocate by accepting someone else's business card with both hands. Look at the business card for a couple of seconds before putting it away. I didn't do this at first, but realised very quickly I was being rude, albeit unintentionally. This is essentially about showing respect.
  • Never try to tell a customer what is best for them, even if you think what they are doing is completely nonsensical or illogical. Try to understand why something is done that way. Only when you have a trusted working relationship with someone can you start to voice your opinion about why something may not be the best idea. When you do this, ensure it's collaborative, not one-way communication. Even if the customer doesn't know anything about the subject matter, they like to feel that they do. Do everything you can to reinforce that feeling. Above all else, never make someone feel inadequate in front of their peers or their bosses.
  • Never assume anyone in the room is unimportant. The quietest person in the room might be the most influential. This is rarely the case in the western business world. Not so in Asia.
  • Asian audiences like listening to product features and functions. Many will say they want you to talk about a "solution", but more often than not, they actually want you to talk about the products they are interested in. There are a few reasons why this is so. I'll highlight two:
    • The first is cultural. Just look at the way Asian consumer technology companies (e.g. Samsung) market their wares. They like to tout that they have better hardware and faster processors. In reality, the average person can't observe the differences. But Asians like thinking that they have something that is better than everyone else in terms of technical specifications. We in the western world generally prefer the experience. That's why the iPhone doesn't need the fastest hardware on the market. It just needs to have specifications that are good enough to support the best consumer experience.
    • The second has to do with the Asian IT market's maturity level (or lack thereof), particularly in IT security. When one meets a software vendor or consultant, they want to gain something from the meeting. Essentially, it's about being educated and coming away with something that can be used to do our jobs better. But western views on being educated differ from those of the east. Asian organisations view listening to product features as being educated. It's a technology-centric view of things instead of a business-centric one. Western organisations don't want to know about everything a product can do unless they've specifically said: "give me a product pitch". Organisations in the west only want to know about how the product solves their business problems and would prefer if the irrelevant features were omitted. Many parts of Asia just aren't at this point yet. They'll get there eventually though.


In part 2, I'll look at key countries in more detail. Do you agree or disagree with me? I'd love to get your opinions either in the comments or on Twitter.
