
Addressing The Human Element in Cybersecurity


JP Yu, Vice President, Proofpoint, Inc
The APAC region is moving through an alarming cyber environment filled with vulnerabilities. According to reports, last year was no kinder, clocking a worrisome increase in attacks, especially those aimed at the human element, with incidents in the region rising by 26.9 percent compared to the previous year. Incidents in the second half of the year surged 20 percent compared to the first half. JP Yu, the newly appointed Vice President of Proofpoint, Inc. (Southeast Asia and Korea), guides us through this industry climate. JP Yu is a seasoned leader with over 20 years of experience in the cybersecurity and risk management space, where he has led high-performance teams to drive business success and worked with many multinational corporations and partners across the region. Below is an excerpt from CEO Insights Asia’s exclusive interview with him.
You have 25 years of experience designing and delivering multi-million dollar sales strategies. What is the biggest challenge you face, and how did you overcome it?
I believe that people are at the core of every business challenge. In Southeast Asia and Korea, business relationships thrive on trust, respect, and long-term commitment. A people challenge requires people to solve it. In such a diverse and dynamic region, building the right team is crucial – one that not only understands local nuances but also bridges cultural differences seamlessly.
In cybersecurity, our customer’s biggest challenge is also about people. Addressing the human element in cybersecurity remains the biggest challenge. Proofpoint’s Voice of the CISO report concurred that human error remains a top vulnerability for organizations, with 74 percent of CISOs citing it as a major concern. We saw this as an opportunity to double down on our human-centric philosophy, prioritizing protecting people rather than just systems. This means focusing our solutions on behavioral analytics, impersonation protection, and insider threat management training to boost employees’ capabilities as the first line of defense. The good news is we are seeing heightened confidence in the region. Less than 40 percent feel that their organization is unprepared to cope with a targeted cyber-attack, as compared to 55 percent in 2023.
AI is increasingly finding its place in such cyber-defense strategies. What are the latest defense strategies you are engaged with?
Artificial Intelligence (AI) and Machine Learning’s (ML) role in cybersecurity will continue to intensify moving forward, but their presence can also be weaponized by cybercriminals to create more sophisticated attacks. For instance, we leverage AI and ML to enhance our cybersecurity solutions, providing advanced threat detection and proactive defense mechanisms. A key component of this strategy is Proofpoint's Nexus, which we revealed just last year at the Protect event, our latest AI-driven platform that continuously analyzes vast datasets to identify and mitigate potential security threats.
Within these strategies, what are the most important practices that will help businesses stay ahead of the curve?
To stay ahead, businesses must adopt a proactive and human-centric approach to security. Three practices to stay resilient against sophisticated threats are:
Invest in the human factor: Organizations are made up of people, and it can be the weakest link if not properly tapped on. Threat actors exploit human flaws as they do system flaws. On average, 10 percent of users are responsible for 100 percent of clicks within any given wave of malicious attacks on a given company. Businesses should empower employees to recognize and respond to threats effectively, transforming them into their strongest line of defense.
Adopt AI responsibly with clear governance on usage: 62.8 percent of respondents in our 2024 Data Loss Landscape Report cited employees with access to sensitive data (i.e., accounting, sales) as their biggest risk for data loss incidents. Without clear guidance, employees can freely input sensitive organization information into LLM tools such as DeepSeek and ChatGPT, unintentionally exposing the organization to risks and security breaches.
Employ a multi-layered defense strategy: Bad actors target people, not just systems, and there are multiple touchpoints where risky human behaviors can be exploited – phishing emails, insider threats, social media, or poor cyber hygiene practices. A truly effective strategy must account for these vulnerabilities. Adopting a human-centric approach that combines proactive threat detection to mitigate risky behavior is key here.
What is the ideal budget for a business to create an effective cyber defense?
Cyber defense is not a one-size-fits-all investment. It depends on the organization’s size, industry, existing infrastructure and risk profile. The ideal budget should align with the value of the data being protected and the potential financial and reputational damage from a breach.
A good benchmark is to allocate 10-15 percent of the overall IT budget to cybersecurity, but in high-risk industries like finance or healthcare, this figure should be higher. More importantly, cybersecurity spending should focus on people as much as technology. With over 90 percent of breaches starting from human error or phishing attacks, businesses must invest in threat protection, security awareness training, and a layered defense strategy.
Different industries will face varied threats over the next 12 months. Email fraud is seen as the biggest threat by the public sector, transport, and financial services industries, while ransomware would impact manufacturing and product, retail, and healthcare over the next 12 months.
It’s also worth noting that with growing concern around personal liability and increasing numbers reporting excessive expectations, burnout, and challenging budgets, the pressure continues to mount for modern CISOs. Solving this problem must be a top priority if we are to ensure CISOs are equipped for the scale of the task they continue to face now and into the future.
What would be your advice to budding leaders in the cybersecurity industry?
Cybersecurity is not just a technology issue – it’s a business imperative. For aspiring leaders in this space, my advice is threefold: stay vigilant, stay adaptable, and stay people-focused.
With a greater than ever reliance on cloud technology, a mass mobile workforce and armies of cyber adversaries equipped with AI technologies, this is the year that the storm might reach its peak and cyber security leaders will face even more risk. In fact, our recent data shows that over two-thirds (70 percent) of global CISOs remain in fear of a material cyber attack in the next 12 months. It’s important for cyber security leaders to continue to stay vigilant to stay resilient.
Adaptability is key. Cybersecurity is not just about defending networks; it’s about understanding business risks, regulatory landscapes, and evolving threat vectors. Leaders who can bridge the gap between security, technology, and business strategy will drive the most impact.
Never lose sight of the human element. With over 90 percent of breaches originating from human error, a strong security culture is just as critical as the latest tools. Great cybersecurity leaders focus on empowering people – whether through security awareness training, building resilient teams, or fostering collaboration across departments.