For years, companies in the APAC region have relied on DIY security models, buying individual tools and stitching them together in-house. This made sense when IT environments were easier to manage. However, this legacy model is now a major drag on resilience. The hidden costs and risks from this model are increasing the burden on security teams, distracting them from their mission of protecting and staying ahead of evolving cyberthreats.
To learn more about the viability of a DIY model, iTNews Asia speaks with Bennett Wong, Senior Vice President of APAC at Exclusive Networks, who advises that the better way to stay safe in the new 2026 threat landscape is to move from a "Go-it-alone" architecture to a collaborative "Ecosystem" approach.
iTNews Asia: Many APAC companies believed that buying more tools meant better protection. They have built "Frankenstein" environments, often leading to cluttered, disconnected systems that actually slow down response times. What are the dangers that you see from this?
Wong: “Frankenstein” security environments create risk because they are hard to run under pressure. Disconnected tools produce duplicate alerts, inconsistent policies, and gaps in visibility, so real threats hide in the noise. They also slow response because teams must jump between consoles, manually piece together what happened, and coordinate fixes across multiple owners. Over time, costs rise, skills are stretched, and security becomes brittle, with more points of failure and more chances to misconfigure something.
iTNews Asia: Why do you think 2026 is the year companies will stop collecting security tools and start connecting them to reduce complexity? What’s driving this need to change?
Wong: 2026 is the year companies shift from collecting tools to connecting them because the business case is unavoidable. Attacks are faster and more coordinated, while budgets and talent are constrained.
Leaders want clear proof that the business can handle disruptions, but for a lot of companies, the real problem is overload. The quickest gains now come from simplifying and integrating what companies already own, so signals flow automatically, actions are consistent, and response time improves without adding more complexity.
iTNews Asia: How have IT spending trends changed and evolved in the APAC region? Is the traditional model of stitching best-in-class solutions and tools, particularly across security considerations, no longer viable?
Across APAC, IT budgets have shifted from buying more hardware to funding ongoing software and services, with a big uplift in cloud, security, and AI-related workloads. That change is forcing more discipline: leaders want fewer moving parts, faster response, and clearer accountability.
The traditional “stitch everything together” model is still possible, but it is no longer viable as a default approach. Too many best-in-class tools create complexity, alert overload, and integration gaps that slow teams down. The direction we see in 2026 is simplification first, then smarter integration: fewer strategic platforms, clearer operating processes, and services that make the environment work as one system.
iTNews Asia: Gartner forecasted global IT spending to reach US$6.08 trillion in 2026, with software and IT services leading growth. Where should companies in APAC prioritise spending, and where should they be more cautious?
Gartner’s 2026 outlook shows growth being led by software and IT services, and the smartest allocations will be those that turn technology into measurable reliability and productivity.
In practical terms, that means strengthening the “business basics” first: secure access for employees and partners, protection for critical data, stronger backup and recovery, and better day-to-day visibility so teams can spot and contain issues quickly. It also means funding the operating layer that keeps everything working: skills development, clear processes, and trusted service support, because many security and IT teams are stretched and cannot scale simply by adding more products.
Where organisations should be more cautious is spending that adds complexity without improving outcomes. Treat new standalone tools carefully if they create extra screens to manage, duplicate capabilities you already own, or generate more noise for the same team to handle.
Be wary of large, multi-year transformation programmes that delay value, and AI initiatives that move faster than oversight, privacy, and risk controls. Keep a tight lens on infrastructure expansion as well, and link capacity decisions to clear business demand and measurable returns.
iTNews Asia: A recent World Economic Forum report also pointed out that the majority or 87 percent of organisations they surveyed see AI as a vulnerability and have invested heavily in it. On a regional level, can you discuss specific guardrails that companies are buying to secure their own AI pilots?
Wong: The WEF report captures the tension we see daily in APAC. AI is being adopted quickly, yet its risk is rising just as fast, and many organisations are now putting formal checks in place before rolling tools out. In response, companies are buying practical guardrails around their pilots, starting with “what data can go in, and what must stay out.”
That shows up as enterprise controls that prevent sensitive information from being pasted into public tools, automatic masking of personal or confidential data, and approved “safe” AI environments that keep information within the organisation’s chosen boundaries, often aligned to local expectations on privacy and data handling.
Regionally, the guardrails also reflect how APAC regulators and public-sector leaders are shaping norms:
- Singapore: Governance frameworks are pushing companies to define accountability, test controls, and build safety into how AI systems are used.
- Australia: Updated government policy emphasises clear responsibility, risk-based actions by use case, and transparency, which is influencing private-sector approaches as well.
- Hong Kong: Technical and application guidelines similarly encourage practical safeguards and governance principles that organisations are translating into internal playbooks and controls.
- India: The direction of travel is also clear, with data protection obligations shaping how organisations approach consent, purpose limits, and safeguards when personal data could be involved in training or deployment.
iTNews Asia: In your view, which has been the most effective?
Wong: The most effective guardrails are the ones that reduce risk without slowing innovation to a crawl. This means clear usage policies tied to enforcement, strong access controls so only the right people and systems can use AI, detailed logs so decisions can be reviewed, and routine testing to catch unsafe behaviours early.
The common goal is consistent across APAC, even when local rules differ: keep sensitive data protected, keep AI use accountable, and make sure pilots can scale only when those basics are proven in real operating conditions.
iTNews Asia: To meet compliance needs going forward, do companies need to restructure infrastructure to isolate data by geography? How much of a challenge would this be security-wise?
Wong: Not every organisation needs to rebuild its entire IT setup to keep data strictly separated by country. But in APAC, many do need a clear plan for where different types of data should live, because the rules can vary widely by industry and market.
In most cases, the sensible approach is to prioritise: keep the most sensitive or heavily regulated information stored locally when required, and allow less sensitive data to move across borders when there are clear safeguards and approvals.
Security-wise, geo-isolation can reduce some regulatory and exposure risks, but it also creates real operational challenges. Splitting environments across countries increases complexity, duplicates systems, and can lead to inconsistent policies, uneven patching, fragmented monitoring, and slower incident response, especially when access and logs are scattered across multiple regions.
This is where consolidation matters: fewer platforms, consistent controls everywhere, and an operating model that works across borders without creating new blind spots.
iTNews Asia: How much of an impact has the need for digital sovereignty have on IT spending decisions? What does the next five years of cross-border cyber policy for Asia-Pacific look like?
Wong: Digital sovereignty is now shaping IT spend in APAC in a very direct way: it changes the default question from “what’s the best technology?” to “where will it run, who controls it, and how do we prove it?” Therefore, we are seeing more budget flow into in-country or in-region deployments, stronger control over access and encryption keys, tighter oversight of third parties, and the ability to demonstrate compliance through audit-ready reporting. This can also mean paying for parallel environments in different markets, which is not always efficient, but it is often the price of doing business in a region with very different regulatory expectations.
Over the next 5 years, cross-border cyber policy in Asia-Pacific will be defined by a balance between control and connectivity. Many governments will continue to tighten rules for sensitive data and critical sectors, and enforcement will become more active and more practical, focused on evidence of real controls.
Economies still rely on data flows, so we will also see more “trusted pathways” emerge, where transfers are permitted when organisations can meet clear conditions around security, accountability, and risk management. For companies, the takeaway is simple: sovereignty is about moving it safely and lawfully with the right guardrails in place.
.jpg&h=271&w=480&c=1&s=1)
