AsiaTechDaily – Asia's Leading Tech and Startup Media Platform
Across APAC, the cybersecurity landscape is rapidly evolving. Threats are no longer confined to internal systems—they extend across digital supply chains, cloud environments, and external surfaces like the dark web. Organizations are under pressure to adapt while also facing talent shortages and fragmented security infrastructure. In this context, cybersecurity is becoming both a technical and strategic priority, particularly for startups and mid-sized businesses looking to scale securely.
BlueVoyant, a global cybersecurity company, offers a cloud-native Cyber Defense Platform that helps enterprises detect, investigate, and mitigate internal, external, and third-party risks through a single solution.
With advanced AI, managed services, and deep integration with tools like Microsoft Defender and Sentinel, BlueVoyant supports over 1,000 clients worldwide, including government agencies and Fortune 500 companies.
On April 21, 2025, BlueVoyant announced the expansion of its operations into Japan, strengthening its presence in the Asia-Pacific region. With this, BlueVoyant aims to deliver its cyber defense expertise, especially in sectors critical to Japan’s supply chain-driven economy. Its solutions are built to help APAC organizations simplify security operations while improving threat visibility and response speed.
To understand how cybersecurity trends are affecting organizations in the region, AsiaTechDaily spoke with Brendan Conlon, Global Director of Supply Chain Defense at BlueVoyant. With growing concerns around third-party risk, regulatory complexity, and the integration of AI in cybersecurity workflows, Brendan offered an inside view of how businesses—especially those with lean teams—can make smarter, more resilient security decisions.
How do you see the cyber threat landscape evolving across the APAC region today?
Yeah, I think it’s really interesting. We’ve seen a lot of rapidly evolving and aggressive threats driven by several factors happening in the APAC region. I would say, both geopolitically and from criminal threat actors. One of the key developments has been the rise of supply chain attacks, which are becoming more common. We conduct a survey every year to track these changes, and we’ve noticed a significant increase in the number of companies in the Asia Pacific region that have been impacted by breaches in their supply chain. Companies are now having to respond not just to threats affecting them directly, but also threats impacting their supply chain.
Have there been any recent developments or incidents that stood out to you? Are there any sectors, beyond the supply chain, that you see as particularly vulnerable right now?
Yes, we’ve seen an increase in both threat activity and in the defensive side of things. There’s been a noticeable uptick in interest in our products, particularly in the financial sector. I would say this is probably the largest area where we’ve seen an increase, for obvious reasons. The financial sector deals with money, and it’s all digital—ultimately, bits and bytes. This means that if a significant amount of information is stolen, criminal actors can use that, and nation-states can as well. We’ve also seen an uptick in the healthcare and pharmaceutical sectors, where around 87% have been impacted by breaches in their supply chain. This has led to more frequent attacks in these sectors. Other areas, such as critical infrastructure, power and energy, water, and ports, have also seen moderate increases.
What are the top three concerns CISOs in APAC are raising today?
The number one concern raised by CISOs, both in our survey and anecdotally from the companies we’re working with, is vendor accountability and enforcement. They’re focusing on how to structure things appropriately so that when dealing with vendors or third parties, they can hold them accountable. In previous years, there was an increase in collaboration, with companies working more closely with security teams of these vendors and third parties. Now, the focus is on putting the legal structure in place—holding these vendors accountable with specific clauses and agreements.
The second biggest concern is regulatory compliance. Across APAC, which spans half the globe, there are many countries, each with its own regulatory standards. Some countries have implemented new standards, and there’s concern about whether companies, especially those operating across borders, are meeting these requirements. Companies are trying to do the right thing from a security standpoint, but they need to be able to report and prove to regulators that they are compliant.
The third concern is the lack of visibility. A few years ago, the focus was on collaboration, but now companies want visibility into the risks introduced by these vendors to their business.
How have these changed compared to five years ago?
The way things have changed is interesting. From a concerned perspective, AI is now a concern. They’re asking, “What are their vendors using? Are they sharing data with applications they shouldn’t be?” There’s concern about the risks, but the focus has shifted. A few years ago, it was mainly about visibility—just being aware and understanding the infrastructure so that things could be monitored. Now, companies have those systems in place, and they want to operationalize them. They’re focused on using those tools effectively so they don’t waste the money they invested a couple of years ago. The focus now is on operationalizing the tools to reduce risk in their supply chain and vendor ecosystem.
How are BlueVoyant’s detection strategies evolving to address this?
We built and designed BlueVoyant and its products from the beginning to scale cybersecurity. Handling large amounts of data requires great automation, so we focus on that. We use a variety of AI models to help with that. Now, it’s evolved further with LLMs (large language models), which are only about two years old, but in the startup space, that feels like decades. We’re fully integrating these newer capabilities and embedding them into our system. It’s all about doing things at scale, but it still comes down to accuracy, speed, and automation. We’ve introduced a couple of new capabilities in our detection strategies. We’ve added an administrative component with a questionnaire platform, in addition to all the data collection we do. This platform facilitates better conversations with vendors. On the flip side, we’re focusing on software bill of materials (SBOM). We’re now looking at the code base used by our clients, sourced from third parties.
How are APAC enterprises approaching third-party risk today? What are the biggest blind spots?
Supply chain defense is my passion, and we’ve seen significant maturation in third-party risk management across APAC. In Singapore, for instance, they’re really leading the way. They’ve focused on assessing every vendor under contract, and they’re ahead of the global average. Singapore is one of the leaders in the region, and I would say globally as well. We’ve also seen upticks in Australia, where new regulatory compliance measures have been introduced, along with direction from the government. We’ve recently opened an office in Japan due to growth in that area, and we’ve seen a lot of maturation and expansion there. The Philippines is also a leader with a heavy focus on supply chain management, and because everything is so interconnected in APAC, it’s important.
The biggest blind spots are still significant. Despite the progress, when we survey companies, about a third of them admit that they wouldn’t even know if a breach occurred in their supply chain. Even though 87% have reported breaches over the last 12 months, they’re still concerned that breaches could occur and impact their business operations without them even knowing. There’s a lack of visibility, and companies are looking to improve that. Another issue is underutilization of automation. Many companies start with spreadsheets, manually tracking things, and only once they reach a certain size do they begin using proper tools at scale. This is common in the startup space, too—companies often start small and then eventually realize the need to scale and mature.
How are regulations across APAC markets influencing cybersecurity priorities for organizations?
Yeah, we’ve seen regulators globally changing, adding new requirements to focus on supply chain defense. It’s the same thing happening specifically in Asia. Globally, different countries are doing things. You have, obviously, the EU with DORA, and in the US, there’s the SEC. But in Asian markets, Australia, Japan, and Singapore have all made significant moves. For example, Singapore’s Cybersecurity Act is heavily focused on cybersecurity, with the Cybersecurity Agency implementing it in some ways. They’ve had a big focus on financial sector regulations, especially after incidents like the cloud provider failure that shut down multiple banking institutions.
This incident highlighted supply chain, third-party risk management. The government in Singapore realized they couldn’t afford to have critical infrastructure in the financial sector go down because of such breaches. They are now improving regulatory requirements. The same trend is visible in Australia, especially after the Optus breach a couple of years ago. Optus has done a lot of work to improve its security, and we can see that progress because they’re reporting directly to the government. Regulators are taking these lessons and pushing them out, ensuring that similar requirements will be enforced soon. There’s this natural maturation process taking place, and it’s a very interesting space to watch.
What role is AI and automation playing in modernizing cybersecurity defenses in Asia-Pacific?
It’s critical. If you’re a company and you’re not using AI right now, you’re missing out on a lot of cool capabilities. Criminal actors are using AI, and it’s evolving in different techniques. From a modernization standpoint, we are heavily invested in it. The amount of data we analyze globally has grown substantially since 2017. We had to use various AI techniques to manage that data. Now, we’ve moved to more advanced methods, like natural language processing and the use of large language models (LLMs). These technologies are essential in automating and scaling our capabilities. At BlueVoyant, we want our smart people to focus on complex problems, not repetitive tasks. Once our AI models solve those problems, we train them to handle more challenges and rapidly evolve. AI is critical in every phase of cybersecurity, including data collection, analysis, normalization, reporting, and response.
Do you think organizations, especially in the startup space, are adopting it fast enough?
The startup space is fascinating to me. Initially, I was concerned that only a few big AI players would dominate the market. But what’s actually happening is we are seeing a ton of startups going into niche roles, solving very specific problems. These smaller companies are creating tailored solutions that are often more effective than the broader, generic models from the big players. We see this internally at BlueVoyant too, as our engineers experiment with different capabilities. Startups are great at solving actual problems and not just applying broad, generic solutions.
How do you ensure explainability and trust in AI-driven defense?
That’s critical. Every time we use AI and it generates a result we want to act on, we make sure that the AI references the source data or the logic it’s using. We ensure that the AI can explain where it found the information. For example, when one of our vendors questioned a breach in 2021 based on an AI-generated result, we could confidently say it wasn’t true. AI can generate inaccurate results, so it’s important to have safeguards in place. We ensure that AI models provide sources and decision logic, allowing analysts to validate the results and trust the recommendations made by the automated system.
Cybersecurity isn’t just an enterprise concern — how should SMEs and startups in APAC approach cybersecurity?
Yeah, great question. I’m not sure if you’re aware, but I was the CEO of a startup before selling the company about 10 years ago. As a startup, you want to focus on building your business—you’re not trying to be a cybersecurity expert.
So, what are two or three simple things that can be done? First and foremost: implement multifactor authentication. If you’re using one of the well-known email or infrastructure providers like Google or Microsoft, it’s really easy to implement, and I can’t stress enough how important it is when setting up your infrastructure. As you grow, that foundation becomes critical.
Second, you need basic endpoint protection—anything on the laptops or infrastructure you’re using. And third, back up your data. Eventually, something is going to get through, and you’ll need to recover.
So, those are the three things to focus on:
- Multifactor authentication
- Basic endpoint protection
- Backing up your data
There are a few more things you can do, but those are the key ones.
As you grow, just like you eventually bring on a CFO or a general counsel, at some point you’ll also need to start building out your security staff. But initially, you’d want to offload a lot of that to experts—have one or two people in-house, and outsource the rest—so you can focus on running your business.
Brendan, when it comes to third-party risk—especially for lean teams—what’s a practical approach that actually works without burning out the team?
I’ll keep it to three core recommendations.
First, if you’re a growing startup and starting to worry consistently about third-party risk, figure out your vendors. Which ones are critical to your business? Which ones are you sharing client information with?
If a vendor goes down due to a ransomware attack, can you still operate? If not, that vendor is critical—what we call a “Tier 1.” Focus on those vendors. Understand their security posture and whether they’re actively reducing risk.
- So, the first step is tiering your vendors—sometimes called stratification. It’s just a fancy term for asking:
  - Are they critical to my business?
  - Am I sharing private information with them?
- Second, assess and monitor those critical vendors.
- Third, actually reduce the risk. It’s not just about identifying it.
So:
- Tier your vendors
- Assess and monitor
- Reduce risk
Those are the three things I’d recommend for a new CISO in a growing startup.
With over a decade in national security followed by ten years in the private sector, Brendan brings a unique perspective to his role at BlueVoyant—one rooted deeply in collaboration and preparedness. “You need people you can rely on—not just for advice, but when you actually have an incident,” he explains. That mindset, forged in the high-stakes environment of defense, now drives BlueVoyant’s emphasis on intelligence sharing and scenario planning. Whether it’s a cyberattack on a fintech startup or a vulnerability in a supplier’s system, the company urges clients to plan for every possibility—because resilience starts long before an incident occurs.
At a time when cyber threats are evolving faster than ever, Brendan finds APAC particularly compelling. “Many super-sophisticated threat actors are in Asia, and they often test new techniques on companies in this region before going global,” he says. That constant evolution means no two days are the same. BlueVoyant not only monitors those shifts—it actively adapts to them. The company’s broad cyber defense platform now includes cutting-edge capabilities like software bill of materials (SBOM) analysis, enhanced vendor monitoring, and deep integrations with third-party risk platforms.
Looking ahead, Brendan is optimistic about what’s to come. “You’re going to see great things in APAC from us,” he says. With new leadership in the region and purposeful investments in local talent and infrastructure, BlueVoyant is doubling down on doing things the right way. From Singapore to Sydney, the company is scaling intentionally—bringing global expertise and local execution together to defend against some of the world’s most advanced cyber threats. It’s not just about reacting to attacks; it’s about building an ecosystem of trust, knowledge, and preparedness. And with Brendan’s dual lens of defense and business, that mission has never been clearer.
Most recently, BlueVoyant launched a new service—Continuous Optimization for Microsoft Security (COMS)—designed to help organizations get more value from Microsoft Defender, Sentinel, and related tools. The offering supports enterprises with tailored configurations, analytics, and expert-led guidance to improve threat detection while optimizing costs. Each client receives a dedicated Microsoft Security Architect and access to weekly intelligence and live training. With COMS, BlueVoyant shifts from simply detecting threats to enabling businesses to build scalable, cost-effective, and mature security operations.