This post, part 1 of my two-part series on the IT security market in Asia Pacific (APAC), is a subjective high-level overview of the region. I travel throughout the region frequently in my current role and if nothing else, this serves as a way to capture my thoughts at this point in time.
Airports
You can learn a surprising amount walking through airports. There are the superficial observations like how modern Singapore, Hong Kong and Shanghai's are compared to the run down airports of Mumbai, Taipei and Sydney. I should point out that Taipei and Mumbai are undergoing renovations so they are actively addressing the issue. Sydney however, is not.
Dig a little deeper and you may notice other things like how the most common language one hears when walking through Hong Kong's airport is Mandarin, not Cantonese or English. For those not aware, Hong Kong locals speak Cantonese. Also, the Mandarin accent of the Chinese is distinct when compared to a Mandarin speaker from Singapore or Taiwan (much like we have different accents in English based on where we are from). What that says to me is that there are more cashed up Chinese nationals that can afford to travel today than there has ever been.
Also, if you get a chance to walk by the premium boutique shops in Hong Kong (e.g. Louis Vuitton), there's usually a queue. Listen to the conversations in the queue, and they are predominantly in Mandarin (with a mainland Chinese accent). That's not to say there's not still a large gap between the upper class and those living below the poverty line, but the Chinese that have money are VERY rich and the number of wealthy Chinese nationals is increasing on a daily basis.
More on this later.
Method
My approach in writing this blog post is hardly scientific. Most of it is based on personal observations, interactions and anecdotal evidence. To be scientific, I'd need a budget of more than $0. Also, I'd be charging you $5000 for this "report" instead of writing it as a blog post. Sorry analyst friends, I couldn't resist :)
I should also point out that my views may be skewed
towards the Identity, Access and Security Management markets as I spend a
lot more time here than other functional areas within IT security.
Some of what I write may surprise. From the outside looking in, that's a good thing. If you're reading this from one of the countries I'm commenting on, it could potentially offend. For that, I apologise. This is not my intention. I'm simply trying to give my personal views on where we're at right now. Nothing I say is set in stone. Markets evolve, usually for the better. I'm also not always right. Please feel free to discuss in the comments or on
Twitter.
IT security market
These numbers are more or less in line with what most educated people with any sense of what's happening around the world would assume based on their own anecdotal observations. Perhaps some will be surprised that the Australia/New Zealand market is expected to continue to grow (and on a path similar to China and India) given the relative maturity of the market.
Back to the airports. If you look at the airports in the region, there are parallels to the IT security journey of each country. There are countries:
- Running antiquated infrastructure but are finding it difficult to move forward at the risk of everything coming to a grinding halt (mature, developed countries).
- Without acceptable infrastructure and have been forced to modernise in a hurry to deal with the speed of change and the influx of traffic (developing, fast-growing countries).
- That have been on an iterative journey of modernisation to ensure they don't fall behind (modern, developed countries that want to remain ahead of the curve).
- That don't care if their airport can support capacity (developing countries without anything more than basic technology infrastructure).
The analogy does have exceptions (e.g. Bangkok, Thailand has an ultra-modern airport), but if we look at things generally, it holds true.
At this point, I should reiterate that my views may be skewed towards the Identity, Access and Security Management markets so the comparisons between countries may not be completely in line with the IDC report I referenced earlier.
I created the following infographic to save me having to type it all out in words, but you could draw a grid based on the 4 points above and have the relevant countries sitting in the correct quadrant (this has been left as an exercise for your visualisation skills), albeit with 1 or 2 minor outliers.
 |
| Click on the image for a larger version |
I used the term "growth appetite" to describe countries that have near-term, rapid economic growth aspirations and have a good chance of fulfilling their goals. My observation earlier about the increasing number of cashed-up Chinese nationals is one such tangible example.
The point is that countries with the most growth appetite have some
way to go in getting to a mature, secure IT environment to support
their growth aspirations. This basically means there are more
potential opportunities (not revenue, mind you) in these countries.
IT security trends
Unfortunately, I'm going to have to pull out the dreaded buzzwords. I can't avoid them because that's all anyone seems to be talking about this year. I am of course, referring to:
- Cloud
- Consumerisation of IT (CoIT)
- Bring Your Own Device (BYOD)
If you've spoken to people about these, you'll find that CoIT and BYOD end up being very similar conversations. Not exactly the same, but one always links to the other. The Cloud of course, is the omnipresent entity in IT today.
So, what does APAC think about all this? Which countries care and which don't? Well, they all do. But I'm going to focus on these trends from an IT security perspective and add Governance, Risk and Compliance (GRC) into the picture. And I'm going to use a Venn diagram.
 |
| Click on the image for a larger version |
I deliberately used the term "mindshare" because that's what starts conversations. But it doesn't always translate to budgets being directly allocated to the perceived issue. Often, it's the conversation starter that helps an organisation think about IT security more strategically and address the core issues instead of the tactical ones. If you're in a client facing role, understanding the mindset of your audience is half the battle.
Business etiquette
This isn't
specific to the IT security market, but business etiquette is often the
thing many struggle with when doing business in APAC so I'll briefly
discuss it in here.
Doing
business in Australia and New Zealand is very similar to the US and
Western Europe, so I won't say anything about it. Just behave as you
normally do. Even if there are a few differences, we're used to playing
nice with others (in business anyway) and won't be surprised by most of
the things you say :)
I
will however, make a few observations about Asia in general. There are
differences between countries, but if you keep these in mind, you should
be fine:
- Many people in Asia are introverted by nature in business scenarios,
even if they may not be in social situations. They don't like standing
out. In public forums, it's very difficult to get audiences to
participate or ask questions. In one-on-one situations however, they are
more open. This is really about not wanting to "lose face". When we
speak up in public, we run the risk of sounding uneducated or stupid. In
western society, this is generally acceptable. It's why we always say:
"there are no stupid questions". I don't necessarily agree with this
statement, but the point is that it's perfectly OK to ask them. In Asia
however, they would rather not risk the public humiliation.
- Exchange business cards by presenting yours with both hands to the
other person. Reciprocate by accepting someone else's business card with
both hands. Look at the business card for a couple of seconds before
putting it away. I didn't do this at first, but realised very quickly I
was being rude, albeit unintentionally. This is essentially about
showing respect.
- Never try to tell a customer what is best for them, even if you
think what they are doing is completely nonsensical or illogical. Try to
understand why something is done that way. Only when you have a trusted
working relationship with someone can you start to voice your opinion
about why something may not be the best idea. When you do this, ensure
it's collaborative, not one way communication. Even if the customer
doesn't know anything about the subject matter, they like to feel that
they do. Do everything you can to reinforce that feeling. Above all
else, never make someone feel inadequate in front of their peers or
their bosses.
- Never assume anyone in the room is unimportant. The quietest person
in the room might be the most influential. This is rarely the case in
the western business world. Not so in Asia.
- Asian audiences like listening to product features and functions.
Many will say they want you to talk about a "solution", but more often
than not, they actually want you to talk about the products they are
interested in. There are a few reasons why this is so. I'll highlight
two:
- The first is cultural. Just look at the way Asian consumer
technology companies (e.g. Samsung) market their wares. They like to
tout that they have better hardware and faster processors. In reality,
the average person can't observe the differences. But Asians like
thinking that they have something that is better than everyone else in
terms of technical specifications. We in the western work generally
prefer the experience. That's why the iPhone doesn't need the fastest
hardware on the market. It just needs to have specifications that are
good enough to support the best consumer experience.
- The second has to do with the Asian IT market's maturity level (or
lack thereof), particularly in IT security. When one meets a software
vendor or consultant, they want to gain something from the meeting.
Essentially, it's about being educated and coming away with something
that can be used to do our jobs better. But western views on being
educated differ with the east. Asian organisations view listening to
product features as being educated. It's a technology-centric view of
things instead of a business-centric one. Western organisations don't
want to know about everything a product can do unless they've
specifically said: "give me a product pitch". Organisations in the west
only want to know about how the product solves their business problems
and would prefer if the irrelevant features were omitted. Many parts of
Asia just aren't at this point yet. They'll get there eventually though.
Next
In part 2, I'll look at key countries in more detail. Do you agree or disagree with me? I'd love to get your opinions either in the comments or on
Twitter.
