Indonesia needs to shift from compliance to proactive resilience in cybersecurity, says official

By Mochamad Azhar

Instead of merely pursuing a secure state, public sector organisations must begin building a state of readiness, said the Ministry’s Head of the Centre for Data and Information Technology, Pangarso Dadung Nugroho.

Government agencies are seen as needing to shift their cybersecurity paradigm from mere compliance to resilience. Image: Canva

A government agency can tick every cybersecurity compliance checklist and still be hit by ransomware the next day, especially in the era of artificial intelligence (AI)-driven cyberattacks. 

 

That is why public sector agencies must stop treating cybersecurity as a matter of compliance alone and start building resilience instead, said Indonesian Ministry of Foreign Affairs’ Head of the Centre for Data and Information Technology, Pangarso Dadung Nugroho. 

 

“Many organisations feel secure after obtaining ISO 27001 certification. However, many ransomware victims around the world have also been compliant organisations,” said Nugroho during his opening remarks at the From Compliance to Resilience: Building Sustainable Cyber Resilience in the Public Sector event organised by GovInsider and TrendAI in Jakarta, Indonesia, on May 7. 

 

Nugroho noted that while compliance standards were foundational safeguards, they should not be treated as the end goal of cybersecurity. 

 

“In traffic terms, compliance is about following the rules and using a map, so you do not get lost.
 

“Resilience is about the driver’s ability to control the vehicle when the brakes fail or a tyre bursts in the middle of the journey,” he explained. 

 

He urged government agencies to move from a compliance mindset towards proactive resilience. Rather than merely pursuing a “secure state”, governments must begin building a “state of readiness”. 

Using AI to fight AI-powered attacks 

 

Nugroho underlined that the developments in AI have fundamentally changed the cyber threat landscape. 

 

As attackers increasingly use AI to identify vulnerabilities and launch rapid attacks, government organisations need to also use AI to strengthen their own detection and response capabilities. 

 

“If attackers are already using AI, why aren’t we?” he said. 

 

The increasingly uncertain global environment has made this shift even more relevant. 

 

Nugroho was referring to AI-powered cyber warfare occurring alongside geopolitical conflicts and physical wars in various countries. 

Resilience starts at the leadership level 

 

To achieve resilience, the biggest change needed to happen at the leadership level, Nugroho said. 

 

He argued that cybersecurity issues were often treated purely as technical matters, when in fact they were part of organisational risk management and public service continuity. 

 
Indonesian Ministry of Foreign Affairs' Pangarso Dadung Nugroho emphasised the importance of resilience and rapid recovery when cyber incidents occur. Image: Indonesian Ministry of Foreign Affairs

“Leaders need to change the questions they ask their IT teams. The question should no longer be whether the organisation complies with regulations, but how quickly services can recover when an attack occurs,” he noted. 

 

He also referred to the national data centre disruption that affected hundreds of government agencies in Indonesia. 

 

The incident demonstrated that many organisations were not prepared for post-attack recovery scenarios. 

 

Most institutions still focused heavily on allocating budgets towards prevention technologies, without balancing investments in detection, incident response, and system recovery. 

 

“Often, 80 per cent of the budget is spent on protection. But we forget to invest in detection, response, and recovery,” he said. 

 

Without strong and isolated backups, recovery processes become far more difficult when attacks occur, he noted.  

 

For this reason, he stressed the importance of maintaining backup systems that are separated from the main infrastructure, or air-gapped backups. 

Old technologies may become relevant 

 

Amid the push towards AI and advanced technologies, Nugroho believed resilience required a combination of future technologies and preparedness for worst-case scenarios.

 

According to him, society had become highly dependent on the internet and digital systems. If the global internet experienced a major disruption, many critical services could become paralysed. 

 

Nugroho emphasised that governments should begin reconsidering older technologies which have long been abandoned. 

 

As a result, his team has started exploring the use of analogue technologies such as radio communications to ensure coordination and communication can continue during major crises. 

 

“We must have alternative communication channels when digital systems fail,” he said. 

Collaboration to strengthen cyber resilience 

 

Nugroho said building cyber resilience had to be a collective effort through stronger collaboration among government agencies. 

 

One way to achieve this was by sharing information when cyber incidents occurred. 

 

He proposed regular forums for government IT officials to exchange technical and operational experiences, similar to communication forums already established within public relations functions. 

 

“No organisation can become resilient on its own,” he explained. 

 

He also stressed the importance of reporting incidents quickly to sectoral Computer Security Incident Response Teams (CSIRTs), rather than concealing them out of reputational concerns. 

 

By sharing information early, organisations can build collective defence mechanisms and prevent attacks from spreading across sectors. 

 

“If one sector falls, the impact can spread everywhere,” he concluded.