Closing Vietnam’s cybersecurity gap starts at the top

Speaking with Business Forum Magazine, Bruno Sivanandan — CEO of Cycle Vietnam and a Europe-based consultant in digital transformation and cybersecurity — emphasized that the “weakest link” in Viet Nam’s cybersecurity is not technology, but governance and people.

The Vietnamese Government has been pushing hard for digital transformation, yet there still seems to be a gap in cybersecurity capability. How do you assess this issue?

As the level of digitalization increases, exposure to digital risks inevitably rises. Today, most companies outsource many of their operations—from HR, payroll, and marketing to data storage—and every time data is shared with a third party, the risk multiplies.

This trend has become even more pronounced as AI is now integrated into nearly every operational process, making the cybersecurity landscape more complex. In reality, it is extremely difficult to accurately assess the safety of the hundreds of systems that companies rely on. I believe that within the next five to ten years, only a handful of large providers with strong technical capabilities and reputations will retain market trust.

From my experience, the “weakest link” is not technology itself, but cyber risk governance and compliance at the executive level. Many companies lack visibility at the board level, which leads to vulnerabilities throughout the system. My job is to help CEOs and executive teams gain a holistic view of their risks, legal obligations, and to design an actionable roadmap. After governance comes the human factor—such as employees clicking on phishing emails—and then technology.

Do you think cost-cutting concerns are the reason why many business leaders have yet to prioritize cybersecurity?

Yes, but that’s beginning to change. More and more executives are realizing that cybersecurity is not a “cost” but an investment in business sustainability—similar to buying insurance.

Currently, the most common threat faced by Vietnamese companies is phishing attacks. Once an account is compromised, attackers can impersonate the company by sending fake invoices or altered bank account details to steal money. A single careless mistake can result in heavy financial losses, or even bankruptcy if operations are frozen for one or two weeks.

Both companies and individuals must shift their mindset: investing in cybersecurity is building the foundation for digital transformation and safe AI integration.

For example, a company with a solid ERP system can easily integrate AI to process invoices or interact with customers while still ensuring compliance and data protection. Although it requires time and money, this is a long-term strategic asset. In fact, during IPO or M&A processes, a strong IT infrastructure can significantly increase enterprise valuation.

How is Vietnam’s cybersecurity service market evolving, in your view?

It’s expanding rapidly, with participation from both domestic and international firms. I’ve seen Vietnamese companies demonstrate clear strategies and a highly professional mindset; we’ve successfully partnered with them on projects in Europe.

Structurally, the market can be divided into three tiers:

1. Technical security infrastructure – Security Operations Centers (SOC) that monitor systems and issue alerts.
2. Incident response services – including breach handling, penetration testing, and recovery.
3. Governance and compliance – integrating cybersecurity into corporate strategy at the executive level.

At Cycle Vietnam, we focus on the third tier—helping CEOs understand why and how to invest appropriately, optimize budgets, and ensure full coverage of risks. I believe the “cybersecurity-as-a-service” model will soon become the norm in Vietnam.

What about human resources in this sector?

There is still a shortage, especially of consulting professionals. Vietnamese engineers are technically excellent, but they often lack critical thinking and communication skills required for high-level advisory roles. However, as more universities open specialized programs, I’m optimistic this gap will close quickly.

Vietnam has a significant advantage: high-quality talent at a competitive cost. With the right investment, the country can absolutely become a regional hub for cybersecurity services, even exporting expertise to the European market.

How would you evaluate Vietnam’s cybersecurity regulatory framework? And what recommendations would you give to the Government to strengthen it?

The Vietnamese Government has been very proactive. Regulations such as Decree No.13/2023/NĐ-CP on personal data protection, the Personal Data Protection Law, and the Cybersecurity Law, as well as the E-commerce, Digital Industry, and Science & Technology Laws, have all helped establish a crucial legal foundation.

However, the European experience shows that compliance only becomes real when there are strong enforcement mechanisms and penalties. I believe Vietnam is now transitioning from “building the framework” to “enforcing it.”

I share EuroCham’s view that the Government’s dialogue with the business community has been effective and should continue. The recent Hanoi Convention on cybersecurity under the United Nations framework is a commendable initiative that underscores Vietnam’s emerging role on the global cybersecurity map.

That said, there is always a gap between conventions and practical implementation. Those who understand the technical details—the cybersecurity experts—must have their feedback heard to make the legal framework more effective. The Convention carries great symbolic value, but to translate it into real progress, sustained commitment is required for at least the next five to ten years.