Cyber maturity is a journey that never ends: Are you truly secure, or simply feeling secure?

The need for a stronger cybersecurity posture and maturity

In Indonesia, more than 403 million anomalous traffic events were recorded by the National Cyber and Crypto Agency (BSSN) in 2023,¹ a figure that continues to rise as we move toward 2026. Recent analysis has revealed a surge in targeted ransomware attacks, supply-chain intrusions, and phishing campaigns targeting both the public and private sectors. One high-profile incident in 2024 disrupted national data centre operations, affecting hundreds of digital public services–an eye-opening reminder that cyber resilience is no longer optional and should never be underestimated.

Globally, Fortinet’s 2025 Threat Landscape Report recorded a 42% year-on-year increase in stolen credentials and more than 97 billion exploitation attempts, underlining that today’s threats are faster, more pervasive, and more coordinated than ever.²

Reinforcing this, Deloitte’s Global Future of Cyber Survey (4th Edition) finds that cyber is increasingly integral to delivering business outcomes, with leaders embedding security into cloud, data/AI, and GenAI initiatives from the outset (“security by design”)³ (see Figure 1). The survey also highlights a shift in executive mindset: many organisations expect cyber budgets to be integrated with broader transformation spending (e.g., cloud/IT), and high cyber-maturity organisations anticipate better business outcomes than their industry peers (see Figure 2). This reinforces the role of security as an enabler of innovation, not a blocker.

Figure 1. Survey on cybersecurity maturity based on technology roles

Source:Deloitte, “Global Future of Cyber Survey (4th Edition)”, 2025.

Figure 2. Survey on cybersecurity maturity based on capabilities

Source: Deloitte, “Global Future of Cyber Survey (4th Edition)”, 2025.

Security is not all about compliance, and a security posture review is not merely a compliance exercise. It is an opportunity to assess how prepared an organisation truly is–to identify vulnerabilities, adapt to emerging risks, and, above all, protect your most critical assets: data, operations, and people. Notably, confidence in cyber decision-making rises sharply with its maturity. Among high-maturity organisations, board/C-suite leaders exhibit far greater confidence in navigating cyber risks, reinforcing the importance of continuous posture and maturity reviews, alongside sustained executive engagement.

Figure 3. Survey on the C-suite’s and the board’s ability to navigate cybersecurity

Source: Deloitte, “Global Future of Cyber Survey (4th Edition)”, 2025.

Indonesian regulations on cybersecurity posture are becoming more mature. With the issuance of BSSN Regulation No.2/2024 on Cyber Crisis Management,⁴ Indonesian organisations are now expected to conduct regular assessments and simulations, emphasising that preparedness must be continuous, not reactive.

In the financial service sector, regulatory drivers are even more explicit. Bank Indonesia (BI) Regulation No. 2/2024 on Information System Security and Cyber Resilience for Payment System Providers⁵ and other BI-supervised entities sets out strengthened requirements for controls and cyber readiness. In parallel, OJK’s POJK No. 11/POJK.03/2022 (Implementation of IT by Commercial Banks)⁶ together with SEOJK No. 29/SEOJK.03/2022 (Cyber Resilience & Cybersecurity for Commercial Banks)⁷ provide concrete expectations for digital risk governance, incident reporting, and resilience.

At the national level, Presidential Regulation No. 82 of 2022 on the Protection of Vital Information Infrastructure (Perpres No. 82 Tahun 2022)⁸ highlights the obligation to safeguard the continuity, reliability, and security of critical systems supporting essential public services and strategic infrastructure.

Strengthening cybersecurity posture and maturity

A structured security posture review is required to assess an organisation's readiness to mitigate cyber risks, focusing on the CIA Triad (Confidentiality, Integrity, Availability) across three core organisational pillars:

• People – Are your teams well-equipped to identify, detect, and respond effectively?
• Processes – Do your cyber governance and incident-response frameworks align with leading standards?
• Technology – Are your systems protected against the latest and evolving threats?

Survey insights suggest that when security is embedded across these pillars, especially within priority technology domains such as cloud, data analytics, AI/GenAI, and OT, organisations achieve stronger alignment of investment, governance, and measurable outcomes.

Frameworks such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27001 for Information Security Management Systems, and the CIS Controls offer a robust foundation for such assessments. These frameworks help organisations map current capabilities, uncover gaps, and shape their improvement roadmap. High-maturity organisations remain disciplined in executing cybersecurity “fundamentals” (asset inventories, vulnerability/patch management, incident exercises, and recovery testing) while increasingly leveraging Machine Learning and AI to accelerate detection and response, adopting zero-trust principles, and modernising their enterprise security architecture.

Organisations that periodically review their security posture will benefit from:

• Strengthened cyber resilience and readiness against evolving threats through proactive vulnerability identification and enhanced defences;
• Better protection of sensitive data, reducing breach exposure;
• Improved regulatory compliance and audit readiness;
• Reduced financial and reputational risk from breaches; and
• Stronger culture of cybersecurity awareness that sustains robust security practices within the organisation.

Higher cyber maturity organisations reported greater expectations of achieving efficiency, agility, improved threat detection/response, and stronger protection of intellectual property–all while demonstrating faster recovery when incidents occur.

Figure 4. Benefits of strong posture and high maturity of cybersecurity across sectors

Source: Deloitte, 2025.

Getting your organisations ready

Security is no longer a one-time “set-and-forget” investment, but an evolving effort. Positioning security as a strategic enabler gives organisations the confidence to adopt and scale new technology responsibly, strengthening digital trust and continuous innovation.

To ensure objectivity and depth, many organisations engage an independent third party. A trusted external assessor can:

• Conduct an unbiased, end-to-end evaluation of your security environment;
• Benchmark your maturity against industrial peers and recognised standards; and
• Deliver actionable, impactful insights and a roadmap to elevate cyber resilience.

With Deloitte, we can help organisations perform Security Posture Reviews and Cyber Maturity Assessments that align cybersecurity with business priorities, building a foundation of trust and resilience for the digital future.

Figure 5. How Deloitte can help strengthen your organisation’s cyber resilience

Source: Deloitte, 2025.

If you are ready to strengthen your organisation’s preparedness, do not hesitate to connect with our Cyber Strategy and Transformation team. Let us ensure your security does not just feel strong but truly is strong.

Get in touch

Alex Cheung
Management Consulting Director
Digital Trust & Privacy
Deloitte Indonesia
alecheung@deloitte.com

¹ “Addressing the growing cybersecurity challenges for Indonesia’s digital users”. The Jakarta Post. 7 October 2024.

² “2025 Global Threat Landscape Report”. Fortinet. May 2025.

³ “Global Future of Cyber Survey, 4th Edition — The Promise of Cyber”. Deloitte. 21 October 2024.

⁴ “Peraturan BSSN No. 2 Tahun 2024”. Badan Siber dan Sandi Negara (BSSN). 2024.

⁵ “Peraturan Bank Indonesia Nomor 2 Tahun 2024”. Bank Indonesia. 2024.

⁶ “Penyelenggaraan Teknologi Informasi Oleh Bank Umum”. OJK regulation. 7 July 2022.

⁷ “Ketahanan dan Keamanan Siber Bagi Bank Umum”. OJK regulation. 27 December 2022.

⁸ “Presidential Regulation No. 82 of 2022 on the Protection of Vital Information Infrastructure (Perpres No. 82 Tahun 2022).” Government of the Republic of Indonesia. 2022.