A visible paradox is that while we have responsibility for protecting our own systems, most of the tools we depend on belong to external suppliers. This is not only a technical matter, but also relates to the way we choose and place our trust.
For a long time, many major organisations have almost automatically prioritised foreign cybersecurity products. The usual reasons include strong branding, advanced technology, and a greater sense of “reassurance”. These reasons are not wrong, but they can obscure a reality often pointed out by experts: fear of responsibility strongly impacts decision-making to choose tools. When using foreign products, a cyber incident can easily be justified as having chosen the “best available” solution. But if a domestic product is used and something goes wrong, questions tend to be directed at the user — why they choose a Vietnamese product. This mindset limits opportunities for Vietnamese firms to deploy systems in practice, and lack the needed data to improve their products. It is unsurprising that nearly three-quarters of the domestic cybersecurity market is still imported products.
However, using foreign products is not equal to absolute safety. Dependence on foreign suppliers often means slower support processes, multi-layered incident handling, and delayed patching, while attacks occur immediately. Some features suitable for global markets may not align with Viet Nam’s specific requirements. And, of course, there are risks that local users simply cannot verify or control.
Amid increasingly sophisticated cyber threats, from deepfake scams to supply-chain attacks, dependence on foreign solutions not only slows response capability, but also leaves systems vulnerable at critical moments. That is why increasing numbers of experts argue that all important systems must have a domestic defensive layer alongside international solutions. This defensive layer may not be comprehensively strong, but it possesses clear advantages: rapid responsiveness, alignment with domestic standards and security architecture, and reduced dependence on uncontrollable external factors.
The Draft Cybersecurity Law 2025 moves in this direction by changing from a “protective” approach to a mindset of “autonomy for protection”. The law not only consolidates previous regulations, but also proposes new mechanisms to create a foundation for a more mature Vietnamese cybersecurity market. Encouraging the use of domestic products, introducing conformity testing and certification requirements, mandating that a portion of information technology budgets be allocated to cybersecurity, and systematising technical standards, aim to create a real market where Vietnamese products can be tested, improved, and trusted to use.
Another less noticed but very important factor is governance capacity. Most cybersecurity incidents do not stem from technology, but from operational shortcomings: loose procedures, lack of early warnings, and internal controls. Domestic management software, especially those with clear intellectual property, can offer advantages in language, adaptability, and customisation suited to domestic needs. When Vietnamese enterprises earn trust, the market itself will promote them to develop sustainably. The preference for foreign products is not only about technology; it reflects how we perceive our own capabilities.
A sustainable cybersecurity system cannot only rely on external support. Autonomy does not mean doing everything in-house, but rather controlling the core elements to avoid being passive in any change. This change begins with seemingly small decisions in product selection and trust in domestic capabilities. When the change happens naturally and has a foundation, Vietnam will not only have a stronger “shield”, but also a more mature technology market, which is necessary for a country entering the digital age.
