The “Safe” Zone and Other Challenges to Japan’s Cybersecurity Governance Efforts

In May and July 2016, we wrote about positive progress in Japan’s cybersecurity activities, such as in the area of cyberthreat information sharing, subsequent to the December 2015 release by Japan’s Ministry of Economy, Trade, and Industry (METI) and its Information-Technology Promotion Agency (IPA) of their Cybersecurity Guidelines for Business Leadership Version 1.0.

This blog post looks at another recommendation in the METI/IPA Cybersecurity Guidelines: corporate governance for cybersecurity. It is a challenge that any country faces – including the United States – and we believe Japan is in a good position to accelerate needed changes as the country looks to raise its cyber resilience in advance of the 2020 Summer Olympic Games in Tokyo.The Cybersecurity Guidelines include action items that encourage companies to craft and publish a cybersecurity policy and also establish a cybersecurity team with an appropriate division of responsibilities. Without strong corporate governance, this cannot be accomplished. Global audiences reading this section of the Guidelines should be aware of the difference between the corporate structure in Japan and western countries, especially the United States. Understanding some key differences will be useful for companies working with business partners or customers in Japan.

Japanese companies traditionally have not had the concept of “C-level” executives. Article 349 of the Japanese Companies Act states that the President represents his or her company, while C-level positions such as Chief Executive Officer (CEO) and Chief Financial Officer (CFO) have no legal responsibility (by contrast, in the United States such positions have legal responsibility). While some Japanese companies recently started to introduce CEO and CFO positions, Japan is a few years behind the idea of appointing a Chief Information Security Officer (CISO). Given that the Cybersecurity Guidelines encourages Japanese companies to have business executives – including CISOs – to take more action this is can be a tough instruction for those companies to follow.

Another challenge shaping the Japanese corporate governance mindset, and potentially slowing reform, is the country’s employment system. In the United States, where lifetime employment is not necessarily guaranteed, people often change jobs multiple times in their careers, particularly to get promoted. U.S. employees often feel pressure to complete projects and demonstrate accomplishments, detailed on their resumés to prove their competency for their next job. This motivation makes it easier for employees to take initiative to try something new that would expand their marketable skills and make them more attractive to future employers.

In stark contrast, many Japanese still believe in lifetime employment and a seniority-based salary system. Furthermore, Japanese tend to evaluate employees by giving demerit scores. When a new employee starts working for a company, he or she has a full score. As long as employees keep working and performing in line with their predecessor, they can keep their scores. However, if they decide to challenge the company’s traditional approach and try something new, but fail to achieve visible positive results, their scores are reduced. Their courage is rarely appreciated. The culture discourages employees from testing new approaches and encourages them to stay in a safe zone.

Another corporate governance challenge facing Japan that is similar to the U.S. experience is the prevalence of companies that tend to have different departments in charge of networks/IT and security (this structure is based on the pre-Internet-era concept of telecommunications and computer security being separate disciplines). This brings two primary challenges to the Internet era when our daily functions, such as those related to finance and national and international security, rely on regular use of computers, smartphones, and the internet.

First, the different priorities of the network and security teams can make for occasionally challenging collaboration. At a very high level, network professionals prioritize the performance of the company’s IT network, including the smooth flow of data. Security professionals on the other hand prioritize the security needs of organizations, and might see the importance of suspending part of a corporate network or slowing data flows to meet those needs. The tension between the two groups arises when the actions taken to meet the priorities of one group potentially jeopardize meeting the priorities of the other.

As a second point, in many cases, the departments might be working on different planning and procurement cycles to execute a project. For example, even if the Chief Information Officer (CIO) understands the importance of having a comprehensive strategy to address risks posed to the business by cyber threats, separate planning and procurement cycles often prevent coordinated and synchronized equipment acquisition. This can result in a disjointed and complex IT and cybersecurity environment, which can pose operational challenges and weaken overall security posture.

Of course, it is not easy to change longstanding culture and corporate structure anywhere, and it is impossible to do it overnight. But if companies do not change, Japan’s cybersecurity posture will remain fragmented and vulnerable to cyberattacks. To overcome the aforementioned struggles, it would be helpful for a future version of the Cybersecurity Guidelines for Business Leadership to include three main suggestions for Japanese business:

1. A future version of the Cybersecurity Guidelines should refer to the definition of cybersecurity in Japan’s Cybersecurity Basic Act, which informs industry that cybersecurity means “measures to prevent the leak, loss, or alternation of information and ensure the safety and trust of IT systems and ICT networks, and encourages cross-department coordination for better cybersecurity.”
2. The Guidelines should encourage Japanese companies to empower their CISOs and the CISO’s cybersecurity team members. The CISO needs to have the authority to speak up at board meetings, to shape corporate strategy around cybersecurity, and to coordinate the procurement cycle to include cybersecurity more holistically.
3. The Guidelines should acknowledge the importance of educating business executives on cybersecurity. Practically, one way this can be done is through thought leadership engagements. For example, attending cybersecurity seminars or meetings with industry peers would help Japanese business leadership to understand the current threat landscape, and solutions available to counter that landscape. Another form of education could utilize a provision of the Japanese Companies Act, which allows companies to place an “external member” on their boards. This person, who is not a company employee, is expected to bring their expertise and objective opinions to board discussions. Appointing an external board member specializing in cybersecurity could bring a company cybersecurity advice and help leadership to better grasp potential cybersecurity risks and develop a company’s cybersecurity strategy.

Because the Cybersecurity Guidelines provide the Japanese government’s baseline expectation of the industry, including more advice about cybersecurity-related corporate governance, it will help Japanese companies overcome internal red tape and craft more-comprehensive cybersecurity practices to suit the 21^st century. The METI/IPA Guidelines have already stimulated interest in cybersecurity among Japanese business leadership, and non-Japanese governments and businesses have welcomed the development as well. Corporate governance is a universal challenge for any country in the world. Japanese businesses are in a good position to strengthen their cybersecurity-related corporate governance and share best practices with global peers as Japan doubles down on its efforts to be cyber-secure in the run up to the 2020 Summer Olympic Games.

This is the fifth in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz, aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover Japan’s role in global cybersecurity capacity-building, the cybersecurity ramifications of planning for the 2020 Summer Olympic Games in Tokyo, and other topics.