How Japanese Businesses Are Cultivating Cybersecurity Professionals

(This blog post is also available in Japanese.)

There’s a shortage in Japan of both IT and cybersecurity professionals, and the country is in urgent need of human resources development. According to the Ministry of Economy, Trade and Industry (METI), the current gap between available professionals and opportunities is 132,060 IT professionals, and it will further increase to 193,010 in 2020 when the Tokyo Summer Olympic and Paralympic Games will be held in Japan. About half of end-user companies believe they are deficient in IT security employees, and only 26 percent of them think they have enough talent in these roles.

Furthermore, although 99.7 percent of Japanese companies are small and medium-sized businesses (SMBs), SMBs tend to lack resources to prepare their employees for career paths in cybersecurity or related specialties. Japan generally defines SMBs as businesses with fewer than 300 employees. In fact, a mere 12.5 percent of Japanese end-user companies that have over 1,000 employees claim they have a career path for IT security professionals. The number is 11.1 percent at end-user companies with 300 to 999 employees, 10.1 percent at those with 100 to 299 employees, and 6.6 percent at those with 5 to 99 employees.

Within this context, Japanese businesses have started new initiatives to cultivate cybersecurity professionals. In October 2014, Keidanren, or “The Japan Business Federation” (equivalent to the Chamber of Commerce in the United States), established a new Advisory Board of Cybersecurity, comprised of approximately 30 companies. The Advisory Board published a list of cybersecurity policy recommendations to the Japanese government in Japanese and English in February 2015 and expressed its strong concern over the manpower shortage.

Separately, three of the 30 member companies, Hitachi, NEC and NTT, have moved to take this discussion a step further and overcome the manpower shortage before the Tokyo Summer Olympic Games in 2020. In April 2015, each began reaching out to major companies in each sector – including critical infrastructure companies – to create a community to discuss and address the challenges of cybersecurity as part of business management. In June 2015, about 30 companies launched a new Industry Cross-Sectoral Committee for Cybersecurity Human Resources Development. This was the first time Japanese businesses initiated a cross-sectoral cooperative framework. As of August 2016, the number of member companies had grown to 48 from sectors spanning finance, IT/telecom, manufacturing, media, trade and transportation/logistics. Some of the committee members do not belong to Keidanren. The committee does not exclude non-Japanese firms, allowing for the sharing of best practices from overseas, such as Information Sharing and Analysis Centers (ISACs) other than Financial ISAC and ICT-ISAC, which Japan already has.

The committee also clarified a number of recommendations related to cybersecurity human resource development. First, they described the ecosystem required to circulate cybersecurity professionals between high/professional schools, universities/graduate schools, end-user companies, ICT companies/security vendors, and the government for education, recruitment/hiring, outsourcing, lecturers, and policy and budget support. The committee identified cybersecurity measures Japan needs to take, business missions it needs to pursue, and professionals in demand for those missions and has shared these findings with educators. Without the visualization of manpower demands, available career paths, and potential compensation packages, schools cannot be part of a true ecosystem to provide future manpower in each field of cybersecurity, and students likely will not be motivated to study cybersecurity or apply for cybersecurity-related positions.

Compared to non-Japanese companies, Japanese companies traditionally have not been proactive about informing policymakers and educators about what kind of public-private partnership is needed. Thus, this effort is epoch-making for the Japanese industry to take the initiative to show a new way of public-private-academic collaboration and share best practices beyond the barriers of different sectors and companies.

The Cross-Sectoral Committee members have studied the (U.S.) NIST Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 and the National Initiative for Cybersecurity Education (NICE). The two global frameworks are useful even in Japan. The committee tailored them to meet Japanese business culture and tradition.

As our recent blog post pointed out, Japanese companies traditionally have not had the concept of “C-level” executives, such as Chief Information Security Officer (CISO)s, until recently. Even today, most Japanese CISOs do not necessarily have a cybersecurity background, and even when appointed, they need a team to support them.

This makes for a sharp contrast between Japan and the United States. The U.S. job market is more flexible and appreciates the accumulation of expertise and specialty. If somebody wants to become a CISO, he or she must have an extensive amount of cybersecurity experiences in different organizations. On the other hand, Japan appreciates generalists who have experienced different departments and types of business projects under the lifetime employment system. It is challenging for those who want to pursue their specialty in their career and get promoted.

When Japan’s Cross-Sectoral Committee published its final report of the first stage in September 2016, they released a few appendixes as well: The first table, A1, is the Cross-Sectoral Definition and Reference of Cybersecurity Professionals Based on Functions and Missions. The appendix covers many different types of cybersecurity jobs, from CISO to hands-on technical people, and shows how much technical expertise is needed to pursue their mission. The table also shows if the person: is responsible for the mission (5); assists or supports the person in charge (4); works on the mission (3); assists or supports people who work on the mission (2); and understands the mission (1).

The second appendix, B, is the Calendar for Cybersecurity Measures to Take – A to Z. It uses the same category of cybersecurity measures as Table A1 to take, such as IT strategy and system planning, and shows when each type of measure needs to take what kind of action. For example, since the Japanese fiscal year for the government and all companies starts in April, the company should start the fiscal year with announcing its IT strategy in April. The document is helpful for those who work at the Information Systems Department of any end-user companies either as an engineer or non-engineer.

The third appendix, C, is the Outsourcing Guidance of Security Operation and categorizes which actions can to be insourced or outsourced. Since most IT professionals work for IT services vendors in Japan, end-user companies find it difficult to do all of cybersecurity work in-house. Nonetheless, the committee believes that some work, such as business planning, should be still done in-house. According to METI’s study in 2015, 24.8 percent of IT professionals in Japan work in-house, whereas 75.2 percent work at IT services companies (e.g., system integrators and others providing cybersecurity to other companies). By comparison, in the United States, 71.5 percent of IT professionals work in-house, with 28.5 percent at IT services companies. Thus, large companies in the United States, such as a banks, can have in-house government affairs people or cyberthreat intelligence analysts to understand and address business risks.

The fourth appendix, D, provides cybersecurity skill mapping from analytical, management and technical skills to legal and policy knowledge. For example, if a CISO has to work on a compliance issue, he or she has to have management policy knowledge and a system to implement and evaluate, understand the Japanese Business Act, be part of business operations management, and seek accountability.

The committee has been working with the Japanese government, such as the National Center of Incident Readiness and Strategy for Cybersecurity (NISC), to continue to have discussions with them and cybersecurity organizations. In August 2016, a committee representative briefed about their activities at the meeting of the NISC Committee for Cybersecurity Awareness Raising and Professional Development. These efforts allowed the Cross-Sectoral Committee to actively engage with thought leaders in Japan.

The second stage for the Cross-Sectoral Committee is to implement specific measures to cultivate and maintain cybersecurity professionals in a balanced ecosystem, working together with the academia and government. The committee members have shifted the interpretation of cybersecurity as a cost to investments in the future for business risk management. However, some other companies in Japan still believe IT should serve the company to increase efficiency and cut costs rather than an area to invest in. It would take some time to change their mindset.

The interim report in January 2016 cites a CEO, who argued that cooperation among cybersecurity vendors is the only way to beat cyberattackers since the number of attackers is larger than the number of cybersecurity vendor employees around the world. The committee has calculated that Japan needs 650,000 cybersecurity professionals. Before, during and after Tokyo 2020, Japan will be under severe cyberattacks, and some of them could lead to damages, such as disrupted business operations, personal information leaks, or interruption to critical infrastructure operations. The committee’s cross-sectoral approach is crucial to cultivate professionals who can prevent such damages.