June 27, 2019
Editor's Note: The Cybersecurity Initiative has as part of its mission supporting efforts in international cybersecurity capacity-building. Part of that is understanding national efforts to build such capacity around the world. With that in mind we welcomed input from our friend and leading Japanese researcher Mihoko Matsubara to share some information about Japan’s new Cross-Sector Forum. She currently works for NTT Corporation, a Japanese information and communications technology (ICT) service firm which played a major role in establishing the Forum. Even before joining NTT, Mihoko has been helping the Forum share its expertise and application of the NIST and NICE Cybersecurity Frameworks with non-Japanese thought leaders.
As cyber threats become more complicated and the world struggles with an acute shortage of cybersecurity manpower, global collaboration is crucial for cybersecurity. Yet, it is also imperative to understand difference in business culture to move cooperation forward smoothly. Despite the fact that Japan has the third largest economy in the world, English-language research and media articles detailing its advances in cybersecurity are few and far between.
Japan has been accelerating its cybersecurity efforts since 2013, when Tokyo was selected to host the 2020 Summer Olympic and Paralympic Games. The selection prompted Japanese industry to strengthen its cybersecurity capabilities and increase cybersecurity manpower to mitigate any potential reputation risks and preserve national pride.
Creating the Cross-Sector Forum
The link between national success and cross-sector collaboration in cybersecurity has drawn high-level attention. In early 2015, the Senior Executive Vice President Hiromichi Shinohara of NTT—Japan’s largest ICT company—began assembling a forum for this collaboration. He visited Japanese critical infrastructure companies to encourage their executives to launch an effort to share cybersecurity best practices and cultivate cybersecurity.
In June 2015, the Cross-Sector Forum was founded with 30 major companies from various critical infrastructure sectors including chemical, financial, manufacturing, media, and transportation. The Forum aims to build an ecosystem to educate, recruit, retain, and train cybersecurity talent in collaboration with academia and government. As of today, the Forum has grown to 44 members.
This was the first time Japanese companies initiated a cross-sector cooperative framework on their own. Japanese companies decided to use the Cross-Sector Forum to present a new way to bring together partners in academia, public, and private sectors to collaboratively lead conversations on developing the cybersecurity workforce. Because the findings of this body offer a unique approach and an informative example for industries in other countries, I have been helping the Forum share its expertise with non-Japanese thought leaders even before I joined NTT Corporation.
Challenges to Cross-Sector Collaboration
Forum members had to overcome two challenges to work together: trust and definition. First, it took months for the members to start to feel comfortable sharing their concerns and trial-and-error in-house processes with different sectors. After overcoming a few month-long awkward conversations, they started discussing incidents they encounter and cybersecurity measures they have taken.
Second, members had to define what kind of cybersecurity talents end user companies need. To do that, they were also required to identify what kind of cybersecurity missions they have and what kind of cybersecurity skills they need to complete those missions. Otherwise, industry cannot notify government and academia of what cybersecurity policy and education are in demand.
Addressing this second challenge requires understanding the drivers behind Japanese firms’ tendency to outsource IT and cybersecurity work, which largely trace back to two unique characteristics of the Japanese labor market: lifetime employment and the allocation of IT professionals between vendors and end user companies.
Japanese industry adopted lifetime employment to retain experienced engineers after the 1950s, when the Japanese economy started to grow after World War II. While younger generations are starting to become more flexible in job change—about 50 percent of IT sector people will change jobs during their career—major companies still largely rely on lifetime employment. It is difficult for industry to keep up with fast-evolving cybersecurity threats and technologies. Compounding this dynamic, Japanese end user companies tend to outsource most of their IT and cybersecurity work. 28 percent of IT professionals work in-house in Japan; whereas, the ratio is 65.4 percent in the United States.
The Cross-Sectoral Forum Picked the NIST Framework as a Common Language
Since Forum members are from different critical infrastructure sectors, they first had to develop a common language to discuss their cybersecurity missions and workforce. The National Institute of Standards and Technology (NIST) Cybersecurity Framework played an important role in defining cybersecurity missions for the Cross-Sector Forum. Because one-fourth of Forum members are Tokyo 2020 sponsors, and all the Forum members have global presence, the Forum looked for a global cybersecurity standard to protect critical infrastructure and serve as a common language between different industry sectors.
The Forum decided to pick the NIST Cybersecurity Framework to map missions for in-house cybersecurity positions. Additionally, they chose the National Initiative for Cybersecurity Education (NICE) Framework to define skills, which Japanese end user companies often outsource, such as digital forensics to fulfill their missions.
The Forum has been actively sharing their insights with non-members including the Japanese government and NIST to increase the number of cybersecurity professionals and input their findings in Japanese policy. They have published multiple reports to define cybersecurity missions and determine which roles to outsource and which to retain in-house. These reports have informed high-level meetings, a 2018 Japanese national cybersecurity strategy, and other cybersecurity policies. To extend this growing impact beyond policy circles, some of the Forum members also fund cybersecurity courses at local universities and send their cybersecurity professionals to teach about day-to-day cybersecurity challenges and solutions.
Future Work for the Forum
Since Japan’s heavy reliance on cybersecurity outsourcing will not change in the near future, the Forum would require collaboration with vendors to improve cyber defense at end user companies. Ongoing conversations with cybersecurity vendors would create greater opportunity to share updated information on recent risks and solutions and enable vendors to better help end users address their concerns. Those dialogues would be also useful to make end users aware of resources needed to retain cybersecurity specialists and let their experts share their expertise with the cybersecurity community in Japan and the world.
The Cross-Sector Forum also should go out of Japan to share their lessons-learned with a bigger community. Since the Forum has found a unique way to combine the NIST and NICE Frameworks to define cybersecurity missions and workforce, other countries would appreciate having the opportunity to study Japanese methodology and perspectives. This is especially needed when other countries are keen to work with Japan for a new market and successful Tokyo 2020.