Cybersecurity for Business Executives Toward an Era When Everything Is Connected
Book written by NTT
Book review by Mihoko Matsubara
Executive Summary. This is noteworthy as the first cybersecurity book written in Japanese to target government leaders and C-suites to convince them that cybersecurity is a business management issue, not just a technical one. It is also the first Japanese book about cybersecurity to be translated into English.
The authors aim to share with domestic and global audiences what a Japanese company thinks about cybersecurity and what kinds of cybersecurity professionals the company has, because such openness is the only way to obtain feedback from global audiences, build confidence and enhance the company’s cybersecurity capabilities. This is unusual in Japanese business practice, which discourages companies from doing things differently from other companies or breaking with tradition.
The book has three key messages: first, we need to reposition cybersecurity from a technical issue to a business management challenge, as cybersecurity requires a whole-company approach to protect trust. Second, cybersecurity is about everything, and cybersecurity professionals are diverse. Third, the industry needs to work together on cybersecurity, not just leave it to the government and tech companies to solve these issues. These may not sound new to non-Japanese governments and companies. Yet, they show the strong will of Japanese business people to break the silence and reach out to global thought leaders to collaborate on cybersecurity. I would recommend this book as a Cybersecurity Canon Hall of Fame candidate.
Review. This is an epoch-making book in two ways: it is the first one written in Japanese to target government leaders and C-suites to convince them that cybersecurity is not just a technical issue but one of business management; and it is the first Japanese cybersecurity book to be translated into English to reach out to global experts and show Japanese businesspeople are ready for international collaboration. Before this book, cybersecurity books in Japanese had been either technical or national security-focused.
The authors belong to the NTT Cybersecurity Study Group, which consists of Senior Managers from NTT Group companies, including public advocacy personnel. NTT is one of the biggest telecom companies in the world, one of only four such companies globally with annual returns over US$100 billion. The Study Group aims to serve as an information hub for the NTT Group to enhance internal cybersecurity capabilities. Members regularly meet to discuss cybersecurity challenges and share their updates with other Group companies.
The Study Group decided to share what a Japanese company thinks about cybersecurity, as well as information about the kinds of cybersecurity professionals they have, with domestic and global audiences in order to obtain feedback from global audiences, build confidence, and enhance the company’s technical and non-technical cybersecurity capabilities. This is unusual in Japanese business practice, which encourages companies to avoid doing something different from others and from tradition.
When I first found this book, I was pleasantly surprised by the authors’ willingness to change the Japanese mindset, to be open in terms of how their company and cybersecurity professionals think about cybersecurity, and to be game-changing in creating social capital such as trust and norms. Japanese businesses tend to evaluate employees by giving demerit scores. When a new employee starts working for a company, he or she has a full score. As long as the employee performs in line with his or her predecessor, this score remains intact. However, if the employee decides to challenge the company’s traditional approach and try something new, but fails to achieve visible positive results, the score is reduced. Courage is rarely appreciated. This culture discourages employees from testing new approaches and encourages them to stay in a safe zone.
I was also amazed that this book came out two months before the Japanese government issued the Cybersecurity Guidelines for Business Leadership Ver. 1.0 to urge Japanese executives to invest more in cybersecurity as part of their business strategy. Traditionally, Japanese companies have not been proactive about informing the government about what Japan should do, unlike American companies.
The book has three key messages. First, we need to reposition cybersecurity from merely a technical issue to an important business management challenge, as cybersecurity requires a whole-company approach to protect trust. The authors point out that cybersecurity cannot be left solely to several experts because this does not allow an organization to take cybersecurity measures to meet organization-wide needs. Every employee uses information and communications technology these days. Cybersecurity is needed for everybody, yet resources are not limitless. The whole-company approach is crucial to decide how to optimize and prioritize the allocation of limited budgets and manpower.
Second, cybersecurity is about everything, and cybersecurity professionals are diverse. There is a wide variety of cybersecurity skillsets, such as knowledge about cyberattacks and defenses, risk analysis and business strategy, and education and training. Chapter 2 introduces 14 cybersecurity professionals, both Japanese and American, from different parts of NTT Group: white hat hackers, consultants, security operations center personnel, and others from financial security, internal defense, managed security service, hardware security, and encryption.
This is probably the first time any Japanese end-user company has revealed a list of their cybersecurity talent to third parties. Because hackers, even white hats, do not necessarily have a positive image in Japan due to the scarce information available about them, this book must have been encouraging to white hat hackers in Japan.
The examples also would have been useful for other end-user companies to learn what kinds of cybersecurity skillsets and professionals exist. NTT is one of three companies (in addition to Hitachi and NEC) that launched the Industrial Cross-Sectoral Committee for Cybersecurity Human Resources Development in June, 2015, to create an ecosystem between schools, universities, companies and the government to educate, recruit, hire and retain cybersecurity professionals.
Third, the authors argue that the industry needs to work together on cybersecurity and should not just leave issues to the government and tech companies to solve. These points may not sound new to non-Japanese governments and companies, yet they show the strong willingness of Japanese businesspeople to break the silence and reach out to global experts to collaborate on cybersecurity.
The authors use Chapter 3 to show how determined they are to be a game changer in the 21st century, in which cyberattackers tend to have the upper hand over defenders. The authors recognize the importance of a multi-stakeholder approach and public-private partnerships, and they have faith in end-user companies to play proactive roles in cybersecurity to change the game. End-user companies fight cyberattacks on a daily basis and own their defense strategy.
Chapter 3 also introduces examples of U.S. cybersecurity efforts, including the White House’s Summit on Cybersecurity and Consumer Protection in February 2015, and Information Sharing and Analysis Centers (ISACs). This aims to help Japanese readers learn lessons from the U.S. about how ISACs’ cyberthreat intelligence sharing helps the critical infrastructure sector and how U.S. leadership is committed to being involved in cybersecurity discussions and sharing personal experiences.
Conclusion. The message about cybersecurity as business management issue is not new. Global experts, especially Americans, are already familiar with ISACs and the NIST Framework, as mentioned in the closing chapter. Why, then, did the authors translate the book into English and post the translation for free on the NTT Group website?
They did it because this book is not just about cybersecurity for leaders. It is also about public advocacy, which the Japanese do not usually practice in the global community. The authors are aware that the cybersecurity described in this book is not perfect, but they are willing to take any feedback, because openness is the only way to break the current wall and grow out of it.
English speakers will find the book demonstrates how Japanese companies are developing a foundation for global collaboration. After reading how cybersecurity professionals in Japan struggle with, and try to overcome, various challenges, global experts will see how they can work with Japan more closely. I recommend this book as a Cybersecurity Canon Hall of Fame candidate.