Private companies are beginning to establish CISOs, strengthen their authority, and collaborate with external experts as part of efforts to “reform management awareness.”

Regardless of the company’s nationality, industry, or size, I often go to the facilities of the victim organization in response to requests for support such as incident response and forensic investigations. The roles and responsibilities of CISOs in Japanese companies cannot be seen.
I strongly feel that CISOs in Japanese companies are still affected by the collective sense of community that is unique to Japan.
I would like to introduce some “CISO behavioral patterns” that are likely to lead to missteps.

(1) Excessively interested in the “security measures of other companies” and trying to find out
This is due to the “typical side-by-side consciousness”.

(2) Decide on the planning and selection of measures to strengthen security through “discussions influenced by the manager’s way of thinking”
It is not understood that cybersecurity is designed, planned, implemented and operated in the context found in the data and information obtained through a thorough risk assessment.

(3) Do not cooperate closely with departments in charge of “business risks”
Unlike natural catastrophe risks, the knowledge and experience required to systematically manage cyber risks, which stand out for their volatility, relevance, expansiveness, complexity, persistence and extremes, are orders of magnitude greater. Management measures for business continuity cannot be formulated simply by receiving a “transient lecture” from an outside expert.

Considering that the CISOs of overseas companies have also overcome various hardships, it is believed that the cyber damage to Japanese companies will continue to grow for the time being.