Keidanren collaboration delivers book with practical advice to corporate leaders

As concern about cyber risk grows in Japan, a new book by veteran American Chamber of Commerce in Japan member and Marsh Japan, Inc. Senior Vice President Ted Sato aims to help corporate management find the most effective approach to mitigating risk and effectively responding to events.

Sato authored the book with Toshinori Kajiura, a member of Keidanren (the Japan Business Federation) and a senior researcher for information and communications technology policy at Hitachi. Kajiura was previously chair of Keidanren’s Working Group on Cybersecurity Enhancement.

🔼 Watch the video above for more insights from Sato himself.

Published in February by the Nikkan Kogyo Shimbun, a Japanese industry newspaper, Strengthening Cyber Risk Management: A Keidanren Handbook to Cyber Risk Management is designed to provide corporate managers with practical guidance for dealing with cyber risk.

Not to be confused with cybersecurity, cyber risk is defined by the US Department of Commerce’s National Institute of Standards and Technology as the “risk of financial loss, operational disruption, or damage from the failure of the digital technologies employed for informational and/or operational functions introduced to a manufacturing system via electronic means from the unauthorized access, use, disclosure, disruption, modification, or destruction of the manufacturing system.”

Sato told The ACCJ Journal that the book, which spans more than 200 pages, was written by professionals from the battlefield in easy-to-understand language. “We wanted corporate managers to be able to ask effective questions at the earliest stages of any cyber risk event. That is very important.”

The idea came after a series of events last May which Sato conceived with Nikkan Kogyo Shimbun. The well-received sessions showed corporate managers how to deal with cyber risk, not solely as a technical issue but to emphasize management and factors related to organizational culture.

Keidanren had been hosting its own events since 2014, working to change the mind-set of corporate management on this critical issue. The organization built on Sato’s efforts to bring together professionals with similar motivation to create the Cyber Risk Management Japan Study Group, which was a supporting contributor to the book.

These efforts were also supported by the late Hiroaki Nakanishi, who was chair of Hitachi and Keidanren and contributed the foreword.

The book’s core advice draws on a 2014 report by the Internet Security Alliance and the National Association of Corporate Directors’ handbook on cyber risk, which recommends a one-team approach to corporate management. Beginning with the importance of expert advice from outside the company, the book advises an “art of science” approach that balances technology, human factor management, and operational excellence to ensure an organization’s readiness, response and recovery, and recurrence prevention.

The book has been well received by reviewers for its practical guidance.

“It is very meaningful to promote cooperation with experienced US firms at this early stage for Japanese companies,” Sato said. “If all goes well, next we plan to make an English version to share in Asia.”

Two years into the JDA 2030, ACCJ leaders take stock of progress.

Transformations take time. Reaping rewards can take longer. For Japan, shedding analog processes is critical for future prosperity, and the American Chamber of Commerce in Japan (ACCJ) is bringing together the broad expertise and experience of its membership to assist with the push for digital transformation (DX).

In early 2021, the ACCJ unveiled a comprehensive white paper entitled Japan Digital Agenda 2030 (JDA 2030) that outlined 11 big moves which could position the country as a global leader as we dive deeper into the 21st century. Produced together with McKinsey & Company, the JDA 2030 presents technology use cases and describes how Japan could realize a transformation that would put the world’s third-largest economy on equal footing with leading digital nations.

These measures to bolster DX in Japan call for concerted steps by major industries and stakeholders in areas such as digital talent, industry transformation, digital government, and economic renewal. And in the two years since the paper was published, the need for cross-industry collaboration to make many of the JDA 2030’s big moves a reality has become increasingly clear.

An Evolving Proposition

What has also become clear is that the pace at which digital everything is infiltrating all aspects of business and society calls for a reassessment of the JDA 2030. The ACCJ’s new Digital Forum, confirmed by the Board of Governors in April and led by Chair Mitsuhiko Ida, along with Vice-Chairs Kristopher Tate and Scott Warren, will be leading this task, working with the various digital-related committees to coordinate the chamber’s voice and position on DX.

And with DX impacting all organizations, not just those in technology fields, everyone has a role to play.

“The question is swiftly becoming, Is there such a thing as a non-tech field?” Warren told The ACCJ Journal. “We are seeing technology being applied in almost every business. I think the application of technology is almost too alluring—and necessary to keeping a competitive edge—to be ignored.”

ACCJ Digital Transformation Committee Co-Chair Jim Weisser agrees. “All businesses are digital or have a DX component. Trying to figure out which piece to transform—and how to do it—is a problem for all companies.”

Fellow co-chair and ACCJ Governor James Miller added: “The most important thing for members to keep in mind is the cross-sectional view versus the deep dives. There are sets of concerns that are technology specific, but we are continuing to focus on sharing what sets of issues business leaders should prioritize that are cross-sectional.”

Already, the chamber is looking at a variety of mechanisms to bring together the insights from the JDA 2030—and those continually being developed by the ACCJ’s committees—to refine its position and recommendations to provide the best guidance in a rapidly changing environment. This effort, supported by the work of the digital committees on technology-specific issues, is focused on teasing out the common positions across the broad range of committees to bring the whole chamber to bear on DX.

A question about the big moves outlined in the JDA 2030 is whether they might require a longer timeline to be realized than the seven years that remain until the original target date. This has spurred an effort to learn from the chamber’s landmark 2009 white paper Achieving the Full Potential of the Internet Economy in Japan, how progress was achieved, or efforts stalled, and how the digital agenda itself can evolve.

While a lack of dialogue or substantive business input may have slowed progress, the Great East Japan Earthquake and Tsunami of March 11, 2011, reignited interest in resilience. Similarly, former Japanese Prime Minister Shinzo Abe’s focus on the role of data at the 2019 World Economic Forum Annual Meeting in Davos has since proved to be a major lift for the JDA 2030.

Data, Trust, and Talent

At the center of Abe’s Davos proposal was Data-Free Flow with Trust (DFFT), something which Japan and its allies have struggled to define in the years since, said Warren, who is also co-chair of the ACCJ Legal Services and IP Committee as well as vice-chair of the Information, Communications, and Technology Committee.

“How we achieve [DFFT] will be one of the main topics discussed during the G7 conference. The real challenge, I think, is that the definition cannot be static, as it is very dependent on the type of data—critical infrastructure data versus other data—and the question of how much you trust the receiving entity and country. I think the true answer has to take those factors into account.”

Ida, an ACCJ governor, noted that the establishment of a new organization to promote DFFT was agreed at the G7 Digital Ministerial Meeting held in Gunma Prefecture in April. “For this, governments want private sectors to share our experiences, needs, and suggestions for policymaking. This is just one case in which the ACCJ can contribute,” he said.

Another area of great importance to successful DX is the acquisition and training of digital talent. But for a company to build a deep bench of world-class talent, with the digital know-how that is increasingly critical to success, takes time, Weisser said.

Megumi Tsukamoto, a vice-chair of the ACCJ Task Force on Economic Security, said that it is likely to take five years or so for Japanese companies to establish their digital bench once they recognize the need and begin fostering this talent. First, they must overcome major challenges in their operating cultures to provide levels of compensation expected by these professionals.

She also notes that opportunities are emerging that might enable Japanese companies and IT vendors to build their digital talent sooner. One is the sudden availability of personnel following the recent restructuring in the IT sector, both in Japan and in key markets overseas. “They’ll do it because, without IT talent, it is very difficult to compete with other global companies. It is an urgent issue,” Tsukamoto emphasized.

Companies are also increasingly aware of the business opportunities digital can drive, and are developing their people to realize them. Tsukamoto points to one Japanese service provider that is working to create tools, some powered by artificial intelligence, to help staff who lack digital skills. By pooling specialists in planning, user interface design, and the core product—and combining these with dedicated IT support—they are able to develop in-house software that can enable service staff to focus on the highest value tasks while leaving the software to automate others. She also mentioned a Japanese manufacturer that is already pairing robots with its production line workers to realize mutual benefits.

Now Is the Time

New tools such as these show that technology concerns are not the biggest obstacle. “Oftentimes, it is the business thinking that we should be focused on,” said Miller. “A lot of tools can be used to reduce risk and mitigate concerns in a way that was not conceivable a decade ago.”

Japan also brings to the table a high level of competency in science, technology, engineering, and mathematics, or STEM disciplines, that enables it to leverage a strong legacy of engineering capabilities. “Combined with being the world’s third-largest economy, the level of scale and scope of opportunities seen in Japan are really unrivaled,” added Miller.

These insights are the basis for plans to coordinate DX leaders across the ACCJ’s various digital committees. The goal is to
understand the high-level points and the depth of topics, ranging from talent acquisition to cybersecurity.

“Now is the time to work together,” Miller concluded. “We’re seeing dramatic changes in Japanese policy and company environment that we haven’t seen for 30 years. We are seeing a lot more combined interest in [the US–Japan] partnership.”

The ACCJ, with its diverse and multinational membership, is one of the few organizations that can pull such voices together and bring industry views to both the US and Japanese governments, noted Ida. “We can partner with both governments to support their policymaking by providing our experiences, needs, and technical assistance.”

Warren invites all ACCJ members to get involved in shaping the chamber’s digital advocacy.

“The ACCJ has consistently espoused, for years, that whatever new policies are created in Japan must be fairly implemented across both domestic and international companies,” he said. “As for specific policies to implement related to digital transformation, the ACCJ is in the process of gathering those. If you have ones you think important, please submit them to one of the many digital policy committees or to your committee leadership.”

Recruiter Robert Half shares how to find the best cybersecurity talent.

As digital transformation (DX) touches every aspect of how we work and communicate, businesses face ever more complex challenges when it comes to protecting data—whether it is their own or that of customers. The evolution of cybersecurity means that companies must rethink how they hire for this critical task.

Steven Li, senior division director for cybersecurity at recruitment company Robert Half, told The ACCJ Journal that they see a lot of companies going through digital or IT transformations to shared service models, including for security.

“One of the challenges with security is that it’s all about data, and it’s all about being able to see your entire ecosystem or environment using a single source of truth or a single tool,” he said. “And a problem you may face is how to bring different business units that you’ve acquired onto a common platform for security operations and vulnerability management, so that when someone asks, ‘Are we impacted by this incident?’ you can answer with a degree of confidence.”

Robert Half advises clients on how to do just that and helps them find the right people to lead that transformation.

Expertise Matters

From a people perspective, previously siloed teams are being consolidated on a group level to create a centralized point of contact for cybersecurity that then provides support to each business unit, Li explained. Instead of outsourcing technical tasks to consultants, companies are now looking to hire specialists for their internal teams. But with much of this talent coming from outside Japan, domestic salaries are an obstacle.

“Employees here in Japan are typically rewarded based on tenure and age instead of merit and skill,” he noted. “To get around this, some companies have started to offer contracting solutions. They’ll say, let’s do a fixed-term contract. And with this fixed-term contract, we can step outside the bounds of our salary structure and give the specialist what the [global] market is paying, and a little bit more.”

This is important as there is an estimated shortfall of 190,000 cybersecurity professionals in Japan.

“Japanese companies are not used to hiring mid-career security professionals. They are used to hiring graduates, so to bring in someone mid-career, they don’t know how to do it, where to find them,” Li explained.

“Good cybersecurity engineers don’t typically fit the traditional model of an IT person. They may not have finished university, but they are adept at problem-solving and seeing patterns that other people might miss. We’ve placed people like this, and our clients have been absolutely happy with them,” he added.

Recruiting Manager for Cybersecurity Naoto Hamada shared an example of how Robert Half successfully placed a candidate who made a big difference for their client. But to do so, they had to overcome a challenge common in Japan: hesitation to change jobs.

“It was for a key project, and closing the role was a high priority. However, it’s challenging to find this talent in Japan,” Hamada explained. “We were able to find a match, and he received a competitive offer. But just one day before the deadline, on a weekend, he messaged me and said, ‘I can’t take this.’”

The problem wasn’t the offer but that he felt sympathetic towards his current manager should he leave.

“After receiving the message, he asked me to come meet at his station in person. I outlined the benefits of joining this international company and how it would provide him the career growth opportunities in line with his goals,” Hamada explained. “In the end, the key element was that we helped him visualize his priorities, then compare them to his current company. Based on this exchange, he decided to sign the offer and is now a key member in the newly created incident response team at his new company.”

Working hands-on in this way is at the core of Robert Half’s approach to recruitment. An important part of that are cyber risk meetups, which they host to bring together security professionals to share information and experiences which can help bridge the gap in cyber skills. A recent senior leaders’ meetup at Deloitte focused on ransomware resilience, and a public security meetup at Microsoft focused on software supply chain security.

“If we all share best ideas, best practices, and experiences, and implement those, perhaps we can improve cybersecurity maturity in Japan,” Li said.

Changing Regulations

Another thing to consider is the impact of changing regulations. Fabrizio Fumagalli, Robert Half’s recruiting associate director for cybersecurity, pointed out changes to ISO 27001, an international standard for information security management systems.

“This was updated in 2022, and companies have three years to comply,” Fumagalli said. “There are a few notable requirements on code security and the code supply chain. Companies need to be extremely careful about what’s in their code and conduct appropriate audits to assess where vulnerabilities may be.”

On average, about 80 percent of the code in a typical application is open source, Fumagalli noted, so it can be difficult to know what vulnerabilities may be hiding there. As a result, companies will need people in security who are proficient in software development.

“Instead of relying on documents from an external vendor, companies need a specialist who can check the code to ensure it is secure. Teaching security is easier than teaching the development side, so that is where companies’ priorities should be,” he added.

Specific to Japan, he said, is the need for mid-career cybersecurity talent. “You cannot randomly reassign, or do rotations, as most Japanese companies do. Due to the specific set of skills needed for the role, there is an urgent need for individuals who are experts in cybersecurity.”

Li added: “Our clients are sharing that they need people who are application security engineers and can dynamically test the code, play around with it, see if they can break it. Or do static analysis by reading the code itself and figuring out where the logic problems are. These skills are in extremely high demand.”

Partner for Success and Security

In closing, Li said that Robert Half is working to change the perception of recruitment in Japan and to help clients look beyond the numbers and the next quarter. If you are reassessing your cybersecurity, Li, Fumagalli, Hamada, Taeng, and the Robert Half team are ready to expand upon this approach and partner with you to build the best teams for today and the future.

The ACCJ promotes US, Japan, and regional collaboration for economic security

The US–Japan partnership is the cornerstone of peace, security, and stability in the Indo-Pacific region, and the alliance got a boost in May when US President Joe Biden, visiting Tokyo, launched the Indo–Pacific Economic Framework for Prosperity (IPEF) with a dozen initial partners.

The launch came soon after the introduction of the Economic Security Promotion Bill in the Diet in February and was a welcome development for the American Chamber of Commerce in Japan (ACCJ), which believes that Japan’s efforts to promote economic security represent an important opportunity to further strengthen the vital bilateral partnership.

IPEF is built on four key pillars:

• Connected economy
• Resilient economy
• Clean economy
• Fair economy

The ACCJ was honored to be present at the launch, with leaders in the room with Biden, Japanese Prime Minister Fumio Kishida, and Indian Prime Minister Narendra Modi, while officials from 10 other IPEF member nations joined online.

In announcing IPEF, the White House said in a fact sheet that “the United States and our partners in the region believe that much of our success in the coming decades will depend on how well governments harness innovation—especially the transformations afoot in the clean energy, digital, and technology sectors—while fortifying our economies against a range of threats, from fragile supply chains to corruption to tax havens.”

In addition to Japan and India, those partners are Australia, Brunei, Fiji, Indonesia, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand, and Vietnam. There is an open invitation to other nations to join.

Task Force on Economic Security

Along with entry restrictions, digital economy, healthcare, and sustainable society, economic security was one of the ACCJ’s five key advocacy pillars in 2022.

With the Diet taking up the Economic Security Promotion Bill and IPEF approaching launch, in February the chamber formed a Task Force on Economic Security, led by Chair Arthur Mitchell and Vice-Chairs Shuichi Izumo, David Richards, Eric Sedlak, Megumi Tsukamoto, and Toshiki Yano.

On April 12, in support of the efforts by the Government of Japan (GOJ) to promote Japan–US economic security in the context of further strengthening the US–Japan partnership, the task force announced six principles to maximize the contributions of foreign companies to further enhance Japan’s attractiveness as a place for business to invest, innovate, and grow. These are:

• Maintain commitment to economic growth and free market principles.
• Work with partner countries and ensure a level playing field.
• Define critical infrastructure, equipment, and services narrowly and clearly.
• Ensure transparent and fair processes.
• Leverage global best practices.
• Reinforce US–Japan economic collaboration.

The first notes that the promotion of competitive and efficiently regulated markets, as well as open trade and investment, are essential to harnessing the dynamism of the private sector to drive economic growth, prosperity, and overall welfare in Japan. Ensuring predictability, consistency, and alignment across various regulations, while avoiding overly prescriptive, inconsistent, or duplicative measures that risk impairing market dynamism, is key.

The second points out that allowing new market entrants fair access and guaranteeing fair treatment of all market participants is critical. Any measures to introduce differential treatment on the basis of promoting economic security should be narrow, targeted, and not undermine the ability of companies from allied and like-minded countries to continue making important contributions to Japan’s economic welfare and economic security.

The third requires that certain infrastructure, equipment, and services designated as critical be narrowly and clearly scoped, and not cover wide categories of offerings in Japan. This will help ensure that the right resources are applied to protecting the parts of the infrastructure that are most essential, and not extended to non-critical systems.

The fourth asks the GOJ to ensure ample opportunity for broad stakeholder engagement at all stages of development, implementation, and enforcement of rules related to economic security. Ensuring that procedures such as notification or reporting requirements are clear, simple, reliable, and appropriately scoped—and are informed on an ongoing basis by private sector engagement and expertise—will be critical, the task force says, to avoiding negative unintended consequences and achieving their intended goals.

The fifth notes that the adoption of global best practices will promote efficiency and sound regulation, thereby helping Japan benefit from innovation and expertise developed across the globe. By proactively engaging with like-minded countries, such as the United States, the GOJ can develop and elevate best practices as internationally recognized standards, including with regard to ensuring data free flows with trust.

The final principle calls for bilateral mechanisms for cooperation, such as the US–Japan Economic Policy Consultative Committee, established in January 2022, as well as multilateral groupings such as the G7 and IPEF, to be leveraged to share best practices and promote alignment and interoperability in each country’s respective mechanisms for promoting economic security.

Task force Chair Mitchell, Vice-Chairs Izumo and Tsukamoto, and ACCJ President Om Prakash had the honor of discussing the principles directly with then-Economic Security Minister Takayuki Kobayashi on April 21.

With the passage on May 11 of the Act for the Promotion of Ensuring National Security through Integrated Implementation of Economic Measures by the Diet, IPEF underway, and Japan set to host the G7 Summit in Hiroshima in May, economic security will continue to play a key role in ACCJ advocacy throughout 2023.

New embassy role focuses on technology leadership and collaboration

As the pace of digitalization quickens and technology plays an increasingly important role in our lives, maintaining global leadership in science, technology, and innovation is critical. To do so, the United States Foreign Service has created a new position—regional technology officer (RTO)—which will focus on enabling the United States to maintain its leadership through transnational approaches to technology policy and development initiatives.

RTOs will focus on:

• Promoting US leadership in technology
• Ensuring that technology ecosystems support democratic values
• Securing US economic assets
• Enhancing US competitiveness with strategic competitors

The RTO program will place foreign service officers (FSOs) at key global innovation hubs, where they can engage with the local technology community, promote regional cooperation and public outreach, and energize global technology hubs to accomplish US policy objectives.

This year, the US Department of State is deploying three RTOs. Matt Chessen (RTO Tokyo) and Jim Cerven (RTO Sydney) have arrived at their posts, and Charlette Betts is due to begin her RTO role in São Paulo, Brazil, in November. There are plans to deploy three more RTOs in 2022, with additional officers rolling out in the coming years.

To learn more about the RTO role, The ACCJ Journal spoke with Chessen about the overall goals as well as his mission in Japan.

How does an RTO in a diplomatic capacity differ from one in a corporate capacity?
This is a great question, as there are some similarities and analogues, but also important differences in our work.

One interesting observation from the diplomatic perspective is how we’re increasingly seeing corporate representatives playing a more proactive role in areas that traditionally were the domain of governments, such as the creation of normative value frameworks for particular areas of technology.

I was recently introduced to the Business Software Alliance’s Framework to Build Trust in AI. I see this kind of work as a positive evolution in the concept of corporate responsibility, where businesses recognize that there are risks inherent in new tools and are proactively taking steps to mitigate those risks.

The US government welcomes the participation of the private sector, encouraging it to play a strong role in the development and adoption of principles and norms for technologies. In fact, governments can’t and shouldn’t develop these frameworks without working hand in hand with the private sector and other stakeholder groups.

RTOs will focus on some of the same topic areas as their corporate counterparts, such as promoting an environment conducive to US business. RTOs have an outreach role which is analogous to private-sector public relations. This could involve working with our public diplomacy colleagues to enhance messaging around technology issues, or speaking on behalf of the US government. Because RTOs have deeper expertise in technology policy, they will serve as panelists and speakers at regional events, both governmental and non-governmental.

There are also some differences between RTOs and our corporate counterparts. We are focused on a broader range of critical and emerging technologies than are most private-sector representatives. Even within the technology sphere, we are generalists compared with our private-sector colleagues. RTOs have an internal capacity-building role in which we are tasked with raising the level of technology awareness and expertise among our diplomats in the region. We also have a strategic foresight function, where we’re expected to analyze emerging-technology markets and report on trends that generate opportunities and risks for economic and national security.

Why has the US government created this role?
The decision to establish the RTO positions was well supported by evidence from outside and inside government. The National Academies of Sciences, Engineering, and Medicine first proposed the idea of regional technology diplomats in their 2015 report Diplomacy for the 21st Century: Embedding a Culture of Science and Technology Throughout the Department of State. The National Security Commission on Artificial Intelligence made similar recommendations in their final report, where they recommend that the Department of State “establish a cadre of dedicated technology officers at US embassies and consulates to strengthen diplomatic advocacy, improve technology scouting, and inform policy and foreign assistance choices.”

Concurrent with these analyses, the Department of State noted four trends that made the case for RTOs.

First, as we’ve seen with 5G communications technologies and trusted infrastructure, technology issues are closely connected with many US core geopolitical interests.

Second, technology issues—such as semiconductor supply chains—are increasingly transnational in nature.

Third, there is a proliferation of international forums where technology issues are discussed, and we need officers with deeper expertise and focus on technology issues who can represent the United States in these forums.

And fourth, there is a recognition that, to maintain global leadership in technology, we have to build networks of regional partners that include the private sector, non-governmental organizations, and academia—in addition to governments.

Most of our FSOs are generalists who could be issuing visas in one assignment and coordinating climate policy in their next. The RTO initiative is a means of placing greater focus on technology issues and has a side benefit of cultivating a cadre of FSOs with deeper technological knowledge.

How will you liaise with the Japanese government?
In addition to their regional responsibilities, each RTO has a bilateral portfolio focused on their host country. For myself, I’ll be focusing on building additional cooperation with Japan on artificial intelligence (AI) and enhancing our partnership on standards for emerging technologies. I will also be focusing on how we can partner with Japan on broader regional technological issues such as regional data governance or promoting trusted infrastructure in ASEAN member states.

Will you be supporting Japan’s digitalization efforts?
I wouldn’t want to give the impression that the RTO becomes the focal point for all bilateral technology issues. We have officers that cover everything from digital economy issues to emerging energy technologies to fintech. We also have a large team here at the embassy focused on digitalization, both in the Trade and Economic Policy Unit and the Foreign Commercial Service Office. The RTO will serve to support their efforts.

Somewhat related, one of my goals is to improve collaboration between the United States and Japan on basic research in AI. Japan has tremendous capabilities in hardware and robotics, while the United States is strong in software and data. Enhancing our basic research cooperation will allow us to capitalize on each other’s strengths.

What are the biggest technological threats and challenges facing the United States and Japan?
I believe that the United States and Japan must work together, and with other democratic partners, to ensure we remain the global leaders in technology, and that technological ecosystems reflect our shared values. We are facing a new geotechnological environment, where the People’s Republic of China aspires to lead the world in technology and is using technology to undermine democratic values, the rule of law, and human rights. Ensuring US and Japanese leadership will require enhanced cooperation across the technology spectrum, from research and development to principles and governance.

We also need to make certain that markets are fair and that our economic assets are protected. The key will be enhancing our shared economic security without veering into policies that become protectionist or, worse, undermine the very industries we are trying to cultivate. We believe we can strike this balance and we look forward to working with Japan and other regional partners—especially our friends in the private sector—to promote our mutual economic and national security through global technology leadership.