I recently had the pleasure of participating in a conference about multilateral security collaboration in Tokyo. The Japanese government, under Prime Minister Shinzo Abe, has been actively expanding and strengthening security ties. Cybersecurity is one of the most important areas for bilateral and multilateral cooperation, and even more so after Tokyo was selected to host the Summer Olympic Games 2020 in September 2013.
One of the participants at the conference recently asked the other attendees how both Japan and its international partners could make their activities more visible to each other for closer collaboration. I shared three cybersecurity mindset gaps that exist between Japan and other countries that make it difficult for Japan to be visible.
First, fewer business executives are involved in cybersecurity discussions in Japan than they are overseas. According to KPMG’s cybersecurity survey in 2013, only 13 percent of Japanese companies strongly believe business executives should be involved in discussions on how to prevent cyberattacks, whereas the percentage is 56 among overseas countries. This is a result of the continued belief among Japanese companies that cybersecurity is an information technology (IT) issue, not a human issue or a challenge to their business risk management. Japanese companies often perceive cybersecurity as something purely technical to be dealt with by hands-on IT people.
Second, the Japanese tend to interpret cybersecurity as a cost center, not a business enabler. The Cross-Sectoral Committee for Cybersecurity Human Resources Development, to which 48 major Japanese companies belong, points out that Japanese companies employed IT as a tool to cut costs, and thus, the IT department is for cost-cutting. In December 2015, the Japanese government issued the Cybersecurity Guidelines for Business Leadership to encourage business executives to consider cybersecurity as a business enabler, not a cost center. The government aimed to speed up the process of enhancing the national cybersecurity capabilities in a top-down approach rather than a traditional bottom-up approach, because only a few years were left before Tokyo 2020.
Third, there is very little Japanese exposure to English. I know only a few Japanese people who can publish articles or papers, or give a talk about cybersecurity in English at international conferences or symposiums. The language barrier is certainly a problem. It is challenging for the Japanese to express themselves when describing highly technical, geopolitical, or policy issues and write a proposal or peer-reviewed paper in a non-native language.
This is, however, not just about the linguistic issue: the Japanese are culturally not adept at showing off their capabilities. An old Japanese saying, “A nail that stands will be hammered down,” demonstrates the Japanese lockstep mentality of avoiding doing anything differently from others.
The Japanese tend to evaluate employees by giving demerit scores. When a new employee starts working for a company, he or she has a full score. As long as employees keep working and performing in line with their predecessor, they can keep their scores. However, if they decide to challenge the company’s traditional approach and try something new, but fail to achieve visible positive results, their scores are reduced. Their courage is rarely appreciated. The culture discourages employees from testing new approaches and encourages them to stay in a safe zone.
For example, RSA 2017, one of the biggest IT conferences in the world, had several country booths, such as China, Germany, Israel and Korea. There was no Japan booth, although a couple of Japanese companies had set up their individual booths showcasing their products and services. Japan has missed a huge opportunity to highlight the direction its IT and cybersecurity innovations are going as we move toward the Tokyo Summer Olympic Games in 2020.
If Japan wants to improve its visibility regarding cybersecurity capabilities and global collaboration, the country needs to take three immediate actions:
- Use more visual help to draw more attention from Japanese business executives about the cyberthreat landscape and best practices.
Even if a Japanese business executive thinks cybersecurity is a cost center, he or she still cares about their business continuity. In Japanese culture, cartoons or manga are not just for children; the government and security vendors use cartoons and a lot of screen shots to raise cybersecurity awareness and explain security concepts. It would be useful to have visual help to explain what the cyberattack trend is, what types of cyberattacks have impacted business operations, and how customers can prevent successful cyberattacks.
- Fund projects for more English-language exposure, such as conferences and publications.
Japan recognizes global cybersecurity collaboration is crucial for its national security and the success of Tokyo 2020. It is the responsibility of the Japanese government and companies to speak up and share their interests and concerns in English. Professional services are available to help organizations better present themselves in global settings, such as conferences, TV appearances and publications. As Charlie Chaplin said, “All it takes is courage, imagination … and a little dough.” Ten major Japanese companies reportedly plan to participate in the cybersecurity technologies exhibition of the Interpol World in Singapore as “Japan Pavilion” in July 2017. This is the first time for Japanese businesses to take the initiative to provide any Japan IT exhibition, which is a great start. NATO’s annual International Conference on Cyber Conflict (CyCon) in Tallinn, Estonia, Black Hat in Las Vegas, and RSA in San Francisco would be other good events for Japan to raise its visibility in cybersecurity and multilateral security cooperation.
- Use this cultural difference as a golden opportunity to add new perspectives to global cybersecurity discussions
While the Japanese tend to be more introverted in any global discussions, Tokyo 2020 would be a watershed in changing the mindset and sharing different perspectives with other counties. Without explaining how Japan is culturally different from other countries, it is impossible to make bilateral or multilateral cybersecurity discussions work. It is easy to fall into lost in translation. Since Japan has been more quiet about the cultural difference than other countries, this is actually a golden opportunity to turn it to a strength and make an impact on global discussions by speaking up.