Knowledge May 21, 2024 How do you strengthen IT governance at overseas locations? Expanding KDDI networks across the globe to comprehensively support the IT governance in and outside Japan

―What is your view on how Japanese companies are entering Asian regions, and the background and current situation with cyberattacks?

Sezaki: To date, we have encountered a raft of cases where the information system representatives were developing and managing systems to connect their headquarters and overseas locations, and delegating the authority to local representatives to manage their IT infrastructure development and management.

However, recently there have been many information leaks due to vulnerable security at these overseas locations, as well as cases that impact the operations of their group companies and business partners. This has changed the situation, making stronger governance and security, including at overseas locations, an ever more important management issue.

―KDDI provides services to help Japanese companies establish IT governance at their overseas locations. What steps do you take when doing so?

Sezaki: The level of issues varies by customer. Some customers know the current state of their information systems and are thinking about what to do, while some companies have done nothing at all.
When evaluating what action to take, we need to accurately grasp the customer’s current situation, as well as their problems. Two survey methods play a key role in doing this.

The first is an IT environment survey. We actually visit the customer’s office and check their system configuration at the site.
If we just interview their overseas locations from Japan and check documents on the desk, it is often difficult to ascertain one another’s intent and we may not sufficiently understand the current state of their system, so it is important to actually visit the site and see it in person.

The other one is security assessment. The approach of assessing a client’s security through questions about appropriate security frameworks and guidelines enables us to survey the site’s security level.
By combining these surveys, we can clearly visualize what is happening at each.

We use security improvement guidelines such as the NIST Cyber Security Framework to propose how security measures can be enhanced at overseas locations.
The existing situation is arranged into categories such as strategies, organization, accounts, infrastructures, data, networks, and monitoring of operations. We then identify problems and evaluate measures for the five functions of “identification,” “defense,” “detection,” “response” and “recovery.”
As far as actual steps are concerned, we decide which measures to prioritize based on the customer’s management policies and budget, and create a step-by-step response roadmap. Then we run the cyber security framework cycle to continuously improve the security level.

Ikeda: It is extremely difficult for overseas locations and local staff to take these security measures themselves.
We as Japanese people are meticulously taught how to read and write in elementary education, so we are particularly good at reading and understanding manuals and acting accordingly. In other countries, however, people prioritize “listening and talking.”
So, even if we tell local staff to read this manual and take security measures according to the NIST Cyber Security Framework just as stated in the manual, chances are that they will not respond right away.
There are other challenges such as the overseas locations being far away and in different time zones, and having different views, laws and regulations, and business practices with regard to security.
This means that just because we can do these things smoothly in Japan, the same is not necessarily true overseas. This comes from cultural differences.

―Even though you face cultural and linguistic hurdles, KDDI offers services capitalizing on its extensive overseas location networks.

Sezaki: Even if you uncover the issues facing an overseas location, you cannot solve them unless you can actually take measures locally.
KDDI covers 245 locations in 104 cities (as of August 2023) spanning Japan, Europe, China, Southeast Asia, and the Americas.
There are few Japanese companies that cover as many areas with their ICT services.

Katayama: We are seeing ever more security incidents at overseas branches and plants where taking security measures is difficult.
KDDI has locations not only in major cities but in some regional cities as well. Japanese staff and local engineers act together, so people at local corporations can be briefed in the local language.
Information system representatives in Japan can discuss measures with KDDI staff in Japanese to avoid any stress about language.
Customers are finding our services reassuring because we visit their overseas locations and take action with the understanding of the views of their representatives in Japan.

Ikeda: Being in Japan, you may think that we do all local responses in English. However, the Japan side’s requests will not be fully understood by local staff unless we communicate in Thai if we are in Thailand, and in Vietnamese if we are in Vietnam.
We believe security is about devising thorough measures by extending our thoughts to whether even local employees can understand the structure and framework.
KDDI has the system to support customers who are facing such language-barrier problems.

―Going forward, how will KDDI’s IT governance service develop for Japanese companies heading into the global market?

Katayama: In July 2023, we started offering a global security service called “Global SASE Platform Service by Fortinet (hereinafter ‘Global SASE’)”.
Through our experience of supporting countless Japanese companies to date, we know how difficult it is to hire engineers in regional cities, the soaring cost of hiring them, the high rate of turnover, and how difficult it is to guarantee security in overseas locations. However, as I have explained, accelerating business development and ensuring security have become critical issues for companies expanding abroad.

Global SASE is a security service that covers key functions for global security measures, and can sustain security in a guaranteed state without changing customers’ infrastructure, as it utilizes our international communication networks.
KDDI’s many overseas locations will provide support, so we would like customers to focus on their core business without having to worry about information security. Global SASE is a service spawned from this passion.

Ikeda: First, our headquarters in Japan will establish suitable rules on global IT security, including for overseas locations, and put those rules in to practice at the overseas sites. Security is just rules. We need to manage IT governance with shared platforms and operational structures, including those at overseas locations.
And when applying these rules to overseas locations, we will adjust them by taking local laws and regulations, cultures, practices, and languages into account.
Global SASE is one of the universal platform options that can be used across the globe.

Sezaki: KDDI has been working closely with our customers, providing optimized solutions to solve their problems. We will walk side by side with them from the stage of identifying their problems issues so we can devise optimal services for them from among our multiple options. These will be put into action by our local representatives overseas. That’s where we hold a competitive advantages.