Global Security Governance: Insights from Kirin Group's Strategic Initiatives and Approaches
Amid global instability, including the COVID-19 pandemic and geopolitical tensions such as Russia's invasion of Ukraine, cyber-attacks are escalating. Japanese multinational companies are not immune, with vulnerabilities in group companies or supply chains often exploited, leading to widespread damage. Given the varying scales and response capabilities of these global entities, it is crucial to implement robust security measures. This article examines the Kirin Group's initiatives to enhance security and mitigate operational risks
Security Vulnerabilities in Group Companies and Supply Chains: A Critical Analysis
Ransomware attacks have become increasingly prevalent, targeting not only large companies but also smaller entities such as group companies, suppliers, and outsourcers. A recent incident involving a Japanese hospital highlights the vulnerability of non-large organizations. These attacks often aim to infiltrate networks through supply chains to demand ransom.
Japanese multinational companies, both domestically and internationally, have expanded through branch offices, mergers, and acquisitions. Subsidiaries acquired overseas are particularly vulnerable. Arai Yu, Executive Security Analyst at NTTDATA-CERT, a CSIRT (*1) of the NTT DATA Group, emphasizes the weaknesses of overseas subsidiaries within global companies.
- (*1) A Computer Security Incident Response Team (CSIRT) is a team that responds to incidents that are considered to be security problems.
NTT DATA Technology and Innovation General Headquarters System Engineering Headquarters Corporation
Yu Arai, Executive Security Analyst, NTTDATA-CERT
Arai emphasizes the need for robust security measures across all global subsidiaries and affiliates due to the indiscriminate nature of cyber-attacks. He notes that companies acquired through mergers may face unique challenges, such as differing business environments, corporate cultures, languages, laws, and social climates, making it difficult to implement uniform security measures.
Arai predicts this trend will continue and advises that the head office should establish common security policies for the group. Each subsidiary should then implement tools and measures tailored to local conditions, ensuring a unified security foundation to quickly address vulnerabilities within the group and supply chain.
Kirin Group's Security Challenges and Ongoing Improvement Efforts
The Kirin Group, expanding globally for 40 years, faces urgent cybersecurity challenges. Kadota Haruhiro, General Manager of the KBS Infrastructure Reinforcement Promotion Group, emphasizes the need to strengthen defenses against increasing cyber-attacks and enhance cybersecurity governance as the business grows. Kadota led the Information Security Promotion Group until September 2022.
Mr. Haruhiro Kadota, General Manager, Infrastructure Enhancement Group, System Infrastructure Management Department, Kirin Business System Co., Ltd.
Mr. Haruhiro Kadota
The Kirin Group's philosophy emphasizes creating products that enhance "food and health" to contribute to a spiritually rich society. To ensure business continuity and prevent brand damage, they have established the Health Science domain and implemented cybersecurity measures. Recent efforts include privacy data protection, global security visualization, and establishing a Security Operation Center (SOC) and CSIRT. Nobuaki Iijima now leads these initiatives.
Information Security Promotion Group, System Infrastructure Division, Kirin Business System Co., Ltd.
Mr. Nobuaki Iijima, General Manager
Since 2019, the Kirin Group's collaboration with NTT DATA has significantly accelerated global security enhancements. This partnership, rooted in a 2012 capital alliance, has focused on infrastructure and application development, fostering trust and a sense of security. Through ongoing dialogue, the collaboration has strengthened over time.
Strengthening measures based on policy rules, technology, and literacy
Strengthening Measures Based on Policy Rules, Technology, and Literacy
Kadota reveals that the Kirin Group has three pillars for strengthening security: strengthening policies and rules, strengthening technical measures, and improving literacy.
"We reformulated our governance policies and security rules and introduced tools and systems to detect attacks at an early stage. We are taking measures from these three perspectives to raise the security literacy of our employees. In addition, we are working to improve our defense capabilities and our response capabilities based on the assumption that we will no longer be attacked."
The key to these three pillars is the balance between aggregation and dispersion.
At the end of 2019, NTT DATA conducted an assessment of the security measures of 15 Kirin Group companies overseas. As a result, it was found that the Group's detection and response capabilities were particularly weak, and in April 2020, a roadmap for the next 3 years was formulated.
The first of the three pillars, strengthening policies and rules, was established because there was no global security policy at the time. This section summarizes the levels and concepts that must be cleared in order to eliminate "weaknesses" that can be attacked ("aggregation"). On the other hand, specific procedures and methods for security measures are "distributed" as necessary to make them meaningful for each system in each country, because even the method of backup differs between large and small systems. For small group companies that do not have specialized IT personnel and cannot consider measures on their own, the head office provides generous support.
In the second technical section, the head office sets out a security policy that is common to the entire world, and then introduces a common global security infrastructure that enables even small group companies to improve their security levels with as little effort as possible. Again, each group company implements measures to comply with laws and regulations in each country and to implement security measures for individual systems.
In the third section, in order to improve employee literacy, in addition to regular training to simulate actual attacks, we are considering the horizontal deployment of advanced training among overseas group companies. Since the behavior of the people who make up an organization is an extremely important factor in improving the security level of an organization, the aim is to improve both "defense capabilities" and "responsiveness," as Kadota mentioned earlier.
Due to repeated M&As, NTT DATA recognized a weakening in its global security governance. In response, it strengthened governance across the NTT DATA Group around 2017 and reformed its IT security infrastructure based on the Zero Trust concept (*2). An independent third-party assessment rated NTT DATA's security measures at 3.75, significantly above the global average of 3.1 for financial and military sectors.
Satoshi Nakao, responsible for cybersecurity consulting at NTT DATA, states that by leveraging the knowledge gained from their efforts, the Kirin Group aims to meet improvement targets by the end of 2022, addressing the weak points identified in the initial assessment. He also notes that both Kadota and Iijima confirm ongoing improvements in security and continuous efforts to enhance literacy.
Satoshi Nakao, Manager of the Cybersecurity Technology Department at NTT DATA
Iijima emphasizes that security is an ongoing effort, requiring continuous measures in collaboration with NTT DATA to ensure stable products and services. The Kirin Group, under its slogan "Toward a World Connected by Joy," aims to provide new joys in food and health, supported by KBS's IT initiatives. Kadota and Iijima highlight the strong, trust-based relationship with NTT DATA, which shares Kirin's values and provides honest feedback. NTT DATA will continue to support Kirin in enhancing its value
- * Title and affiliation of each individual are as of the time of publication.