Please select a language

Please select the country/region where you would like to introduce your business.

Contact Us

Knowledge May 22, 2024 How do you strengthen IT governance at overseas locations? Expanding KDDI networks across the globe to comprehensively support the IT governance in and outside Japan


img

The concerns of Japanese companies planning to enter overseas markets, especially in Asia, in their search for new markets is how to ensure security for their information systems. Since the COVID-19 pandemic, as remote work has spread and access to corporate information networks diversifies, how to protect themselves from cyberattacks has become a pressing issue.

KDDI uses its subsidiaries abroad as hubs for providing services to overseas-based companies to enhance their IT governance. For this article, we have interviewed three KDDI members who support companies’ entry to overseas markets, asking them to share their own perspectives.

*The division names and job titles in this article were current as of the time of the interview.

Information security issues facing overseas locations

―What is your view on how Japanese companies are entering Asian regions, and the background and current situation with cyberattacks?

Sezaki: I propose ICT infrastructure development overseas to Japanese corporations entering the global market. When companies head abroad, they are either opening new production bases or expanding their market, but in recent years, all kinds of industries are going overseas mostly to expand their markets.

In addition to what manufacturers are doing, the expansion by retailers and the service industry in particular is remarkable. They are also seen to be moving their production bases to avoid geopolitical risks and relocating to receive special treatment in certain countries.

KDDI株式会社 グローバル推進部 部長 瀬崎 智史

Tomofumi Sezaki
General Manager, Global Sales Department
KDDI CORPORATION

Kazunori Ikeda
Regional CTO
(Registered Information Security Specialist)
KDDI ASIA PACIFIC PTE. LTD

Ikeda: I am based in Singapore and provide ICT solutions to Japanese corporations entering Southeast Asia and South Asia. I see many Japanese corporations going to Vietnam and India.

I get daily inquiries from them because these overseas locations of theirs are targeted in cyberattacks, and they want to know how we can respond. New overseas locations usually focus on business development to expand their respective markets, and tend to leave information security measures for later. The extent to which their headquarters information system representatives can respond also varies by company.

Sezaki: To date, we have encountered a raft of cases where the information system representatives were developing and managing systems to connect their headquarters and overseas locations, and delegating the authority to local representatives to manage their IT infrastructure development and management.

However, recently there have been many information leaks due to vulnerable security at these overseas locations, as well as cases that impact the operations of their group companies and business partners. This has changed the situation, making stronger governance and security, including at overseas locations, an ever more important management issue.

Katayama: I was in Singapore for almost eight years proposing ICT services to Japanese companies entering the Asian market, but am now based in Japan proposing ICT infrastructure development.

I think, just as I did in Singapore, that security awareness changed owing to the spread of COVID. Corporate systems use closed networks, but as companies took to teleworking, they needed to use the Internet to enable access from the outside.

When this happened, companies instantly turned their attention to stronger security to protect their business from cyberattacks that invade their systems through the Internet.

Takayuki Katayama
Group leader, Network Service Planning and Architect Department
KDDI CORPORATION

NIST(*1): Enhancing security quality while running the cycle of cyber security frameworks

―KDDI provides services to help Japanese companies establish IT governance at their overseas locations. What steps do you take when doing so?

Sezaki: The level of issues varies by customer. Some customers know the current state of their information systems and are thinking about what to do, while some companies have done nothing at all.
When evaluating what action to take, we need to accurately grasp the customer’s current situation, as well as their problems. Two survey methods play a key role in doing this.

The first is an IT environment survey. We actually visit the customer’s office and check their system configuration at the site.
If we just interview their overseas locations from Japan and check documents on the desk, it is often difficult to ascertain one another’s intent and we may not sufficiently understand the current state of their system, so it is important to actually visit the site and see it in person.

The other one is security assessment. The approach of assessing a client’s security through questions about appropriate security frameworks and guidelines enables us to survey the site’s security level.
By combining these surveys, we can clearly visualize what is happening at each.

We use security improvement guidelines such as the NIST Cyber Security Framework to propose how security measures can be enhanced at overseas locations.
The existing situation is arranged into categories such as strategies, organization, accounts, infrastructures, data, networks, and monitoring of operations. We then identify problems and evaluate measures for the five functions of “identification,” “defense,” “detection,” “response” and “recovery.”
As far as actual steps are concerned, we decide which measures to prioritize based on the customer’s management policies and budget, and create a step-by-step response roadmap. Then we run the cyber security framework cycle to continuously improve the security level.

従来型セキュリティとゼロトラストセキュリティの概念図

Ikeda: It is extremely difficult for overseas locations and local staff to take these security measures themselves.
We as Japanese people are meticulously taught how to read and write in elementary education, so we are particularly good at reading and understanding manuals and acting accordingly. In other countries, however, people prioritize “listening and talking.”
So, even if we tell local staff to read this manual and take security measures according to the NIST Cyber Security Framework just as stated in the manual, chances are that they will not respond right away.
There are other challenges such as the overseas locations being far away and in different time zones, and having different views, laws and regulations, and business practices with regard to security.
This means that just because we can do these things smoothly in Japan, the same is not necessarily true overseas. This comes from cultural differences.

*1NIST:National Institute of Standards and Technology, U.S.

Understanding the local culture of the country and ensuring rules are meticulously followed in the local language

―Even though you face cultural and linguistic hurdles, KDDI offers services capitalizing on its extensive overseas location networks.

Sezaki: Even if you uncover the issues facing an overseas location, you cannot solve them unless you can actually take measures locally.
KDDI covers 245 locations in 104 cities (as of August 2023) spanning Japan, Europe, China, Southeast Asia, and the Americas.
There are few Japanese companies that cover as many areas with their ICT services.

The KDDI Group Platform, supporting customers' global business

従来型セキュリティとゼロトラストセキュリティの概念図
*Numbers of locations and employees are as of the time of data collection.

Katayama: We are seeing ever more security incidents at overseas branches and plants where taking security measures is difficult.
KDDI has locations not only in major cities but in some regional cities as well. Japanese staff and local engineers act together, so people at local corporations can be briefed in the local language.
Information system representatives in Japan can discuss measures with KDDI staff in Japanese to avoid any stress about language.
Customers are finding our services reassuring because we visit their overseas locations and take action with the understanding of the views of their representatives in Japan.

Ikeda: Being in Japan, you may think that we do all local responses in English. However, the Japan side’s requests will not be fully understood by local staff unless we communicate in Thai if we are in Thailand, and in Vietnamese if we are in Vietnam.
We believe security is about devising thorough measures by extending our thoughts to whether even local employees can understand the structure and framework.
KDDI has the system to support customers who are facing such language-barrier problems.

Offering the optimal solution for customer problems from KDDI’s wide-ranging services

―Going forward, how will KDDI’s IT governance service develop for Japanese companies heading into the global market?

Katayama: In July 2023, we started offering a global security service called “Global SASE Platform Service by Fortinet (hereinafter ‘Global SASE’)”.
Through our experience of supporting countless Japanese companies to date, we know how difficult it is to hire engineers in regional cities, the soaring cost of hiring them, the high rate of turnover, and how difficult it is to guarantee security in overseas locations. However, as I have explained, accelerating business development and ensuring security have become critical issues for companies expanding abroad.

Global SASE is a security service that covers key functions for global security measures, and can sustain security in a guaranteed state without changing customers’ infrastructure, as it utilizes our international communication networks.
KDDI’s many overseas locations will provide support, so we would like customers to focus on their core business without having to worry about information security. Global SASE is a service spawned from this passion.

従来型セキュリティとゼロトラストセキュリティの概念図
*Service planned to start in China in fiscal 2024.

Ikeda: First, our headquarters in Japan will establish suitable rules on global IT security, including for overseas locations, and put those rules in to practice at the overseas sites. Security is just rules. We need to manage IT governance with shared platforms and operational structures, including those at overseas locations.
And when applying these rules to overseas locations, we will adjust them by taking local laws and regulations, cultures, practices, and languages into account.
Global SASE is one of the universal platform options that can be used across the globe.

Sezaki: KDDI has been working closely with our customers, providing optimized solutions to solve their problems. We will walk side by side with them from the stage of identifying their problems issues so we can devise optimal services for them from among our multiple options. These will be put into action by our local representatives overseas. That’s where we hold a competitive advantages.

Please consult a KDDI consultant.