Joining in a hurry 3 months before launch: a governance and security consulting round-table talking frankly about the actual situation of new businesses

Security measures are one of the important factors in business these days as threats become more sophisticated. Especially when launching a new business, meeting security industry standards with legal compliance in mind cannot be neglected, but in reality companies face many challenges in doing so. This round-table discusses the importance of security measures in such a new business.

POINT
  • For security measures when launching a new business, it is important to determine whether the target market complies with domestic and foreign laws and regulations.
  • The key to selecting a consulting firm is whether or not it can envision execution after planning.
  • It is important to operate using the latest knowledge that will become the industry standard and to create a system that can be improved.

Lack of security…A challenge in new businesses

What kind of issues are likely to arise in the process of creating new businesses that many companies are working on?

Iida: Generally speaking, when starting a new business, one of the best ways to proceed is to expand horizontally based on the company's technological assets and existing strengths. However, there are cases where companies are unable to see what is required in the industry or market they are targeting. The same thing happens when Macnica starts a new business, thinking about the market that fits what they want to sell, and neglecting the issues of business processes in that market. We tend to think of it as an extension of existing products and solutions.

In addition, in the manufacturing industry, which has traditionally done business by selling the product itself and contracting out operational and maintenance services, if we think about business in the area of DX, we will be providing value to customers centered on services. In that case, the cloud is highly convenient, but there are many cases where the on-premises knowledge that has been cultivated over many years does not apply well, and progress is slow.

What security issues are likely to emerge?

Suzuki: In order to comply with governance, it is usually necessary to document security rules and policies, implement them on-site, and have them properly observed. However, we often see the so-called issue of personalization, where we have not implemented a mechanism to have the site protect us, even though we have created the document, and each department adopts a different method. There is also a problem that the industry standard policy is not included.

Shimizu: Since there is a shortage of security personnel in the first place, it is not a bad idea to ask outside consultants who are familiar with the industry. However, if the subcontractors are different depending on the department, the method of implementation at the site will also change, so there are cases where the overall security level does not improve. Exactly what Suzuki explained, quite a few companies end up in a situation where the overall level of the company cannot be raised in line with the overall policy.

Iida: A new business must have its target market in mind, and naturally there are laws and regulations in that market. In Japan, of course, there are many laws and regulations in each region when the target region is expanded to China and Europe, for example. GDPR is famous in Europe, but honestly, it is difficult to cover all laws and regulations according to the target region. It is also necessary to consider what concrete measures should be taken against the law, and it is difficult for companies to take measures alone. Although it's not against the law, it's especially difficult for new businesses to make best-practice judgments about what to do, and we're always looking for ways to do so.

Security that is often overlooked in new businesses

Are there any points that tend to be problematic in terms of the system?

Iida: In the case of new businesses, there are many cases where speed is emphasized, and it is undeniable that security tends to be put on the back burner by allocating a lot of resources to system development and promotion. In addition, as the form of the system changes greatly from the conventional system, such as using the cloud from on-premises, it is necessary for conventional developers and operators to acquire technology and operational know-how in a completely different field. It is natural for a company to prioritize development investment for service release and bringing it to a state where it can be promoted on the business side. As a result, security is compromised.

There seems to be an environment unique to Japan.

Iida: In the case of Japanese companies, compared to global companies, there is an overwhelming shortage of people in charge of information security, such as CISOs (Chief Information Security Officers). It is clear that companies without a CISO tend to spend less on information security. In that case, security-savvy consultants like ours are useful, but in the case of general consulting firms, there are many issues before the plan is completed, and there are cases where the plan is abandoned. Even if an optimal security plan for a new business has been created, there are actually some sites that face the dilemma of not being able to implement that plan.

Examples of consulting related to new business

As a consultant, how will you be involved in new businesses in the area of security? Can you give me some examples?

Suzuki: In this case, we were assisting a customer who was about to launch a new service, but when we actually talked to him, the location of the security officer was unclear, and he was not very familiar with the laws and regulations of the new business field. If things continued like this, there was a possibility that governance would become a problem later on. Macnica had a proven track record in the industry and seemed to have a reputation for being knowledgeable about laws and regulations, so they requested that they correct the current situation. Therefore, we decided to provide support in order to bring it closer to industry standards.

Shimizu: When starting a new business, launch is the top priority, and costs and human resources are focused on service development. Although they were focusing on development for monetization, security seemed to be on the back burner. There is a contradiction between development speed and security, and people tend to think that security does not generate profits.

Sato: It is difficult to implement security guidelines, such as setting checkpoints and periodically checking and reviewing development content to prevent information leaks. From the development side, we would like to focus on development and start developing new services. Some customers believe that innovation will come to a halt if the speed inevitably slows down, and this was the same view held by this case study. Many companies believe that security is not a business driver.

What was the actual background behind Macnica's support?

Shimizu: Initially, a major foreign-affiliated IT strategy firm was participating, and we had a large framework in place to work on. However, they were left unattended without knowing how to put it into operation at the site, and the site was in trouble. At that point, we were singled out.

Sato: At the beginning of the consulting firm, we also conducted a security maturity survey like ours. It did not include perspectives or industry-specific real security insights. Certainly the materials are beautifully made, but I can't see how to actually use them. I had the impression that they had just used what they had created overseas, and I had to say that it would be difficult to put them into actual use.

Common consulting pitfalls


It is very difficult to grasp the current situation... How to proceed with the project

How did this project proceed?

Shimizu: Originally, we didn't have a set goal, so we started with a survey of the actual situation, then decided on a major policy, created a manual, and prepared a check sheet. As a customer, they wanted us to list things that could be done quickly and efficiently for things that absolutely must be done. In the initial support, even the part that decides the policy while conducting the survey. After that, we proceeded with the work to put it into operation, and we are still continuing our improvement activities.

Suzuki: At first, we had an image of identifying issues from maturity surveys and presenting points that needed to be corrected, but our customers wanted us to move forward together. When providing execution support including implementation, it is difficult to operate without manuals and policies in the first place, so the start of the project is to decide including them. In reality, we identified what we needed to do based on the major axes of importance and priority until launch, and implemented measures in phases.

Sato: Specifically, safety standards recognized by the government are established, and cross-industry guidelines are presented within them. Organizational structure, information handling, system support requirements, etc. will be determined. I proceeded with the implementation while using the sentences.

How to proceed with a new business security project


It seems to be difficult just to investigate and visualize the current situation.

Sato: Actually, we held individual meetings and interviewed the superiors of more than 25 departments, and conducted a survey in about two weeks to visualize the current situation. For example, when asked if there were any rules, each department responded that they were following the rules in the 30-page PDF. Moreover, the number of documents alone was nearly 100, and there were English and Japanese versions scattered about. To be honest, there were times when I was depressed just by checking, and it was quite a struggle just to do the research.

After clarifying the current situation, we dropped it into the actual manual.

Sato: While referring to the customer's rule document, which includes the contents of ISMS and PCI DSS, we put it into the customer's words. We decided on a big policy and dropped it down to more concrete measures. We have also incorporated a self-inspection system so that we can check and improve ourselves. We asked them to answer Yes / No for each self-inspection item, and we also wrote down specific improvement methods.

I heard that Mr. Iida participated in the project from the systemization of self-inspection.

Iida: In the project, we created a security standard that should be considered in order to provide users with peace of mind and safety, but of course there are areas where the maturity level is not sufficient when compared with the domestic standard. Regarding certain threats, it was certainly included as a requirement in our internal standards, but at that stage it was still not enough. Considering the social trend, it will be necessary to strengthen it more and more in the future, so a sub-project was quickly launched, and I decided to participate in it.

At that point, it seems that a fairly detailed breakdown has already been done, but it is still not enough.

Iida: Security is constantly changing depending on trends on the attacking side. Therefore, since guidelines and requirements are updated on a daily basis, the self-inspection system must also be reviewed periodically, taking into consideration the social situation. In particular, security needs to be prepared for the latest situation while always accompanying customers.

Common issues in creating internal standards


Shimizu: As a company, Macnica in particular has a lot of knowledge about global security, and we constantly monitor the latest information, including collaboration with the hacker community. Because we handle a large number of security products, one of our great strengths is that we can directly communicate with cutting-edge human resources, such as having engineers from our vendors involved in formulating the latest standards. The key point is that we are able to understand global standards for countering increasingly sophisticated security threats and apply them in a form that is suitable for domestic use.

Iida: The theme of the consulting we do is to proceed with projects with customers in an accompanying style, and communication with customers is extremely important. Although we are currently in the midst of the coronavirus pandemic, we are basically stationed at the customer's company and providing consulting from the same perspective as employees. The approach is essentially different from a contract type where only specific tasks are performed.

It is precisely because we face heated discussions with sincerity that we gain the trust of our customers.

What kind of evaluations have you received from customers as a result of the escort-type support?

Suzuki: When working together with customers in the escort style, there are challenges that we have never experienced before. However, we believe that the fact that we continue to receive various consultations because we have continued to provide support without giving up with passion is probably proof that we are highly evaluated. The project is still ongoing, and we are currently reviewing existing projects and working on new themes.

Sato: I received an urgent request from an Executive Officer to join a meeting during a Member of the Board meeting. I was suddenly asked for my opinion on the changes in the world, and I was in a hurry to express my opinion to the Member of the Board when I could not prepare in advance. Even so, we believe that the fact that they ask us for our opinions means that we have built a relationship of trust.

It's quite a thrilling development to speak your opinion at the Member of the Board meeting without having to prepare in advance.

Sato: After 10 minutes, I received a call saying they wanted to discuss it via a conference call. While multiple consulting firms were making proposals for this response, upper management, who had evaluated the company's past support track record, voiced within the company that Macnica might be the best choice, so they immediately submitted a proposal. I received a request for it.
The topic was related to quality control, but once I submitted the proposal, I decided to have a meeting with the two heads of the departments in charge. The order form was delivered within the same day, which gave a sense of speed. It may be that a sense of trust has been cultivated among the customers based on the company's past achievements, such as the fact that the company is highly regarded for its know-how in the industry it is entering into.

Iida: The sense of speed in which things are decided quickly is not unique to this customer, but is common when starting a new business. Of course we have past achievements, but we believe that what we received the most praise for was our ability to execute. Even consultants who draw up beautiful plans find it really difficult to execute them. Our strength is that we can put this into practice and see it through. I believe that this aspect was evaluated correctly.

Of course, there is a responsibility to carry out, but I have the impression that there are many cases where consultants cannot go that far.

Shimizu: I think that's the strength of the escort-type approach, which works as an employee of the customer and as a member of the organization. During the first policy decisions, when we talked to overseas people on site, we asked them to identify points to correct, but they only answered with the nuance that they can do anything. But due to differences in stances and ways of thinking, we sometimes ended up arguing before we knew it. It may not be the best approach, but I think it was precisely because we face each other sincerely as a member of the organization that the discussions were so heated.

Were there times when you couldn't get a response on-site even though you conveyed your enthusiasm?

Shimizu: There have been incidents related to the points we suggested in advance, and we have received comments from people who say they should have listened to Macnica more. Naturally, depending on the department, there are some areas that cannot be completed with internal resources alone. Even though we asked them to do this as a top priority, we were not able to fully explain why they should do it now, and as a result, an incident occurred several weeks later. When it comes to security, it is true that the way we think about security changes when we experience an incident, and by repeating this experience, we may be able to develop a new sense of trust in us. Now that Macnica has told me about it, I feel like people are starting to think about whether it's a good idea to do it.

Iida: Even from Macnica's perspective as a global technology trading company, I'm sure you can feel the benefits of working with us. When customers purchase new products, we always hear about them going through Macnica, and in consulting, we often help them define and select requirements for systems and products. To begin with, Macnica, as a technology trading company, has a lot of interaction with overseas suppliers, including semiconductors and network products, and has worked very hard to create the current environment. Particularly from the perspective of governance, many companies would like to understand how what is being done domestically compares to overseas standards as a head office function. I think it can be a valuable asset in that respect as well.

Suzuki: We started out as a consulting business, but now we maintain a solid relationship as a company-to-company relationship, and I think we have grown to be seen as someone we need to engage with in order to expand our mutual business. In the case of consultants, some people are taken for granted as experts in their field, and there are cases where they don't receive direct evaluations, but if they produce results, business will be created one after another. I think that's how we are evaluated.

Advice for starting a new business

Finally, do you have any advice for our readers about points to consider when starting a new business?

Sato: The same is true for existing businesses, but especially for new businesses, laws and regulations are constantly updated, organizations and people continue to evolve, and check sheets once created must be updated in a short period of time. As you run a new business, the level of your company or organization will improve, and I want you to be very conscious of whether you have an environment in place that allows you to update your business in accordance with the environment. However, busy customer businesses and information systems departments cannot secure resources, and they cannot invest heavily in governance and security in areas where it is unclear whether or not they will make a profit, so they tend to neglect it. From that perspective, I would like you to turn your attention to the existence of a partner who can quickly establish the security part.

Suzuki: It is important for our company to be able to create a system that can utilize the latest industry standard knowledge, incorporate it into operations, and make improvements. I think you can look forward to Macnica's consulting services, which will support you until you can create a well-controlled environment by identifying the workplace environment that has become individualized and improving its operation to the company standard.

Consultant

Our consultants, who are well versed in each field, will accompany you to the success of your project as a team member.

Business consultant
  • Hearing of issues
  • Environmental analysis
  • Materialization of issues, prioritization, implementation plan formulation
  • Implementation support, effect verification
  • Actual operation support, regular effect measurement
  • Improvement, formulation of improvement measures, etc.

Technical consultant
  • Differential evaluation of laws and regulations/guidelines and internal regulations
  • Proposal of improvement measures, preparation of documents and preparation of manuals for compliance with laws and regulations
  • Security verification, etc.

There are an increasing number of opportunities for companies to contact us when they are starting a new business. In particular, as the digitalization of the world progresses rapidly and many companies are promoting DX, many companies are starting new businesses to transform their business models, and Macnica is no exception.

Please feel free to contact us.