Why NIST is so popular in Japan

While organizations around the globe continue to grapple with chronic shortages of qualified cybersecurity workers, Japan is tackling the problem in a significant way by turning to two U.S. government technology frameworks to help manage its own information security manpower shortages.

Japanese industry has turned to the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework and National Initiative for Cybersecurity Education (NICE) Workforce Framework in an effort to fill the unique cybersecurity skills gap characteristic of Japanese companies.

Masato Kimura, a manager in the cybersecurity R&D planning department at Japanese telecom giant NTT, said that the NIST workforce framework in particular plays a pivotal role in Japan due to the high level of reliance by Japanese companies on outsourced IT and cybersecurity personnel.

In the U.S., around 71.5 percent of IT professionals work in-house, but in Japan, only 24.8 percent are company employees, according to Kimura, who spoke Wednesday at NIST’s Cybersecurity Risk Management Conference in Baltimore.

Yet even in-house IT professionals in Japan fall short of achieving the required cybersecurity expertise.

Employment in Japan is a lifetime proposition, with workers typically rotating into new jobs every two to three years, making it difficult for employees to develop strong cybersecurity skills. Compounding the problem, Japan will be facing a shortage of 193,010 cybersecurity professionals by 2020, prompting the Japanese Business Federation to declare that it is urgent and crucial to increase the pool of skilled in-house cybersecurity workers.

“Japanese critical infrastructure needs talents who are able to understand what the IT vendors are doing and [serve] as a bridge between C-suites and engineers,” Kimura said.

Kimura is also secretariat of Japan’s Cross Sectors Forum, a group of 44 Japanese companies from the chemical, financial, manufacturing, media and transportation sectors. These companies decided in 2015 to band together to establish an ecosystem to educate, recruit, retain and train cybersecurity professionals in collaboration with academia and the government.

Toyota, Mitsubishi, Sony, Panasonic, NTT, NEC, Hitachi, Fujitsu and Toshiba are among the Forum’s members.

Additionally, NIST’s Cybersecurity Framework helped provide a means for the forum members to communicate about cybersecurity across their diverse business sets.

“A common language is needed to apply to all the sectors,” Kimura said.

“Cybersecurity is difficult to implement unless you have common terms,” Lauri Korts-Pärn, Senior Security Architect at NEC said, noting that the NIST Framework, which is independent of any industry, serves that purpose.

The Forum hosts monthly plenary meetings as well as four monthly working groups that focus on workforce definition, workforce development, information sharing and collaboration with academia.

The Forum also hosts an annual conference for C-suite executives and invites government into cybersecurity discussions. Among the tools produced by these efforts are talent definitions, outsourcing guidelines and a CISO calendar.

The Forum developed a draft mission list and mapped it to the cybersecurity and workforce frameworks to develop outsourcing guidelines and CISO calendars. Because NIST has mapped the Cybersecurity Framework to the most commonly used information security standard used in Japan, the ISO/IEC 27001, it’s far easier for Japan to embrace the framework’s recommendations.

The appeal of NIST’s Cybersecurity Framework was so strong in Japan that the country’s Information Technology-Promotion Agency, or IPA, became the first foreign entity to translate the Framework fully from its English language version into another language in 2014.

Because of the framework, the forum was able to define and understand what kinds of cybersecurity talents member companies need and even prompted some members to sponsor cybersecurity courses to fill those needs.

“We can now show the reality of Japanese industry to Japanese universities,” Kimura said. The NIST framework also spurred the Japanese government to incorporate the Forum’s insights into the country’s national cybersecurity strategy and sparked a number of public, private and academic collaborations.

The forum has already created a database of cybersecurity training programs available for its members, cross-referenced by the talent definitions it devised. The next steps for the forum including even more innovations, including producing a guidebook for its members outlining the cybersecurity talent definitions it has devised and laying out CISO calendar and outsourcing requirements.

Cynthia Brumfield is a veteran communications and technology analyst who is now focused on cybersecurity. She runs a cybersecurity news and information site, Metacurity.com.