Information Security as a Management Strategy in the DX Era
Aug. 21, 2019
NRI Secure Technologies, which is a group company of Nomura Research Institute (NRI) and responsible for the information security business, has been conducting a “Fact-Finding Survey on Information Security in Companies” since FY 2002-03. This time we have compiled the results of our latest survey conducted on the theme Security as a Management Strategy. Yasuhiro Nabei, who is a security consultant at NRI Secure Technologies, outlines the survey results and the challenges that Japanese companies face in promoting digital transformation (DX).
The promotion of DX also requires information security updates
The survey was carried out to clarify the status of information security activities at companies in Japan, the United States, and Singapore. Responses were received from information system/information security officers of 1,794 companies in Japan, 509 companies in the United States, and 504 companies in Singapore.
One of the reasons to conduct this survey was to understand the efforts of companies towards information security in the DX era (digital security). The percentage of companies working on DX was over 85% in both the United States and Singapore, while it was only 30.7% in Japan. Nabei added that 29.5% of companies in Japan answered “Don’t know”, which could mean that the term DX may not have been fully understood.
He also emphasized the fact that many companies think that there have been no changes in information security requirements due to DX.
He further stated that these companies may view information security needs generated by DX merely as an extension to their current practice and may not realize that it is changing information security demands. Therefore, it is very important for companies to identify the associated risks and continuously update their information security measures when they go digital.
Regarding companies’ efforts towards digital security, Nabei mainly focused on the advanced security solutions that are adopted in relation to DX. He pointed out that while Japanese companies are introducing and examining information security measures related to DX 1.0, which contributes to transforming business processes, the security measures related to DX 2.0, which transforms the business completely, are not as advanced as those related to DX 1.0. The number of companies working on DX in Japan is increasing, but they seem to have transformed only their business processes and may not have yet transformed their businesses.
Use of outsourcing and tools that are key to eliminating human resource shortages
A lack of information security personnel is becoming a serious challenge for Japanese companies. The survey results show that only 9% of Japanese companies feel that they have adequate information security personnel, while the figure is over 80% in both the United States and Singapore. Nabei says that Japan alone is overwhelmingly complaining of shortages in human resources and that a similar trend is seen every year.
The type of human resources most commonly in short supply was staff for formulating information security strategies and plans. Nabei says, “In order to formulate information security strategies and plans, it is necessary to identify risks specific to the company's businesses and develop resources within the company to handle those businesses.”
“Many companies responded that they do not have sufficient resources to assess and investigate information security risks and monitor and analyze logs. However, these are expected to be automated by outsourcing or using tools. In order to eliminate the shortages of human resources, it is important to clarify the areas that will be handled by in-house resources and those that will be handled by outsourcing or using tools.”
Information security risks in the DX era caused by insufficient skills
Based on the results of the survey, Nabei expressed his concern that insufficient knowledge about information security may affect the competitiveness of Japanese companies.
“Insufficient knowledge of advanced IT technologies or information security strategies specific to digital business can lead to delays in information security measures in the DX era, thereby hindering business speed. To overcome this situation, information security should be regarded as a management strategy, and efforts should be made to optimize security operations under the guidance of the Chief Information Security Officer (CISO). That's what I think is necessary to ensure a balance between business speed and security in the DX era.”
As DX evolves in the future, the importance of information security will increase more than ever before. Japanese companies need to thoroughly consider how to train the information security personnel required in this situation.