The CISO Office: A Deep Dive into the Background, Mission, and More of the Virtual Team Supporting Mercari’s CISO. #MercariSecurityPrivacy

This article is part of our series on the Security & Privacy Team at Mercari.

The Security & Privacy Team itself is made up of eight separate subdivisions, each specialized in their own unique area of expertise, and working to support the security and privacy requirements of the wider Mercari Group. Mercari covers a broad set of businesses and a diverse team is needed to help meet these needs. It might seem strange to have eight different teams, but it’s no surprise when we consider the breadth of security and privacy domains and the amount of ground to cover.

The Security & Privacy Team was revamped this year, under the leadership of our newly appointed Chief Information Security Officer (CISO) Naohisa Ichihara as part of our efforts to better meet the growing security and privacy requirements of Mercari’s businesses.

In this series, we aim to showcase the work of the Security & Privacy Team by featuring the work of each subdivision of the Security & Privacy Team in their own dedicated Mercan articles. We will dive into each team’s culture, workstyle, and the reasons they believe Mercari to be a rewarding place to work in security and privacy.

In this article, we’ll be introducing our CISO Ichihara and the CISO Office, a virtual team made up of members from the Security Governance, Security Strategy, and Security Engineering teams. We spoke to the managers of each of these teams for this article, and here’s what they had to say.

First up, let’s hear from Keisuke Sogawa, who was acting as the Mercari Group CISO before handing the baton over to Ichihara earlier this year. How did Sogawa come to first meet Ichihara, and what is the current state of the CISO Office?

The Most Enjoyable Part of Security At Mercari? Our Commitment to Challenging the Unknown

──I heard that Ichihara joined Mercari and took over as CISO from May this year. What was the background behind changing CISO? Did you two know each before Ichihara joined the company?

Sogawa：Yes, actually we knew each other from well before I was appointed CISO of the Mercari Group as we were both active in the field of trust and safety. We first met at a conference looking to tackle the issue of fraud in cashless payment services which was, and continues to be, a big issue facing the industry.

Ichihara：I remember the first time I met Sogawa very well. We were very much on the same page in our discussions on the technical feasibility of anti-fraud measures, and I got the impression we understood each other well. We really hit it off.

──Both of you used to work at LINE, right? But I guess you never had the opportunity to work together?

Sogawa：Right. At the time, the challenges with cashless payment services were rooted in long-standing implementation issues and vulnerabilities with how apps carried out authentication and authorization. Ichihara was particularly knowledgeable in this area, and I was impressed to see his contributions to trust and safety across different companies.

Trust and safety is an extremely important area for safely and securely developing internet services both rapidly and at scale. I thought that if Ichihara were to join us at Mercari that we could make great progress in this area and strengthen overall trust and safety initiatives. But it took a while to actually find the right timing to make the move a reality.

The whole reason I became CISO is because security was becoming an increasingly important topic within Mercari Group. That was sometime around January 2021. At the time, we were working nonstop on security incident response and implementing countermeasures. I just happened to meet Ichihara again around this time, when he was facing the same kind of security and privacy issues at his company. It was a really tough time for everyone, but I ended up asking him whether he would be interested in taking on the mantle of CISO. Eventually this led to him taking up the role at Mercari where we are now working together to tackle these challenges.

Keisuke Sogawa (Merpay/Mercari CISO)

──Sounds like you were really excited for him to join. What were your expectations for him taking on the role?

Sogawa：Ichihara has a lot more domain knowledge and experience than I do, so I was excited to bring him in and do whatever was necessary to help him make progress in driving trust and safety initiatives both within and outside the company. Honestly, there was still a lot of work to do when I handed over the reins, and even today there are still many areas where we can improve. That’s why it’s kind of hard to say what I expected from him. If I had to name some big issues we’re facing, I would say strengthening our authentication and authorization infrastructure across multiple services (Mercari, Merpay, etc.) and building a stronger team to support security and privacy across the Mercari Group as a whole.

Naohisa Ichihara (Mercari CISO)

The Security & Privacy Team is steadily growing as we continue to welcome new members, so in terms of building the organization, I hope that he can work with everyone to create a new mission and vision for the Security & Privacy Team. There are still many unsolved issues when it comes to building a marketplace where users can exchange diverse forms of value, and there are many problems that we still have to overcome.

Security and privacy are particularly important domains in that regard. In order to make Mercari a safer and more secure service going forward, we need to go beyond just working on security and privacy within the Mercari Group. It is essential that we work on trust and safety for the industry as a whole. I hope that as CISO, Ichihara can help push us forward toward this goal.

──Those are some big shoes to fill. (laughs) So Ichihara, what is your take on Mercari after joining as CISO?

Ichihara：Mercari is taking on a diverse array of challenges as one of the leading companies in both the C2C and B2C industries. As Sogawa mentioned, there are many unprecedented issues for us to tackle especially on the fraud side of things.

I want us to put our all into taking on meaningful new challenges and creating new value through security and privacy, and do this, in a way that could only be done at Mercari. This includes our efforts to strengthen the security of digital identities across our services (authentication, authorization, provisioning), the creation of data-driven anti-fraud mechanisms, implementing data governance that meets global standards, and automating security testing and operations to offer an even safer product.

──It’s very heartening to hear that your many years of experience are allowing you to see both the micro and macro issues with the current Mercari marketplace. Could you tell us what your biggest reason was for joining Mercari?

Ichihara：I had heard about Sogawa’s struggles as CISO handling last year’s Codecov incident (where Mercari had to respond to unauthorized access of a third party tool in our supply chain resulting in the partial leakage of Mercari’s codebase). It revived my interest in Mercari, and I gradually started to take greater interest in the opportunity to try something new at the company.

Mercari seeks to carve a new path, bringing a new kind of marketplace from Japan to the world. I felt that there’s real opportunity in that desire to actively adopt new technologies, take on new challenges, and continue to evolve. I was very attracted by the idea that Mercari would give me the opportunity to challenge the unknown in terms of security and privacy. That’s what ultimately led me to join the company. I fell in love with the idea that I could experience so much here—this idea that we were working with a blank map and chartering into unknown territory.

──I know it hasn’t been very long since you’ve joined the company, but what’s your impression of Mercari thus far?

Ichihara：Management decisions are made with a great sense of speed, the work environment and culture surrounding communication is very open, I’m surrounded by highly skilled team members, and every day continues to excite me as I take on new challenges. The experience so far has definitely met my expectations, but I would say that I’m surprised by how deeply ingrained Mercari’s three values are among the members. I was surprised by how they come up so frequently in day-to-day communications.

Jason Fernandes（Security Strategy Team, Manager）

Goals for the New Team Structure and Virtual CISO Office Team

──I’d like to take some time here to talk about the Security & Privacy Team under Ichihara and the CISO Office.

Ichihara：First of all, we revised the entire team structure. Broadly speaking, Mercari’s Security & Privacy Team is made up of Security Governance, Security Engineering, and Security Strategy. At the same time, however, we remain a considerably flat organization where these teams frequently work together as a single team on a project basis.

The CISO Office is a virtual team made up of members from the Security Engineering, Security Governance, and Security Strategy teams. (Divisions appear in the diagram in navy, with teams shown in blue.)

──I see. Although there are eight different subteams across the organization as a whole, they are categorized under these three roles that make up the CISO Office. So what exactly is the role of the CISO Office?

Ichihara：We use the CISO Office as a medium to discuss our approach to dealing with security and privacy issues shared across the entire Security & Privacy Team (process improvements, collaborations with other divisions, education, hiring, development, etc.). Then based on those discussions, we work on initiatives to improve the Security & Privacy Team overall.

Jason：It’s common that as an organization grows teams become more siloed. The main goal of the CISO Office is to foster discussion and align our organization so that teams do not lose sight of our overall mission and vision with regards to security and privacy, maintaining a shared perspective and strong collaboration as a single team, despite our size.

──So the goal is to build a scalable team structure through greater collaboration by these major teams. What kind of initiatives will each team be working on going forward?

Nikolay：The Security Engineering Team is made up of the Security Engineering and Product Security teams. Each of these teams has its own specialization, and they cooperate while overseeing the entire technical side of security at Mercari.

First, there’s the Product Security Team. They are responsible for providing consultation on security matters related to new businesses and services, as well as performing design and code reviews, security testing, threat modeling, and handling other matters in collaboration with the Product side. They also work to automate security with a focus on scalability, implementing and operating tools including static application security testing (SAST), software composition analysis (SCA) tools, and dynamic application security testing (DAST).

We work together with Security Strategy to manage vulnerabilities, conduct securing coding training for engineers, and run the Security Champion Program. Additionally, we are in charge of the technical aspects of PCI-DSS compliance. There are also members who work to automate, develop, and create dashboards for in-house security tools.
Security Engineering is further divided into four major subteams/functions.

These cover the roles of Infrastructure/Platform Security, Corporate IT Security, Threat Detection Engineering, and Chaos Security. This is going to get very long if I introduce each of these functions and roles in detail, but you can look forward to their subsequent Mercan articles showcasing each of these teams individually.

Nikolay Elenkov（Security Engineering Team, Director）

──I have this impression of the Security Engineering Team members as not only fulfilling this protective role, but also actively involving themselves in the product side to drive projects forward. Nikolay, you mentioned in a previously published Mercan article that “the Security Engineering Team are not gatekeepers; they’re guides.” I’m really looking forward to see what comes next for this team. How about the Security Strategy Team, Jason?

Jason：Based on our core mission to “enable Go Bold challenges by aligning security/privacy requirements and business goals,” the Security Strategy Team has set four main objectives: Strategic Alignment, Business Enablement, Process Enhancement, and Security Effectiveness.

Our role is to work with the CISO to come up with the Security & Privacy Team’s vision, mission, and mid- to long-term roadmap so that the team as a whole can pursue these four goals. At times, that means discussing and documenting the team’s direction, planning to ensure we tackle issues based on priority, or communicating with other teams to push projects forward.

──You’re playing this support role, but you’re also responsible for encouraging communication and collaboration throughout the Security & Privacy Team overall. I mean, that’s a lot!

Jason：Yes, it is. But, by promoting collaboration and incorporating each stakeholder’s needs into our roadmap, we are trying to foster a company culture that will enable us to offer a safer and more secure product to users and add value to both internal and external stakeholders through a high-level of security and privacy.

When you’ve got a company that changes and evolves as quickly as Mercari, it’s easy to get caught up in the moment and take a myopic view of security and privacy. Sometimes we just have our hands full dealing with immediate incident response or short-term goals. That’s not uncommon among companies taking an approach similar to Mercari. That’s why we’re putting our focus not only on short-term goals, but on mid- to long-term milestones for the team, and we are strongly focused on ensuring our approach allows us to take the initiative when it comes to security and privacy.

Ichihara：The Security Strategy Team was only formed earlier this year, but I want them to play a leading role in developing more fully realized security and privacy for the Mercari Group overall. In order to accomplish that, we need to create a more sophisticated Security Team, and it’s essential that we work to raise the skills of each individual member.

──Last, let’s hear from Ushijima about Security Governance.

Ushijima：The Security Governance Team’s primary mission is to support the growth of the Mercari Group and strengthen our security and privacy governance structure by establishing rules and systems regarding information security and privacy, assessing those rules and systems, working on related countermeasures, responding to incidents, and consulting on security governance matters.

We currently have a number of experienced professionals, split across four different subteams (the Information Security Team, FinTech Security Team, Privacy Office, and CSIRT).

The Information Security Team works on a wide variety of tasks including establishing and maintaining information security-related in-house rules and regulations, consulting on information security matters for other teams, and the management of data assets and security risk using GRC (governance, risk and compliance) tools.

The FinTech Security Team is in charge of managing and strengthening security for our finance-related businesses—a focus area for the Mercari Group. Specifically, that means assessing guidelines’ compliance with financial laws and ordinances, advancing measures to address those laws, PCI-DSS response, and strengthening security for financial transactions, for example.

The Privacy Office is in charge of building systems for managing personal information for the entire Mercari Group, establishing rules and guidelines, providing consulting services for other teams regarding privacy issues, conducting privacy checks for each business, and work related to the amended Act on the Protection of Personal Information (APPI).

Finally, the CSIRT is in charge of handling security incidents. They collect and analyze information on security threats and vulnerabilities, and in the event of a security incident, they implement measures to prevent the damage from growing and the recurrence of incidents by collaborating with stakeholders both within and outside the company.

Hisaharu Ushijima (Security Governance Team, Director)

──It sounds like the Security Governance Team is also covering quite a wide area, and that requires a high level of expertise.

Ushijima：Exactly. The Security Governance Team’s role is to proliferate information security and privacy management throughout the Mercari Group—this is a role that is extremely critical to Mercari’s growth. Some people might see information security management and privacy management as blockers to the business, but we believe that ultimately, the fastest route to growth is ensuring information security and privacy is understood throughout Mercari Group and providing an even safer and more secure service for users.

──So Yumi, I understand that your role is to be looking at the big picture across teams so that the Security Governance Team can work even more independently, but where are you focusing your efforts exactly?

Yumi：Thanks for featuring us in this article! The Security & Privacy Team overall is made up of many teams with a high level of expertise. Each member is a specialist in their field and the teams also include members from many different countries and backgrounds. We’re always considering how we can ensure our organization maximizes the particular characteristics and capabilities of these members. In order to achieve that kind of work environment, it’s extremely important that we understand the full scope of work, bridge the separate teams, and respond flexibly as needed.

More than half of our members are currently working remotely, making it difficult for members to work with people in the next team over or to casually ask how things are going. We’re working on measures to raise the capabilities of our organization, such as working harder than ever before to reach across teams for team building, holding events and offsites where members can communicate with a wider variety of peers, and coming up with ideas for how meetings should be held and how we can encourage collaboration. We have more and more new members joining our ranks as the business continues to accelerate. We’re at a point where teamwork is essential to building a unified, scalable organization.

Yumi Ito (Security Governance Team)

The Organization and Attention to Quality Needed to Build a Global Marketplace

──Ichihara, could you tell us a little bit about your future outlook, mission, and vision for the team?。

Ichihara： We’ve decided on a new mission for Mercari’s Security & Privacy Team: “Build trust & drive value for stakeholders through a collaborative approach to security and privacy.” This reflects our desire to offer a wide range of security and privacy services and initiatives in the spirit of All for One, to draw out the value of our diverse stakeholders (other divisions, companies, product teams, and customers we’re working with), and build trust within our team, our service, and our company.

We also have our vision, separate from our mission: “Security and privacy by design, by default, and at scale.” These words refer to our intention to provide scalable mechanisms to enable implementation of security and privacy by design and mechanisms that can ensure security and privacy within our development, product, work, and data utilization environments from the outset (automated security testing, etc.). We believe that we must sustainably support the future of Mercari’s security/privacy and unwaveringly support trust in the company.

Overview of the Security & Privacy Team’s Mission and Vision

Based on this mission and vision, we want to strengthen efforts toward security and privacy throughout the Mercari Group and create the strongest security and privacy team that we can.

──This belief is directly related to the company’s pursuit of overseas expansion that we’ve held since our establishment, embodied by our mission statement, “create value in a global marketplace where anyone can buy & sell.”

Ichihara：Precisely. This is why we are also driven to create the ultimate team, aiming to provide world-class security and privacy. We are continuing to challenge domains where the work is often complex and challenging, where we have no precedent or knowhow we can refer to. This Mercan series will serve to introduce our team to new potential allies who want to Go Bold to take on new challenges. If this sounds like you, then I hope you’ll look forward to our next installment!