Mercari Appoints Naohisa Ichihara as New CISO: Making a Mark in History with the Goal of Establishing the World’s Most Secure Marketplace
Naohisa Ichihara joined Mercari in May 2021 after working on the frontlines of cybersecurity at LINE for more than six years. As CISO, he has since been working to strengthen both security and privacy at Mercari.
For this article, we asked him about why he joined Mercari and what drives him to continue pursuing the open-ended questions facing cyber security today.
Featured in this article
Naohisa Ichihara (@nao_ichihara), Chief Information Security Officer (CISO)
After working in security R&D, product development, and security consulting at a major systems integrator, Naohisa joined LINE in 2015. He carried out security consulting for all of LINE’s services, worked on improving LINE account security, implemented abuse countermeasures, responded to issues at overseas offices, worked on security branding, and improved overall group governance. He joined several standardization movements during that time, becoming a Board Member of the FIDO Alliance and Vice-Chair of its FIDO Japan Working Group. In May 2022, Naohisa was appointed CISO at Mercari. He now works to bolster Mercari’s security and privacy structures.
Aiming to Create the World’s Most Secure C2C/B2C Marketplace
──Could you start by telling us a little about the reason you left LINE for Mercari?
I was at LINE for a little over six years from 2015 to 2021, and I was eventually appointed the head of the Cyber Security Office there. It was really exciting doing work to support the security of such a rapidly growing company. There’s something fun about doing the kind of work where you have to think outside of the box instead of just following textbook knowledge.
It was after a report about LINE’s handling of personal information hit the media in the spring of 2021 that we started to attract attention from the public.
I was one of the people on the frontlines handling this incident. I learned a lot through this, and it gave me time to think about where LINE was headed and what I really wanted in my career.
It was around that time that I really started to feel that the members and managers under me had grown and the team had matured. I felt that it was about time I took on a new challenge.
That was when Mercari contacted me.
Mercari still has plenty of room to grow, and the company is making a concerted effort toward global expansion. I realized that this was a place where I would have room to utilize my experience up until now while gaining new, exciting experience. This was when I decided to join Mercari.
──I imagine you were approached by several different companies, but what made Mercari stand out?
One of the deciding factors was Mercari’s value of “Go Bold.”
I think this is true of a lot of security engineers, but I’ve got a strong sense of curiosity and an inquisitive mind. The kind of organization like Mercari that welcomes bold challenges really draws me in.
I’m motivated by being able to work alongside coworkers who share these kinds of values.
──Is there anything that you’re particularly interested in taking on?
I want to work to establish a global model of what C2C and B2C marketplaces can be while gradually solving the immediate issues we’re also facing.
There are two core projects I worked on related to these goals:
The first is making sure that the Mercari ecosystem utilizes user information and data even more safely and with the utmost care. An essential requirement for taking Mercari overseas is ensuring that our service environment, processes, and structure enable us to always explain how our users’ data is utilized.
The second is building mechanisms to enable us to push our security and privacy forward continuously and in a way that’s scalable.
For example, you wouldn’t call an organization scalable if the number of members doubled every time they started work on a new service. I want to try building a team that looks forward to the future growth of the service without relying on numbers to achieve it.
Mercari’s service represents unknown territory for me, in a domain completely different from my experience up until now. There’s also no right answer when it comes to building the world’s most secure C2C and B2C marketplace. That’s why, the way I see it, our future is so full of possibilities.
──Looking back on the last 10 years, do you think security has become more important or more complex?
As attackers’ skills grow, we see the situation growing more and more complex for security professionals. This has made system resilience an increasingly important topic for all companies.
Resilience assumes that cyber attacks will happen at some point and that incidents will occur. However, it emphasizes the need to predict potential attacks and respond quickly when attacked, so that we can recover.
There are limits to what we can do to strengthen resilience as a single company alone. It will become more important for our company to take open action, including exchanging information with the greater security community outside of the Mercari Group.
As the speed of our business continues to increase, security needs to make sure that it doesn’t become a factor holding the business back.
I believe that the teams in charge of security need to be enablers rather than blockers.
In order to keep up the velocity of our business, we need to lead the industry and take on new challenges. That’s why I strongly feel we need to take an aggressive approach when it comes to security.
Past Experience Taught Me What a Data Company Should Be
──I think leading the security team through the incident you mentioned, the one that happened in spring 2021, was a huge experience for you. How did it impact how you see the world?
It made very clear to me the importance of aligning understanding of the service between the in-house security team and external stakeholders like users, the media, and public institutions.
That’s because when there’s a gap between how we see the service and how the public sees the service, it can cause a huge loss of trust in the company when something goes wrong.
That experience at my previous job was also an opportunity for me to consider the future of data companies overall.
I think most people involved in security understand this, but the West is much more advanced when it comes to data handling regulations.
While Japan’s laws are gradually inching closer to the Western standard, I think that many Japanese companies today are far from meeting the expectations of the regulations you see in the US or Europe.
If Mercari is going to take on the world, it needs to try building the kind of data governance framework that can meet these Western standards ASAP.
──It seems like a big topic in the coming years will be how companies can build security structures that are future-proofed for overseas expansion.
Right. In the past, it was all about how we could protect data. Now, it’s not only about protecting data; equally important is how we can utilize the data for business purposes.
Organizations handling data need to always understand whether they are meeting users’ expectations regarding how that data is handled. Moreover, if those organizations want to use the data for something outside of those expectations, they need to figure out how to obtain users’ consent. When it comes to obtaining consent, most companies now are just dealing with issues as they occur.
I want us to get past that phase. I want us to digitize data governance mechanisms themselves to achieve more scalable cyber security.
We’re also aiming to build an organization that embodies Trust & Openness, where information can be shared openly.
That’s not only true of our organization, either. The service is premised on users’ mutual trust, and I want our Security Team to support trust in our organization and our services from behind the scenes.
The Importance of Communication Ability: “Driving Consensus on Key Ideas”
──Up until now, your career has been in cyber security, but what is it about cyber security that drives you?
I’m drawn to this idea of carving my own path through the world.
The work carries a weighty responsibility and a mountain of challenges. It’s precisely because we don’t know what tomorrow may bring that I feel like I’m free to write my own history. That might sound like an exaggeration, but that’s really how I feel about it.
Working in security, adversaries are evolving their methods faster than ever before. In figuring out how to deal with these attackers, people working in security often find themselves driven by inquisitiveness and curiosity.
They speed through this cycle of considering approaches to keep up with attackers based on past success stories, trying out those approaches themselves, and seeing those approaches fail at times.
We live in an age where pursuing and continually updating your security to ensure it’s the best has become commonplace. However, you can’t have the best security without the best team.
Since security only really works once you have a team working together in concert, no single security engineer can afford to stubbornly think they are right all the time.
Having a team moving in alignment, where members inspire each other—that’s a big part of what drives me.
──As technology continues to evolve and companies grow faster and faster, how do you think the skills expected of security engineers will change going forward?
While it goes without saying that engineers need to master basic security tech, skills that go beyond that, like various data analysis methods, machine learning, etc., are becoming increasingly important.
For example, recent malicious actors commit attacks while behaving in ways that appear random at first glance—not the product of human thought.
But when you utilize a massive number of parameters and analyze the data that way, you can obtain clues about what they’re actually doing.
Breaking down these complex attack patterns to understand the particular characteristics of these attacks can help us solve problems faster.
I also think that we’ll see more places in the cyber security field calling for engineers to not only conduct an analysis into the incident and the attack, but be able to numerically and statistically explain their interpretation of events or find a solution based on the data available.
At the same time, I also think security engineers need to develop skills outside of tech.
I mean the kind of communication skills whereby engineers can explain what they mean to others in an easy-to-understand way while carefully taking into account the context and needs of the other side, to build mutual understanding and trust with them even if, say, their assertions and opinions differ from those of the engineer.
I think it’s important to be able to explain the context and how important security is even to non-engineers, standing in their shoes and speaking from their perspective.
Whether someone is able to communicate with tech experts or not can depend on the company, but I think that it’s precisely because security engineers understand the tech, the knowledge, and the issues most deeply that they should be responsible for leading communication, pushing for mutual understanding, and working to solve the problem.
There’s no doubt in my mind that this approach can help enrich engineers’ ability to communicate and persuade, and it helps raise their value as an engineer.
──I guess it’s important to strike a good balance in developing your skills, including not only the tech aspects but communication skills as well.
Yes, that’s what I think. And to add to that: What I’ve felt seeing security engineers across the years is that the ones who truly make strides in their growth are the ones who can take responsibility for their own self-development.
That means not just doing what you’re told, but seeking out tech you should learn about and drawing out your own potential. People who can do that naturally are the ones who can adapt to the sweeping changes of tomorrow.
I think that those people are also the ones who like to interact with others. They join communities outside the company, and they value the opportunity to interact with people who have the same interests. It’s those experiences that show them what they are lacking and what they stand to gain.
I hope that I can help develop many security engineers like that at Mercari, who are experts in both tech and people skills.
Interview by: Mai Ichimoto / Photographs by: Miki Kuwahara