Building a Robust IT Environment to Grow the Business The Corporate IT Security Team supports the very foundations of Mercari #MercariSecurityPrivacy

This article is part of our Meet Mercari’s Security & Privacy Team series, where we will be introducing you to the teams that make up the wider Security & Privacy Team at Mercari over the next two months or so. Today we will be featuring the Corporate IT Security Team, which is a sub-team of the Security Engineering Team.

This team is responsible for taking a security perspective to reducing risk and improving the safety of information systems at Mercari, and their work spans a broad variety of areas. To put it simply, the Corporate IT Security Team supports the diverse working styles of our members and the working environment of the whole company.

Currently, Mercari is in a growth phase where our size fits right in the middle of a mega-venture and a large corporation. Against that backdrop, we went to a park near Mercari’s Tokyo office where we spoke with Ginji Hayashi (@ghayashi) and Hiroshi Shinozaki (@helosshi) about their valuable experiences working in security at Mercari during this unique, transitional stage. Without further ado, let’s get into the interview!

The IT security field is too complex to be defined in a single word or phrase

──This fifth installment marks the halfway point of this series! Now, as always, I’d like to begin by asking you both to briefly introduce yourselves.

@ghayashi：Sure, I’ll go first. Hello! My name is Ginji, but I am often called “Gyaashi” at Mercari because it sounds kind of like my Slack name. I started my career at a security services provider. After that, I wanted to know more about the other side of the solutions I was using, so I switched jobs to become a solution maker. I joined Mercari in April 2021 because I wanted to experience the customer side—in other words the recipients of the security services that I had been selling.

@helosshi：Hello, my name is Hiroshi, but at Mercari people call me “helosshi.” I joined Mercari in September 2017, which means I’ve been here for six whole years already… wild how time flies! In my career—from when I was a student working part time, through being a new graduate, and now working at my current position—I have always been involved with IT systems. This year, I moved to the Corporate IT Security Team, which, as you might guess, is more focused on the security side of things.

Hiroshi Shinozaki (@helosshi)

──Come to think of it, both of your nicknames are a bit “different” (on the sillier side) from the nicknames of other members who have appeared in the series so far, aren’t they? (laughs) Alright, so, next I’d like to ask about the team. What kind of role does the Corporate IT Security Team play in the company, and what is your team’s mission?

@ghayashi：Mercari has several teams that deal with security, but we are responsible specifically for corporate IT security, which is a domain overseen by the Security Engineering team. Our job is to bring our security perspective and expertise to bear in providing solutions to reduce risk and improve security for information systems.

That said, “security for information systems” is a very broad category that covers a wide range of services and systems used by Mercari employees on a daily basis. For example: the company-loaned computers you’re using right now, your accounts managed by Google and Okta, SaaS, security solutions such as EDR—these all fall under our purview. Each day, our work is to ensure that everyone at Mercari can safely and securely access the systems and services they need to do their work.

Ginji Hayashi (@ghayashi)

@helosshi：Actually, I think that the work we do at Mercari is quite similar to what an IT Systems Department or a specialized task force would do at another company. What makes us unique is that we are a permanent, specialized organization within the Security Team, and also that we work closely with the Corporate Engineering Team.

──I see, so you must be pretty busy! You touched on how your team at Mercari is distinct from similar teams at other companies, but could you expand on that and what you like about the team?

@ghayashi：I think that when people hear “Mercari” they think of the marketplace app itself, but the “behind-the-curtains” support aspects of Mercari are also very interesting! For one thing, we have very diverse members. Also, our work allows us to experience a variety of fields, including development, operation, and support tasks, for which we come up with broad-approach IT infrastructure systems used across the entire company. I think that those are the main things that make this team so great.

@helosshi： I agree with everything @ghayashi said. I would add that I think it’s interesting that we are asked to actively support the development of new internal policies. The flagship example for this would be our involvement with the creation of Your Choice (a system that allows each employee to choose their own optimal work style in terms of performance and value embodiment). We are also sometimes asked to bring the team’s global perspective to the table, for example in collaborations with Mercari US. For me, these are two parts of the job that I never get tired of doing.

──Now that you mention it, I can see how considering the way we work from various perspectives would be important in promoting corporate IT security. At the beginning, both of you mentioned briefly what you did before Mercari, but I wonder if we could talk about what drew you both to Mercari in the first place?

@ghayashi：I joined Mercari for a bunch of different reasons. One reason is because I was impressed with the depth of material covered in Mercari’s engineering blogs. I also liked the idea of Mercari’s open culture in which the technology stack used is made available to everyone. I joined the company with the hope that I would be able to apply my knowledge and professional experience to the Mercari environment. In a sense, I thought of it as a sort of opportunity for me to try to “level up.”

@helosshi：For me, it goes back to why I chose to work in IT in the first place. I have been a Mercari fan since the marketplace app was first launched, and I thought that if I could support the working environment of the people who develop that service I love so much, I could help make Mercari even better. I also liked that back in 2017, Mercari launched their IT department with only 3 or 4 individuals.

I moved to the Corporate IT Security Team this year because I wanted to be involved in adapting the working environment to post-2020 society.

──Was there anything about Mercari that surprised you once you joined?

@ghayashi： I was surprised in a good way—not only by the high level of professionalism across the organization as a whole, but also by the permeation of the Mercari values that support that professionalism. At this point, I have personally witnessed in various projects that when faced with a hurdle, every member is willing to come together to discuss the issue in order to make a positive improvement, and then the organization as a whole supports attempts to solve the problem. I think this is because everyone is always trying to embody Mercari’s three values: “Go Bold,” “All for One,” and “Be a Pro.”

@helosshi：Since at this point it’s been a long time since I joined the company, I’ll phrase my answer to your question in terms of joining the Security Engineering Team instead. Although I had been involved with the Security Engineering Team since I was on the Corporate Engineering Team, actually transferring to the team gave me a fresh perspective. It was my first time doing an internal transfer, so of course that aspect of it was novel as well, but it was mostly the realization at the sheer volume of demands on Mercari’s security organization from both inside and outside the company!

I also found it refreshing to see Mercari from a different perspective— I’ll just say this: we have grown a lot since I first joined! (laughs)

Just as they were describing how their work is “like a game of catch” in that they have to keep a close eye on their opponent, throw the ball in just the right place, and occasionally even scramble to pick up a loose ball… they spontaneously started tossing a ball back and forth!

Supporting an even safer and more secure work environment

──Let’s talk a bit more in depth about the work your team is doing. What have been some of the highlight projects your team has taken on?

@ghayashi：The one that sticks out in my mind is the project where we conducted a risk assessment of Corporate IT as a whole. At the time, I had only just joined the company, so I had to talk to a lot of different people to gather information. That meant that, eventually, I had interacted with basically Mercari’s entire IT environment. As a result, I was able to make connections with lots of different project stakeholders, not to mention the boost to my understanding of the IT environment. I believe this was an important part of the process of becoming a trusted member of Mercari and the team. In terms of more tangible results, this project also served as a model case for how and where to respond to the needs of Mercari in the future, and at what priority level.

@helosshi：One of our more recent projects was about implementing a measure to strengthen access privileges to infrastructure services. We started out by considering the scope of impact based on our previous experience with IT services, and then made progress from there. Another one is the roadmap that we established as a team. The roadmap is the basis on which we promote security enhancement for work-related devices and SaaS. Although many of these measures may seem modest at first glance, keep in mind that we are still in the process of “laying the groundwork” for a safer and more secure working environment. Also, I think this came up earlier as well, but it’s worth mentioning again that many of our projects are collaborative efforts with other teams.

@ghayashi：Yeah that’s very true. Our team is also often involved in new businesses that the company wants to develop. A public example of this would be Mercoin. Honestly though, I wouldn’t be able to even begin explaining this adequately in the limited time we have here, so if you’re interested in seeing further details about what our team does, I suggest taking a look at the job description!

──I think that gives us a pretty good idea of what your team’s goals are, but could you talk about what kinds of challenges the team deals with?

@ghayashi：Seriously—and this is not a joke—problems are still all our team deals with (laughs).

@helosshi：Our IT systems have a history of being expanded and stretched while trying to somehow keep up with the break-neck pace at which Mercari, being in such a transitional phase, continues to grow. We continue to address operational inconsistencies and management issues that have arisen in the past. Automating a more uniquely Mercari IT system, and implementing more sophisticated access policies are just two examples of such issues.

@ghayashi：The company as a whole is also committed to strengthening security and has stated as much publicly, so I think that these kinds of things are expected of us.

Being on the verge of becoming a full-on enterprise comes with some unique points

──What kind of person would be a good fit for your team as you work hard to improve those perennial issues?

@ghayashi： Let’s start by talking about the hard skill requirements. A foundational assumption for our team is that Mercari’s IT environment is a combination of various cloud-based solutions. Of course any potential team member would have to understand these solutions, and they should be able to provide a technical point of view or explanation when requested, which happens quite frequently. Therefore, I think that a successful candidate would have an understanding of the ideas, concepts, and mechanisms related to some kind of modern, cloud-based IT architecture, and would also be able talk about it in their own words.

Something important to note is that Mercari also emphasizes culture fit. This means embodying the three values that we talked about earlier, but not just that—you will also be required to think through processes on your own, hold discussions with stakeholders, and even involve them in your work in order to achieve high-level results.

@helosshi：This may sound a bit “romantic” to some people, but I think “passion” is important. I don’t think there are very many people working in corporate IT security, but if you work in corporate IT, or if you work in security, I think it’s important to have a vision for how you want corporate IT or security to be, and a desire to pursue that vision. Also, if you’re like me and you have a more personal reason that motivates you (for me it’s a love for Mercari!), I think that is also very useful.

──So, to summarize, a successful candidate should have the requisite skill set, be a good culture fit, and also have passion for the work. What about the qualities of someone who would not be a good fit?

@ghayashi：Honestly, if you are accustomed to a top-down style work environment and mindset, it will probably be difficult for you to succeed in this environment. When launching or implementing any measure, each stage of the process requires its own thorough explanation of the rationale, reasons, and background. You also need to involve key members while building a consensus. In those moments, Mercari members will not be motivated to action because “someone said so” or “that’s what has been decided.” That kind of “top-down mindset” type of approach will lead to a setback.

@helosshi： I know I’m repeating myself at this point, but corporate IT security covers a broad range of different fields. You don’t have to know and be able to explain everything, but if you are the type of person that will do the necessary research to be able to have discussions on various topics, and you are quick to get started on things, I think you would be a great fit. I think this because Mercari’s business environment changes at a very fast pace, and new plans and projects crop up all the time, all over the company, progressing in parallel. That’s why I think that people who are self-motivated to keep up with this pace are suited for this job, while people who prefer to wait for instructions before acting are not.

── I think that, for people outside of the company, there are certain aspects of the business phase Mercari is in right now that may be difficult to understand. From the perspective of a potential candidate for your team, what opportunities and chances for success do you see?

@ghayashi： I think that Mercari is currently in a “leap-forward” phase. We are approaching a point in time when a different approach and new measures are needed across the board, and that applies to strengthening Mercari’s security too. We are right in the middle of a metamorphosis from a “mega-venture” to a true enterprise. Nevertheless, I think that people who are considering joining this team should know that Mercari’s current transformative stage will not prevent them from having lots of valuable experiences here, brainstorming, creating, and implementing new and innovative approaches, rather than the typical, rigid style of security that focuses on suppression and repression. What about you @helosshi? It’s been about five years since you joined the company, is there anything that you’re feeling, like the impact of phase changes for example, that is unique to this moment in Mercari history?

@helosshi：There has been a change in attitude and structure of Mercari’s top management from the end of last year to this year. Also, the appointment of our new CISO changed our direct report line, so that’s a pretty big change. Furthermore, after the Codecov incident last year, management expectations for corporate IT security are particularly high. I think the chance to work in an environment that mixes all of this together makes for a very unique opportunity.

Notice of New Management Execution Structure for Mercari Group and Changes to Responsibilities for Members of Leadership

The stronger the IT environment, the stronger the business

──Lastly, please tell us about your future prospects—your wildest dreams and desires!

@ghayashi：“Wildest dreams and desires” is pretty intense (laughs). Seriously though, I want to create the strongest possible IT environment that provides a secure and stress-free work experience for everyone at Mercari, no matter what the size of the organization. In reality though, while convenience and security are often clashing concepts, we want to tune the IT environment at the company to create something that is uniquely “Mercari.” By extension, we hope to give back to Mercari’s users… albeit in a roundabout sort of way.

@helosshi：Echoing what @ghayashi said, with respect to the process that has gone into creating the system that we already have, I want to create a new, secure IT environment where the company and its employees can do what they want so that business can continue to expand in the future. In order to achieve this, we need the continued cooperation of all Mercari members! We are excited to keep working with you all in the future!

And, to the people out there who will one day join our team as new members, whoever you are—we’re looking forward to meeting and working with you!

──I think that “respect” in the sense that you are talking about is something important for everyone to keep in mind. Alright, what is your final message for all of our readers?

@ghayashi：If you have passion for the work—for example maybe you really want to build a modern, improved IT environment, or maybe you have your own, unique approach to security—whatever that passion may be, I would love to have a conversation with you.

@helosshi：Let’s play “catch” together sometime!

──Yes, let’s! Thank you so much for being a part of this series!