Going Beyond Diverse to Become Borderless: The Culture of Mercari’s Security & Privacy Team

※This article is a repost from SELECK.

As cyber attacks grow more sophisticated, we see more and more new reports about breaches of personal information and services going down because of attacks by malicious parties.

This has put companies in the position where they need to further strengthen risk management for information security, and many companies now have dedicated teams to handle these measures.

That’s where Mercari Group’s Security & Privacy Team comes in. They aim to serve as a leading example of this kind of dedicated team within Japan.

The Security & Privacy Team has helped continued to support the Mercari Group’s growth over the years, even receiving an excellence award at the 7th Information Security Incident Response Awards for their work handling the exposure of users’ personal information in an that resulted from the compromise of a  third party tool that made up part of their software supply chain in 2021.

In May 2022, former LINE employee Naohisa Ichihara was appointed Chief Information Security Officer (CISO).  Mercari established a virtual team, the CISO Office, two months later, in order to strengthen the overall structure of the Security and Privacy Team.

While it’s common for most companies to  have a team of dedicated security professionals these days, Ichihara says what sets the Security & Privacy Team at Mercari apart from the rest is the team’s culture. “There’s great diversity within the team, they work together with the frontlines of the business, and there’s a great atmosphere and strong relationship between the members.”

We recently talked with not only Ichihara, but two other members of the Security & Privacy Team as well: Jason Fernandes and Yumi Ito. They shared a bit about the role of the Security & Privacy Team and the work that’s gone into building a strong security organization.

A Diverse Set of Members With and Without Traditional Security Backgrounds

Ichihara: I joined Mercari in May of this year (2022) as CISO. While I’m still learning a lot with the help of the other members, I’m also working on handling issues related to security and privacy, managing the team, and communicating with Mercari leadership.

Ito: I work directly underneath Ichihara, and I’m largely involved in overall management and organizational development for the Security & Privacy Team. Currently, my main tasks are hiring and onboarding new members.

I joined Mercari in February 2018, and initially, I was working as an executive assistant within the COO Office/CEO Office. I started working with the Security Team sometime after that, when the team was put under the CEO Office. It was later that I officially transferred to the team.

Actually, there are a lot of members like me, who joined from domains outside of security. That’s true of you as well, right, Jason?

Jason: I’m currently the manager of the Security Strategy Team, which was established in January 2022. My main roles are working with Naohisa to come up with the mid- to long-term strategy, vision, and mission for the team, decide on the team’s direction, and incorporate those into the team’s work.

From the left: Naohisa Ichihara, Jason Fernandes, and Yumi Ito

Jason: I joined Mercari in May 2018 as a interpreter and translator. My second week after joining, I was suddenly thrown into a Security Team meeting to interpret last minute.

The more interpreting I did for the team, the more I gradually came to understand security, and then one day, one of the Security Team members said to me jokingly, “How about joining the Security Team, Jason?” (laughs) I thought it was a joke at first but in no time at all, I’d joined the team as a full-fledged member.

When I initially transferred, I was starting from zero when it came to coding knowledge. I did my best to learn, did some simple automation, and developed some support features for our security tools, but I wouldn’t say that I loved coding—it wasn’t my strong suit.

I believed my strength lay in communication, so I gradually shifted into a role where I was involved more in program management.

“People,” “processes,” and “technology” are usually named as the three most important factors to organizational and personal growth in the tech industry, but you could say the same about security.

Especially when it comes to “people,” I think security is a domain that requires people with a wide range of skills rather than only specialized professionals. It needs people who can push projects forward, who have high communication skills, etc.

The current members of the Security & Privacy Team come from diverse backgrounds and have a diverse set of skills. I feel that the team works so well because we try to be very careful in how we communicate, understanding that we all have different perspectives and values.

Security and the Business Working in Alignment

Ichihara: My team at my previous company was also very international, but the team at Mercari feels even more diverse. It’s unique and truly interesting how we have engineers from around the world, and even members with no past experience working in security, like Jason and Yumi, are able to shine.

I think the people are truly instrumental to a successful security team. While any group made up of security professionals can produce high-quality work, coming to Mercari, I was reminded how there’s much more to a team than that. The most important thing is being able to reconcile the needs of security and the needs of the business.

Many people working in security may be able to identify the risks they can see or have a direct sense of what might be “dangerous,” but what’s important is whether they can accurately convey that to stakeholders in a way that is easy to understand.

The way we see the world can be vastly different from person to person. For example, someone working on the business side might focus on immediate sales figures and profit, whereas someone in PR is always thinking about reputation risk.

Naohisa Ichihara

Ichihara: In many situations, it’s important to really understand that everyone has different perspectives depending on where they stand, and communication means conveying the information that that specific person needs to hear. Particularly as you build your career in security, you’re brought into contact with people from across the company.

I think it’s important that Security and Product avoid conflict and figure out how to reconcile differences.

The ideal security team has a strong organizational structure where rather than simply step in to make comments right before release—where we might, say, ask the product team to fix a vulnerability found during diagnostics only to find that they lack the time or money to do so—we work closely together with them before the release.

When things don’t go well, it’s usually that there’s this distance between the security and product teams. At Mercari, however, Security and Product work closely together. This is backed by Mercari’s powerful culture.

Mercari’s three core values of Go Bold, All for One, and Be a Pro are deeply ingrained in our company culture, and you’ll hear them mentioned countless times a day. Since the values are so rooted in members’ thoughts and behavior, they are naturally reflected in the activities of the company as well.

We have a term in the security industry: “Shift left.” It refers to security actively involving itself in product development from the early stages, so as to avoid creating any blockers in the release schedule. The product side at Mercari is very All for One, so things tend to go smoothly.

When it comes to the success of a product or service, it’s not just the product side that needs to persevere. We have a culture at Mercari where Security, PR, Compliance, and many others come together to make our business successful.

Pushing Business Forward as the CISO Office

Jason : The Security & Privacy Team was restructured in July 2022, with a new virtual team called the CISO Office arising in the process.

CISO_Office

Jason: Simply put, the Security & Privacy Team can largely be divided into two sides: Security Engineering and Security Governance.

When an organization gets this big, it’s easy for the teams to become siloed or lose sight of the big picture. That’s why we have the Security Strategy Team, to increase collaboration within the organization so that we can all stay aligned as we move forward.

Mercari is rolling out an extremely large number of businesses in addition to our C2C marketplace, such as the Merlogi logistics business, the Merpay mobile payment business, the Mercoin crypto asset business, and our Mercari Shops online storefront business. As the organization that has to work across all these different businesses to ensure security, we need to move in concert while listening to the requests and demands of each division.

Ichihara: I believe that while product security is a given, as we continue to work on corporate security, support anti-fraud measures for the service, and expand our business globally, it’s vital that we prepare scalable mechanisms and systems in advance.

Before I joined the company, Mercari experienced a case of personal information exposure stemming from the Codecov incident in 2021 (check here for details). Divisions throughout the company (and the upper leadership as well) have a strong security mindset and high expectations for the Security & Privacy Team.

Team Building and Onboarding to Build a Positive Atmosphere and Strong Relationships

Ichihara : It’s not unusual for a security team to have some true professionals on the roster. However, I think another one of Mercari’s advantages is the team culture.

Ito: Since we have new members joining us all the time, we’re making efforts to create opportunities for communication within the team as much as possible. That includes workshops, offsite meetings, etc.

Everyone on the team gets along really well, but the engineer and non-engineer teams are so busy with their respective tasks that it can be easy for a divide to grow between them. We are hoping to achieve smooth collaboration by giving everyone regular opportunities to interact.

All the members are highly experienced and skilled, but team building is essential to expanding their capabilities further. Taking on challenges as a team can allow us to grapple with things that would be impossible to accomplish alone. It also makes the team more efficient and helps raise motivation.

We held a two-day offsite in Karuizawa just recently, and nearly everybody came. Efforts like this greatly help to improve relationships of trust among team members.

A glimpse of the Karuizawa offsite (photo provided by Mercari)

Ichihara: The atmosphere of the offsite also really reflected the diversity of the team. It wasn’t the typical “employee trip” you might imagine. People were playing board games; it was all super casual.

Ito: It’s truly a melting pot of cultures, with members hailing from over 10 different countries. That’s why when we plan an event, we try to come up with things that will enable everyone to interact.

For example, we randomly sort members into small groups to facilitate discussion across different team functions, and we hold workshops to discuss team vision/mission, Mercari’s proprietary Unconscious Bias Workshop, and other training.

Recently, since we have so many members working to improve their Japanese/English, we’ve also implemented our own program, the “Language Exchange Program,” where members buddy up to work on tasks together in their non-native language.

Ichihara: In terms of team development, we’re also doing some wonderful onboarding. Right before I joined the company, almost all of our members showed up at the office as part of my onboarding.

I was able to meet everyone face-to-face for the first time, and the comfortable atmosphere made it easy to chat. That made a real impression on me; even now, I remember it fondly.

Ito: Mercari’s HR also has an onboarding program that they prepare, of course. But in addition to that program, I think it’s important that we do something at the team level to welcome new members.

To welcome Naohisa as our new CISO, we set up a time for him to meet the team face-to-face, thinking that we needed to create an opportunity for him to talk to everyone once.

Ichihara: It was really helpful to have that opportunity. It also helped that we have plenty of friendly members like Jason who were eager to talk to me. (laughs)

Everyone: (laughs)

Ichihara: Additionally, the first thing I was given after I joined was a “List of Materials We Want Naohisa to Read”. The spreadsheet contained close to a hundred documents about each division’s projects, histories, etc.

Jason: There were about 200 entries. (laughs)

Ichihara: 200… (laughs) I was fairly surprised when something I was already thinking of doing was suddenly dropped in my lap, already fully prepared on day 1.

Ito: In addition to the onboarding checklist provided by the company, each team makes their own onboarding book to prepare for onboarding new members and makes sure to introduce the new members to the teams around them. The fact that our numbers continue to grow means that we cannot afford to neglect these kinds of onboarding efforts.

Jason: That’s true not only of Naohisa; we previously had new members from Austria and Hungary who could not enter Japan due to the COVID-19 pandemic. Even when they were unable to come to Japan, we made sure to do team building and forge strong relationships remotely with these members.

Although we were dealing with a 7–8 hour time difference, their mentors would sync their schedule with theirs so they could work together. That meant that even if they were working remotely from overseas (and had never met their mentor), they were still able to feel like part of the team. This struck me as a particularly All for One approach.

Ichihara: Now wait just a minute. Isn’t this sounding a bit too good to be true? Are you sure we’re not missing anything? (laughs)

Everyone: (laughs)

A Borderless Team

Ito : When it comes to hiring, finding people with a global mindset who are also a good culture fit for Mercari is not easy.

That’s why we fully commit to hiring as a team. From a personal standpoint as well, I want us to continue to focus on building an environment where new members can excel.

Ichihara: I hope that we can have a work environment where members feel excited to work each day and that we create a culture where members can further add to the culture.

Recently, people often use the word “borderless player.” The thing about people is that they tend to work within their fairly limited worldview. They limit the scope of their work, and it’s really a shame.

Mercari members have a wide variety of perspectives and values, operating within that culture we described. I think the kind of security work our members experience here brings a lot of possibilities.

That’s why we want members to work borderless-ly, with a sense of freedom and without pigeonholing themselves. I believe we will become the ultimate team if each of us can help build the team culture with that mindset.

Ito: “Borderless” is a great word for it. Concepts like “global” and “diversity” have already become commonplace, so I think that it’s great we’re looking ahead to expand those concepts to the next stage.

Ichihara: Both Yumi and Jason embody that idea, proactively working to build their own positions within the team. I believe that positions like the ones these two fill will be incredibly vital to security teams going forward. It makes me want to come up with a word for it.

Jason: In some respects, everyone at Mercari is working beyond the bounds of their predetermined title. Everyone is doing what they do best. Yumi does her thing; I do mine.

Everyone here is quick to jump into something new without hesitation, which brings its own kind of chaos. But at the same time, it means we can take on a greater number of new challenges as a company overall.

“Company” can be another kind of border, if we’re talking about going borderless. I hope that we can continue to learn from other companies as we share our Mercari brand of security and privacy with not just Japan, but the world at large.

Culture is always changing, and our culture here will continue to gradually change as well. I think it may never stop changing as we continue to share our culture while allowing others outside the company to inspire us in turn.