Creating a New Era for Security and Enterprise IT—The Future Our New CIO and Current CISO Envision

In October 2023, Hiroaki Shintani (@hiroshin) joined the Corporate Engineering Team as our new Chief Information Officer (CIO).

In this article, we invite our Chief Information Security Officer (CISO) Naohisa Ichihara (@ichihara) and new CIO @hiroshin for a conversation to talk about the events leading up to recruiting a CIO and the future they envision for the Security & Privacy and Corporate Engineering organizations at Mercari.

Featured in this article

  • Naohisa Ichihara

    Naohisa received his master’s degree from the Department of Industrial Administration at the Graduate School of Science and Technology at the Tokyo University of Science. In 1995, he joined NTT DATA Communications Systems Corporation (now NTT DATA Corporation), where he was involved in security-related projects such as OS development for IC cards and security consulting for web and mobile apps. In 2015, he joined LINE Corporation, where he was involved in a project to improve the handling of various security issues such as account takeovers. In May of 2022, he joined Mercari as Chief Information Security Officer (CISO).

  • Hiroaki Shintani

    Hiroaki received his degree from the Graduate School of Engineering at the University of Tokyo. He built experience as a system engineer and project manager for core and informational system development at HP Japan (now Hewlett Packard Enterprise). Later, after completing his MBA at the University of Southern California, he joined Rakuten Group in 2012. There, as part of the executive office and the Rakuten Ichiba development team, he worked on the overseas expansion of the e-commerce platform. In 2017, he was appointed to the US, where he handled the reorganization of the US region corporate IT division and supervised the division over the following five years. In 2022, he returned to Japan and assumed the role of vice president of the global IT division at the corporation’s head office. In October of 2023, he joined Mercari as Chief Information Officer (CIO).

A CIO is indispensable to the long-term growth of Mercari

—Please start by telling us about your role and responsibilities, @ichihara.

@ichihara:As CISO, I work from Mercari’s Security & Privacy Division to supervise the security and privacy of all of the company’s activities.

The Security & Privacy Division is responsible for risk mitigation and governance for the information security, cybersecurity, and privacy of not only products like Mercari and Merpay, but our production, development, and enterprise environments, and every aspect of Mercari Group employees’ work.

Since joining the company in 2022, I’ve redefined the mission and vision for the Security & Privacy Division, established the CISO Office, reinforced countermeasures against fraud including the implementation of FIDO, formulated our security maturity assessment and roadmap, and worked on measures for managing software supply chain risk. Recently, I have been focused on the automation of various security operations.

—What were the reasons behind recruiting for the new position of CIO?

@ichihara:I believe it’s crucial to establish scalable operations that support Mercari’s long-term growth and to shift to a new enterprise architecture as a tech company aiming for the global stage.

Mercari celebrated its 10th anniversary in February of 2023, and the company now has over 2,000 members. We have expanded to the US and have a development base in India, as well. I feel that today we can be considered a large-scale cloud-native tech company in Japan that utilizes an incredibly large number of cloud services.

Reflecting on the time since the team was first established in 2013, we have handled tasks such as managing company computers, managing and resolving issues for the enterprise environment, preparing and maintaining VPN and VDI environments, and various other day-to-day operations. In order for us to move forward into the next phase, I believe it is crucial to have a leader who can guide the organization with a more strategic perspective and an effective roadmap. That’s why I decided to recruit a CIO.

—Why did you decide to join Mercari as CIO, @hiroshin?

@hiroshin:At my former workplace, Rakuten, I was appointed to the US in 2017 where I led the corporate IT division for the US region. After returning to Japan in 2022, I worked from the Japan head office and managed global corporate IT for just under a year and a half. At Rakuten, corporate IT has been globalized, and the global strategy and operations are already quite mature. While it was incredibly fulfilling to be able to play a role in managing it, I gradually developed the desire to build such an organization from the ground up.

Mercari is currently shifting into a new phase in order to prepare for its growth into a global enterprise, as symbolized by its transition to a company with three committees. I joined Mercari because I feel that this environment will allow me to take on the challenge I’ve been looking for, and that my experience will be able to help Mercari grow, as well.

I think Mercari’s corporate engineering is more advanced than the average enterprise in terms of its communication and application systems. For instance, many processes have been integrated and automated using ServiceNow, Workato, and other application platforms, and various tasks can be completed right within Slack, one of the company’s communication tools. However, there is still room for improvement and challenges that need to be resolved around IT service management, IT infrastructure, and system and data integration if we are to grow into enterprise-class IT. The organization has also not yet globalized, and I feel that this is exactly the environment and challenge I’ve been looking for.

Enhancing collaboration between the Security & Privacy and Corporate Engineering Teams to ensure both business results and security


—How are tasks divided between the Security & Privacy Team and the IT division of the Corporate Engineering Team?

@ichihara:Traditionally, companies tend to have an information security team within the IT department, but at Mercari, the Security & Privacy Team that I am a part of oversees virtually all enterprise and task-related security and privacy across the entire group and for all of our products. For that reason, we are able to handle many tasks that are separate from Corporate Engineering, collaborating on projects with product and engineering teams, sharing common OKRs, and communicating closely on a daily basis.

The Corporate Engineering Team, on the other hand, handles a portion of product-related tasks that are unrelated to security and various enterprise-related tasks and issues. From here on, I’m looking forward to seeing improvements and increased productivity brought about by the collaboration between the Security & Privacy and Corporate Engineering Teams. We plan to divide tasks so that the two teams work together on projects for which we share OKRs and work independently on the remainder of our projects and tasks.

—So, Mercari has separate teams for IT and security. What are your thoughts on this structure, @hiroshin?

@hiroshin:Many companies have separate IT and security divisions now, as the spread of the internet and advancement of digital technology has caused cyber threats to evolve and become increasingly advanced. Internet companies in particular often face cyber threats, so my understanding is that almost all of them have adopted this structure. Also, like Mercari, many companies appoint two separate roles—a CISO and a CIO, respectively—to lead their security and IT divisions.

The CIO is focused on achieving the company’s business objectives through information technology and is expected to improve efficiency and productivity, whereas the CISO is responsible for ensuring security and protecting the company’s information assets. The work of achieving business objectives often conflicts with maintaining security, so having an independent CISO role like Mercari does allows for the objective evaluation of security concerns. My understanding, in other words, is that this structure makes it possible to control risk more effectively.

However, collaboration and communication between the CIO and CISO are crucial as well. It is difficult to maintain a balance between business results and security without appropriate exchange of information and cooperation, which is why Mercari has built an organizational structure that focuses on collaboration between the Corporate Engineering and Security & Privacy Teams.

Pioneering the way with never-before-seen Security & Privacy and Enterprise IT


—In what ways specifically have we enhanced the collaboration between the Security & Privacy and Corporate Engineering Teams?

@hiroshin:Currently, the Corporate Engineering Team is working on upgrading the sophistication of our IT service infrastructure and operations. Many of these tasks relate to IT security and controls, making collaboration with the Security & Privacy Team exceedingly important. To set up and ensure this collaboration, the Security & Privacy and Corporate Engineering Teams have established common OKRs.

For quarter three of the 2024 financial year (January to March 2024), we have set common OKRs around the two areas of upgrading ID access management and improving endpoint management and security, and have been working on these projects together. Moving forward, I would like to continue setting relevant shared OKRs each quarter that will ensure solid progress toward achieving more sophisticated IT security and IT controls.

@ichihara:We are looking to upgrade various areas over the long term, but one of the initiatives we have started this year is the use of AI and LLM for business tasks. The extent to which today’s generative AI can help with business operations is, of course, still limited.

However, I believe there is much untapped potential and value in incorporating AI and LLM into tasks we’ve done without AI until now, such as half-automated operations and tasks digitized with low-code and no-code solutions. We are working on a project to do so with a mixed team of AI professionals within the company and members of the Security & Privacy and Corporate Engineering Teams, including both Japanese and English speakers.

—Please share your future visions for each team.

@ichihara:Mercari celebrated its 11th anniversary on February 1, 2024, and now has its sights set on global expansion and even greater growth. Security and IT should not slow the company down and conversely must become pillars that support smooth and scalable growth for the company and for business.

For instance, through bold overhauls and repeated trial and error, I would like to replace industry standards, processes, and documentation-based tasks that haven’t changed in over 20 years with full automation and digitization, allowing us to visualize risk, cost, and governance with higher precision. With this kind of innovation, we will create a completely new form of Security & Privacy and Enterprise IT and become pioneers in this realm.

@hiroshin:In the first three months after I joined the company last October, I held many discussions with the members of the Corporate Engineering Team regarding the team’s mission and roadmap for the next three years, and we decided on our new team mission: to unleash Mercari’s potential through technology and implementation.

Last year Mercari updated its group mission, aiming to “circulate all forms of value to unleash the potential in all people.” I would like our team to provide strong and reliable support toward achieving this new mission. In line with the group mission, the Corporate Engineering Team’s job, then, should be to commit to unleashing the potential in Mercari’s members, business, organization, and management. That’s why we decided to make unleashing Mercari’s potential the core of our mission. Next, when considering our core competencies that contribute toward unleashing Mercari’s potential, I believe we should leverage technology. We should serve as an organization that utilizes technology to provide solutions to the challenges that members and management face. However, technology alone is not enough to maximize Mercari’s potential. The ability to act and implement is just as important.

The basic plans in our roadmap are to upgrade our IT service infrastructure and operations, our application infrastructure and corporate systems, and our organization and its operations within the next three years.

First, in regard to upgrading our IT service infrastructure and operations, I believe it is the Corporate Engineering Team’s responsibility to contribute to the growth of our businesses by providing an environment in which all of Mercari’s members can focus on their work with peace of mind. To achieve this, it is necessary to close the gap between the current state of our IT service management and infrastructure and the ideal state we are aiming for. Furthermore, as Mercari achieves greater business growth, the importance of IT controls grows, as well. That’s why it’s also necessary to raise the composite maturity of our IT service management, covering people, processes, and technology. We have incorporated initiatives toward achieving this into our OKRs and begun making progress on them from this January.

Next, in terms of upgrading application infrastructure and corporate systems, Mercari has implemented systems suitable for enterprises in recent years, but integration between those systems has not been optimized. We have addressed this in our roadmap and plan to work toward optimizing integration. Another issue is that the data accumulated in each of these systems is not being utilized to its full potential. We also plan to develop data infrastructure in order to create a corporate system that encourages data-driven management and democratization of data within the company. We will start with discussions around architecture focusing mainly on the integration of HR data. Furthermore, we have incorporated the use of AI and LLM for internal tasks as an important theme in our OKRs this quarter and are progressing on this front as well.

Finally, to increase the sophistication of our organization and organizational operations, I believe we need to streamline the complete process from strategic planning to execution. This will allow us to determine priority appropriately and quickly, and to optimize our allocation of resources. In the short term, we plan to work on refining project planning and management, as well as budget planning and cost management. In addition, we will also work on measures to prepare for the organization’s globalization, building the foundations for an IT organization that can become a global benchmark in the next three years.

We are looking for members who can Go Bold to solve problems not in any manual!


—Finally, please share a message for our potential future members.

@ichihara:At Mercari, we highly value the ability to Go Bold and take on challenges without fear of failure. In the fields of cloud-native security and enterprise IT that Mercari deals with, there still exist many challenges and issues that have never been documented in any manual. Tackling these challenges and creating a new era for security and enterprise IT will require the strength and flexibility to destroy existing frameworks and update ourselves and the way we think. I look forward to working with new members who will enjoy tackling such challenges with us.

@hiroshin:Our long-term goal is to become an IT organization that is benchmarked globally as a model for corporate engineering. We are currently taking our very first steps toward this goal. This long-term process will involve much change, but if you are someone who enjoys such an environment and it brings you excitement to work on such projects and tasks every day, I would love to have you on the team. I’m looking forward to meeting members who will join us on the journey to carving out a new future!
