
Defending to Pioneer Vol. 2, Information Security

Keiko

01/17/2022

About the Defending to Pioneer Series

The Legal & Risk Management Division protects PayPay, its users, and merchants from a variety of threats and risks, including cyberattacks and fraud.
Although it is true that the division protects against threats directed at PayPay, it is also a group of specialists who work together to enable the company and employees to assertively move forward into uncharted territory. In this series, we will ask the heads of respective departments to explain their thoughts on the all-encompassing protection against risks, to keep PayPay the undisputed no. 1 in the industry. This second installment features CISO Kato, the head of information security. He discusses the security measures of PayPay, which is constantly at the forefront of the industry.

Makoto Kato, CISO (Chief Information Security Officer). After working as a system integrator (SI), he joined Yahoo! JAPAN as an engineer in 2006. Then, after his post as head of system development for payment-related services, he became the CISO and corporate officer in charge of information security and risk at YJFX! (currently Gaika ex by GMO).
He became PayPay Corporation’s CISO in July 2018.
He is a father of three.

Protective Measures to Run an Assertive Business

Please tell us about the areas of the protective framework you handle.
As shown in the chart above, my area of responsibility includes all operations related to information security. The company has grown steadily since its inception and now has no shortage of security measures in place.
What are your “offense” tactics, even though you are a defensive division?

The PayPay app is constantly adding new features and evolving. That’s why we believe that periodic security diagnoses by external security vendors are insufficient. As a countermeasure, we established a system in which our in-house red team specializes in vulnerability assessment and penetration testing.
Unfortunately, there will always be threats from malicious attackers and organizations. To prevent the theft of important information via unexpected attacks, we analyze attack procedures that combine various methods in cooperation with the SOC, the CSIRT, and the product teams that do system development. We take proactive measures, such as constantly conducting analyses of simulated attacks on all PayPay systems to assess their behavior.
There are few companies in Japan that have an internal unit dedicated to this type of attack resistance evaluation, and we believe it is a key feature of PayPay’s security organization.

What areas do you want to strengthen in the future?

I don’t want to just strengthen particular areas, but fortify security overall.

Thankfully, PayPay is used by many people and growing every day. That means that the amount of work and the range we need to protect are expanding proportionally. We have grown into a company that handles the information of over 44 million users. Due to this growth, our responsibilities are increasing too. We are striving to achieve a global top-level security framework. In order to do it, I think it is essential to improve the overall sophistication of our security. From the launch of our service to the present day, we managed to make overall security grow in sync, without strong bias toward any one area. This simultaneous growth is the strength of our current structure, and the impetus behind our steady progress toward our goals.

As a leader, what are some things you share with your team to be mindful of?

This is something I myself am mindful of, but PayPay is a young company that rolled out its service only three years ago. Security measures have evolved significantly since then, so we are conscious of not becoming satisfied with a certain level of improvement. Malicious attackers are constantly evolving their attack methods. If our measures stop at a certain point, we will become easy targets.
I tell my members to be aware of the need to evolve every day, and to not be satisfied by comparisons to our past selves and other companies.

Gathering the latest information is also essential in our work. Each member researches their own area of expertise, but I tell them that it is important to look into cases both in Japan and overseas. Recently, we are becoming quite a diverse organization, with folks coming from various backgrounds and nationalities. I think by taking advantage of this diversity, we can put into place more comprehensive security measures.

The People PayPay Seeks for Its Defense and Offense

What sort of person would you like to see join PayPay?

We want people who can enjoy changes and tackling new challenges. Even though the entire company is working to strengthen its framework, there are still many things left undone and multiple issues that need to be addressed. If you can enjoy such situations and grow with PayPay, you will fit in fine.
Moreover, I think communication skills are necessary, however banal a response that may be. Coming to PayPay means that you will work in a remote environment. Even if you are not talking face-to-face, you need to be able to communicate so that there are no misunderstandings, and you will also need to accurately understand other people’s intentions. When you receive inquiries in your daily work, the ability to explain difficult jargon and complicated matters so that people in other departments understand them is where your communication skills will be put to the test.

What skills are required in working with PayPay’s defensive framework?

I would say a sense of balance. PayPay is adding new services rapidly, and new things happen every day. There will be many things that do not conform to the existing rules, but if we simply say it is impossible because it does not line up with the rules, PayPay will stop growing. You will need to accurately grasp the facts, determine whether or not there are security risks, decide whether they are large or small, and never lose sight of the main security policy. Such qualities will be necessary.

In addition, PayPay’s security units have a variety of other tasks, including incident response (CSIRT), security monitoring, vulnerability assessment, penetration testing, establishing regulations and security rules, and internal security consultations. It’s not essential that you are experienced in all of the above, but if you have a field that you are the absolute best at, you will be able to play an active role. That is the kind of person we are looking for. We don’t require specific industry experience either. I hope that PayPay’s security team becomes a specialist group as a result of the diversity of specialists that join.

Of course, there are also generalist types who have some expertise in all areas. We have opportunities for both specialists and generalists here. Either way though, you will need to have good communication skills as a foundation.

A message to those interested in joining PayPay.

Although we are still midway, I believe we are making history. In the past, SoftBank launched the broadband service “Yahoo! BB,” which revolutionized the pricing and speed of the internet in Japan. That was an epoch-making event that people have been talking about ever since.
Likewise, we are now working to make our business a catalyst for a drastic change in the assumptions about finance in Japan, and to make it something that will be discussed for years, even decades, to come.

We are looking forward to meeting people who want to make history together with us.

See our currently available open positions here: Job Openings
Edited by: Keiko (PayPay Inside-Out Editor)
* Employees’ affiliations are those of the time of the interview.