PayPay Inside-Out People and Culture

Aiming to Be the Safest and Leading Fintech Company: CISO Interview


PayPay Leader Interview is a series of interviews with PayPay’s top executives that offers a glimpse into their personalities and perspectives. In this issue, we sat down with Makoto Kato, Division Head of the Risk & Security Division.

Makoto Kato

Head of the Risk & Security Division, Legal & Risk Group

After working at a systems integrator, I joined Yahoo! JAPAN as an engineer in 2006. I first served as the head of the system development department for payment-related services, then in 2016, I moved to YJFX! (currently GMO Gaika, Inc.) and held the positions of CISO and Corporate Officer in charge of information security and risk. I became PayPay Corporation’s CISO in July 2018. I am a father of three.

Ensure the security of the service that is a payment infrastructure

Please tell us about your journey leading up to joining PayPay.

After overseeing the system development for payment-related projects during my time at Yahoo! JAPAN, I got involved in the launch of a QR code payment service (Yahoo! Money). Later, as I gained more experience as CISO of YJFX!, I strongly felt the importance of security in the financial industry, during which I participated in the launch of PayPay.

This is not just limited to the financial industry, but a single instance of information leakage or similar mishap can have a significant impact on a business, so handling information brings with it a heavy responsibility. Ensuring safety continuously and managing and improving on the detection of potential risks is not easy, but I find this job rewarding.

What is the role of the Risk & Security Division?

We handle two main areas: information security and general risk management. Our mission is to accurately understand the impact of risks, take preventive measures to avoid crises, and reduce risks. Particularly in cases where large-scale data breaches or system failures occur, these can severely impact our business continuity, so preventing these is our top priority.

How do the CISO and CIO work together?

CIO stands for “Chief Information Officer.” The CIO is not just responsible for information security measures but also plans, constructs, operates, and manages the entire company system, playing a role in the first line of the three-line defense model.

The CISO is the chief person responsible for information security, standing in the second line of the three-line model, with roles in risk mitigation and monitoring. Although there are overlapping areas between the two, we closely collaborate to design the security requirements of each system, and then build a system based on that. Even after the system is completed, continuous monitoring from the perspective of information security is conducted by our second-line departments.

Preparing for more diversified risks

How has the organization of the Risk & Security Division changed since its inception?

As a fintech service with over 58 million users, PayPay has strengthened its security, AML (anti-money laundering) measures, anti-fraud measures, privacy management, data governance, and other aspects as the business has grown. We have welcomed experienced members, expanded our organization, and are now in a position to compare favorably with other companies in our field.

We are also planning further service developments in the future, including services that take care of users’ salaries, such as digital payroll. As our business expands, the risks diversify and the responsibilities of our second-line departments become even more significant. Our goal is to enhance and level up our preparedness, keeping up with PayPay’s pace.

What does the entire organization keep in mind to respond quickly to a changing environment?

To never be content with the status quo, and to continually evolve with an imaginative perspective toward risks. Malicious attackers are constantly evolving their tactics. If our measures stop at a certain point, we will become easy targets. Rather than thinking, “It’s been okay so far, so it’ll be okay,” we operate under the premise that we never know what will happen, always preparing so that we’re ready even if something happens tomorrow.

However, preparing for every contingency would be enormously costly, so balancing risk management and cost is crucial. This eye for striking the perfect balance is the most crucial skill of PayPay’s second-line department.

What are the challenges you’re currently facing?

Balancing a sense of urgency with strengthening risk management. Typically, in financial institutions, new plans or projects take time for planning, approval, budgeting, and then sending orders to external vendors, but PayPay was able to increase speed and efficiency through in-house production by talented engineers hired from around the world.

However, as services diversify and the organization grows post-inception, maintaining speed and staying innovative has become more challenging than before. As the number of users grows, we become a more attractive target for attackers, so we want to strengthen control without losing our pace.

Growth can be achieved through challenging situations

As the leader of the Risk & Security Division, what do you emphasize in your members’ growth?

I prioritize keeping a good balance between delegating tasks to members and personally taking action. Over-intervening might deprive team members of growth opportunities, but swift and accurate decision-making is essential for critical matters, so I am conscious of making decisions based on the situation and maintaining an appropriate balance.

I also believe that difficult situations offer unique experiences and opportunities for growth. Personally, since the establishment of PayPay, I’ve had more challenging experiences than ever (laughs). However, I believe that the word “challenging” implies not just negativity but also “significant change.” I think each team member grows by overcoming their respective challenges. While new challenges may arise after overcoming one, I believe further growth awaits those who clear the challenges at hand.

Where does your motivation come from?

Undergoing challenges at PayPay and growing together with the expansion of the service. I thought things might stabilize a few years after the service was launched, but we haven’t quite reached that point yet (laughs). There are in fact still new initiatives and big goals. For a recent example, due to PayPay Card becoming a wholly owned subsidiary of PayPay, we must also consider strengthening group governance. I believe these new initiatives are challenging, but also rewarding.

What would you like to accomplish or try in the future?

To be recognized both as Japan’s safest and leading fintech company. We are grateful that many people use our service, but with that comes increased risk from potential attackers. We aim to safely manage the information entrusted to us, avoid major problems like system failures, and keep doing that to build a reputation as a reliable and safe brand.

Do you have a message for potential candidates?

Since its inception, PayPay has experienced numerous challenges and growth. As we expand our services, continuous change and evolution are essential. If you’re eager to grow and enjoy change, I believe it’s an environment where you can thrive. Together, let’s aim to make PayPay the top fintech company.


*Recruitment status and employee affiliations are correct at the time of the interview.