The Professional Series brings you closer to the exceptional professionals working within the PayPay Group. This time, we had the opportunity to speak with Kohei Sakashita, the Senior Manager of the CSIRT Department at PayPay Card, about his team’s role, and the fulfilling nature of his work.
Kohei Sakashita
Senior Manager of CSIRT Department, Cybersecurity Division, PayPay Card
After starting his career in the information systems department, involved in system construction and management, he then specialized in IT security, later transitioning to the education industry focusing on cybersecurity. In 2023, he joined PayPay Card. He is currently the Senior Manager of the CSIRT Department.
Addressing New Security Challenges at PayPay Card
Could you tell us about your current role and mission?
I serve as the Senior Manager of the CSIRT Department at PayPay Card. Our mission is to build a security system of the highest caliber for a financial institution and to safeguard users from potential threats. Specifically, we focus on compliance with PCI DSS, an international security standard for credit cards, conduct vulnerability patrols to prevent incidents, and manage responses should any incidents occur.
Could you share your career journey?
Originally, I began my career in the information systems department, gaining experience in system development and operations. I was fortunate to handle firewalls internally and gradually specialize in the security domain. To further enhance my expertise in security, I switched to the education industry, where I specialized in cybersecurity.
I decided to consider a move to PayPay Card because I sensed that the company was in a growth phase and likely investing actively in the security sector. The impression I had of financial institutions was that they prioritize security, and joining the fast-paced PayPay Group felt like it could offer me new challenges in the security arena.
Did you feel any difference compared to your initial expectations after joining?
The pace was faster than I had anticipated. For instance, when a problem is identified, the time available for addressing it feels twice as quick compared to traditional approaches. Due to the emphasis on speed being a priority throughout the company, even the system personnel tasked with resolving issues act swiftly. In that sense, the company is successful in nurturing a culture where problems are rectified promptly.
Moreover, the company was proactive in investing in security. If we can demonstrate that our users can use credit cards with peace of mind, the implementation of new tools and equipment proceeds quickly. For instance, when I previously proposed the implementation of a new EDR, the immediate response was, “If we can expect stronger security, let’s go ahead,” illustrating an environment that allows for taking on new challenges.
Boldly Investing in Security Robustness to Protect Users
Could you tell us about any recent notable initiatives?
There was a task force aimed at enhancing security across departments. It was established to ensure the highest security standards for financial institutions within the PayPay Group and protect all users from any threats. I took a leading role right after joining, overseeing projects. We systematically organized current workflows, hardware, and cloud-based tools, scrutinizing existing vulnerabilities from a security perspective, and collaborated with the systems department to drive improvements.
For me, it was difficult to get a grasp of the current state at the inception of the task force. Just joining the company only recently, it was not clear which hardware was necessary for security investigations and what sort of resources we had on cloud platforms. Furthermore, deciding priorities and forming a consensus regarding “what to improve, to what extent, and by when” proved challenging.
I focused on explaining the necessity making improvements with concrete examples and evidence. Rather than simply quoting guidelines, I considered PayPay Card’s business context and emphasized a risk-based approach, citing past examples and potential risks in similar environments. At first, there were various objections, but driven by the conviction that I joined this company to transform PayPay Card’s security and protect users, I continued to advocate for change. As a result, I was able to foster a sense of unity with members who already held a user-first mindset, leading to the success of the task force.
What incidents are of the most concern presently?
Ransomware and attacks targeting contractors. These typically involve infiltrating an employee’s computer or remote access systems, compromising them from within. Consequently, attackers approach with the anticipation that there are numerous security measures in place, and they strategize to bypass those. Even a reputable security tool cannot detect advanced attacks if it is merely operated with default settings.
To address this, we simulating realistic attacks, identifying what may go undetected and customizing our security tools to enhance our detection capabilities.
What is fulfilling about engaging in security at PayPay Card?
The opportunity to actively engage in new security challenges. PayPay Card is a central player in the PayPay ecosystem, which boasts 69 million users (as of May 2025), and we face threats daily, both national and international. To counter ever-evolving sophisticated attacks, people—even at the executive level—consider security to be of crucial importance. This helps create an atmosphere that encourages taking on challenges to protect our users. Though I feel the pressure of safeguarding users, there is also a massive sense of fulfillment in supporting their daily lives.
Proactively Leading the 0 to 1 Security System Implementation
Could you elaborate on the CSIRT Department?
Our department currently comprises a dozen or so members, and it is notable that many of us, including myself, are relatively new to the company. With members from diverse backgrounds, it’s easy for us to express opinions regardless of position, and there’s an environment where we share whatever knowledge we have. For example, in discussions about allowing access from overseas, a member with a manufacturer background shared insights about preparing dedicated devices for overseas deployment at their previous company, broadening the scope required for consideration. The mutual sharing of insights among members creates an organization capable of addressing a variety of attacks from multiple perspectives.
What do you emphasize in communication to help team members to grow?
During regular one-on-one meetings, I tailor messages according to each member’s skill level. For younger members, I offer practical advice on time management and prioritization, while for the veterans, I focus more on supporting their personal growth through work. While giving them autonomy at work, I serve as a sounding board for any concerns and provide support in challenging situations. I continually reassure them, “I’ll shoulder the responsibility, so you maintain CSIRT’s initiative-taking posture.”
What experiences can you gain through work in the CSIRT Department?
In the current climate with diverse threats, particularly in the credit card industry which has a large user base, you can gain the experience of actively engaging in the construction of top-tier security while meeting stringent requirements. For example, going in-house with post-incident forensics is a security measure recommended by the Financial Services Agency, yet few companies actually do it. This is because it’s challenging to cultivate and secure talent with advanced skills essential for forensics, including a deep understanding of computers, memory analysis, and malicious program analysis.
However, because in-house processes allow for swifter responses than outsourcing, there’s a strong desire at PayPay Card, where we value speed, to take on this challenge. We are currently in the stage of building the operational flow from scratch, so anyone can actively engage in establishing a forensic system.
Ensuring Continuously Reliable Credit Card Usage
What are your future goals and vision?
I aim to lead PayPay Card’s security measures as part of CSIRT, continuously playing a role in ensuring that users can safely utilize our credit cards. However, because attack methods evolve daily, CSIRT needs to consistently innovate. Specifically, this entails building a red team actively assessing potential risks and pushing the frontline departments to promote in-house forensics, among others. Achieving this requires upskilling by all members, including myself, while learning from PayPay’s advanced security systems and knowledge, and acquiring necessary skills and resources.
Moreover, while complying with regulations set by various laws, we aim to continually improve efficiency. A major goal is to automate operations related to security, such as detecting suspicious activities on employee PCs and alerting users. If members passionate about operational improvements emerge, they will promptly be assigned projects.
Could you share a message to readers?
The diversity of attack patterns continues to grow, and there is no end to security measures. Even when new threats arise, we aim to remain an organization that embraces change with agility to protect our users through the establishment of cutting-edge security systems. What matters most is the ability to proactively explore optimal solutions in an environment without precedents or prescribed answers. To that end, we value the ability to craft original approaches. We look forward to applications if you have a forward-thinking mindset and are eager to grow as a security specialist.
*Job openings and employee affiliations are current as of the time of the interview.