CSO Conversations: Keiko Itakura, Regional CSO of Japan

Keiko Itakura

CSO Conversations is a blog series interviewing Okta’s Regional CSOs, who support David Bradbury, Okta’s Chief Security Officer, in providing the best service for our customers. Okta’s Regional CSOs are integral to Okta’s Security Trust and Culture team, building and strengthening trusted advisor relationships with global security thought leadership.

What motivated your career pursuit in cybersecurity at Okta?

Logging in is the first step in a threat scenario, and identity represents the person themselves. In one survey, it was found that over 80% of security incidents were related to identity credentials. Okta is used by many customers in Japan, and the greatest reward of pursuing a career at Okta is that by securing Okta, we contribute to protecting the businesses of our many customers.

How has your previous experience shaped your approach to cybersecurity today?

I have worked in the identity security field in a variety of positions, not only as a product vendor, but also as a security officer at a user company, as a consultant at a partner company, and as an engineer at a system integrator. Attackers may attempt to exploit gaps in normal processes, such as emergency recovery processes or exception processes for executives. My real-world experience in a variety of roles has helped me to think realistically about which business processes are vulnerable and what countermeasures can be taken.

Are there any existing or emerging threats of particular interest to you?

I continue to be concerned about phishing attacks. As I mentioned earlier, there are many incidents related to credentials, and phishing using email and SMS is still being used as a way to steal credentials. And, with the development of AI technology, it is becoming more difficult for humans to detect. In addition to system-based measures such as passwordless authentication and DMARC, it is necessary to take a wide range of measures, including user education and reviewing business processes.

Recently, I have also been paying more attention to cyber attacks resulting from geopolitical risks, such as the MirrorFace cyber attack. This year, the Osaka-Kansai Japan Expo 2025 will be held, and such international events increase the risk of being targeted by cyber attacks, so I am also vigilant about threats related to this.

From your perspective, what is the impact of cybersecurity awareness in today’s organizations?

No matter how much you invest in system protection, if the security culture is weak, there will be risk. Of course education and training are important, but it is also important to have a system for evaluating security awareness. In addition, security is often neglected because of concerns that it could put the brakes on business speed. It is necessary for the management team themselves to place importance on security and to propagate it as a corporate culture.

As the methods used in phishing and social engineering become more and more sophisticated, it will also be important to create a relationship where people feel psychologically safe to report any suspicions they may have.

What are your thoughts on automated intelligence, or AI, in cybersecurity?

The democratization of AI technology has lowered the cost of carrying out attacks. It is becoming increasingly difficult to visually determine whether something is fake, such as advanced deepfakes. I believe that defenders also need to use AI technology to create a system that can detect and repair attacks automatically and in a timely manner while implementing multilayered defence.

What trends are you seeing in cybersecurity relating to your region?

Japan has a distinctive organizational structure, way of working and underlying way of thinking, and this gives rise to issues and responses that are specific to Japan.

For example, Japan's traditional employment system is known as the ‘membership type’, and rather than honing specific expertise, employees are expected to take on a variety of tasks based on the premise of lifetime employment. In other words, they are committed to the company itself. For this reason, in many cases, security expertise is heavily dependent on external resources such as SIers.

However, in light of the growing importance of security in recent years, there has been an increase in the number of cases where companies are hiring external security experts as full-time employees. As a result of global business expansion and management integration, many companies are now faced with the common challenge of determining what organizational structure and mechanisms they should use to ensure security across the entire supply chain and implement governance across the entire corporate group, while also having to collaborate with members not only in Japan but also overseas.

Additionally, identity verification using Individual Number cards is becoming increasingly common and is a topic unique to Japan that has been gaining discussion in recent years.

What is the most significant change you’ve seen in the cybersecurity industry in your career to date?

The concept of Zero Trust has emerged. I think that the emphasis on implicit relationships of trust is also a characteristic of Japan. With the diversification of working styles and the globalization of business, and with reports of actual damage, the idea that attacks are inevitable has gradually become more widespread, and I think it is now gaining considerable support. Many companies have yet to fully consider measures against internal crime, but I think that taking measures will also protect employees, so I would like to focus on this.

How do you employ Okta’s corporate values in your day-to-day?

In Japan, Okta products are delivered via partners, so I consider that our customers include both end users and partners, and I “Love our customers.”

I feel rewarded by the fact that I can build trusting relationships and communicate with various customer CISOs etc., with the responsibility of being the only Japanese person on Okta’s security team. My biggest mission is to properly understand what issues Japanese customers have, and to reflect this in the activities of the global security team.

Oktane24 brought numerous exciting announcements, which are you most looking forward to?

I’m looking forward to IPSIE, the Interoperability Profiling for Secure Identity in the Enterprise. Improving industry standards is one of the pillars of the Okta Secure Identity Commitment (OSIC). By promoting standards together with various technology companies, I hope that not only Okta but the entire industry will become a safer society.

If you could provide a few short cybersecurity words of wisdom to Okta customers, what would they be?

I feel it is a shame not to leverage higher assurance options that can be used without requiring much additional cost or effort. For example, since you are already using Okta, I recommend that you make the most of the options that can enhance security, such as FastPass and the migration from Okta Classic to the Okta Identity Engine, or OIE.

Keiko was recently interviewed by ScanNetSecurity on why she joined Okta as Japan’s Regional CSO and her mindset to fulfill her mission. She was also featured by EnterpriseZine for a profile piece on her career in Identity management and her vision for its future in the Japan region. Keiko also shared insights as a speaker at the 2024 FIDO Alliance Seoul Public Seminar, and at the Authenticate 2024 Conference.

Keiko Itakura
Regional CSO, Japan

Keiko Itakura supports Okta’s Japan region by providing customers and prospects with security program assurance and best practice advisories. Keiko brings approximately 20 years of experience in the Information Technology space including Microsoft Japan, IBM and the Rakuten Group, at various levels with a key focus on security and Identity management. Keiko’s downtime is often spent watching sports, driving or spending quality time with her dog.