Analysis on How CSIRTs are Organized in Japanese Large Companies

Speaker: Toshio Nawa

Computer Security Incident Response Teams (CSIRTs) can be set up within organizations in a variety of ways depending on their constituencies and the nature of the services that the teams provide. Yet according to the classic textbook approach, it is preferable to set up CSIRTs directly below the management level in the organization and endow the teams with the authority they need to carry out their responsibilities. Indeed, this arrangement may be the optimum solution for many American companies. However, the way Japanese companies are organized and governed, particularly Japanese large corporations, is very different from the U.S., so setting up CSIRTs in the classic textbook manner is not only very difficult but may not even be appropriate. In light of these cross-cultural differences, a number of large Japanese firms have established and are now operating CSIRTs that are tailored to their own unique organizational and governance requirements, and performance results for these teams are now starting to become available. This paper describes (1) the results of a survey of some successful implementations of CSIRTs in large Japanese firms, (2) analyses of the reasons why these implementations have succeeded, and (3) suggestions about how CSIRTs can be set up to meet the unique organizational requirements of large Japanese firms. The organizational principles uncovered here are not confined to large Japanese companies, but are expected to be useful in setting up CSIRTs in other countries where companies are organized similarly to those in Japan.