Exploring Japanese Cybersecurity with SMBC CyberFront CEO Yasunori Aoki Sprinting from new grad to CEO in 11 years, what’s his vision for the future?

After SMBC sent me to Carnegie Mellon University over in the United States to earn a Master’s in Cybersecurity, I spent four years in our Cybersecurity Management Department working primarily on improving Group security measures and planning a Groupwide security strategy.

On a personal level, I also serve as an examiner for the Information Technology Engineers Examination and the Registered Information Security Specialist Examination run by the Information-technology Promotion Agency, but while I believe in social contribution and addressing societal challenges, I felt that there’s a limit to what one person can do.

After contributing to SMBC Group cybersecurity for the four years after Carnegie Mellon, I felt that I wanted to make more use of my expertise. When the CEO opportunity came up, I saw it as a way to leverage my knowledge and skills further to support our customers’ cybersecurity measures and, by extension, lift the level of Japan’s cybersecurity industry.

I joined SMBC in 2014 straight out of university. After time in our Sannomiya branch and then the Corporate Business Office in Kobe, I was transferred to the IT Planning Department in Tokyo, where I worked on system failure management for four years.

When I first joined SMBC, I wasn’t interested in systems-related work-I had my sights set on corporate sales or becoming a stock and foreign exchange dealer! It was only when a personnel transfer landed me in the IT Planning Department and my boss was describing the department’s work that I thought “Cybersecurity sounds intriguing-I want to try it.”

Even today, I remember my boss saying that SMBC Group too could be targeted by cyberattacks, and asking me to help protect them.

Yes, I was sent there as part of SMBC Group’s drive to train up inhouse cybersecurity experts.

Most of Carnegie Mellon’s graduates go on to work for GAFA (Google, Apple, Facebook, Amazon), so, unsurprisingly, the curriculum was very advanced. When I first applied, I was actually rejected because the university felt my IT skills and English proficiency weren’t up to par and that I wouldn’t be able to keep up with the classes.

I contacted the professors directly to put in a plug for my skills and my English and managed to get a conditional offer. The deal was that to be officially accepted, I had to complete six months of online classes and achieve a certain average grade across all my subjects. If I hadn’t pulled that off, I wouldn’t be where I am today.

Two things-first, that the professors were corporate cybersecurity officers or involved in national cyber protection. US cybersecurity education is set up so that you learn from people who really know the frontlines of the various industries.

The second was American students’ intense focus on grades and test scores. In the States, your school performance is directly tied to your job prospects. In addition to interviews, another path to a job offer is performing well as an intern, so everyone does their best to shine. Students are also serious about classes, and no one slacks off. After grad school in Japan, that was a real culture shock.

The coursework was so demanding that I had to pull an all-nighter at least once a week, but being able to gain a structured, systematic understanding of cybersecurity was amazing. Because the instructors are all US frontline operators, they passed on not just theoretical knowledge but also practical skills. For example, in exams, we would actually attack devices with vulnerabilities, earning points if our attacks succeeded. Going through that exam experience several times helped me to understand the perspective of both the attacker and the defender.

Where almost no universities or grad schools in Japan offer systematic and specialized knowledge to train a cybersecurity expert, the US and Europe have dedicated cybersecurity departments. This shows how far Japan has to go in developing cybersecurity education, and it’s one of the reasons why our pool of cybersecurity professionals isn’t growing.

I never expected to be appointed to such a responsible position so early on. I’m truly grateful for the rare chance that SMBC gave me to study at a US grad school and gain cybersecurity expertise, and it’s incredible to now be in a role where I can bring every ounce of that expertise into play.

So far I’ve honed my skills alongside inhouse colleagues, but going forward, I think the key will be building good relationships outside the company. Cybersecurity can’t be handled by one company alone. I want to work with other cybersecurity service providers to strengthen the security of Japan as a whole.

Historically, Japan was protected from a lot of cybersecurity attacks by the language-foreign attackers couldn’t decipher Japanese, so there was no merit in attacking Japanese businesses. But now, advances in machine translation have made Japan much easier to attack. Today, any Japanese company is a potential target, with businesses operating not just in critical infrastructure but a whole range of industries suffering damage from cyberattacks.

Creating services from scratch is incredibly hard. Most of the subsidiaries set up within SMBC Group to date have built on the services of a co-creator partner company, but that is not the case with us. Conversely, though, we do have a huge amount of freedom to customize our services, and I think that being able to adjust our services at speed to suit customer needs is a real strength.

Cyberattacks are a constant cat and mouse game between attackers and defenders. As soon as defenses are developed to deal with a new attack, more attacks appear to beat those defenses, so more defenses have to be developed, and so on. So rather than just offering the same old solutions, services need to evolve with the threats-which is where our advisory service comes in.

It entails meeting regularly with the customer, senior executives included, to plan and develop concrete cybersecurity measures together, using tools like ASM (Attack Surface Management) to identify their specific security vulnerabilities. We also help design one- to three-year security plans and provide unlimited email-based consultation. Short-term consulting can leave companies vulnerable to new attacks once the contract ends, but through our long-term customer support we aim to build internal systems that can ultimately function independently of us. That’s the SMBC CyberFront mission.

Our strength lies in direct engagement with senior executives, which arises from the networks SMBC Group has built through corporate sales. We don’t just speak with system administrators-we help executives understand the importance of cybersecurity and then propose appropriate measures. We’re initially designing services for small and medium-sized businesses, but in the future we plan to expand into services for corporate majors and groupwide cybersecurity management services.

The name SMBC CyberFront was chosen with the idea of serving as the equivalent of a hotel front desk, where customers can come to us with any kind of cybersecurity concern. We know that we can’t do everything on our own, so we’ll join forces with our competitors toward the common goal of enhancing Japan’s cybersecurity.