Special Feature: Engineers
WORK&PERSON Masanori Kusunoki

Catalyst for joining Yahoo Japan Corporation was the Great East Japan Earthquake; now working on formulating privacy and security rules

Masanori Kusunoki

CISO-Board
Policy Planning Division, Corporate Management Group

Privacy/Security

Joined in 2012. Black belt (privacy/security)*
Did IT and internet-related work in college. Came to Yahoo Japan Corporation via the Internet Research Institute, Inc. and Microsoft (now Microsoft Japan Co., Ltd.). Working on ID, privacy and security. Also wears many hats outside of work: advisor to government CIO; ad hoc member of the Industrial Structure Council, Ministry of Economy, Trade and Industry; OpenID Foundation Japan board member; part-time lecturer at Tokyo University graduate school.

Formulating and implementing rules for security and privacy

I was very impressed by Yahoo! JAPAN's response to the Great East Japan Earthquake of March 11, 2011. The response was swift and the information was presented well. This was a big motivator for me when I joined Yahoo Japan Corporation in 2012.

For the first two years after I joined I was in the department in charge of Yahoo! JAPAN ID. Now I'm in the Policy Planning Division, working on formulating privacy policy, which is the basic policy for handling customers' personal data, and at the same time I oversee the in-house mechanisms for implementing that basic policy.

One of my other roles as part of the CISO-Board is to develop security strategy. The CISO-Board is a cross-cutting team under the CISO (Chief Information Security Officer) that's responsible for implementing information security measures.

Whether for security or privacy, the diversity of the team is important. If we talk about security, Yahoo! JAPAN has people who know a lot about network infrastructure, but there are also people who are good at coding and middleware, and database experts. The CISO-Board is a team made up of people with a big variety of specializations.

In the context of making rules for privacy and security, what we really have to think about is how to minimize the effect in the workplace. Once a rule is made it takes on a life of its own. If we simply add something new on top of an old rule without thinking too deeply about it, the rules just get heavier and heavier. Making a rule that can't be kept leads to higher risk.

A variety of perspectives are required in dealing with privacy issues

When working on privacy policy, multiple perspectives are required. There are no problems that are purely business problems or purely technology problems. For example, to protect individual data, should we make it so that information linked to the individual is never used? But the problem isn't that simple. It's not only important to protect the information; in some cases the question of how to use it is more important.

Let me give a personal example. To attend an overseas symposium, I reserve a hotel online, but then when I'm browsing the web, I get ads for other hotels in that area in spite of the fact that I've already made a reservation. This is called behavioral targeting advertising.
I think that some people are probably worried by this kind of advertising. If we analyse the reasons, we find two main ones. Some are concerned that the fact that they searched for a place to stay in that area is known. Others don’t appreciate the continued appearance of ads for hotels even though they've already made their reservation.

For the former, these days the possibility to opt out is generally offered, but a lot of users don't find their way to the relevant settings page unless they understand how that kind of advertising works. For the latter, it might be better if the information that the user has already made the reservation is appropriately distributed, and used to change the advertising accordingly. Here, if we just make an across-the-board rule that "the individual's shopping history is secret information so should not be used," there won't be any improvement in the service.

How do we assess all these different impacts on privacy? We need people who understand the thinking and systems in each country, and who also understand the flow of information in the in-house system, the processing capability required, and so on. In that sense as well, I think it's a good thing that Yahoo! JAPAN has a team that is rich in diversity.

Combining roles by having fun with them

Besides my job at Yahoo! JAPAN, I have several other roles, including advisor to the government CIO and university lecturer. From my point of view, these external activities and my role in the company are linked, and often overlap. The external activities are useful in alerting me to developments that could affect Yahoo! JAPAN.

I think the trick to combining a multiplicity of roles is to somehow have fun with them. If I have a dilemma, or am confronted with some difficulty, I try to take a step back and look at things from a higher perspective, or find a different viewpoint. I also think it's important to have as many opportunities as possible to be with enthusiastic people who are totally engrossed in something. I get energy from other people.

In the area of security, we can see where we're going with the "set sequence" for protecting the company's data from cyberattacks and internal crime. But a part remains which a lot of organizations haven't even touched yet, and that is data links between different organizations. For example, how can data be safely exchanged among group companies, or to partner companies, and how will it be utilized? To give a familiar example, it's not uncommon, even if access is tightly controlled within an organization, for information to be attached to an e-mail and sent outside the organization. From that moment on, it becomes wide open to being taken and forwarded anywhere. Not only can access not be controlled, but it can become a vector for targeted attacks and ransomware. I'd like to get rid of e-mail attachments as soon as possible! One possibility for that is blockchain technology, although we still don’t know if it is general-purpose enough. But I think the blockchain mechanism is very interesting, since it’s designed with all of its data out in the open instead of in the deep silos of individual systems.

The importance of ID, security and privacy will grow even more for systems that connect organizations. I get the feeling that there's still a lot to be done in the 10 years to come.

*Black belt: A system whereby the company supports the activities, both internal and external, of employees who exhibit outstanding talent in a certain area, designating them as black belts.
※ Information current as of August 2016.
