William Saito’s Guide to a Cyber-Crisis


Tech in today’s world is ubiquitous. It’s difficult to work in some fields without the help of the internet. And in others, it’s impossible. What used to be a tool for academics and scientists has been democratized as the information hub of the common man. This wide scale reliance on technology has revolutionized the way we think about being connected and what it means for our individual online identities. This means the need for cybersecurity has grown tenfold, making it an integral part of how we think about using the internet.

Cybersecurity is a broad term for data protection that can range from daily monetary transactions to large scale, multi-billion dollar purchases. Protecting this information means ensuring privacy, authentication, integrity and availability of data. This global takeover of the internet makes cybersecurity essential not just to protect personal information but to understand the entrenchment of technology in our everyday lives.

Technology is Everywhere

That’s something William Saito recognized early on and has been working to address through his leadership in cybersecurity around the world. Saito has become one of the world’s foremost experts on cybersecurity, writing extensively about how companies and individual can protect themselves from cyber-attacks.

William Saito’s interest in programming started when he was young, which he turned into his own company in high school. He quickly became one of the world’s experts in cybersecurity, gaining recognition from Ernst & Young, NASDAQ and USA and becoming one of the “100 Most Influential People for Japan.” He is a Foundation Board Member at the World Economic Forum and acts as Special Advisor of the Cabinet Office and Prime Minister for the Government of Japan. He was also the former Vice Chairman for Palo Alto Networks Japan.

“Today, the web is changing faster than ever before: wirelessly connected to a vast, invisible network, the number of Internet-enabled mobile phones in the world is roughly the same as the total global population. Already, cars and televisions are being manufactured with inbuilt Internet capabilities, and in the coming year we will see a plethora of “smart” refrigerators, toasters, heaters and air conditioners. In a very short time there may be more appliances online than computers,” William Saito said in his article for the Huffington Post.

William Saito’s work spans continents as a venture capitalist, author and strategic advisor to private companies like Japan airlines and top advisor to Japanese Prime Minister Shinzo Abe. He has built protection mechanisms from the ground up, helping individuals, companies, and governments find holes in their systems and address those shortcomings early on.

That’s no easy feat in a technological environment that expanded at a breakneck speed, becoming a daily necessity in just a few decades. Our culture relies on technology and William Saito said that means there are inevitably going to be major issues down the line that we aren’t able to see in technology’s golden years.

“The problem is not in expanding the scope of the basic technology itself, but in doing so haphazardly. My concern is that although security is the key enabling technology of the last two decades of Internet growth, its vital role is still not recognized, and so it is not being designed into products and systems from the ground up. Security is being added on carelessly, an afterthought rather than a design priority. This is not merely poor planning; it is a recipe for disaster,” he added.

Saito’s solution to address this problem is cultivate greater awareness at every level. He said that doesn’t mean paranoia about cyber-attacks, but realistic understanding about risks without disconnecting from the internet.

Thinking in Crisis Mode Before the Crisis

In numerous articles written for Forbes, William Saito talks about what incidents like Y2K, 9/11 and Fukushima taught him about what cybersecurity really means. Saito worked as chief technology officer for the Fukushima Nuclear Accident Independent Investigation Commission. which reported to the country’s national legislature. This job allowed him to see how the small errors that eventually lead to a major disaster, and made him think about what could have been done differently.

For Saito, it’s all about perspective and zooming out to look at problems within the bigger picture. “One moral of this story is that it’s possible to do security on the cheap without sacrificing usability. But implementing IT security is not enough. It misses the critical component of risk management. Real security lies in maximizing our field of view and expanding our thinking,” William Saito told Forbes.

That’s become a large part of how Saito looks at any security challenge by parsing out the minor mismanagement that could spell disaster down the line. His work now is figuring out how to safeguard companies and individuals from these risks to stop the same thing from happening in the future.

William Saito Says Don’t Blame the Victim

Managing in crisis mode also helped William Saito adapt a risk-aware attitude that can help individuals, companies and governments be better protected even if a crisis does not occur. Saito said this also means not blaming the victim in cyberattacks but learning out to act quickly and address the issue at hand.

Because the cyber world is so interconnected, it’s not always clear who is responsible for security breaches and who is at fault. By blaming the victims of a cyberattack, William Saito said we are more likely to miss things that could have been prevented.

“Basically, “blame the victim” and finding the “bad guy” inside the company does not do any good and only fosters a mentality of “pretend it doesn’t exist,” especially in a layered bureaucracy,” Saito wrote.

“Pointing the finger at the perceived weakest links in the chain of the organization can encourage them to hide breaches, or try to fix things themselves. This kind of suppression of information and awareness can be devastating for cybersecurity,” Saito said.

Read related: Microsoft Says Hackers Tried to Mess with US- Based Political Think Tanks

William Saito provides insight into government protections against cyber-attacksLarge scale hacks like what happened to Sony Pictures in 2014 caused head executives to lose their jobs and created fissures within the company about who was to blame. Other major, public hacks like the personal email leaks of Former White House Chief of Staff John Podesta and Presidential Candidate Hillary Clinton created sharp divisions in the Democratic Party. The hacking of the RNC finance chairman also created issues for the Republican Party.

These events create a tendency for those hurt in the process to look for a place to put their blame. But William Saito said this is missing the point in many circumstances by not addressing the systemic problems that will ultimately inflict this kind of harm in politics, business and personal lives. A large part of the problem for Saito is complacency. Many people think that they are immune to these kinds of security risks. But by focusing on who’s to blame, they miss the signs.

“What I realized was that all these catastrophes had one factor in common: all came with tell-tale signs. Managers had tried to achieve a false level of “perfection,” and in the process losing valuable time and a thorough grasp of the big picture. In each case, the relevant engineers saw the potential for problems and warned their superiors, who in turn dismissed warnings due to normalcy bias,” William Saito wrote in Forbes.

“Today, data has more value than physical objects and crosses not only corporate lines but sovereignty. That means we need a new mentality of reporting incidents quickly, and without blame. If a stranger without a badge wanders into a company, it will provoke a response from today’s workers. Similarly, suspicious data has telltale signs that we need to report immediately — it’s better to be better safe than sorry,” he added.

Avoid Normalcy Bias

EU is a great trading partner for Japan: William Saito

In town for Interpol World 2017, William Saito, special adviser to Japan’s cabinet, talks about the Japan-EU trade deal and the third arrow in Abenomics.

The fact of the matter is, no one is immune. Every time we use technology there is potential for a security breach. And that could come in many different forms. The more technology becomes something we can operate on autopilot, the less likely we are to take these risks in to consideration.

“Normalcy bias has been described in studies of disaster psychology as an unwillingness to recognize the urgency of a crisis or acknowledge that a crisis could happen…. If resilience is the starting assumption, real risk management becomes a challenge in how best to respond and recover from all types of accidents, breakdowns and system failures, both foreseeable and as yet un-imagined, by taking action at the earliest stage and assessing what is preventable next time,” William Saito wrote.

His recommendations for organizations for how to prevent these kinds of attacks are an amalgamation of his experiences and his own foresight into how technology will continue developing:

  • Every organization should have an executive chief information security officer who reports to a board on security and risk.
  • Every organization must have an incident response plan that is consistently refined to address the needs at hand.
  • Organizations should hold cybersecurity training and education programs for all employees as well as a security team.
  • Organizations should ensure their partners like contractors are also protected and prepared. Security should apply to third party vendors as well as internal operations.
  • Security teams should carry out regular cybersecurity simulations that prepare organizations for potential crisis scenarios.
  • Organization should have forensics, legal and public relations experts to disseminate information to stakeholders as needed.
  • Cyber insurance should be a taken into consideration for all organizations as cybersecurity threats are becoming increasingly common.

Don’t Fall into the Cyber Attack Trap

William Saito said it’s essential for everyone to recognize the myths that perpetuate about cybersecurity and whose responsibility it is to prevent disaster from striking. It’s not just an IT problem, and cybersecurity risks are not a category in themselves. They are risks just like any other.

There are certain things we do in our everyday lives that we don’t think are necessary in the digital world, which is why William Saito said we are falling short. He compares cybersecurity to eating — protecting our cyber realms like we protect our bodies by avoiding unnecessary risks.

William Saito's experience in cyber-security reaches all the way back to his days in a college dorm building software.
William Saito’s experience in cyber-security reaches all the way back to his days in a college dorm building software.

“We all have to practice common sense cybersecurity hygiene every day – and do what we can to prevent threats. That’s why you should think of your activities online like eating. You’d naturally be wary if a complete stranger walked up to you and offered you food. Suspicious messages, web pages, links and other cyber-morsels should be treated with similar caution,” Saito said.

By normalizing the idea that cybersecurity is just a normal part of our everyday lives, William Saito said we can get rid of some of the stigmas around talking about security breaches. Instead of hiding past failures, Saito encourages people and organizations to share their stories about security breaches. Expanding the circle of thought and understanding, he says, is the only way we will grow as a culture to be able to address these issues.

“If all we’re doing is detecting and analyzing attacks after they’ve taken place, then the attackers have already won. If you practice day-to-day prevention, just as you’d maintain your health and home, cybersecurity can be simple, effective and as routine as brushing your teeth,” Saito said.

“There’s no such thing as perfect security – the key here is resilience. That’s the ability to take a hit and keep going, or in certain cases failure, to default to a protected state. You should architect security with a prevention-first mindset, and also view attacks as an opportunity to learn about vulnerabilities and grow stronger based on that knowledge.”

Stay Vigilant Before Disaster Strikes

William Saito’s experiences in the public and private sector have informed the way he thinks about security at every level. He boils it down in layman’s terms to treating cyber security in the same way we think about any other precaution we take in our lives. We have to assume that we’re vulnerable, even when things seem to be going smoothly.

“Hackers never sleep. They use automation better than most businesses and can sit at their desks scanning the entire planet for victims with a mouse click. While personal computers usually have automatic security updating, many businesses have security updates set to “manual” so they won’t disrupt their operations,” William Saito said.

“Just like checking smoke alarms or changing the oil in a car, we have to deal with these occasional nuisances to be safe – and find security technologies that will actually enable, not slow down, core business operations,” he added.

Read more: Even with Location Off, Google Still Tracks You

For Saito, that means vigilance is key — even after you might think that the worst of an attack has ended. This means that there’s likely more to come. We need to build defensiveness into our internet culture to make sure we understand why these things are able to happen in the first place.

“It’s not game over if they penetrate one part of your system; they’ll have to overcome many obstacles to get the data or whatever else they’re after. Thus, it’s important to be proactively defensive and to understand that in a well-designed system there are many opportunities to stop bad guys from accomplishing their end goal. Resilience and communication are key,” Saito told Forbes.

It starts from the bottom and should be implemented at every level up to the top. It can never start too early. It’s a part of every function of an organization and something that we can all learn to think about in a more nuanced way.

“Leaders need to get smart about cybersecurity and realize that it’s much more than an issue for the IT department. As a mission-critical piece of infrastructure, cyber cuts across all divisions of an organization and affects everyone. An effective cybersecurity strategy, organized to prevent versus only remediate cyber-attacks, can improve competitiveness and even lead to a better work-life balance among employees. The time to start is now.”

Follow William Saito:









Please enter your comment!
Please enter your name here