Security as a Business Accelerator: How Our Security Organization Enables Speed × Quality

This is the Day 7 article of KINTO Technologies Advent Calendar 2025 🎄

1. Introduction

I'm Ka-Sai from the Security and Privacy Division at KINTO Technologies.

As a member of the Toyota Group, we provide mobility services including financial services. We consider protecting information assets such as personal information and confidential data entrusted to us by customers and partner companies, as well as the systems that support them, as one of our most important priorities. We operate under the following mission and vision:

Mission

• Provide customers with safe and secure services.
• Our mission is not to apply the brakes, but to think about how we can safely and securely step on the accelerator.

Vision

• Establish Security by Design and Privacy by Design to create a world where safe and secure services are the norm.

・・・・・

The word security often brings to mind images of slowing things down or blocking new attempts. However, we believe that security is not a brake on business but can become a driving force. In this entry, I would like to discuss:

• Why security tends to appear as a blocker
• How our company addresses these structural challenges through our philosophy and design
• Our specific organizational structure, systems, and initiatives
• The future we envision

2. Problem Awareness: The Dilemma of Traditional Security

2-1. Why Does Security Appear to Slow Things Down?

In many organizations, security is often seen as:

• Procedures are cumbersome, and reviews and approvals slow things down

• New tools, cloud services, and generative AI get blocked

• Rollbacks occur just before release, causing significant rework

• Security is treated as a cost center, making its value hard to see

These challenges arise from structures such as security being added after the fact, individual judgments dependent on specific people, and case-by-case consultation-based approaches. There's another reality we are keenly aware of:

Rules can become implicit blockers simply by existing.

When rules exist, people tend to self-censor, thinking I'd better not do that just to be safe or I should avoid touching this area. As a result, both new initiatives and innovation become less likely to emerge.

2-2. Toward Security That Scales for Breakthrough Growth

Our company aims for breakthrough growth in a domain where mobility and finance intersect, a field characterized by strict regulations and complex business requirements.
As we expand into new markets, countries, and service models, our security must grow at the same speed and scale.

What becomes important here is the perspective that:

Security is a risk, but slowing down business is also a significant risk.

Not only the risk of being attacked, but also the risk of losing momentum for growth cannot be ignored from a management perspective.

Therefore, we place great importance on how quickly we can deliver secure products to the world.
In other words, from the initial stage, we focus on how quickly we can reach the market while meeting a certain level of security and compliance.

• Deliver new businesses and features to the world quickly
• At the same time, meet the strict safety standards required in the finance and mobility sectors

To satisfy both requirements, we need an approach that designs business goals that directly contribute to business success and security goals at the same table, rather than separating them.

2-3. How to Reduce the Burden on Employees

The Security and Privacy Division is not all‑knowing or all‑powerful. It is not realistic for our team alone to review every piece of code, every configuration, and every data flow, and the cooperation of each and every employee is essential.

However, employees each have their own missions. They are also swamped with product development, operations, and business-side tasks.

• Security work piles on as additional work
• Manual checks and evidence collection increase
• Understanding the requirements takes time, which puts pressure on the time they have for their regular work.

As a result, we often end up with excessive or disproportionate security work whose impact is small compared to the time invested. That's why at our company, we emphasize:

• Top-down support from the CISO
• Delegation of authority to the front lines and autonomous bottom-up actions

We focus on designing systems that raise security levels without increasing the burden on employees by balancing both of these approaches.

3. Our Security Philosophy: Security as Momentum

Based on the challenges described above, the conclusion our division reached is simple:

When properly designed, security becomes a driving force that accelerates business.

Under this philosophy, we have adopted the following approaches:

3-1. Security as a Platform

Rather than having people check things one by one, we embed security into systems and platforms to minimize friction.

• Incorporate secure cloud design and configuration into guidelines and templates
• Build automated checks into CI/CD pipelines
• Provide secure baseline settings and ensure the system is safe without any extra steps.

3-2. Not Someone Who Stops, But Someone Who Enables

The role of security is not to say "No" but to think together about how we can safely say "Yes".

• Welcome consultations from the planning stage and present feasible options
• Show not only what you shouldn't do but also how you can do it

3-3. Security as Developer Experience

Building a secure developer experience ultimately leads to improved productivity across the entire development organization, so we constantly keep in mind whether we are creating an environment where developers can confidently step on the accelerator.

• Clear guardrails that say, "You’re good to go if you use this template."
• Automate tedious security assessment evidence collection work
• Easy-to-consult channels and clear documentation

4. Security Management Organization Structure: A Structure to Support Business Growth and Speed

Our company belongs to the Toyota Financial Services (TFS) group, a subsidiary of Toyota Motor Corporation. The TFS Group positions cybersecurity risk as one of the most important management issues and promotes countermeasures across the entire group. Under this policy, information security management at our company operates based on the TFS Group's security program.

4-1. GIS Standard: A Security Framework Based on Global Standards

The TFS Group has developed its own security requirements called the GIS Standard (Global Information Security Standard), optimized for financial services based on international standards such as NIST and ISO27001, and operates it across the entire group.

The GIS Standard includes over 300 control items covering a wide range of domains such as:

• Governance
• Operations
• Technical controls
• Cloud security
• New areas such as generative AI

Our company has adopted this GIS Standard as our own standard, choosing to conduct our business with global-standard safety and reliability as fundamental prerequisites.

4-2. Three Specialized Groups in the Security and Privacy Division

To make this GIS Standard security framework in practice, the Security and Privacy Division consists of the following specialized groups:

1. Cloud Security Group

• Standardization of cloud design and configuration (guidelines and guardrails)
• Introduction and operation of CNAPP / CSPM / CIEM
• Risk monitoring of multi-cloud environments

2. Cyber Security Group

• SOC operations (log collection, analysis, incident response)
• Vulnerability management and assessment (Red Team / Blue Team)
• Shadow IT countermeasures

3. Information Security Group

• Digital transformation of GIS Standard assessments
• Policy development and risk assessment
• Enhancement of information security education
• Privacy Impact Assessment (PIA)
• Development of data protection guidelines for AI use
• Systematization of intellectual property rights management

These groups work in coordination to form a structure that partners with product teams, corporate divisions, and related global companies.

5. Our Specific Initiatives: Implementation Structure to Transform Security into a Driving Force

5-1. Platform Security: Embedding Security into Systems

(1) Standardization of Cloud Security

We have developed:

• Security guidelines for each of AWS / Azure / GCP
• Kaizen Guides for guardrails
• AI security guidelines

We aim for a state where designing and implementing according to these naturally meets GIS Standard and best practices.

(2) Introduction of CNAPP (Cloud-Native Application Protection Platform)

We are automating:

• Continuous evaluation of cloud configurations
• Detection and remediation of excessive IAM permissions
• Protection of workloads on the cloud
• Threat detection through log collection and analysis

We are evolving from having people check things case by case to a system that constantly monitors and raises alerts as needed.

5-2. Cyber Defense: Both Offense and Defense

(1) Red Team (Offense)

• Proactive vulnerability assessments for new projects and products that haven't been assessed
• Verification including software supply chain perspectives such as SBOM, secret management, and EOL

(2) Blue Team (Defense)

• Log monitoring and analysis using SIEM, EDR, Proxy, DNS, etc.
• Development and exercises of incident response plans
• Continuous tuning of detection rules

Through these initiatives, rather than scrambling to respond after being attacked, we aim to create organizational capacity through advance preparation and continuous monitoring.

5-3. Security and Privacy Assessment Digital Transformation: Making Compliance a Byproduct

(1) Security Governance

• Automation of compliance assessments with GIS Standard
• Dashboarding of evidence collection
• Organization of assessment targets through a risk-based approach
• Automation of security inquiry responses

We treat security governance as a key focus of our Digital Transformation efforts, reducing the reactive burden of scrambling to collect audit evidence after the fact and moving toward a state where daily operations naturally serve as audit trails.

(2) Privacy Governance / Intellectual Property Management

• Introduction and operation of Privacy Impact Assessment (PIA)
• Development and dissemination of data protection guidelines for AI use
• Comprehensive intellectual property investigation and log management linked to the lifecycle

Through this, we aim to make being a service that customers can use with peace of mind one of the reasons why they choose us.

6. Conclusion: From Craftsman's Work to Standardization, and Then to a Driving Force

The mission of the Security and Privacy Division is to provide customers with safe and secure services.
To achieve this, we constantly think about how security can contribute to business growth and momentum building from both Speed and Quality perspectives, rather than merely minimizing risk.

On the other hand, balancing competing priorities such as:

• Responding to rapid business growth
• Reducing the burden on employees
• Ensuring efficient compliance with legal requirements

is, in reality, a significant challenge. We are addressing this challenge through:

From Craftsman's Work to Standardization

From security dependent on specific security experts to standardized systems where anyone can produce the same quality

Employee-Centered Design

Rather than overworking people for security, design so that employees can engage without strain and with pride

Automation-First Design

Reduce toil (work that can be automated) so people can focus on creative work

Agile Governance

Maintain an attitude of continuously rebuilding while breaking down existing rules

We believe that:

We can not only provide security that enhances Quality, but also contribute to Speed and promote security in a way that accelerates business.

We will continue to move forward with our business teams, our developers, and customers!