Japan has 110,000 unfilled cybersecurity roles. The ISC2 Cybersecurity Workforce Study publishes this figure annually and it has not materially improved in three years. The gap between certified practitioners and open positions is structural, not cyclical.
The numbers that matter
IPA runs the RISS certification program, the primary government-backed credential for cybersecurity professionals in Japan. As of 2024, 23,000 people hold RISS certification. The target is 50,000 by 2030. At the current trajectory, that target is achievable. Whether 50,000 RISS holders closes a 110,000-role gap is a separate question the program does not address.
NICT runs CYDER (Cyber Defence Exercise with Recurrence), a simulation-based training program for government and critical infrastructure personnel. The content is genuinely informed by real threat data from NICTER. The problem is throughput. Government training running at government speed is not going to close a six-figure gap.
What is already happening
Foreign vendors operating in Japan have already adapted, not always in ways that serve the security objective. Offshore penetration testers with limited Japanese language proficiency are working inside Japanese organisations on engagements coordinated by domestic SIs. The output is technically adequate pen test reports in English, delivered to security teams that need them in Japanese. The translation layer introduces risk. The cultural translation layer, which findings will survive a ringi and which will die, is absent entirely.
The AI question
AI tools reduce the analyst-hours required for tier-one alert triage, OSINT aggregation, and report generation. For a talent-constrained environment, that matters. The complication in Japan is that the tools with the largest productivity benefit also have the largest data residency footprints. APPI and the FSA’s data handling requirements mean the compliance approval process for a SaaS AI security tool can exceed the time it takes to train a junior analyst.
McPhail Security’s role
Navigation, not recruitment. The gap between a vendor’s security capability and what Japan can actually absorb is a knowledge problem before it is a staffing problem. McPhail Security identifies where you fit, who you should work with, and what the actual delivery model looks like. That is a different service from placing bodies.