This is the longer read behind “Japan’s security talent problem in plain numbers.”

The ISC2 Cybersecurity Workforce Study puts Japan’s unfilled cybersecurity roles at 110,000 — but that figure understates the problem. Raw headcount is a misleading metric when the roles being counted require capabilities that the available candidate pool does not currently have. Japan does not have 110,000 unfilled security jobs waiting for qualified applicants. It has an indeterminate number of unfilled roles, many of which are described as security roles by HR systems but are effectively IT operations roles with a security checkbox. The genuine security capability gap, the gap between what Japan FSI actually needs and what is available to deliver it, is harder to quantify and significantly more serious.

The structural cause: two decades of outsourcing

The most important thing to understand about Japan’s security talent shortage is that it is not primarily a training or education problem. It is a consequence of two decades of IT outsourcing that hollowed out domestic technical capability across the economy.

Japan’s large enterprises, including banks and financial institutions, systematically offshored IT operations and development functions to lower-cost locations in the 1990s and 2000s. The offshore delivery model, primarily to India and parts of Southeast Asia, was economically rational at the time. The legacy is that the internal teams left at the client side managed relationships and specifications but stopped doing technical work. When security became a board-level concern and organisations needed to build internal capability, the pipeline of domestically developed technical talent had been thinned by two decades of institutional disuse.

This is not something that can be fixed by a certification program. The RISS program (23,000 certified of a 50,000 target) is valuable. But it produces credential holders, not experienced practitioners. Experience requires environments where you practice under real conditions. Japan FSI has relatively few environments where junior practitioners can build that experience at depth; the outsourcing model pushed the meaningful work offshore, and the legacy of that model is a missing generation of mid-level practitioners.

The offshore penetration testing import

The most visible and problematic manifestation of the talent gap is in penetration testing. Japan FSI requires regular penetration testing, as the FSA’s October 2024 guidelines make explicit, but does not have enough qualified Japan-based penetration testers to meet demand at the frequency and depth required.

The result is an emerging market: offshore penetration testers, predominantly based in India and Southeast Asia, conducting assessments of Japan FSI environments under contracts with domestic SIs. That market is real and growing. It also has specific failure modes that are rarely discussed.

The first failure mode is communication. A penetration test report that documents critical findings in English, delivered to a Japan FSI security team that needs to present those findings in Japanese to management via a ringi process, requires a translation step. In security, translation is not neutral; what gets translated, how it is framed, and what gets softened in the translation are all downstream risk decisions being made by someone who is not accountable for the outcome.

The second failure mode is context. A penetration tester who does not know the keiretsu structure of the organisation’s IT environment, the specific regulatory constraints that govern which findings are actionable in what timeframe, or the operational context of the systems being tested will produce findings that are technically accurate and practically useless. The Japan FSI environment has characteristics that require local knowledge to interpret correctly: legacy mainframe integration, SIer-managed network segmentation, and approval processes that affect how quickly critical patches can be deployed.

NICT’s CYDER program: genuinely good, wrong scale

NICT’s Cyber Defence Exercise with Recurrence is one of the more honest attempts by a government agency to build real capability rather than just credential holders. CYDER runs simulation exercises where participants manage real incident scenarios against live systems in a controlled environment. The content is informed by NICTER, NICT’s threat observation infrastructure, which gives it an actual threat-intelligence basis rather than generic scenarios.

The limitation is throughput. CYDER serves government agencies and critical infrastructure operators. The number of participants who can go through a meaningful CYDER exercise in a year is measured in hundreds. The gap to be closed is measured in tens of thousands. CYDER is a genuinely useful program running at the wrong scale for the problem it is trying to address.

IPA RISS: right intention, wrong execution velocity

The IPA RISS program is doing the right thing at too slow a pace to matter at the required scale. The curriculum is relevant. The certification is respected within Japan. The 2024 figures (23,000 certified, target 50,000 by 2030) suggest the program will hit its target. The target is insufficient.

METI’s Study Group on Promoting Cybersecurity Talent issued its final report in May 2025. The report identifies the mismatch between certification targets and actual capability gaps. It recommends expanding practical training components. These are correct recommendations. The implementation timeline for government recommendations in Japan is characteristically long.

NCD as a different model

Nihon Cyber Defence is the most interesting response to the talent problem from inside Japan’s security industry. NCD’s model is not to absorb the existing pool of credential holders and put them in a managed service wrapper. It is to build a delivery organisation with different baseline requirements: NCSC certification (the UK National Cyber Security Centre standard), incident response practitioners with international experience, and a delivery model that looks like a UK or US-style boutique security firm operating in Japan.

NCD is small. It is not yet at the scale where it can absorb a significant portion of the demand. But it represents a proof of concept that a different model can operate in Japan, one that does not accept “we cannot find the people” as a structural constraint.

Where agentic AI actually helps

For a talent-constrained environment, the analyst productivity gains from AI-assisted security operations are real and meaningful. An agentic SOC platform that handles tier-one alert triage (opening an alert, pulling context, making an initial assessment, and closing or escalating) frees analyst time for work that requires human judgment. In an environment where analyst headcount is the binding constraint, this genuinely extends effective capacity.

The complication in Japan FSI is that the platforms delivering the largest analyst productivity gains are also the ones with the largest compliance friction. A SaaS agentic SOC platform that processes log data in a US or European cloud data centre requires an APPI sub-processor review before a Japan FSI organisation can use it. That review process can run six to twelve months. The analyst time you would have saved during that period is time you didn’t save.

The platforms that will succeed in Japan’s talent-constrained environment are the ones with Japan-local data residency options or federated architectures that keep data inside the organisation’s control. The capability trade-off is real, as local deployment often lags cloud deployment on features, but it is the trade-off Japan FSI will consistently choose.
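To make the tier-one loop above concrete, and to show where a residency gate sits in front of it, here is an added Python example written for this page rather than taken from any vendor's platform; the hosts, rules, approved regions and sample alerts are all constructed.

```python
# Added example: a minimal tier-one triage loop (open -> pull context -> assess -> close/escalate)
# with a residency gate in front of it. Hosts, rules and regions are constructed, not real.
from dataclasses import dataclass

# Constructed asset inventory that the "pull context" step reads from.
ASSET_CONTEXT = {
    "atm-gw-01": {"tier": "critical", "owner": "payments"},
    "hr-laptop-42": {"tier": "low", "owner": "corporate"},
}
KNOWN_BENIGN_RULES = {"scheduled_backup"}            # noise tier-one may close on its own
APPROVED_REGIONS = {"ap-northeast-1", "on-prem-jp"}  # constructed residency allow-list

@dataclass
class Alert:
    alert_id: str
    host: str
    rule: str
    severity: str  # "low" | "medium" | "high" | "critical"

def residency_ok(processing_region: str) -> bool:
    """Alert data may only be handed to a processing region on the approved list."""
    return processing_region in APPROVED_REGIONS

def triage(alert: Alert, processing_region: str) -> tuple[str, str]:
    """Run the tier-one loop; returns (decision, reason), decision in {closed, escalated, blocked}."""
    if not residency_ok(processing_region):
        # Data would leave the organisation's control: refuse rather than silently forward.
        return "blocked", f"region {processing_region} not approved for alert data"
    ctx = ASSET_CONTEXT.get(alert.host, {"tier": "unknown", "owner": "unknown"})
    if alert.rule in KNOWN_BENIGN_RULES and ctx["tier"] != "critical":
        return "closed", f"known-benign rule on {ctx['tier']}-tier asset"
    if alert.severity in {"high", "critical"} or ctx["tier"] in {"critical", "unknown"}:
        # Critical or unfamiliar assets always go to a human analyst.
        return "escalated", f"severity={alert.severity} tier={ctx['tier']} owner={ctx['owner']}"
    return "closed", f"low severity, {ctx['tier']}-tier asset owned by {ctx['owner']}"

def run_queue(alerts, processing_region) -> dict:
    """Triage a whole queue and return {alert_id: decision}."""
    return {a.alert_id: triage(a, processing_region)[0] for a in alerts}

# Constructed sample queue.
SAMPLE_ALERTS = [
    Alert("a1", "atm-gw-01", "scheduled_backup", "low"),     # benign rule, but critical asset
    Alert("a2", "hr-laptop-42", "scheduled_backup", "low"),  # benign rule, low-tier asset
    Alert("a3", "hr-laptop-42", "new_admin_account", "high"),
    Alert("a4", "unknown-host", "port_scan", "medium"),      # no context available
]

if __name__ == "__main__":
    for alert_id, decision in run_queue(SAMPLE_ALERTS, "ap-northeast-1").items():
        print(alert_id, decision)
```

Switching the processing region to one outside the allow-list blocks every alert before any context is pulled, which is the behaviour a federated or Japan-local deployment is meant to guarantee by design.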

Red flags in the Japan security staffing market

Without naming specific companies: the Japan security staffing and managed services market has a class of provider that has learned to present itself as a Japan FSI specialist without the underlying capability to justify that positioning. The signals are consistent. They have impressive client name lists but cannot explain what they actually do for those clients. They can produce a ringi template but cannot explain what happens after it is signed. Their “Japan team” is one bilingual account manager and offshore delivery. Their incident response capability is notional.

The test is simple. Ask them to describe the last significant incident they handled for a Japan FSI client: what the initial indication was, what tools they used to investigate it, how long it took to contain, and what the root cause was. Organisations with real delivery capability can answer this in detail. Organisations without it cannot.
