How We Think About Security

Last Updated: September 24th, 2024

Security is often mistaken for a checklist of safeguards. At MailMate, we see it differently. Security starts with team culture and philosophy. Instead of viewing security as a series of processes and measures, we adopt a culture of security. Good organizational and individual habits are key, but so too is the ability to make informed decisions as new threats and security risks emerge. Technology is always evolving and we need to be able to evolve with it. The answer to this is to make security top of mind in our company culture as a whole.

1) Open conversations

For us, step one is to make it a topic of discussion. 

When someone joins the team, we make security top of mind by having a conversation during training on day one.

  • Have you done cybersecurity training before?

  • What about privacy protection?

Great security—and great privacy—starts with talking about it. Maintaining sound security practices begins with maintaining the conversation. Too often, business processes become ingrained and go unchanged until something happens that forces a change.

With security, that something is a breach, and by then it is too late.

2) Building good habits

After ensuring awareness, it’s about developing good habits. These habits need to become part of the team’s culture and be embedded in operations. 

Done right, the operations reinforce these habits, and the company culture continuously seeks ways to improve and stay ahead in a constantly changing security landscape. The more everyone understands the intent behind measures or company policy, the better they can apply and implement not just specific measures but the actual intent. 

In our work with large, publicly listed companies, we've seen how fear of regulatory missteps can lead to a checkbox mentality—following rules without fully understanding their purpose. We see organizations slow their operations to a crawl because they do not understand why certain requirements exist, which in turn leads them to ask their vendors to meet requirements that are not always applicable.

Understanding intent is critical because even when all the requirements are met, you need to determine if the intent is still being met.

3) Adopt understandable standards

A tactical decision we’ve made around our security implementation is to adopt standards that are worded in ways people understand. We begin with clear intent, expressed in simple language. 

Once you have this base, you’ll find that most security frameworks will map to your best practices, or at the very least, your best practices will be much faster to update when needed. Recently, we went through P-Mark certification.

It’s common to hire a P-Mark consultant and work with them to prepare for the certification process. What we found was a preparation process focused on checking the box: template privacy manuals, training, and terms of service. 

Ultimately, this misses the forest for the trees. An organization should write and tailor its own manuals, training, and privacy-related operations for its team, industry, and size. Requirements should be adopted into a security-first mindset, rather than used to architect your team’s security philosophy around passing them. 

Doing it right is not just better for security, it’s better for efficiency—so doing it right is actually good for business beyond risk mitigation. Another underrated benefit is that teammates can articulate intent when working with customers. This goes a long way toward building trust, beyond simply posting a certification endorsement on your security page.

4) MailMate and security

At MailMate, we adopt a regular cadence where we focus on security. We bring key teammates together once a week and have a meaningful conversation about what changes we need to make or adopt.

  • Is there anything new in the threat environment? 

  • Is there anything we should do or an accreditation we should look at to better understand? 

This time is carved out specifically so that we adopt frameworks and incorporate changes. We go over breaches, hacks, and privacy mishaps and map how our organization would have performed in similar situations. Awareness is key to prevention. When we spot emerging threats, like the rise of deepfakes, we share them with our entire team to keep everyone informed.

In-house expertise

We’re fortunate to have team members with security backgrounds, including two certified CISSPs and CREST-certified Security Analysts & Penetration Testers, in addition to a Cyber Security Master’s degree holder. 

This puts us in a position to truly engage with security, rather than simply reading from requirements. Not every team has access to this expertise, which makes it even more important to start simple and work in understandable jargon. Integrating privacy into our security practices is essential. Today, security and privacy intersect across various domains—legal, operational, technical, and beyond. 

For more information, you can download our security deck or reach out to our team at security@mailmate.jp for a detailed discussion.
