
Pola Orbis Optimizes Security with NIST CSF 2.0 Assessment


    Pola Orbis Holdings security team leaders Iihara and Yamamoto pose at the Group Digital Solution Center office entrance.

    Pola Orbis Holdings, a global enterprise with numerous locations both in Japan and overseas, manages a diverse portfolio of brands, primarily in the cosmetics business. In April 2022, the company established the Group Digital Solutions Center to accelerate group-wide digital transformation (DX) while simultaneously advancing IT rationalization.

    As part of its commitment to strengthening security, the company decided to implement assessment and improvement activities based on the NIST Cybersecurity Framework (NIST CSF). In response, NRI Secure developed specialized questionnaires tailored to the NIST CSF and provided assessment support services on its "SecureSketCH" platform. Pola Orbis Holdings has been utilizing this service to conduct ongoing assessment and improvement activities since 2023.

    At a Glance

    • CHALLENGE
      • Lack of visibility into the security status of each group company, preventing the implementation of comprehensive enhancement measures.
      • Need for continuous assessment and industry benchmarking by utilizing an objective, globally recognized framework.
    • SOLUTION
      • Conduct a standardized security maturity assessment across 22 group companies.
      • Establish a system to calculate both the NIST CSF 2.0 Tier value and the SecureSketCH score.
    • RESULTS
      • Visualized the group's overall strengths and weaknesses, clearly defining areas for prioritized action.
      • Enabled reporting to the executive management team with persuasive, data-driven explanations, including industry comparisons.
      • Clever operational tactics and effective use of features allowed self-service deployment to overseas locations.
           

    Background

    Adopting NIST CSF for Objective, Continuous Group-Wide Assessment

    Akihiro Iihara of Pola Orbis discusses adopting NIST CSF for global security assessment during an interview.
    Mr. Akihiro Iihara, Manager of the Network & IT Security Team at the Group Digital Solution Center

     

    Pola Orbis Holdings established a dedicated team and a cross-group information security committee. This structure allowed them to implement security strengthening measures across the group. However, a major challenge remained: effectively understanding the current security status of each group company, which was essential for driving effective measures.


    Mr. Akio Iihara, Manager of the Network & IT Security Team at the Group Digital Solutions Center, recalls the situation at the time:

    Iihara:

    "Even though we established the structure, we didn't have visibility into the security measures of each group company at the time. We felt a strong need for a system that could quantify the security status across the group and allow us to comprehensively implement enhancement measures.

    Previously, we used spot-assessment services provided by other vendors. However, since those assessments used the vendor's own proprietary standards, we often questioned the evidence for the necessary countermeasures and the continuity of the process.

    What we truly needed was a way to continuously conduct quantitative and objective evaluations using a globally recognized, standard framework. The framework we ultimately selected was the NIST CSF."


    The company's organizational culture significantly influenced the process of adopting the NIST CSF.

    Iihara:

    "We drafted the NIST CSF adoption plan within the department and received final approval from the Board of Directors. Management was also supportive of adopting the NIST CSF. Our organizational culture encourages management to actively back proposals from the field, which allows this initiative to be driven by the on-site teams."

    Key Selection Factors

    Why SecureSketCH? Combining NIST CSF Compliance with Industry Benchmarking

    When the company began its tool selection process in July 2023, its primary focus was on practical usability and the ability to achieve objective, continuous evaluation. Mr. Iihara elaborates on the reasoning behind their final decision.

    Iihara:

    "SecureSketCH met our requirements: it allowed for web-based evaluation, didn't require a large investment, and was manageable for us to operate ourselves. Furthermore, the use of a common security standard, not one proprietary to a single vendor, and the ability to benchmark our evaluation results against other companies were highly attractive.

    For reporting to management, we needed visualization using the NIST CSF evaluation tiers (Tier 1-4) to answer the questions: ‘How well are we doing?’ and ‘What level should we be aiming for?’. Even more critical than the Tier value itself was demonstrating the supporting evidence and validity of that tier."


    To address this, NRI Secure leveraged SecureSketCH's strength in providing statistical data for competitor comparison. They proposed an evaluation support system that could simultaneously calculate both the SecureSketCH score (out of 1,000 points) and the NIST CSF evaluation tiers (Tier 1-4).

     

    A diagram illustrating how dedicated questions calculate both a Secure SketCH score and NIST CSF tier values simultaneously.
    Figure 1: Unified Assessment Mechanism for SecureSketCH and NIST CSF 2.0

     


    Ms. Yumi Yamamoto of the Network & IT Security Team explains why this proposal was the deciding factor:

    Yamamoto:

    "Ideally, we wanted to express our evaluation using NIST CSF Tier values. However, since there is no public statistical data on Tier values, we couldn't compare ourselves with other companies. We were worried that we wouldn't know if our results were valid or how to benchmark them.

    SecureSketCH’s strength lies in its statistical data and benchmarking functions. NRI Secure provided the ideal solution: a mechanism that enables evaluation using Tier values for NIST CSF compliance, while simultaneously benchmarking against the industry using SecureSketCH's 1000-point scale. This allowed us to understand our standing in the industry while adhering to the framework."

    Yumi Yamamoto from Pola Orbis explains the benefits of using SecureSketCH for group-wide security maturity evaluation.
    Ms. Yumi Yamamoto of the Network & IT Security Team at the Group Digital Solution Center

    Deploying NIST CSF 2.0 Questions to 22 Companies with Operational Support

    After the decision, NRI Secure provided flexible support for both technical and operational aspects.

    Iihara:

    "Since 2023, NRI Secure has proposed flexible and speedy support schedules aligned with our annual business plans. Notably, when the framework was updated to NIST CSF 2.0 in 2024, their technical expertise allowed them to immediately update the questions to correspond with the new version."

    Yamamoto:

     "Initially, we were overwhelmed by the volume of nearly 400 questions proposed. However, reading through them deepened our understanding of required security measures, which ultimately helped us support the group companies in their responses.

    NRI Secure also proposed operational optimizations. For example, we set display conditions to control follow-up questions based on previous answers. We also applied the parent company's answers to child companies for questions related to shared policies or infrastructure. This reduced the number of questions for subsidiaries to between 100 and 200, significantly reducing their burden."

     

    Through a phased approach, starting with two pilot companies in 2023 and expanding to all 22 companies in 2024 following the NIST CSF 2.0 update, Pola Orbis successfully established its evaluation foundation.

    Visualizing Group-Wide Risks

    Comprehensive Assessment Reveals the Full Picture

    The comprehensive evaluation of 22 group companies brought previously unseen organizational conditions to light. Mr. Iihara discusses the insights gained from the results.

    Iihara:

    "We visualized the strengths and weaknesses of the entire group and clarified where the gaps against our targets were largest. A key win was identifying areas where individual company operations were inefficient, such as security product standardization and centralized management.

    We can now prioritize measures based on evaluation results and calculate predicted outcomes if those measures are implemented. This is invaluable for formulating concrete improvement plans."

     

    A sample table displaying group-wide security evaluation results including SecureSketCH scores and NIST CSF tier metrics.
    Figure 2: Group-Wide Evaluation Results (Sample Data)



    This visibility sparked a change in mindset across group companies.

    Yamamoto:

    "With weaknesses visible, companies began actively consulting us on specific measures needed for improvement. Many expressed a desire to use the evaluation data for future action planning.

    For instance, we receive specific requests to simulate how scores would improve based on remediation items to help build next year's plans. There is also a growing momentum to share best practices across the group, referencing the initiatives of high-scoring companies."

    Elevating Management Reporting with Data-Driven Benchmarks

    Combining NIST CSF Tiers with Industry Comparisons

    The hybrid approach of outputting NIST CSF 2.0 Tier values and SecureSketCH scores simultaneously has been a game-changer for management reporting.

     

    Iihara:

    "By using SecureSketCH scores for industry comparison, we could report our current Tier values and target levels to management in a way anyone could understand.

    NIST CSF 2.0 Tier values alone don't indicate 'good or bad.' By combining them with SecureSketCH statistical data, we could persuasively explain, 'We are here compared to the industry average,' or 'Our target is equivalent to this industry level.'

    Management highly appreciated this, noting that the metrics were easy to understand. One executive even commented that 'This evaluation calculated by SecureSketCH should be at the very beginning of the report,' proving they deeply understand the importance of this initiative."

    Streamlining Global Operations

    Achieving Efficiency Across Language Barriers

    On the operational side, the system's characteristics enabled efficient management.

    Yamamoto:

     "Visualizing evaluation values and targets created a common understanding among group companies and management. Because this is a self-assessment not reliant on external vendors, we can adjust the timing to fit our needs, such as aligning with budget planning.

    We can check response status immediately on SecureSketCH, making progress management and communication via the comment function smooth. The multi-language support also significantly lowered the hurdle for deployment to overseas entities."

     

    The Secure SketCH dashboard interface displays survey response progress status via a pie chart and list of companies.
    Figure 3: Response Progress Monitoring Dashboard on SecureSketCH



    Deploying to overseas bases presented challenges, but the team overcame them through operational ingenuity.

    Iihara:

    "Overseas entities vary in IT scale, and some lack dedicated IT staff. We started with almost no information on their infrastructure or applications. We had to secure staff hours and conduct interviews from scratch regarding sales channels and IT assets.

    It required several times the support effort compared to Japan, checking all questions and explaining misunderstandings. However, by operating in four languages (Chinese, English, Thai, Japanese), we ultimately achieved a unified evaluation, including overseas bases."

    Future Outlook

    From Common to Individual Issues: A Phased Approach to Security

    Moving forward, Pola Orbis plans a strategic approach to improving security maturity.

     

    Iihara:

    "First, we aim to raise the overall baseline by identifying and improving common group issues centered on NIST CSF 2.0. Specifically, we will establish a common foundation, such as rule formulation and management processes, that makes it easier for each company to implement individual measures. Deciding on common rules first prevents confusion regarding implementation methods."

    Yamamoto:

    "We place particular importance on the 'Govern' function added in NIST CSF 2.0. We plan to establish a system where risk identification, analysis, and evaluation defined in this function are steadily implemented across the group, with policies continuously reviewed to reflect changes in social conditions. This directly supports our goal of strengthening group governance."

    Expectations for SecureSketCH and a Message to Peers

    Mr. Iihara shares his current challenges and future expectations for the platform.

    Iihara:

    "Currently, calculating NIST CSF 2.0 Tier values requires a separate request to NRI Secure. In the future, we hope for a feature that automatically calculates this within SecureSketCH.

    Participating companies want to see results immediately. Features that display results instantly after input, allowing them to check corrected answers or predict how improvements change their score, would be incredibly helpful. Real-time feedback would likely further invigorate group-wide activities."


    Ms. Yamamoto offers advice to companies facing similar challenges.

    Yamamoto:

    "If your organization requires an objective security assessment, quantifying your status against NIST CSF 2.0, using SecureSketCH is a realistic and effective method.

    It presents indicators that are easy for non-experts to understand and allows for the construction of an improvement cycle aligned with NIST CSF 2.0. For companies with global operations or multiple subsidiaries, the value of having a unified evaluation standard is immense."

    Iihara:

    "I feel we have realized efficient and persuasive security management by combining the objective, continuous framework of NIST CSF 2.0 with SecureSketCH's statistical data and usability.

    I understand that the evaluation mechanism we built with NRI Secure is planned to be rolled out as a service for other companies soon. I believe it is well worth trying for any enterprise facing similar challenges."
