
    2023.03.13 NC Leadership

    Shin Jongwhoi, Head of Information Security Center, Establishes a Global Top 1% Information Security System

    As technology, such as AI and digital infrastructure, continues to develop and the digital transition accelerates, the importance of information security to protect company assets from cyber threats is also increasing. NC’s Information Security Center provides a leading security environment through the operation of the organization responsible for information security policy and privacy protection tasks, as well as the development of security solutions specialized for game services. Together with Shin Jongwhoi, CISO and Head of Information Security Center, we will discuss NC’s efforts to establish a trustworthy service environment. We will also learn about the dreams and goals of Shin Jongwhoi, who has previously worked as a security officer in various global companies, and what he wishes to accomplish at NC.

    Shin Jongwhoi

    NC Chief Information Security Officer (CISO)

    Shin Jongwhoi is an information security expert who has built up more than 20 years of experience in the security sector. He has worked as a security officer in global companies, including Korea Internet & Security Agency (KISA), Microsoft Korea, Inc., and Amazon Web Services (AWS). He became the Chief Information Security Officer (CISO) and Head of the Information Security Center at NC in 2019. He has implemented the Zero-Trust security model, a cutting-edge security technology trend, to integrate the intranet. Additionally, he established a global security care service that inspects the security level of all subsidiaries. These efforts have been focused on enhancing NC’s information security system.


    Designing a Solid Yet Flexible Safety Net

    You have built a career with more than 20 years of experience in the information security field. Was there a specific reason that led you to start your career as a security officer?

    The information superhighway was established in the early 2000s. I imagined what kind of world would emerge after the establishment of such an infrastructure. Just as a car can run quickly on a highway, the importance of a system to prevent and manage accidents will also increase, don’t you think? I came to think that in the realm of information networks, the importance of security systems that manage the adverse effects of the cyber world may also increase. Therefore, I moved to a government research institute responsible for national security policies and began my career as a security officer.

    You joined NC in 2019. Which company’s vision resonated with you?

    Over the past 10 years, I have worked as a security officer for several global companies, including Microsoft Korea, Inc. and Amazon Web Services (AWS). I have usually worked on tasks primarily for corporations and government bodies, but I wanted to try establishing a security system for a broader range of users. At that moment, I learned that NC was seeking to hire a general manager for information security. NC was getting ready to expand its business globally at that time. I decided to join NC, thinking that my experience at global companies could contribute to the company’s challenges.

    You hold the position of Chief Information Security Officer and Head of the Information Security Center. What kind of work is the Information Security Center responsible for?

    The Information Security Center is responsible for various tasks related to information security for NC’s services and infrastructure, including protecting the privacy of employees and customers, planning internal security training, establishing security policies, developing game security solutions, monitoring security, and more.

    Just two years ago, privacy protection and game security organizations were scattered throughout the company. I recognized the need to establish an organic cooperative system among organizations that shared similar tasks, so I spearheaded a reorganization effort in January 2022. Under the Information Security Center, I reorganized five divisions: Privacy Protection Division, Security Policy Division, Security Operation Division, Security Technology Development Division, and Information Security Inspection Division. As a result, we were able to improve inefficient work processes and enhance synergy between the organizations. Several organizations responsible for security tasks came together to create a specialized security protection management system for NC’s game services.

    We are curious about the Information Security Center’s approach to security.

    There is a concept known as “stealth security.” This refers to a system in which employees and customers don’t necessarily perceive the presence of a security system, but the security measures still operate effectively. Reinforcing security at the company level is crucial, but it shouldn’t impose unnecessary burden on employees. The Information Security Center is committed to continuously strengthening the security system while minimizing any inconvenience to employees. We’re able to accomplish this thanks to our in-house technical expertise at NC.

    In your opinion, what is the significance of security?

    IBM research has shown that preparing preventive measures is 60 times more cost-effective than dealing with actual damages. This underscores the importance of security. As a result, we implemented a company-wide vulnerability check process last year. The process involves evaluating security functions and eliminating any potential threats prior to and after the release of a new service, by regularly checking for vulnerabilities. Our efforts were recognized last year, and we were able to receive high scores from various ESG evaluations. NC’s privacy protection and information security management abilities received high praise from Sustainalytics’ ESG Risk Ratings and achieved a score that ranked in the top 1% of the global software and service industry.

    Protecting the Value of Joy from an Unseen Domain

    I would now like to shift our discussion to focus on NC. What differences have you noticed in security practices in a game company?

    Cheating programs such as hacks or bots can spoil a player’s enjoyment of games. A significant part of our work revolves around managing and preventing the spread of such programs. Until last year, we used commercialized solutions for this, but the Security Technology Development Division under the Information Security Center has now developed its own anti-cheat solution. We are now progressively implementing this solution across all our IPs.

    Also, NC is a B2C company that provides services to numerous players. NC has a broad range of customers, so we pay close attention to privacy protection. The leakage of private information can have a direct impact on a company’s reputation and business, which is why we establish and manage our privacy protection system with utmost care.

    NC has achieved excellent ESG ratings both domestically and internationally, gaining recognition as one of the top 1% global companies in the information security and privacy protection sector. What do you think is the background or basis for this?

    Establishing a safe service environment is a social responsibility that IT companies must prioritize beyond their business goals. The background for this is that we conduct security training every year to enhance employees’ security awareness. Furthermore, we provide a global security care service to assess the security levels of our nine subsidiaries both domestically and internationally. Moreover, implementing the Zero-Trust model, which is the latest security technology trend, as a preemptive measure has been a positive factor. We did this before other companies, which helped us stay ahead of the curve.

    Your annual company-wide security training has received excellent feedback from employees. What was the process or inspiration behind it?

    Previously, the security training mostly consisted of warnings about potential threats and dry explanations of the rules that all employees were expected to follow. I realized that it would be difficult to increase employees’ security awareness using this approach. That is why I suggested creating video content that parodied or dramatized popular content, and it was well-received. In 2021, over 4,500 employees completed the security training, achieving a 100% completion rate, with a satisfaction rate of over 93%. In addition to video content, we also use other means, such as security campaigns featuring webtoons or card news, to approach employees in a friendlier way. We plan to continue operating security trainings in this way.

    Privacy protection training was implemented in 2022. As a part of the company-wide mandatory training, the Information Security Center plans to conduct dramatized forms of information security training every year.

    The aforementioned Zero-Trust concept sounds very new. Please elaborate.

    Zero-Trust is a recent security technology trend that has gained widespread adoption in the industry. It involves always maintaining a trust level of “0 (zero).” In the previous security model, once a user gained access to the intranet, they were considered trustworthy and granted all privileges. This made it easier for hackers to steal the IDs and passwords of employees, which led to security breaches in many IT companies.

    On the other hand, Zero-Trust is a paradigm that continuously verifies security by assigning a trust level of “0” to everything, including networks, services, devices, and users. It's like COVID-19 preventive measures in Korea in the sense that verification doesn't end when someone enters the intranet but continues to monitor traffic endlessly. Once a suspicious activity is detected, the system initiates a lockdown, and all activities are closely monitored. This allows us to quickly identify where to direct our attention and take necessary measures if a security incident occurs.

    What is the background behind NC’s implementation of the Zero-Trust model?

    We implemented the Zero-Trust model as we integrated the intranet network. When I first joined NC, the company was using separate networks for development and business. A divided network environment provides high security but makes it difficult to collaborate between organizations. It also has other downsides, such as making it hard to integrate the latest technologies like cloud computing. The need for an integrated network to address such inconveniences had been consistently raised. However, integrating the network while maintaining a high level of security was an insurmountable task with the existing security model. To this end, we initiated a large-scale network integration operation by shifting our security paradigm to the Zero-Trust model. As a result, employee job satisfaction rates have soared. 95% of all employees evaluated the network consolidation positively in an internal survey.

    Additionally, the integration enabled employees to respond effectively to the changes in the working environment caused by the COVID-19 pandemic. NC has enforced company-wide remote work since 2020, which raised concerns about security as it increases the chances of outside hacking. But fortunately, NC was already equipped with the basic infrastructure of the Zero-Trust model, so the company was able to transition into remote work mode. For the past two years, NC has been able to conduct remote work without any major security issues. Externally, this has been recognized as an impressive achievement.

    What is the next plan for the Information Security Center?

    The Zero-Trust model is a journey that we are still exploring. The first step was to integrate the separate network and establish a security environment in response to the COVID-19 pandemic. The next step is to develop an information classification system. Currently, the importance level of each piece of information within the company has not yet been classified, and as a result, a standardized security system is applied to all information and assets. For example, it is as if we are applying the same security system for both the lunch menus at the company cafeteria and the game development server.

    Our center plans to implement a four-step classification system to improve the management of information and assets. This system will help to reduce restrictions where security can be lowered and increase them for information and assets that require more stringent management. In other words, each piece of information will be graded and applied with a different level of security system. With this system in place, NC can collaborate more effectively with subsidiaries and third parties that have lower security levels.

    Building a Supportive Environment for Employee Growth

    What is your work philosophy as a security officer?

    Regardless of the outcome, I tend to focus on what can be learned from the experience. Everything is a continuous cycle of endless improvement. Using a car as an example, all the latest trendy cars that satisfy us now go through endless improvements for greater convenience before being released as a more satisfactory car after five to ten years.

    Information security is also about endless checking and consistent improvement of areas where improvements are needed. I try not to fluctuate between hopes and fears at every outcome but instead try to establish a better service and security environment based on the lessons I've learned at each moment.

    There must have been many hardships while building up your career. How did you overcome them?

    I try to identify the “true culprit” behind a problem. While it may seem that the problem has been solved in the short-term, if the underlying cause is not addressed, similar problems are bound to occur repeatedly.

    There was a time when I struggled to achieve the desired outcome while conducting security control work. I attempted various technical solutions, but none were effective. I carefully investigated the root cause and discovered that it was related to our human resources. To address the issue, I hired a leader with expertise in the area, and as a result, we saw significant improvement. If we had focused only on the technical issues, we would have never been able to solve the problem. I believed that it was more important to determine the root cause, even if it took a significant amount of time.

    What is the culture that the Information Security Center strives to promote?

    The first is an autonomous culture. I strive to foster a culture where every member is empowered to take on challenges and complete tasks from their own initiative, rather than solely relying on tasks assigned by others.

    I also hope that all employees become experts in the security field. But to do so, it is essential to be able to see the forest for the trees. My role as the head of the center is to encourage employees to take on different responsibilities rather than be buried in a single role. As an example, I have come up with the job rotation system. We made an internal rule that any employee who has worked for over three years in the same position may freely transfer to another position if they wish to do so. I will not spare any effort in supporting my employees to broaden their perspectives in the security field and cultivate their own careers.

    Finally, I would like to know what you wish to accomplish at NC.

    The business environment in the gaming industry is becoming increasingly competitive. Advancing into the global market and embracing open innovation is now essential for the company’s survival. NC has been working diligently to tackle this challenge, starting with the launch of Lineage W. My biggest goal is to establish a safe, trustworthy security system that aligns with this challenge and enables NC to collaborate more effectively with overseas branches and affiliates.

    However, as I have mentioned before, this reinforced security must not become inconvenient. I aim to improve the system's durability while establishing NC’s own security system that does not compromise the convenience of our employees and customers.