• 한국어
    • 日本語
    • 中文-繁體

    2023.03.13 NC Leadership

    Shin Jongwhoi, Head of Information Security Center, Establishes a Global Top 1% Information Security System

    As technology, such as AI and digital infrastructure, continues to develop and the digital transition accelerates, the importance of information security to protect company assets from cyber threats is also increasing. NC’s Information Security Center provides a leading security environment through the operation of the organization responsible for information security policy and privacy protection tasks, as well as the development of security solutions specialized for game services. Together with Shin Jongwhoi, CISO and Head of Information Security Center, we will discuss NC’s efforts to establish a trustworthy service environment. We will also learn about the dreams and goals of Shin Jongwhoi, who has previously worked as a security officer in various global companies, and what he wishes to accomplish at NC.

    Shin Jongwhoi

    NC Chief Information Security Officer (CISO)

    Shin Jongwhoi is an information security expert who has built up more than 20 years of experience in the security sector. He has worked as a security officer in global companies, including Korea Internet & Security Agency (KISA), Microsoft Korea, Inc., and Amazon Web Services (AWS). He became the Chief Information Security Officer (CISO) and Head of the Information Security Center at NC in 2019. He has implemented the Zero-Trust security model, a cutting-edge security technology trend, to integrate the intranet. Additionally, he established a global security care service that inspects the security level of all subsidiaries. These efforts have been focused on enhancing NC’s information security system.

    Designing a Solid Yet Flexible Safety Net

    You have built a career with more than 20 years of experience in the information security field. Was there a specific reason that led you to start your career as a security officer?

    The information superhighway was established in the early 2000s. I imagined what kind of world would emerge after the establishment of such an infrastructure. Just as a car can run quickly on a highway, the importance of a system to prevent and manage accidents will also increase, don’t you think? I came to think that in the realm of information networks, the importance of security systems that manage the adverse effects of the cyber world may also increase. Therefore, I moved to a government research institute responsible for national security policies and began my career as a security officer.

    You joined NC in 2019. Which company’s vision resonated with you?

    Over the past 10 years, I have worked as a security officer for several global companies, including Microsoft Korea, Inc. and Amazon Web Services (AWS). I have usually worked on tasks primarily for corporations and government bodies, but I wanted to try establishing a security system for a broader range of users. At that moment, I learned that NC was seeking to hire a general manager for information security. NC was getting ready to expand its business globally at that time. I decided to join NC, thinking that my experience at global companies could contribute to the company’s challenges.

    You hold the position of Chief Information Security Officer and Head of the Information Security Center. What kind of work is the Information Security Center responsible for?

    The Information Security Center is responsible for various tasks related to information security for NC’s services and infrastructure, including protecting the privacy of employees and customers, planning internal security training, establishing security policies, developing game security solutions, monitoring security, and more.

    Just two years ago, privacy protection and game security organizations were scattered throughout the company. I recognized the need to establish an organic cooperative system among organizations that shared similar tasks, so I spearheaded a reorganization effort in January 2022. Under the Information Security Center, I reorganized five divisions: Privacy Protection Division, Security Policy Division, Security Operation Division, Security Technology Development Division, and Information Security Inspection Division. As a result, we were able to improve inefficient work processes and enhance synergy between the organizations. Several organizations responsible for security tasks came together to create a specialized security protection management system for NC’s game services.

    We are curious about the Information Security Center’s approach to security.

    There is a concept known as “stealth security.” This refers to a system in which employees and customers don’t necessarily perceive the presence of a security system, but the security measures still operate effectively. Reinforcing security at the company level is crucial, but it shouldn’t impose unnecessary burden on employees. The Information Security Center is committed to continuously strengthening the security system while minimizing any inconvenience to employees. We’re able to accomplish this thanks to our in-house technical expertise at NC.

    In your opinion, what is the significance of security?

    IBM research has shown that preparing preventive measures is 60 times more cost-effective than dealing with actual damages. This underscores the importance of security. As a result, we implemented a company-wide vulnerability check process last year. The process involves evaluating security functions and eliminating any potential threats prior to and after the release of a new service, by regularly checking for vulnerabilities. Our efforts were recognized last year, and we were able to receive high scores from various ESG evaluations. NC’s privacy protection and information security management abilities received high praise from Sustainalytics’ ESG Risk Ratings and achieved a score that ranked in the top 1% of the global software and service industry.

    Protecting the Value of Joy from an Unseen Domain

    I would now like to shift our discussion to focus on NC. What differences have you noticed in security practices in a game company?

    Cheating programs such as hacks or bots can spoil a player’s enjoyment of games. A significant part of our work revolves around managing and preventing the spread of such programs. Until last year, we used commercialized solutions for this, but the Security Technology Development Division under the Information Security Center has now developed its own anti-cheat solution. We are now progressively implementing this solution across all our IPs.

    Also, NC is a B2C company that provides services to numerous players. NC has a broad range of customers, so we pay close attention to privacy protection. The leakage of private information can have a direct impact on a company’s reputation and business, which is why we establish and manage our privacy protection system with utmost care.

    NC has achieved excellent ESG ratings both domestically and internationally, gaining recognition as one of the top 1% global companies in the information security and privacy protection sector. What do you think is the background or basis for this?

    Establishing a safe service environment is a social responsibility that IT companies must prioritize beyond their business goals. The background for this is that we conduct security training every year to enhance employees’ security awareness. Furthermore, we provide a global security care service to assess the security levels of our nine subsidiaries both domestically and internationally. Moreover, implementing the Zero-Trust model, which is the latest security technology trend, as a preemptive measure has been a positive factor. We did this before other companies, which helped us stay ahead of the curve.

    Your annual company-wide security training has received excellent feedback from employees. What was the process or inspiration behind it?

    Previously, the security training mostly consisted of warnings about potential threats and dry explanations of the rules that all employees were expected to follow. I realized that it would be difficult to increase employees’ security awareness using this approach. That is why I suggested creating video content that parodied or dramatized popular content, and it was well-received. In 2021, over 4,500 employees completed the security training, achieving a 100% completion rate, with a satisfaction rate of over 93%. In addition to video content, we also use other means, such as security campaigns featuring webtoons or card news, to approach employees in a friendlier way. We plan to continue operating security trainings in this way.

    Privacy protection training was implemented in 2022 (image). As a part of the company-wide mandatory training, the Information Security Center plans to conduct dramatized forms of information security training every year.

    The aforementioned Zero-Trust concept sounds very new. Please elaborate.

    Zero-Trust is a recent security technology trend that has gained widespread adoption in the industry. It involves always maintaining a trust level of “0 (zero).” In the previous security model, once a user gained access to the intranet, they were considered trustworthy and granted all privileges. This made it easier for hackers to steal the IDs and passwords of employees, which led to security breaches in many IT companies.

    On the other hand, Zero-Trust is a paradigm that continuously verifies security by assigning a trust level of “0” to everything, including networks, services, devices, and users. It's like COVID-19 preventive measures in Korea in the sense that verification doesn't end when someone enters the intranet but continues to monitor traffic endlessly. Once a suspicious activity is detected, the system initiates a lockdown, and all activities are closely monitored. This allows us to quickly identify where to direct our attention and take necessary measures if a security incident occurs.

    What is the background behind NC’s implementation of the Zero-Trust model?

    We implemented the Zero-Trust model as we integrated the intranet network. When I first joined NC, the company was using separate networks for development and business. A divided network environment provides high security but makes it difficult to collaborate between organizations. It also has other downsides, such as making it hard to integrate the latest technologies like cloud computing. The need for an integrated network to address such inconveniences had been consistently raised. However, integrating the network while maintaining a high level of security was an insurmountable task with the existing security model. To this end, we initiated a large-scale network integration operation by shifting our security paradigm to the Zero-Trust model. As a result, employee job satisfaction rates have soared. 95% of all employees evaluated the network consolidation positively in an internal survey.

    Additionally, the integration enabled employees to respond effectively to the changes in the working environment caused by the COVID-19 pandemic. NC enforced company-wide remote work since 2020, which raised concerns about security as it increases the chances of outside hacking. But fortunately, NC was already equipped with the basic infrastructure of the Zero-Trust model, so the company was able to transition into remote work mode. For the past two years, NC has been able to conduct remote work without any major security issues. Externally, this has been recognized as an impressive achievement.

    What is the next plan for the Information Security Center?

    The Zero-Trust model is a journey that we are still exploring. The first step was to integrate the separate network and establish a security environment in response to the COVID-19 pandemic. The next step is to develop an information classification system. Currently, the importance level of each piece of information within the company has not yet been classified, and as a result, a standardized security system is applied to all information and assets. For example, it is as if we are applying the same security system for both the lunch menus at the company cafeteria and the game development server.

    Our center plans to implement a four-step classification system to improve the management of information and assets. This system will help to reduce restrictions where security can be lowered and increase them for information and assets that require more stringent management. In other words, each piece of information will be graded and applied with a different level of security system. With this system in place, NC can collaborate more effectively with subsidiaries and third parties that have lower security levels.

    Building a Supportive Environment for Employee Growth

    What is your work philosophy as a security officer?

    Regardless of the outcome, I tend to focus on what can be learned from the experience. Everything is a continuous cycle of endless improvement. Using a car as an example, all the latest trendy cars that satisfy us now go through endless improvements for greater convenience before being released as a more satisfactory car after five to ten years.

    Information security is also about endless checking and consistent improvement of areas where improvements are needed. I try not to fluctuate between hopes and fears at every outcome but instead try to establish a better service and security environment based on the lessons I've learned at each moment.

    There must have been many hardships while building up your career. How did you overcome them?

    I try to identify the “true culprit” behind a problem. While it may seem that the problem has been solved in the short-term, if the underlying cause is not addressed, similar problems are bound to occur repeatedly.

    There was a time when I struggled to achieve the desired outcome while conducting security control work. I have attempted various technical solutions, but none have been effective. I carefully investigated the root cause and discovered that it was related to our human resources. To address the issue, I hired a leader with expertise in the area, and as a result, we saw significant improvement. If we had focused only on the technical issues, we would have never been able to solve the problem. I believed that it was more important to determine the root cause, even if it took a significant amount of time.

    What is the culture that the Information Security Center strives to promote?

    The first is an autonomous culture. I strive to foster a culture where every member is empowered to take on challenges and complete tasks from their own initiative, rather than solely relying on tasks assigned by others.

    I also hope that all employees become experts in the security field. But to do so, it is essential to be able to see the forest for the trees. My role as the head of the center is to encourage employees to take on different responsibilities rather than be buried in a single role. As an example, I have come up with the job rotation system. We made an internal rule that any employee who has worked for over three years in the same position may freely transfer to another position if they wish to do so. I will not spare any effort in supporting my employees to broaden their perspectives in the security field and cultivate their own careers.

    Finally, I would like to know what you wish to accomplish at NC.

    The business environment in the gaming industry is becoming increasingly competitive. Advancing into the global market and embracing open innovation is now essential for the company’s survival. NC has been working diligently to tackle this challenge, starting with the launch of Lineage W. My biggest goal is to establish a safe, trustworthy security system that aligns with this challenge and enables NC to collaborate more effectively with overseas branches and affiliates.

    However, as I have mentioned before, this reinforced security must not become inconvenient. I aim to improve the system's durability while establishing NC’s own security system that does not compromise the convenience of our employees and customers.