
    2023.01.26 The Originality

    Security Administrator, Information Security, Seungyeon Lee

    <THE ORIGINALITY> is a series about NC’s new generation — they are immersed in their jobs where they find inspiration. They pave the way towards excellence and then aim even higher.

    People at NC freely express themselves and achieve growth by challenging themselves to new experiences.

    I never compromise with myself. While it is important to gain recognition from others, appreciating myself is more important. Just doing 80% of what I can do is not enough — I always want to push to 100%. Only by finishing work at a level that satisfies me can I fully rejoice in the recognition of my colleagues and leaders.


    Security Administration, Information Security

    On the Personal Information Protection Operation team, I manage and respond to the personal information protection certification system. In short, my work involves testing by an external organization to verify how well NC protects personal information. The importance of personal information is increasing daily, and a sensitive response is required, especially in IT companies. There is more meaning to acquiring a certification system that exceeds standards set by law than by meeting compulsory requirements. Interest and response to personal information protection not only functions as a symbol of the company's technology standard, but also directly correlates to trust.

    Leading the Industry with Safety

    This year, NC plans to manage and obtain a total of three certifications: the ISMS-P[1] of the Korea Internet & Security Agency (KISA), the ISO certification (ISO 27001, ISO 27701[2]), and the APEC CBPR[3]. Getting a CBPR certification means a lot, as it will be its first validation in the game industry. It is an opportunity to show our global customers and partners that NC is indeed a leading company that values personal information protection.

    The certification process is largely carried out in a 6-month cycle. First, an independent risk assessment is conducted three months before the review. It is done by running meetings with related departments that review whether there are any deficiencies, or any missing points found since the release of a new service. If the risk is determined to be high, it will go through a revision.

    Afterwards, an audit will be conducted by the responsible agency. Through document screening and interviews, NC will be evaluated to see if personal information protection is conducted properly. If there are any deficiencies, we receive the feedback and make corresponding improvements over the next 3 months. After that, the company receives the final certification. NC repeats this process every year and continues to strengthen its personal information protection system.

    1. A certification related to personal information protection among ISMS (KISA Information Protection and Personal Information Protection Management System Certification)

    2. ISO 27001 is an International Standard Information Protection Certification, and 27701 is an International Standard Personal Information Protection Management System Certification

    3. A global certification system for the personal information protection management system prepared by APEC as a cross-border privacy rule

    Creating a Safe Playground

    NC values joy. Although the Personal Information Protection Office and Information Security Center are not departments that directly provide joy to players, the work we do is closely related to the “continuity of joy.”

    With many of the NC games being RPGs, there are countless people who have built a long-term affection for their characters. It would be truly devastating if their accounts disappeared or were stolen — the loss would be immeasurable. Our job is to provide a safe playground so that players can play to their heart's content without these worries.

    Doing My Best Every Day Made Me Who I Am Today

    From a Developer to a Personal Information Protection Expert

    I didn't start out working in the information security team. My first career was as a developer building and operating systems used by thousands of employees and corporate members. As the Personal Information Protection Act was enacted at the time my development work began, the system I was in charge of also needed to reflect these changes. I became interested in the security work when I started improving the system in line with the law and conducting mock hacking to see how well the security level was established. Coincidentally, the importance of security was emphasized in the company, and it was looking for someone to take charge of security. Around the third year of my employment, my job responsibilities changed, and I started to pursue a career in information security.

    While experiencing solutions in information and network security, I was also interested in law, so I also worked with personal information, which is more closely related to regulations and policies. Personal information is closely related to corporate services, so protecting and utilizing the related data became inviting. To be more specific, I started as a developer, moved on to information security and then began my career in personal information protection.

    Utilizing Endeavor as My Weapon to Climb up the Ladder

    When I first joined information security, I worked with a senior-level manager who had about 20 years of experience. Filling my career gap was daunting. I first started following the manager's advice by reading whatever he did. As I gradually understood the unique terminology used in my work, I knew that I needed to gain proper knowledge by studying for related certificates. After taking the position of a personal information protection manager, I also started graduate school, since I wanted to study law and security systems more profoundly.

    If the definition of know-how is how to do something easier and faster than others, I haven't worked at a company with any special know-how. Instead, I just believed that proper results would come to fruition relative to the effort and time I put in. Rather than looking for a shortcut, I always try to do my best and take one step at a time.

    The Best Defense Is to Move Forward

    Personal information protection is the management of customers' personal information, so that it can be used safely while defending against internal and external threats. In the field of information security and personal information protection, it is often said that “no news is good news.” When things go wrong, a company's credibility can be destroyed, but when everything is going well, it’s not very noticeable. That is why one might think that a job in personal information protection is easy and doesn’t require special knowledge.

    However, at NC, it is different. I still remember what I was told during the interview and when I first joined the company. “NC aims to lead the industry in Korea, then the global game industry, and finally move beyond the game industry to become a global top-tier company in the field of personal information protection. You, Seungyeon, will be a part of that journey.” I was convinced that in a place with such a vision, my capabilities can grow as well.

    It’s All-Out Effort or Nothing

    The Most Important Thing Is the Self-Acknowledgment

    I love to be recognized for my work. While it is important to gain recognition from others, appreciating myself is more important. Just doing 80% of what I can do is not enough — I always want to push to 100%. Reaching the standards set by myself is the minimum. Only by finishing work at a level that satisfies me can I fully rejoice in the recognition of my colleagues and leaders.

    My Experience Becomes a Stepping Stone for Someone to Grow

    After coming to NC, I had an opportunity to introduce the personal information protection job to undergraduates. After that, I received an email from a student who attended that lecture. The student wanted to know what kind of education and experience was required to start a career in personal information protection. Hoping to be helpful, I shared my personal experience as well as advice from other colleagues in reply to that email. After a while, the student emailed me again about getting a job in personal information protection. I was proud that my knowledge and experience helped someone start a career.

    Maybe in 10 years I will come to be a better expert in this field. I also want to share my experience with more people if I have the opportunity. I want to become a mentor who listens to not only students but also colleagues’ concerns about their careers.

    Seeing the Forest for the Trees

    “Careers aren’t ladders, they’re jungle gyms,” said Meta's former COO, Sheryl Sandberg, and I agree with the statement. You can climb a ladder rather quickly, but you can only go up or down — it is also easily swayed by external changes. On the other hand, it takes more time to climb a jungle gym, but you can turn around, take a short break, and find different paths to the top. Of course, prioritizing your own field is important, but I think you can grow more diversely when you have various experiences and perspectives.

    In most cases, personal information protection tasks require the understanding of comprehensive information including related laws, tech environments, platforms, and internal policies. I strive to be a person who sees the “forest” rather than the “trees.” Understanding the big picture can easily help you identify and deal with related parts even when new issues arise.

    Weighing My Words and Actions

    I plan on strengthening work in policies in addition to my current operational work next year. Personal information and data laws and policies are constantly changing. When the government establishes new policies, it tends to listen greatly to the opinions of the IT and game industries. I want to do more than simply comply with the policies on the corporate side. I want to speak out and participate in discussions about what is needed not only by NC but also by the game industry.

    Also, I want to be a person who is trusted by the organization, and a colleague people want to work with. Personal information protection is a job that does not have the correct answer, but I want to be recognized as a person who can make rational decisions while considering various perspectives. To achieve this, it is important to have expertise in my field and to continuously be exposed to the changes in other fields. Even if I don't have any special know-how, I want to develop my skills one step at a time.

    * The content stated in this interview is the personal opinion of the interviewee and does not represent the official position of NCSOFT.