NC

On the Personal Information Protection Operation team, I manage and respond to the personal information protection certification system. In short, my work involves testing by an external organization to verify how well NC protects personal information. The importance of personal information is increasing daily, and a sensitive response is required, especially in IT companies. There is more meaning to acquiring a certification system that exceeds standards set by law than by meeting compulsory requirements. Interest and response to personal information protection not only functions as a symbol of the company's technology standard, but also directly correlates to trust.

This year, NC plans to manage and obtain a total of three certifications: the ISMS-P¹ of the Korea Internet & Security Agency (KISA), the ISO certification (ISO 27001, ISO 27701²), and the APEC CBPR³. Getting a CBPR certification means a lot, as it will be its first validation in the game industry. It is an opportunity to show our global customers and partners that NC is indeed a leading company that values personal information protection.

The certification process is largely carried out in a 6-month cycle. First, an independent risk assessment is conducted three months before the review. It is done by running meetings with related departments that review whether there are any deficiencies, or any missing points found since the release of a new service. If the risk is determined to be high, it will go through a revision.

Afterwards, an audit will be conducted by the responsible agency. Through document screening and interviews, NC will be evaluated to see if personal information protection is conducted properly. If there are any deficiencies, we receive the feedback and make corresponding improvements over the next 3 months. After that, the company receives the final certification. NC repeats this process every year and continues to strengthen its personal information protection system.

NC values joy. Although the Personal Information Protection Office and Information Security Center are not departments that directly provide joy to players, the work we do is closely related to the “continuity of joy.”

With many of the NC games being RPGs, there are countless people who have built a long-term affection for their characters. It would be truly devastating if their accounts disappeared or were stolen — the loss would be immeasurable. Our job is to provide a safe playground so that players can play to their heart's content without these worries.

I didn't start out working in the information security team. My first career was as a developer building and operating systems used by thousands of employees and corporate members. As the Personal Information Protection Act was enacted at the time my development work began, the system I was in charge of also needed to reflect these changes. I became interested in the security work when I started improving the system in line with the law and conducting mock hacking to see how well the security level was established. Coincidentally, the importance of security was emphasized in the company, and it was looking for someone to take charge of security. Around the third year of my employment, my job responsibilities changed, and I started to pursue a career in information security.

While experiencing solutions in information and network security, I was also interested in law, so I also worked with personal information, which is more closely related to regulations and policies. Personal information is closely related to corporate services, so protecting and utilizing the related data became inviting. To be more specific, I started as a developer, moved on to information security and then began my career in personal information protection.

When I first joined information security, I worked with a senior-level manager who had about 20 years of experience. Filling my career gap was daunting. I first started following the manager's advice by reading whatever he did. As I gradually understood the unique terminology used in my work, I knew that I needed to gain proper knowledge by studying for related certificates. After taking the position of a personal information protection manager, I also started graduate school, since I wanted to study law and security systems more profoundly.

If the definition of know-how is how to do something easier and faster than others, I haven't worked at a company with any special know-how. Instead, I just believed that proper results would come to fruition relative to the effort and time I put in. Rather than looking for a shortcut, I always try to do my best and take one step at a time.

Personal information protection is the management of customers' personal information, so that it can be used safely while defending against internal and external threats. In the field of information security and personal information protection, it is often said that “no news is good news.” When things go wrong, a company's credibility can be destroyed, but when everything is going well, it’s not very noticeable. That is why one might think that a job in personal information protection is easy and doesn’t require special knowledge.

However, at NC, it is different. I still remember what I was told during the interview and when I first joined the company. “NC aims to lead the industry in Korea, then the global game industry, and finally move beyond the game industry to become a global top-tier company in the field of personal information protection. You, Seungyeon, will be a part of that journey.” I was convinced that in a place with such a vision, my capabilities can grow as well.

I love to be recognized for my work. While it is important to gain recognition from others, appreciating myself is more important. Just doing 80% of what I can do is not enough — I always want to push to 100%. Reaching the standards set by myself is the minimum. Only by finishing work at a level that satisfies me can I fully rejoice in the recognition of my colleagues and leaders.

After coming to NC, I had an opportunity to introduce the personal information protection job to undergraduates. After that, I received an email from a student who attended that lecture. The student wanted to know what kind of education and experience was required to start a career in personal information protection. Hoping to be helpful, I shared my personal experience as well as advice from other colleagues in reply to that email. After a while, the student emailed me again about getting a job in personal information protection. I was proud that my knowledge and experience helped someone start a career.

Maybe in 10 years I will come to be a better expert in this field. I also want to share my experience with more people if I have the opportunity. I want to become a mentor who listens to not only students but also colleagues’ concerns about their careers.

“Careers aren’t ladders, they’re jungle gyms," said Meta's former COO, Sheryl Sandberg, and I agree with the statement. You can climb a ladder rather quickly, but you can only go up or down — it is also easily swayed by external changes. On the other hand, it takes more time to climb a jungle gym, but you can turn around, take a short break, and find different paths to the top. Of course, prioritizing your own field is important, but I think you can grow more diversely when you have various experiences and perspectives.

In most cases, personal information protection tasks require the understanding of comprehensive information including related laws, tech environments, platforms, and internal policies. I strive to be a person who sees the “forest” rather than the “trees.” Understanding the big picture can easily help you identify and deal with related parts even when new issues arise.

I plan on strengthening work in policies in addition to my current operational work next year. Personal information and data laws and policies are constantly changing. When the government establishes new policies, it tends to listen greatly to the opinions of the IT and game industries. I want to do more than simply comply with the policies on the corporate side. I want to speak out and participate in discussions about what is needed not only by NC but also by the game industry.

Also, I want to be a person who is trusted by the organization, and a colleague people want to work with. Personal information protection is a job that does not have the correct answer, but I want to be recognized as a person who can make rational decisions while considering various perspectives. To achieve this, it is important to have expertise in my field and to continuously be exposed to the changes in other fields. Even if I don't have any special know-how, I want to develop my skills one step at a time.