[Editor’s note] Recently, SK Telecom, YES24, and the National Research Foundation of Korea (NRF) suffered cyberattacks that resulted in personal information leaks and service disruptions. With the advent of the artificial intelligence (AI) era, cyber threats have intensified and attack tactics have become more sophisticated, while the response capabilities of our government and corporations remain weak. This article diagnoses the issues in the cybersecurity system through domestic and international cases and seeks solutions.

The Cybersecurity and Infrastructure Security Agency (CISA) under the Department of Homeland Security employs thousands of personnel, including information security experts, data analysts, and infrastructure engineers. In normal times, they focus on analyzing threats and attacks in order to respond to cyber threats. If a hacking incident occurs, CISA shares information with private corporations in real time to activate a joint response manual. Private corporations in the United States are offering high salaries and benefits to attract excellent security personnel.
Korea designated ‘security’ as a national strategic industry for the first time in 2004 and established the ‘Basic Plan for Promoting the Information Security Industry.’ However, while each administration made pledges to strengthen cybersecurity, the actual budget and investment scale have been minimal. Cybersecurity is considered a low-profile field with poor recognition and treatment in the IT industry. Most corporations operate information security departments with minimal staff or outsource them. Even when incidents occur, the real-time cooperation system with the government is deficient, making proactive responses or immediate recovery difficult.

◇ Large-scale hacking incidents caused by ‘security complacency’… 75% lack dedicated personnel

According to the ‘2024 Cybersecurity Workforce Supply and Demand Survey’ by the Ministry of Science and ICT, only 8.7% of corporations responded that they needed cybersecurity personnel. The low recognition of security has led to a lack of dedicated personnel. Of the 79,509 cybersecurity personnel in Korea, only 28.4% are exclusively dedicated to security tasks. Meanwhile, 63.8% handle security alongside other duties, and external personnel account for 7.8%. The statistics of reported cyber incidents over the past two years show an increasing trend: 1,142 cases in 2022, 1,277 cases in 2023, and 1,887 cases in 2024.

Professor Kim Hyung-jun from Korea University said, “Small and medium-sized enterprises are too busy generating immediate revenue to prioritize security, while large corporations that can invest are only responding at a formal level. Most corporations perceive security as an expense rather than an investment, leading to insufficient risk management.” He continued, “There is a need to change perceptions regarding security,” and emphasized the necessity to recognize that a security incident can seriously harm a company’s reputation, prompting the need for increased investment.

The low awareness of security is also reflected in the compensation levels. Last year, the average annual salary of dedicated security personnel in domestic corporations was 54 million won. The average was 63.4 million won for large corporations and 46 million won for small and medium-sized enterprises. The average annual salary for major information security companies was also just over 60 million won. SECUI had the highest average salary at 79 million won, while AhnLab, a representative security company, was at 70.7 million won. In contrast, during the same period, major IT companies like Naver (129 million won) and Kakao (100.2 million won) had average salaries exceeding 100 million won. The biggest reason job seekers are not interested in cybersecurity jobs is cited as ‘low salaries’ (38.2%).

The problem is that the aversion to security jobs creates a vicious cycle that undermines industrial competitiveness. According to the ‘2024 Domestic Information Security Industry Survey’ published by the Korea Information Security Industry Association (KISIA) last year, the biggest obstacle to technology development for information security companies is ‘securing and retaining technical development personnel’ (76.3%). Last year, the average tenure of employees in major information security companies was 5 years and 1 month, which is relatively short compared to the average of 10 years in large IT companies.


◇ Cybersecurity jobs in the U.S. increase by 32%… active technology convergence through M&A

According to the Bureau of Labor Statistics (BLS) in the United States, the average annual salary for cybersecurity professionals is around $127,000 (approximately 173.1 million won), with high-level professionals earning over $150,000 (approximately 205.7 million won). Some global security companies, such as Palo Alto Networks and Zscaler, are offering over $200,000 (approximately 272.6 million won) to attract cybersecurity leadership talent. With the rise of artificial intelligence (AI), the importance of cybersecurity has become prominent, and the U.S. is actively improving compensation. The BLS has stated that cybersecurity jobs will increase by about 32% in the United States by 2032.

Overseas, mergers and acquisitions (M&A) among cybersecurity companies are also thriving. As cyberattacks become more sophisticated, integrated security has become critical, compelling security companies to pursue the convergence of solutions, services, and technologies through M&A. Palo Alto Networks announced in April that it acquired ‘Protect AI,’ an AI security platform company, to respond to newly emerging cyber threats driven by AI. The company also acquired IBM’s cloud security software, QRadar, last year. Last year, Cisco acquired Splunk, a leading company in the integrated security information and event management (SIEM) field, for $28 billion (approximately 38.2 trillion won), marking the largest transaction in the history of security networks.

◇ “Now is not the time for the Korean government to be idle”… Need to establish related laws and systems

Industry experts argue that for the domestic security industry to grow, institutional support from the government must be established. In fact, related legislation, such as the basic cybersecurity law, has been stalled in the National Assembly for 12 years. This law was first proposed in the 17th National Assembly and reintroduced in standing committees during the 18th through 21st National Assemblies, but has not passed a plenary session of the National Assembly.

According to the domestic security industry survey by the Ministry of Science and ICT, last year there were a total of 814 information security software (SW) companies in Korea. Among them, 122 security SW companies have at least 24 years of experience. However, there are currently no globally renowned security SW companies. The information security industry’s export value was 1.68 trillion won last year, a 16.3% decrease from the previous year, according to the survey report published by the Korea Information Security Industry Association (KISIA) last year. This has led to calls for the government to support the localization of core technologies and allocate part of the total AI investment budget to information security research and development (R&D).

The security industry sees the current situation, where the Lee Jae-myung government is searching for measures against successive corporate hacking incidents, as an opportunity to change the landscape of the domestic information security industry. The Ministry of Science and ICT presented plans to strengthen cybersecurity capabilities during a report to the Presidential Committee on Policy Planning last month. The core plan is to amend the Telecommunications Business Act to enhance the authority of the Chief Information Security Officer (CISO) by granting them personnel management and budget allocation rights. The obligation regarding information security disclosures will also expand from corporations with sales over 300 billion won to all listed companies. The designation of major information and communication infrastructure will be broadened, and the review of the information security certification system will be strengthened.

Emeritus Professor Yeom Heung-ryeol of Soonchunhyang University said, “The government should expand the cultivation of cybersecurity personnel and R&D budgets while also encouraging corporations to significantly increase security investments. Broadening the current mandatory disclosure target for information security to include all listed companies or expanding the authority of CISOs within corporations could be concrete measures.”
