
South Korea’s cybersecurity blind spot

Chosun Ilbo (조선일보) | Kim Su-jeong
Corporate underinvestment, low salaries and stalled reforms leave critical systems exposed
Despite a surge in cyberattacks and the country’s deepening reliance on digital infrastructure, South Korean companies are failing to invest meaningfully in cybersecurity personnel—leaving critical systems increasingly exposed.

Only 8.7 percent of firms reported a need for cybersecurity staff, according to a recent workforce survey by the Ministry of Science and ICT. The sector’s modest labor pool—79,509 workers—is spread thin: just 28.4 percent are fully dedicated to security roles, while 63.8 percent juggle cybersecurity alongside other tasks. Another 7.8 percent of companies outsource their security altogether.

The understaffing comes at a time of rising threats. South Korea recorded 1,142 reported breaches in 2022, 1,277 in 2023, and 1,887 already in the first half of 2024.

“Small and mid-sized enterprises are too focused on short-term profits to prioritize security,” said Kim Hyung-joon, professor at Korea University’s Graduate School of Privacy & Data Protection. “Even large corporations that can afford to invest often treat it as a symbolic exercise.”

“Cybersecurity is still viewed as a cost center rather than an investment,” he added. “That perception needs to change.”

Illustrated by ChatGPT

The gap between risk and resources is perhaps most visible in compensation. As of 2024, the average annual salary for full-time cybersecurity staff in South Korea stood at 54 million won ($39,000). Large companies paid around 63.4 million won ($46,000), while small and mid-sized firms offered only 46 million won ($33,000).


Even the country’s top cybersecurity firms fall short. Secui offered the highest average salary at 79 million won ($57,000), while market leader AhnLab paid 70.7 million won ($51,000). By contrast, major tech firms paid far more: Naver employees earned an average of 129 million won ($93,000); Kakao paid 102 million won ($74,000). Unsurprisingly, 38.2 percent of job seekers cited “low pay” as the main reason for avoiding cybersecurity careers.

The shortage of skilled workers is already hampering innovation. A 2024 report by the Korea Information Security Industry Association (KISIA) found that 76.3 percent of cybersecurity firms cited “difficulty securing and retaining R&D personnel” as their greatest challenge to technology development. Average tenure at major security firms was just over five years—roughly half that of employees at leading IT companies.

International comparisons are sobering. According to the U.S. Bureau of Labor Statistics, American cybersecurity professionals earn $127,000 on average, with senior roles exceeding $150,000. Firms like Palo Alto Networks and Zscaler offer over $200,000 for top security officers as part of aggressive hiring strategies. The U.S. cybersecurity job market is projected to grow 32 percent by 2032.


Graphics by Son Min-gyun

Globally, cybersecurity firms are consolidating to meet increasingly complex threats. In April, Palo Alto Networks acquired Protect AI, a startup focused on securing artificial intelligence. In 2024, it purchased IBM’s cloud security software platform QRadar. Cisco’s $28 billion acquisition of SIEM leader Splunk last year remains the largest deal in the sector’s history.

South Korea, by contrast, remains fragmented and under-leveraged. Among 814 domestic cybersecurity software companies, only 122 have operated for more than 24 years. The country has yet to produce a globally recognized brand in the sector.

Meanwhile, the Basic Cybersecurity Act, first introduced in the 17th National Assembly, has languished in the legislature for more than a decade despite repeated attempts at revival.


Exports have also declined. In 2024, South Korea’s information security industry generated 1.68 trillion won ($1.2 billion) in exports, down 16.3 percent from the year before.

Experts are calling for a multi-pronged government response. Some urge the localization of key cybersecurity technologies and recommend diverting a portion of the national AI R&D budget to security-related initiatives.

A recent wave of high-profile hacks appears to have caught the government’s attention. In a policy report submitted to the National Policy Planning Committee, the Ministry of Science and ICT outlined a set of reforms. These include amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection, which would give chief information security officers (CISOs) greater authority over staffing and budgets.

The government also plans to expand mandatory cybersecurity disclosures from companies earning over 300 billion won ($218 million) to all publicly listed firms. The definition of “critical information infrastructure” will be broadened, and the criteria for certification will be tightened.

“The government must scale up funding for training and R&D,” said Youm Heung-youl, professor emeritus at Soonchunhyang University. “And companies need to make meaningful investments in security.”

“Expanding mandatory disclosures and giving CISOs stronger internal authority,” he added, “would be concrete first steps.”

[Kim Su-jeong]

- Copyrights ⓒ Chosun Ilbo (조선일보) & chosun.com. Unauthorized reproduction and redistribution prohibited. -
