Illustration: Son Min-kyun

Following the hacking incident at SK Telecom, national awareness of cybersecurity has increased, prompting the government to consider empowering security officers in corporations and institutions. In particular, it is reported that the government plans to enhance the authority of the Chief Information Security Officer (CISO) and the Chief Privacy Officer (CPO) to ensure they have a voice in the boardroom. For corporations, this will likely increase pressure to maintain separate CISO and CPO positions. Currently, most firms have one executive serving as both CISO and CPO due to expense.

According to industry sources on the 4th, the presidential office is reviewing amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection (Information and Communications Network Act) and the Personal Information Protection Act with relevant ministries, including the Ministry of Science and ICT and the Personal Information Protection Commission. In particular, the government is reportedly looking into ways to give security leaders a role in the anticipated budget proposal. The Ministry of Science and ICT stated, "We are reviewing the strengthening of the authority of the CISO and CPO."

◇ CISO handles technology, CPO handles law... holding both positions is not illegal

Both the CISO and CPO are responsible for security within corporations, but their specific duties differ. The CISO oversees the overall information security strategy and execution, while the CPO manages personal information of customers and employees according to laws and regulations. Typically, the CISO is a technology expert, whereas the CPO is a legal expert. However, many firms combine both roles under one executive due to expense. Holding both the CISO and CPO positions concurrently is not illegal under current law, and the government is not considering prohibiting such dual roles.

The reason the government is pressing for a reorganization of the corporate security control tower is to prevent large-scale personal data breaches like the SK Telecom hacking incident. On the 27th of last month, when it imposed a penalty surcharge on the company, the Personal Information Protection Commission pointed out that the role of the CPO at SK Telecom had been limited. Ko Hak-soo, the head of the commission, remarked at the time, "The issues related to the CPO identified during the investigation indicated that there was a clear division of roles between departments handling IT comprehensively and those managing infrastructure." He added, "While the CPO is able to oversee network infrastructure, there seemed to be a practice of viewing it only restrictively."

SK Telecom recently appointed a new CPO by separating personal data functions from the duties previously held by the CISO. This is the first time SK Telecom has made this distinction in 6 years. The company promoted Cha Ho-beom, a former lawyer and head of the AI governance team, to the position of CPO.

◇ "Due to expense and the nature of the work, it's not easy to have two security C-level executives."

As the government emphasizes the need for comprehensive security investment from the industry, corporations are forecast to bolster their security-related C-level personnel. Leaders above team-head level are more likely to be placed in roles that can influence the corporate budget. KT recently promoted its CISO to the level of executive director, but Hwang Tae-seon, the CISO, is still concurrently serving as the CPO. At LG Uplus, Hong Kwan-hee, the head of the information security center, is in charge of security. At Naver, Lee Jin-kyu, a former police officer, oversees corporate security as the head of personal information protection.

Industry sources indicate that, beyond expense limitations, the actual nature of the work makes it challenging to separate the two roles. For small and medium-sized enterprises, separation is virtually impossible due to limited manpower and budget, and even large firms may end up placing the CPO under the CISO in practice even when separation is formally established. LG Uplus announced that it would appoint separate CISO and CPO roles after expanding its security organization following a security incident in 2023, but it has since been reported to be maintaining a dual-position system because it has not found suitable candidates.

An industry insider noted, "There are many companies that do not have sufficient personnel and organization to separate the CPO as a distinct 'C-level', so in practice, there are often cases where they may only have the title of CPO." He added, "Considering the expertise, it would be appropriate to appoint the two roles separately, but it would be wise for the government to listen to voices from the field before amending the law."

※ This article has been translated by AI.