Only One Executive Director-Level Security Officer at Card Companies: "Need to Increase Both Budget and Personnel"
19% of Executives at Eight Major Credit Card Companies Are in IT Roles
Only 3% Are Information Security Experts, Such as for Hacking Defense
"Authority to Lead Security Strategy for Risk Control Must Be Guaranteed"
Despite a series of information technology (IT) incidents that have troubled credit card companies, critics say the number of executives in charge of information security remains too small and their rank too low. Experts advise Korean firms to look at overseas practice, for example in the United States and the United Kingdom, where dedicated security executives are in place and a strong organization and clear reporting lines are established under the Chief Information Security Officer (CISO).
Only 8 Out of 46 IT Executives Handle Security
According to an analysis on June 6 of the first-quarter reports disclosed by the eight domestic full-service credit card companies (Samsung, Shinhan, Hyundai, KB Kookmin, Lotte, Woori, Hana, and BC Card), 46 of the 245 executives at these companies (19%) held IT-related posts as of the end of the first quarter. By contrast, each of the eight companies had only one executive in charge of information security, so those eight represented just 3% of all executives. By rank, seven were at the executive director level and one was an acting division head.
Within credit card companies, IT-related departments are broadly divided into information security, IT operations, and consumer protection. Of the 46 IT-related executives, 38 (83%) were general IT executives responsible for profit-oriented work such as AX (AI transformation), DX (digital transformation), platforms, and digital innovation. Only eight (17%) were dedicated to information security, responsible for risk management such as defending against hacking.
Information security expertise was also hard to find among chief executive officers (CEOs) and outside directors. The CEOs of credit card companies generally majored in business administration, economics, finance, public administration, or political science and diplomacy, and most outside directors were experts in business, economics, law, tax accounting, or public administration. Some outside directors with engineering backgrounds have been appointed, such as Choi Jae-boong (mechanical engineering) at Shinhan Card, Moon Yong-ma (industrial engineering) at Lotte Card, and Yoo Hyuk (computer engineering) at BC Card, but outside directors with hands-on experience in financial-sector cybersecurity or information protection were rare.
Academia Points to "Window Dressing" Management That Barely Meets Minimum Standards
Academics criticize not only the small number of information security executives at credit card companies but also their lack of authority within their organizations. With general IT executives leading profit-driven businesses, a single executive director-level information security executive, they argue, will find it hard to push firmly for a larger security budget at board or management meetings.
Article 32 of the Enforcement Decree of the Personal Information Protection Act requires companies with annual sales of at least 150 billion won that process the personal information of more than 1 million people, or the sensitive or unique identification information of more than 50,000 people, to designate a dedicated Chief Privacy Officer (CPO). No provision, however, requires that officer to hold a rank of executive vice president or higher. As a result, some financial companies are criticized for "window dressing": appointing their lowest-ranking executive as the information security officer simply to satisfy the minimum legal requirement.
Professor Chae Sangmi of the School of Business at Ewha Womans University said, "It is true that securing personnel and bearing related costs are burdensome, but as management systems become more advanced, it is absolutely necessary to have information security professionals who can put the brakes on profit-driven projects at board or executive meetings." She added, "The most timely and fundamental measure is to secure information security executives who can ensure budget execution efficiency and lead enterprise-wide security strategies."
She further commented, "If there is only one security officer per company and that officer is merely at the executive director level or acting division head, there will inevitably be serious limitations in the decision-making process. When marketing or sales departments led by executive vice presidents or higher demand simplification of security procedures for profitability, it is nearly impossible, given the nature of financial company organizations, for an executive director or acting division head to strongly oppose this."
Industry: "Governance Structure of Holding or Owner Companies Must Be Considered... Reporting Lines Are More Important"
The credit card industry, on the other hand, argues that the realities of management must be taken into account, since parent companies and groups are financial holding companies or large conglomerates (owner companies). For financial companies affiliated with a holding company or conglomerate in particular, the number of executive posts is limited, and each institution staffs information security executives according to its own scale and organizational structure. The industry also contends that simply raising the rank of the information security executive does not necessarily produce a proportional improvement in the company's security level.
An industry official said, "Card companies are not simply expanding security budgets or reorganizing teams, but are also making parallel investments in technology and strategy," and added, "Even if the information security officer is at the executive director level, they are able to present sufficiently independent opinions in line with the CEO's management direction."
Others argue that what matters is the real standing of the information security officer within the organization, together with strong reporting lines. Rather than simply adding more executives, they consider it more effective to give executives with expertise clear responsibilities and authority.
Seo Jiyong, Professor of Business Administration at Sangmyung University, analyzed, "In the United States, United Kingdom, and Japan, it is common for organizations to have a single CISO, with a strong organization and board reporting line under the CISO," and added, "What matters more than the rank of the information security officer itself is how substantive their authority is within the organization and how independent their reporting line is."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.