The Growing Cybersecurity Crisis in South Korea
South Korea is facing a significant cybersecurity crisis despite its increasing dependence on digital infrastructure and the rising number of cyberattacks. One of the most alarming issues is the lack of investment in cybersecurity personnel by South Korean companies, which leaves critical systems vulnerable to threats.
According to a recent workforce survey conducted by the Ministry of Science and ICT, only 8.7 percent of firms reported a need for cybersecurity staff. The sector’s labor pool, consisting of 79,509 workers, is stretched thin, with just 28.4 percent fully dedicated to security roles. An additional 63.8 percent of workers juggle cybersecurity responsibilities alongside other tasks, while 7.8 percent of companies outsource their security entirely. This under-staffing is particularly concerning given the surge in cyber threats.
In 2022, South Korea recorded 1,142 reported breaches, followed by 1,277 in 2023 and an alarming 1,887 in the first half of 2024 alone. Kim Hyung-joon, a professor at Korea University’s Graduate School of Privacy & Data Protection, highlighted that small and mid-sized enterprises often prioritize short-term profits over long-term security. Even large corporations, which can afford to invest, frequently treat cybersecurity as a symbolic exercise rather than a strategic necessity.
The perception of cybersecurity as a cost center rather than an investment needs to change, according to Kim. However, this shift is not happening quickly enough. Compensation for cybersecurity professionals remains low compared to other industries. As of 2024, the average annual salary for full-time cybersecurity staff in South Korea was 54 million won ($39,000), with large companies offering around 63.4 million won ($46,000) and small and mid-sized firms offering only 46 million won ($33,000).
Even top cybersecurity firms fall short in terms of pay. Secui offered the highest average salary at 79 million won ($57,000), while market leader AhnLab paid 70.7 million won ($51,000). In contrast, major tech firms like Naver and Kakao paid significantly more—129 million won ($93,000) and 102 million won ($74,000), respectively. Unsurprisingly, 38.2 percent of job seekers cited “low pay” as the main reason for avoiding cybersecurity careers.
This shortage of skilled workers is already hampering innovation. A 2024 report by the Korea Information Security Industry Association (KISIA) found that 76.3 percent of cybersecurity firms cited “difficulty securing and retaining R&D personnel” as their greatest challenge to technology development. The average tenure at major security firms is just over five years, roughly half that of employees at leading IT companies.
International comparisons are sobering. According to the U.S. Bureau of Labor Statistics, American cybersecurity professionals earn an average of $127,000, with senior roles exceeding $150,000. Firms like Palo Alto Networks and Zscaler offer over $200,000 for top security officers as part of aggressive hiring strategies. The U.S. cybersecurity job market is projected to grow 32 percent by 2032.
Globally, cybersecurity firms are consolidating to meet increasingly complex threats. In April, Palo Alto Networks acquired Protect AI, a startup focused on securing artificial intelligence. In 2024, it purchased IBM’s cloud security software platform QRadar. Cisco’s $28 billion acquisition of SIEM leader Splunk last year remains the largest deal in the sector’s history.
South Korea, however, remains fragmented and under-leveraged. Among 814 domestic cybersecurity software companies, only 122 have operated for more than 24 years. The country has yet to produce a globally recognized brand in the sector. Meanwhile, the Basic Cybersecurity Act, first introduced in the 17th National Assembly, has languished in the legislature for more than a decade despite repeated attempts at revival.
Exports have also declined. In 2024, South Korea’s information security industry generated 1.68 trillion won ($1.2 billion) in exports, down 16.3 percent from the year before.
Experts are calling for a multi-pronged government response. Some urge the localization of key cybersecurity technologies and recommend diverting a portion of the national AI R&D budget to security-related initiatives. A recent wave of high-profile hacks appears to have caught the government’s attention. In a policy report submitted to the National Policy Planning Committee, the Ministry of Science and ICT outlined a set of reforms. These include amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection, which would give chief information security officers (CISOs) greater authority over staffing and budgets.
The government also plans to expand mandatory cybersecurity disclosures from companies earning over 300 billion won ($218 million) to all publicly listed firms. The definition of “critical information infrastructure” will be broadened, and the criteria for certification will be tightened.
“Expanding mandatory disclosures and giving CISOs stronger internal authority,” said Youm Heung-youl, professor emeritus at Soonchunhyang University, “would be concrete first steps.” He emphasized the need for the government to scale up funding for training and R&D, while companies must make meaningful investments in security.