Hello, I am Kim Hee-hyun, a Pro in the Security Planning Department at POSCO DX. Our department plays a pivotal role in overseeing the company’s entire infrastructure, ranging from corporate security and network systems to data center operations. Beyond supporting the Security Management (SM) of our group affiliates, we work closely with our Security Operations Center (SOC) and penetration testing experts to prevent security breaches and information leaks. Specifically, I am responsible for penetration testing, where I identify and remediate security vulnerabilities across POSCO Group. I approach my work with unwavering dedication every day, striving to enhance system stability and protect our valuable data.

My journey into security began with an incident during my time as a server administrator. One morning, I discovered that a server had been rebooted without authorization, which made me realize that someone had breached our system. Feeling a strong sense of responsibility to protect our systems, I pursued various security-related activities and eventually moved to a specialized information security firm. However, I found that external consulting often focused on short-term assessments, which limited my ability to continuously advance and perfect security frameworks. As my thirst for deeper involvement in security grew, I found the perfect opportunity to join the Security Planning Department at POSCO DX.

ⓒ clipartkorea

While both groups may use similar technical skills, their objectives, ethics, and procedures are fundamentally different. A white hat hacker is a security professional who, with formal authorization from an organization, identifies vulnerabilities based on real-world attack scenarios and provides solutions. Our ultimate goal is to prevent incidents and strengthen security systems. In contrast, black hat hackers engage in illegal activities—such as unauthorized access, data theft, or system sabotage—for criminal or financial gain.

Before any web-based service developed in-house—such as our main website or E-Procurement system—is launched, it must undergo a rigorous security vulnerability assessment. We meticulously check for any security loopholes. If a vulnerability is found, we submit a report to the development team, and once they have addressed it, we conduct a follow-up verification to ensure the issue is resolved. This process is repeated until all vulnerabilities are cleared, which is a prerequisite for the final service launch.

We screen for 26 types of vulnerabilities, including SQL Injection, Cross-Site Scripting (XSS), and file upload vulnerabilities. Beyond web applications, we also perform penetration testing for mobile apps and security configuration audits for infrastructure systems (Unix, Windows, network equipment, DBs, etc.).

Furthermore, we visit group affiliates, including POSCO Holdings and POSCO, to conduct on-site inspections. Since each affiliate has different business models and system scales, our focus areas vary accordingly. When we identify potential risks that could lead to hacking or data leaks and provide guidance on improvements, the local security teams often tell us how valuable our support is. I believe these activities play a meaningful role in elevating the overall security posture of the entire POSCO Group.

The core value lies in “prevention”—identifying and blocking risks before they manifest into problems. Security incidents can cause massive financial losses, service disruptions, and data breaches; therefore, eliminating potential threats in advance is the most efficient strategy.

By testing systems using the same methods as actual attackers, white hat hackers find the “doors” that intruders might use and provide ways to lock them. This process also helps uncover early-stage issues in corporate operations, policies, and organizational structures. In essence, white hat hacking is a strategic asset that safeguards a company’s financial value, brand reputation, and operational stability.

The greatest challenge lies in consistently delivering results that meet the high expectations of our stakeholders. As hacking techniques evolve daily, it is not easy for a limited team to master new technologies and apply them immediately to the field. To ensure we provide the top-tier expertise expected of us, we actively participate in technical seminars and external training to internalize these capabilities.

Recently, we have been working to shift the paradigm of our security operations by integrating AI. We are currently testing various ways to incorporate AI into our penetration testing and security monitoring processes to reduce time and costs while building a more seamless security framework.

I adhere to the principle of ‘thoroughness until I am fully satisfied.’ I believe that if you rush an assessment due to time constraints, problems are bound to occur. While it is not always easy to uphold this principle during peak periods due to various internal and external factors, I keep in mind that this rigor is the only way to truly prevent accidents.

ⓒ clipartkorea

As closed-off factories of the past transition into smart factories, cyberattacks are no longer limited to simple data leaks; they can lead to massive operational losses, such as factory shutdowns or physical destruction. Therefore, digital security in the steel and manufacturing industries has become an essential safety mechanism that goes beyond data protection—it is now vital for “preventing factory downtime” and “ensuring the safety and lives of our field workers.”

The most critical competency is “practical problem-solving.” It is not enough to have technical knowledge; one must be able to identify the risks inherent in that technology and propose realistic solutions. If you aspire to be a security expert, you must develop a comprehensive mindset that allows you to grasp the technical essence of a risk and provide “actionable solutions” optimized for the organization’s business environment.

To grow as a white hat hacker or security expert, you need a solid understanding of overall IT infrastructure, including Operating Systems (OS), networks, and programming. Since the targets and services change constantly, you must also possess strong problem-solving skills and diverse practical experience. Relying on a single technology will eventually lead to a dead end. I recommend practicing with various hacking tools, participating in bug bounty programs, and staying updated on the latest security trends to cultivate flexible thinking and response capabilities.

Lastly, you need persistence and passion. Finding and fixing hidden vulnerabilities involves many failures. If you have the persistence and passion to overcome every challenge, you will surely become an excellent security expert.