Portfolio

Detailed background, role, results and lessons behind each achievement.

01

ISMS Initial Audit Preparation & Certification

Background

  • Rapo Labs operates 'Queenit', a vertical e-commerce platform, and had met the mandatory ISMS certification requirements based on annual revenue and user count.
  • Joined as a sole security officer with no existing security team, setting ISMS initial audit passage as the top priority.
  • Minimized use of external firms (management system review, risk assessment, app/web testing) and handled all other certification preparations internally.

Role

Results & Impact

  • As a sole security officer in an environment with zero security infrastructure, passed the ISMS initial audit in 15 months (12 months preparation + 3 months remediation).
  • Built an information security management system optimized for the organization's scale and Cloud Native environment through thorough analysis, achieving excellent results with only 14 minor findings across 6 items.
  • Despite being a Series B startup, received the Minister of Science and ICT Commendation for Information Security in recognition of the outstanding security management system.

Lessons Learned

  • The biggest challenge in certification preparation was cross-team collaboration. Rapo Labs used OKRs for performance measurement, with each team already operating under tight resource constraints. Security team requests inevitably added burden, but this was overcome through 'effective communication' and 'building collaborative frameworks'.
  • For effective communication, I specified requests precisely and wrote persuasive PRDs. By meticulously analyzing certification requirements against our current state, I eliminated unnecessary work and conveyed only essential requests. This process shifted my thinking from mechanically applying conventional security controls to considering service-oriented remediation approaches — earning trust from POs and engineers and laying the foundation for collaboration.
  • To build collaborative frameworks, I pre-organized expected tasks, schedules, and requirements, discussed them with POs and team leads, and negotiated their inclusion in each squad's OKRs. This transformed security requests from mere 'support' into each team's 'achievements'. The result was an organizational culture that positively embraced security requests, teaching me the importance and effectiveness of re-framing situations.

02

Policy Development & Operations

Background

  • In an environment with zero information security concepts, I designed and introduced procedural and technical policies to embed security as organizational culture.
  • Closely discussed with practitioners to establish substantive rather than formal policies, focusing on service-oriented policy development that supports business growth.
  • Established and operated security policies that enhance the company's security posture while minimizing employee inconvenience or even increasing convenience.

Role

Results & Impact

  • Established and applied practical, efficient information security policies company-wide in an organization with zero security concepts. Beyond compliance, improved each department's business processes and established access control systems for personal data processing, significantly enhancing the company's overall security maturity.
  • Successfully introduced an AWS managed policies-based permission management framework and planned masking policies for GCP BigQuery personal data protection. Systematically managed cloud resource access permissions while effectively reflecting business needs through close departmental collaboration.
  • Designed services that improve user experience while meeting legal requirements, enhancing user satisfaction. Effectively resolved government agency requests for explanation arising from ICT Network Act violations, built prevention systems, minimized legal risk, and increased organizational credibility.

Lessons Learned

  • Learned that security policies that don't consider organizational characteristics and business processes have low feasibility and invite pushback, while designing realistic, executable policies through practitioner interviews and continuous discussions enables security to be perceived as a support element rather than an obstacle.
  • Through the GCP BigQuery masking policy process, experienced trial and error across various attempts to derive better solutions. Despite initial approach failures, deeply analyzing problems and exploring new solutions through collaboration emphasized the importance of perseverance and creative approaches to technical challenges.
  • In designing approaches that support business goals while meeting legal requirements, learned the importance of going beyond mere regulation compliance to enhance user experience and business efficiency. Realized the need for strategies that design compliance to promote rather than hinder organizational growth.

03

Security Compliance Engineering

Background

  • In an environment lacking even basic security solutions, conducted PoC and deployed security solutions appropriate for the company's growth stage. Evaluated both commercial and open-source solutions, selecting optimal choices based on cost and effectiveness.
  • Enhanced service security using open source and shell scripts for vulnerability scanning, and pre-emptively identified and eliminated potential financial threats through bug bounties.
  • Identified automatable tasks and implemented them with Python to efficiently use limited human resources, building an environment for effective resource utilization while improving task accuracy.

Role

Results & Impact

  • Reduced costs and strengthened security by deploying optimized solutions considering the organization's growth stage and resource constraints. SaaS-based endpoint security significantly reduced operational overhead while providing a satisfying environment for both employees and administrators.
  • Periodically assessed cloud environment vulnerabilities using Prowler and SSM, remediating root causes to prevent security incidents. Bug bounty programs significantly contributed to improving the company's overall security maturity by early discovery and remediation of potential service vulnerabilities.
  • Built an environment for efficient utilization of limited human resources by automating repetitive tasks. Through the cloud security monitoring system, established real-time threat detection and remediation capabilities, simultaneously enhancing accuracy and efficiency of security operations.

Lessons Learned

  • Realized that popular enterprise security solutions aren't always the right answer. Learned that by aligning solution selection with company growth stage, resource constraints, and business priorities, it's possible to simultaneously achieve cost savings and security improvements. Particularly developed the ability to make decisions by comparing open-source and commercial solutions.
  • Through vulnerability assessment and remediation, learned that security goes beyond finding technical solutions — it's about building overall organizational stability and trust. Effective tools and automation provide value beyond mere efficiency, with iterative scanning and improvement being key to elevating security maturity.
  • Developed the ability to implement desired automation using tools like Python and Ngrok. Realized that automation contributes not only to security team productivity but also to organization-wide productivity by eliminating employee bottlenecks caused by the security team.