White-hat hackers in high demand for Internet security skills

Yang Wei is so good at solving thorny online security problems, and so in demand, that he hasn't had any rest over the past two months.

Yang, 24, who works for WooYun, the largest employer of white-hat hackers in China, was on the road to Shanghai last week to provide security technology training and organise offline security salons.

"I never thought I would be exhausted as a security employee, but I find it is not an easy job," Yang said.

Despite his youth, Yang has become a key player at WooYun, sharing his security knowledge with online communities and working with companies to resolve their security issues.

Younger people like Yang form the majority of China's white-hat hackers, a type of Internet expert known for identifying security problems, but not exploiting them for personal gain.

According to a report released by GeekPwn, an online security community, and Tencent, a large Chinese technology company, more than 60 per cent of white-hat hackers in China were born after 1990, and they are becoming younger.

Neither the report nor the country's cyberspace authority has released the exact number of white-hat hackers in China. But WooYun, for example, which was founded in 2010, has more than 7,200 security staff members.

Some of the young generation have talent in handling security risks and most of them have a broader understanding of the industry than their predecessors, said Guan Mochen, technical director of Kingsoft Security, a large national security provider.

They are also shouldering more pressure and facing bigger challenges, Guan said.

The report said that 84 per cent of Internet users think the yearly income of security staff could be more than 100,000 yuan (S$22,000), and 21 per cent think they could earn more than 500,000 yuan.

But, in fact, the yearly income of 55 per cent of the white-hat hackers is less than 100,000 yuan, it said.

Most security employees with just two years of working experience cannot demand a high salary in the field, Yang said.

"Even those who have mastered the key technology and can solve difficult security problems have not been paid what they deserve," Yang said.

Guo Xunping, vice-president of Bangcle, a mobile network security company, said talented security experts deserve higher incomes, but pay still trails.

High pressure

Salaries may be lower than desired, but white-hat hackers keep busy. Yang is a frequent flier, and he complains that he has no personal life.

"Since June, I have always been on a flight to Shanghai, Shenzhen, in Guangdong province, or Hangzhou, Zhejiang province, during the weekends, and it is still going on," he said.

"I am physically and mentally exhausted, but I am still persisting because I love the security job and always have a great passion," he said.

In the past, he supplied online security testing for companies, but with the fast development in the industry, he needs to handle many issues in person and through on-site training.

"In this way, I have to go to the companies to communicate. After all, some thorny or complicated security risks are not suitable to discuss in calls or on the Internet," he said.

Additionally, as a leader of the white-hat hackers at WooYun, Yang also is in charge of contacting companies in different cities and calling them regularly to share new industry findings.

Liu Hui, 25, who has a doctorate in security from Shanghai Jiao Tong University, said it is not difficult for her and her classmates to find security jobs, but identifying high-paid work without frequent business trips is challenging.

"If my future security job demands that I fly all the time and asks me to devote more time and energy, maybe I will change to another job or even consider leaving the industry," said Liu, who works for a security lab in the university.

Although Liu does not face excessive work currently, she is often asked to participate in security competitions, which occupy her spare time.

"I've felt the big pressure in the industry, so now I've decided to select some interesting or useful competitions that can improve my security skills to take part in," she said.

Guo, of Bangcle, said the younger generation's family members or friends don't always understand the commitment the field requires.

"The security technology, for many smartphone users, is too professional or advanced to understand," Guo said.

Additionally, the lower salaries have even made it challenging for some white-hat hackers to afford their apartment rentals in Beijing, Shanghai and Guangdong.

"The living challenges sometimes cause a few security protectors to be real hackers, as the 'black market' could bring them great profits," said Guan, of Kingsoft.

Shortage of talent

The Tencent report said that the security industry's fast development means finding and training more young security employees is a big challenge.

By 2014, 103 of the more than 2,500 universities across the country had offered majors relating to information security. But fewer than 10,000 students graduate every year, so the shortage of related talent could reach 1 million, it said.

Guan said most young security employees taught themselves and it remains necessary to provide them with additional training.

"We don't exclude talent who have a deep and powerful understanding of the field, but the industry still needs a complete knowledge base that can help employees look at problems thoroughly," he said.

Meanwhile, there is also a big demand for security talent with more knowledge in certain or specific fields, such as mobile network security, Guo said.

"My company focuses on the security of smartphone applications and can give higher pay for people who are competent, but now the recruitment disappoints me," he said. "Few security graduates know the section, let alone how to ensure the security of purchase, privacy and data transmission on the applications."