Developing the Cyber Workforce

Higher Education

Think Community Colleges, Undergraduate and Graduate programs, and the like. As someone who has created a higher education cyber curriculum and class, I want you to know that, professionally speaking, the Information Security community is NOT HELPING. Get a bunch of CISOs in a room and ask them what skills they want students to learn and they give some vague answer like “programming skills” or “communications skills” or “writing skills”. Guess what — educators have been teaching these things for DECADES. Without calling it “Cyber Security”.

Internships, Co-Ops and Other OTJ Training

Mathematically, Higher Education cannot train the people needed to fill the gap in the Cyber workforce fast enough. This means the Security profession must create training opportunities to bring people into the profession without a formal education. Let’s face it, most of the people currently in the profession don’t have a formal Cyber education, so this shouldn’t be a big deal, right?

  1. Have a training plan. Don’t bring new people in, even senior people, and just let them lose. Learning Cyber takes time — a lot of time — so you need to have a training plan so that everyone knows what needs to be learned before they are legitimately a Security Pro. This applies to an intern who is still in college or an intern who is a mid-career re-skilling trainee.
  2. The more other-job experience a trainee has, the longer your internship needs to be. In other words, it’s OK to do a 12 week summer internship with a college student. If you are cross training someone with five years of [insert other job here] experience, you should expect your training program to be at least a year. This isn’t because they’re older, but because they will bring their own skills to the training, and part of their learning curve is how to translate what they already know to the new paradigm. They will want to go deeper, because they know deeper exists. They will need more stretch in their assignments to feel like they’re learning something.
  3. Connect interns to the Security Community. I know you’re training them on the job, but part of being an effective Security person is knowing where to get help — inside and outside your company — and that means building a network of Security friends. So send them to external training, send them to conferences, give them training resources outside your own organization (your team will thank you too). Give them access to Twitter, Reddit, GitHub and other online communities while they’re on the job.
  4. Within your company, create Security Internship Cohorts. Make it a badge of honor to be part of this program, and treat graduates of the program like Alumni that are regularly brought back for social events — even if they leave to work elsewhere.
  5. Treat your trainees/interns with professional respect. This means to give them tasks and projects geared to their level of experience, which stretches their skills and gives them a way to demonstrate competence. Don’t just give them low value work because you won’t take a risk on them.
  6. Ask your interns what they want. When I asked my undergrad interns what they wanted to learn, they wanted all the Cyber stuff, and they also wanted to know how to write a cyber resume, and do a cyber interview. Part of being a Security Pro is knowing how the entire ecosystem works — let your interns tell you what they need, and adjust accordingly. Ask them often — their pace of learning might surprise you.
  7. Look broadly for internship and trainee candidates (and employees). Folks who complain about the lack of talent are ignoring the wealth of talent out there, or are not willing to pay to move the talent where it needs to go, or to allow for remote working so they can meet talent where it already is. If you’re looking in all the usual places, you’re missing out. Use your social networks to find candidates. Look for groups like Year-Up or other training programs to bring on fresh faces. Look for adjacent professions to bring on mid-career trainees.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Helen Patton

Helen Patton


Cyber Security, Technology Ethics, and Humanity. What else? I can be found at or on Twitter @CisoHelen or on Mastodon