Willem Westerhof could be the Cinderella of cybersecurity interns.
The Dutchman had worked as a physiotherapist, made cakes in a bakery and worked night shifts at food and drink stands at Amsterdam’s Schiphol Airport before embarking on a cyber internship at university in 2016.
Internships can generally be considered the lowest form of drudgery in any industry, stereotypically reducing young newbies eager to gain experience to underpaid or unpaid coffee fetchers, frustrating their hopes and dreams. But Westerhof was touched by a magical discovery that transformed his life and career: a critical vulnerability he detected in the field of solar panel technology threatened to jeopardize the entire Dutch power grid. Westerhof made headlines around the world, speaking at several conferences and appearing in two documentaries, as well as landing a full-time job at ITsec, the Dutch company where he had interned.
That seven-month internship helped ITsec make a pivotal discovery: a talented newcomer to add to its permanent team. A growing number of employers are also leveraging internships as part of their cyber talent pipeline.
Nearly a quarter of new cyber workers were interns
According to the ISC2 2023 Cybersecurity Workforce Report, 24% of new cyber workers (those who have been in the industry for one year or less) completed a cyber internship or apprenticeship before landing their first job in the sector. In contrast, only 9% of more experienced workers (those with 10 or more years in the industry) had completed an internship.
“Internships not only help (employers) complete the projects and work they need done, but they really expand the pool of eligible people to draw from as more people are needed within an organization,” says Matthew Prager, associate director of learning at the Cybersecurity and Infrastructure Security Agency (CISA). The U.S. government agency offers paid internships to high school, undergraduate and graduate students.
Are cyber internships really worth it for employers? What is the best way to offer them? Should they be paid or unpaid?
Work experience often trumps education
Internships typically provide students or recent graduates of high school, college, or university with work experience related to their degree program or career goals. They can last weeks or months, be paid or unpaid, in-person, virtual, or hybrid.
They may or may not be for academic credit and can be taken during the school year or in the summer. They are offered by private companies or government agencies, often in partnership with educational institutions. Today, they are the linchpin of a hyper-competitive cyber talent landscape in which work experience often trumps education.
According to the ISC2 report, here’s what employers value most when hiring for cyber jobs:
- Entry-level cyber work experience: 70%.
- A bachelor’s degree, basic certification, or other entry-level education: 30%.
“This tells us that cybersecurity professionals view professional exposure of any kind as more valuable than education in a classroom or virtual environment,” ISC2 concluded in the study.
“To be blunt, schools are not producing people with the skills we need,” says John Anthony Smith, founder and chief strategy officer of Conversant Group.
For the past eight years, the Chattanooga, Tennessee-based cybersecurity consulting and services firm has offered internships to recent STEM graduates from a local high school. Smith has hired many of them full-time, including one he describes as “absolutely one of our best and brightest” current employees.
“At best, we hire them when they are still flexible,” Smith says. “We match them with an appropriate person in our company and then train them on the technology we need to perform well in that specific part of our business.”
Cyber internships can be valuable for both companies and candidates
Internships can also help address the chronic cyber skills gap by equipping more diverse candidates with the skills employers demand when hiring.
“The gap is widening. It’s not narrowing based on what we have now and who we’re attracting to the sector. So diversity becomes really critical,” says Alexandria Chiasson, coordinator of national associations at Information and Communications Technology Council. The Ottawa-based non-profit organization offers paid cyber internships for underrepresented students through a partnership with government, businesses and educational institutions.
Internships are not only valuable to employers, but they also give interns something they could never achieve in the halls of academia.
“It’s one thing to learn the material, right? It’s another thing to have work experience and see how it works,” says Jeremy Shaki, CEO of Lighthouse Labs. “Our program is not very lecture-based. You spend about ten hours a day developing real skills based on projects, rather than sitting, reading and lecturing. So people have material in their portfolio where they can show that they have actually worked on real projects with a company.”
The Toronto-based IT skills training company has partnered with employers and e-learning platform Riipen to offer ICT Ignite Cyber, a 60-hour virtual cyber internship lasting two to four weeks and partially funded by the Canadian government. Interns must be graduates of a Lighthouse Labs cyber training course (which costs them $3,500 (CDN)), but they receive a stipend of at least $1,400 (CDN) once they complete their internship.
Many interns come from outside the cybersecurity field.
ICT Ignite Cyber is part of the growing trend of expanding internship opportunities beyond high school, college and university. To qualify for Ignite, interns must have at least three years of prior work experience, though not necessarily in cyber, as the program is geared toward professionals transitioning from other careers into cyber.
“This is a great help for people with previous work experience to move into this sector. It is definitely for those who want to change careers,” says Shaki.
Whether cybersecurity internships involve students, recent graduates, or career-changing professionals, how can a CISO make the most of these programs, which sometimes last just a few weeks?
How to make cyber internships effective
While an internship can be cost-effective for an employer in the form of recruiting a new talent pool, it does require the company to invest time, planning, oversight, and resources. Appointing one or more people to manage the process internally can make things easier for the organization.
“Sit down with your supervisory staff so they understand what the position is being advertised for, what the expected outcomes are, how to manage that intern, the needs of the program, and how they should report (on that intern),” Prager says.
Employers should also clearly define the process for the intern and explain what is expected of them. If possible, Smith recommends mentoring the intern, not simply ticking off a bureaucratic checklist: “I strongly believe in having a sponsor, someone who will take the intern on and foster that relationship, foster that person.”
Chiasson cautions employers to manage their own expectations as carefully as they manage the interns themselves. Rather than waiting for a unicorn — an intern with one or more degrees, several technical certifications and other prior work experience — to come along, Chiasson urges companies to “hire them and then train them based on what’s required.”
Focusing solely on technical skills can be a mistake
Chiasson also cautions employers not to focus solely on teaching technical skills. For many students and recent graduates, Chiasson says, cyber internships are an opportunity to learn soft skills that are crucial in real-world cybersecurity, such as communication, teamwork, problem-solving and interacting with customers.
Shaki suggests that internships be project-based rather than an unstructured series of “small individual tasks.” In Shaki’s experience, interns who work on specific projects “often feel very valued at the end… and very responsible for what they’re doing.”
Companies that allow interns to do more than menial tasks, such as fetching coffee, end up with more full-time hires at the end of the program. In a 2023 survey of U.S. interns across a variety of industries (not exclusively cybersecurity), interns who felt their “work duties were meaningful” were 3.7 times more likely to subsequently accept a full-time job offer from their placement sponsor.
Should You Pay Your Cyber Intern?
59% of US college internships (across all industry sectors) were paid in 2023. While unpaid internships are legal in the United States, Smith calls them “cruel” and swears that his company would “never” offer one. Prager more diplomatically notes that paid opportunities often attract higher-quality candidates because “you get a larger pool of candidates applying for a paid internship than would necessarily apply for an unpaid internship.”
Cyber Internship Resources:
Cyber internship programs and opportunities hosted by or in conjunction with the U.S. Government: https://niccs.cisa.gov/education-training/internships-apprenticeships
List of Canadian Government Cyber Internship Programs: https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/cbr-crr-wrnss/index-en.aspx
Internships for racially diverse candidates at Cyversity: https://www.cyversity.org/programs