Willem Westerhof just might be the Cinderella of cybersecurity interns.
The Dutchman had worked as a physiotherapist, made pies in a bakery, and toiled in overnight shifts at food and beverage stands in Amsterdam’s Schiphol airport before embarking upon a cyber internship at university in 2016.
Internships might be generally considered the lowest form of drudgery in any industry, stereotypically reducing young rookies eager to get experience to poorly compensated or unpaid coffee fetchers, dashing their hopes and dreams. But Westerhof’s was touched by a magical discovery that transformed his life and career — he detected a critical vulnerability in solar panel technology that threatened to put the entire power grid of the Netherlands at risk. Westerhof made global headlines, spoke at several conferences, and appeared in two documentary films — and landed a full-time job at ITsec, the Dutch firm at which he had interned.
That seven-month internship helped ITsec make a critical discovery of its own: a talented newcomer to add to its permanent team. A rising number of employers are similarly tapping into internships as part of their cyber talent pipeline.
Almost one-quarter of new cyber workers were interns
According to ISC2’s “2023 Cybersecurity Workforce Report”, 24% of new cyber workers (those in the industry for one year or less) completed a cyber internship or apprenticeship before getting their first job in the sector. By contrast, just 9% of more seasoned workers (those with 10 or more years in the industry) had done an internship.
“Internships not only help [employers] complete projects and work that they need to get done, they really expand the pool of eligible people to draw from as you need more people within an organization,” says Matthew Prager, associate chief learning officer at the Cybersecurity and Infrastructure Security Agency (CISA). The US government body offers paid internships to high school, undergrad and graduate degree students.
Are cyber internships really worth it for employers? What’s the best way to offer one? Should they be paid or unpaid?
Work experience often trumps education
Internships typically provide students or recent grads from high school, college or university with workplace experience related to their degree program or career goals. They can last weeks or months, be paid or unpaid, in-person, virtual, or hybrid.
They may or may not be for academic credit and can happen either during the school year or in the summer. They’re offered by private companies and/or government agencies, often in partnership with educational institutions. Today, they’re the linchpin of a hypercompetitive cyber talent landscape in which workplace experience often trumps education.
According to the ISC2 report, here’s what employers value most when hiring for cyber jobs:
- Entry-level cyber work experience — 70%.
- A bachelor’s degree, basic certification or other entry-level education — 30%.
“This tells us cybersecurity professionals view professional exposure in any manner as more valuable than education in a classroom or virtual setting,” ISC2 concluded in the study.
“To be frank with you, the schools are not turning out people with the skills we require,” says John Anthony Smith, founder and CSO of Conversant Group.
Over the past eight years, the cybersecurity services and consulting firm in Chattanooga, Tennessee, has offered internships to recent STEM grads from a local high school. Smith has gone on to hire many of them full-time, including one he describes as “absolutely one of our best and brightest” current employees.
“Best case scenario, we catch [interns] while they’re malleable,” Smith says. “We align them with an appropriate [person] at our company and then we educate them in the tech that we need to know to perform well in that particular part of our business.”
Cyber internships can be valuable for both companies and candidates
Internships can also help address the chronic cyber skills gap by equipping more diverse candidates with the skills that employers demand when hiring.
“The gap is only widening. It’s not narrowing based on what we have now and who we’re already attracting to the sector. So diversity becomes really critical,” says Alexandria Chiasson, national partnerships co-ordinator at the Information and Communications Technology Council. The Ottawa-based non-profit offers paid cyber internships for underrepresented students through a partnership with government, businesses and educational institutions.
Internships aren’t only of value to employers. They also give interns something they can never attain within the halls of academia.
“It’s one thing to learn material, right? It’s another to actually have work experience and see how it parlays and plays,” says Jeremy Shaki, CEO of Lighthouse Labs. “[Our program] is not very lecture-based. You’re doing about 10 hours of work a day of actual project-based skills as opposed to sitting, reading and doing lectures. So, people do have stuff in their portfolio where they can show that they’ve actually worked on real projects with a company.”
The Toronto IT skills training firm has partnered with employers and e-learning platform Riipen to offer ICT Ignite Cyber, a virtual, 60-hour cyber internship lasting two to four weeks and partially funded by the Canadian government. Interns must be graduates of a Lighthouse Labs cyber training course — which costs them $3,500 (CDN) — but they receive a stipend of at least $1,400 (CDN) once they complete their internship.
Many interns come from outside cybersecurity
ICT Ignite Cyber is part of the growing trend to extend internship opportunities beyond high school, college and university. To qualify for Ignite, interns must have at least three years of prior work experience, though not necessarily in cyber, since the program is aimed at professionals pivoting to cyber from other careers.
“This is very much helping people go from previous work experiences into this sector. Absolutely, it’s [for] career changers,” Shaki says.
Whether cybersecurity internships involve students, new grads or career-shifting professionals, how can a CISO get the most from these programs, which sometimes last only a few weeks?
Making cyber internships effective
Though an internship can pay off for an employer in the form of a fresh crop of talent to hire, it requires the company to invest time, planning, oversight, and resources. Designating one or more people to manage the process internally can make things easier for the organization.
“Sit down with the supervisory personnel so they understand what that position is being advertised for, what the expected outcomes are and how to manage that intern, the program needs, and how they have to report [on that intern],” Prager says.
Employers should also clearly define the process for the intern and explain what is required of them. If possible, Smith recommends mentoring an intern, not simply ticking off a bureaucratic checklist of their tasks: “I do fervently believe you essentially need a sponsor, someone who’s going to take the intern under his or her wing and nurture that relationship, nurture that person.”
Chiasson warns employers to manage their own expectations as carefully as they manage the interns themselves. Rather than expecting a unicorn to show up — an intern with one or more degrees, several technical certifications and other prior workplace experience — she urges companies to “take them on and then train them based on what you require.”
Focusing solely on technical skills can be a mistake
Chiasson also cautions employers against focusing solely on teaching technical skills. She says cyber internships are an opportunity for many students and new grads to learn soft skills that are crucial in real-world infosec, such as communication, teamwork, problem-solving, and interacting with customers.
Shaki suggests making an internship project-based rather than an unstructured string of “small individual tasks.” In his experience, interns working on specific projects “tend to feel very valued at the end… and a lot of ownership over the thing they’re doing.”
Companies that let interns do more than just menial tasks such as coffee runs actually wind up with more full-time hires at the end of a program. In a 2023 survey of US interns across various sectors (not exclusively cybersecurity), interns who felt their “work duties were meaningful” were 3.7 times more likely to accept a full-time job offer from their placement sponsor afterward.
Should you pay your cyber intern?
59% of US college internships (across all industry sectors) were paid in 2023. Though unpaid internships are legal in the U.S., Smith calls them “cruel” and vows his company “would never” offer any. Prager notes more diplomatically that paid opportunities usually draw higher-quality candidates because “you get a larger group who will apply for a paid internship than you necessarily would for an unpaid internship.”
Cyber internship resources:
Cyber internship programs and opportunities run by or in conjunction with the US government: https://niccs.cisa.gov/education-training/internships-apprenticeships
The Canadian government’s list of cyber intern programs in Canada: https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/cbr-crr-wrnss/index-en.aspx
Internships for racially diverse candidates at Cyversity: https://www.cyversity.org/programs