Willem Westerhof may be the Cinderella of cybersecurity internships.
Before starting his cyber internship at university in 2016, the Dutchman worked as a physiotherapist, made pies in a bakery and worked the night shift in a food service division at Amsterdam’s Schiphol airport.
Internships are generally considered the lowest rung of work in any industry. The stereotype is that they relegate eager newcomers seeking experience to low-paid or unpaid coffee runs, shattering their hopes and dreams. But Westerhof's internship led to a magical discovery that would change his life and career: a critical vulnerability in solar panel technology that could put the entire Dutch power grid at risk. Westerhof made headlines worldwide, spoke at several conferences, appeared in two documentary films, and got a full-time job at ITsec, the Dutch company where he interned.
The seven-month internship also helped ITsec make a key discovery of its own: a talented new recruit for its full-time team. A growing number of employers are similarly leveraging internships as part of their cyber talent pipeline.
Nearly a quarter of cyber industry new hires are interns
According to ISC2’s 2023 Cybersecurity Workforce Report, 24% of entry-level workers in cybersecurity (those with less than one year of industry experience) completed a cybersecurity internship or training before landing their first job in the field. In contrast, only 9% of more experienced workers (those with 10 or more years of industry experience) completed an internship.
“The internship [employers] “When interns complete projects and required tasks, it really broadens the pool of qualified talent that you can hire from when you need talent within your organization,” says Matthew Prager, deputy chief learning officer at the Cybersecurity and Infrastructure Security Agency (CISA). U.S. government agencies offer paid internships to high school, college, and graduate students.
Are cyber internships really valuable to employers? What is the best way to offer a cyber internship? Should a cyber internship be paid or unpaid?
Work experience is more important than academic background
Internships typically provide high school, college, and university students and graduates with work experience related to their degree programs and career goals. Internships can last from a few weeks to a few months and can be paid or unpaid, in-person, virtual, or hybrid.
Some are for credit, others are non-credit, and they take place during the semester or over the summer. They are offered by private companies and government agencies, often in partnership with educational institutions. Today, as the war for cyber talent heats up, on-the-job experience is increasingly valued over education, making internships a staple of that war.
According to the ISC2 report, the top priorities for employers hiring for cyber jobs are:
Entry-level cyber work experience — 70%.
Bachelor’s degree, basic certification, or other entry-level education — 30%.
“This suggests that cybersecurity professionals consider professional experience in any form to be more valuable than classroom or virtual education,” ISC2 concluded in the survey.
“Frankly, schools are not producing people with the skills we need,” said John Anthony Smith, founder and chief scientific officer of the Conversant Group.
For the past eight years, the Chattanooga, Tennessee, cybersecurity services and consulting firm has offered internships to graduating STEM students from local high schools. Smith has hired many of the interns full time, including one who is “by far the best and brightest” of his current employees.
“In the best case scenario, [interns] “While it’s flexible, it’s also important to have appropriate [person] We teach them the skills they need to know to excel in our specific business areas.”
Cyber internships are valuable for both companies and applicants
Internships also help address the chronic cyber skills gap by equipping a more diverse pool of candidates with the skills employers are looking for when hiring.
“The gap is only getting wider, and it’s not getting narrower, given where we are today and the talent we’re already attracting to the field, so diversity is really key,” says Alexandria Chiasson, national partnerships coordinator for the Information and Communications Technology Council, an Ottawa-based nonprofit that provides paid cyber internships to underrepresented students through partnerships with government, corporations and educational institutions.
Internships aren’t just valuable to employers; they give interns something they can never get in academia.
“It’s one thing to learn the material, but it’s another to actually get the work experience and see how it unfolds and works,” says Jeremy Shaki, CEO of Lighthouse Labs. “[Our program] It’s not lecture-based. Instead of sitting and reading books and taking lectures, you practice real-world project-based skills for about 10 hours a day, so your portfolio will show that you’ve worked on real projects in a company.”
The Toronto IT skills training company has partnered with employers and e-learning platform Riipen to offer ICT Ignite Cyber, a 60-hour virtual cyber internship over two to four weeks, funded in part by the Canadian government. Interns must be graduates of Lighthouse Labs’ cyber training course. The course costs $3,500 CAD, but participants will receive a stipend of at least $1,400 CAD upon completion of the internship.
Many interns come from outside cybersecurity
ICT Ignite Cyber is part of a growing trend to expand internship opportunities beyond high school, college and university. To be eligible for Ignite, interns must have at least three years of work experience, but the experience doesn’t have to be in the cyber field, as the program is aimed at professionals transitioning into cyber from other professions.
“This is very helpful for people with previous work experience to enter the field. [for] “These are people making career changes,” Shaki says.
Whether cybersecurity internships involve students, recent graduates, or career-changing professionals, how can CISOs get the most out of these programs that sometimes only last a few weeks?
Making Cyber Internships Effective
Internships provide benefits to employers in the form of new talent to hire, but they require companies to invest time, planning, oversight, and resources. Appointing one or more people to manage the process internally can make things easier for your organization.
“You will need to sit down with your supervisor and make sure they understand what the position is about, what the expected outcomes are, how the interns will be managed, what the needs of the program are, and how the interns will report. [on that intern]” says Prager.
Employers need to clearly define the intern process and explain what is expected of interns. When possible, Smith recommends mentoring interns rather than simply having them complete a bureaucratic checklist of tasks. “I’m a big believer in essentially having a sponsor who will mentor the intern, foster the relationship and help develop the intern.”
Chiasson cautions employers to manage their own expectations as carefully as they manage interns: Rather than hoping for unicorns (interns with one or more degrees, multiple technical certifications, and other work experience) to emerge, Chiasson urges companies to “hire them and then train them based on demand.”
Focusing solely on technical skills can be a mistake
Chiasson also cautions against employers focusing solely on teaching technical skills: For many students and recent graduates, cyber internships are an opportunity to learn soft skills such as communication, teamwork, problem-solving and customer interaction that are crucial in the real world of information security, she says.
Shaki suggests making internships project-based, rather than a chaotic series of “small individual tasks.” In his experience, interns who work on a specific project “tend to feel very valued at the end, and they take a lot of responsibility for what they’re doing.”
Companies that assign interns more tasks than just buying coffee have been found to hire more full-time employees at the end of the program. In a 2023 study of interns across a variety of industries (not just cybersecurity) in the U.S., interns who felt their work responsibilities were meaningful were 3.7 times more likely to subsequently receive a full-time job offer from their internship company.
Should you pay your cyber interns? In 2023, 59% of US college internships (all industries) were paid. While unpaid internships are legal in the US, Smith calls them “cruel” and is adamant that his company “never” offers them. Prager is more diplomatic and points out that paid opportunities typically attract higher quality candidates, “because you have a larger group that applies for paid internships than you have for unpaid internships.”
Cyber Internship Resources:
U.S. Government-run or -cooperative Cyber Internship Programs and Opportunities: https://niccs.cisa.gov/education-training/internships-apprenticeships
Government of Canada’s list of cyber internship programs in Canada: https://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/cbr-crr-wrnss/index-en.aspx
Internships for racially diverse candidates at Cyversity: https://www.cyversity.org/programs