Big challenges in our world sometimes have simple solutions. The goal to be healthy, for example, can often be achieved through basic lifestyle improvements. And financial goals can often be met by just spending less and saving more.
Similarly, I believe that the ongoing and nagging skills gap in cybersecurity might be solved by just training more young people. I think it can be that simple. And one of the best tools for onboarding new talent that we’ve used at AT&T for years is through internships.
You already know that an internship involves some limited period of time during which work experience might be gained. Interns are often students interested in some professional field such as telecommunications. At AT&T, we benefit from this common interest in our area of business. We can offer geographical diversity, and we carve out roles within certain fields such as in our technology group, network team, sales and finance.
As you would expect, finding students who are interested in cybersecurity is easy. And the laws in countries such as the US provide excellent guidance on how internships must be managed legally. Furthermore, during workforce changes or reductions, it is imperative that internships be performed in full accordance with labor laws and corporate policies.
You’d expect that internships in cybersecurity would be the norm across our industry, but I recently ran a mini survey on the topic. (OK – it wasn’t scientific but hear me out). I asked several of our larger security customers if they had a skills gap – and 100% said yes. I guess I wasn’t surprised by this result.
But when I asked these same companies how they were doing with internships, the answers were spottier. One said that they didn’t use interns (“More work than they are worth.”) Several others said that the internships programs were scattered ad hoc across their direct report teams. Only one reported a formal program with the ultimate goal to try to select and hire the best interns.
If you’re reading this and you believe your security team can benefit from having interns in cybersecurity, then I’d recommend the following steps for implementation:
First, work with your human resources and legal teams to provide that all applicable laws, policies and employment conditions warrant the hiring of interns. We security folk benefit from their expert guidance in these important areas of labor management, so working with them is always the first step.
Assuming the conditions are OK for interns, the next step is to establish a formal program to be administered by your team. The program should have three goals: First, it should be geared to creating an awesome learning experience for interns – because, after all, that is the primary objective.
Second, it should establish focus areas in programs of cybersecurity that you consider to be essential to your present and future mission. Interns should never be used for mundane, repetitive work in less important areas. This can harm young people’s enthusiasm for our field, and it usually ends in poor performance on all fronts.
Finally, the internship program should be designed to encourage the intern to consider the company as a place to work after graduation. We’ve found at AT&T that by selecting good interns, we rarely have to test their performance. Instead, it is generally the opposite: We need to pass the audition!
Techniques for making internship experiences high quality include allowing interns to experience multiple types of projects, exposing them to many different work groups, and encouraging them to provide guidance on where they are most interested in working. These flexible freedoms help the intern to learn what your program is all about.
I hope you’ll take my advice to heart. We can help address the major problem we have with this skills gap by deciding to add some interns. Good luck with your program.