How to Create a Cybersecurity Mentorship Program
As the talent shortage rages on, companies have found mentorship programs to be one of the best ways to obtain the security skills they need to develop their existing teams.
![Two co-workers confer over paperwork.](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt66e2798166ec406c/64f175efec1d25dc76a6a9f9/Slide_1Cover_Art.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Source: Lightfield Studios via Adobe Stock
Talk to managers in the security industry and they are singing the same blues: We can't find enough qualified people.
Some companies have taken matters into their own hands, starting mentorship programs that aim to take Level 1 SOC interns and turn them into threat modelers and hunters — and future red team leaders and CISOs.
It takes investing resources and maintaining tight control and follow-up on actual progress and results, whether for three-month, six-month, or yearlong programs.
"Focusing on the development of our employees – at every level – is a focus for our company," says Leslie Jones, chief human resource officer (CHRO) at Coalfire. "We could be helping an individual early in their career identify their career goals and providing some guidance, or we could deliver a broad leadership development for our leaders."
Kelly Albrink, security practice director at Bishop Fox, explains it this way: "You can't buy senior-level talent; you can only build it, and mentorships are the best way to do that."
Here's how to get a cybersecurity mentorship program launched in your organization.
At Bishop Fox, Albrink, who helped develop the company's mentorship program, says they start by sending a survey to internal employees two to three times a year. The online form asks employees what they want to learn, and asks potential mentors what they want to teach.
Using the responses, they try to match mentors with mentees based on years of experience and interest. Albrink says they then check in with the mentors and mentees every three to five months to see how it's going because sometimes it's helpful for employees to have more than one mentor.
Demi Ben-Ari, co-founder, CTO, and head of security at Panorays, says companies need to find the people who are the best evangelists for security and encourage them to become mentors.
"They might be super talented technical people or just good with people and explaining the field," Ben-Ari says. "But get them involved. Lure people in by giving them a challenge."
Shanni Prutchi, a Level 2 security consultant at Bishop Fox, says she started off on a blue team but, through her mentor, expressed an interest in developing red team penetration-testing skills.
The mentor at Bishop Fox first worked with Prutchi to assist her and offer guidance when she was conducting application tests. When she told the mentor she was interested in developing threat-modeling skills, the mentor created an exercise on how to build a threat model that Prutchi worked on for about four months.
"My goal was to do consulting work, not just be an internal red team person," Prutchi says. "I wanted to get to a point where I could lead a red team on a pen test and explain the results to the customer."
Joni Klippert, founder and CEO at StackHawk, says she encourages all of her leaders to have regular check-ins with mentors, peers or otherwise.
"Benchmarking yourself against others in your position or the position you want will help you grow in your career and prepare for what's around the corner," Klippert says. "We also have a buddy program for our engineers. Each new hire in engineering gets an onboarding buddy who they can go to with questions and who helps them learn the ropes. We also create a customized set of onboarding goals for new hires that helps them learn and get up to speed over their first 90 days."
At Bishop Fox, they don't just hire people, train them for a few months, and then send them to RSA and Black Hat to give presentations at the major security industry shows.
Bishop Fox has a series of "Brainjams" where mentees get an opportunity to talk over a lunch hour and present a technical topic to their peers.
Bishop Fox's Prutchi says at one of the Brainjams she participated in, everyone on the team took one or two items from the OWASP Top 10 list and then took roughly 10 minutes to explain each vulnerability, say what it looks like, go over the best testing methods, and offer suggestions for mitigations.
Ben-Ari at Panorays says he works closely with the mentees to help them prepare for presentations.
"Once we had this young woman who was afraid to speak to groups," Ben-Ari says. "I went with her to the presentation and introduced the topic. In the end, she did 80% of the work; all I did was warm up the crowd. I was mainly there to help support her."
Chenxi Wang, founder and partner at Rain Capital, recommends that companies make performance in a mentorship program part of the evaluation criteria for a promotion.
"It's really important to make the mentorship an important part of advancing the mentee's career," Wang says. "Get them excited about the program but also build in some accountability. Track them aggressively so they don't fall by the wayside."
Wang adds that it's really important for companies to do this for senior people at the vice president level and above. "Companies spend a lot of effort recruiting and training; you don't want to waste that effort by not doing the proper follow-through," says Wang.
Mentees looking to run red or blue teams need to develop the technical skills, but they also need to learn how to handle relationships with customers.
Bishop Fox's Albrink says most of the mentors will shadow the senior people and then sit in on follow-up meetings where they go over "lessons learned" and discuss situations where the relationship didn't go so well.
Prutchi of Bishop Fox says if she has a question for the client, she can usually ask it during the kick-off call. As a general rule, the engagement manager speaks directly to clients on most issues, but when a situation arises in which she wants to explain a finding to a customer, she consults her mentor. "I work with my mentor to decide what I should focus on and what I can skim over," Prutchi says.
There are any number of organizations that offer help with mentorships and will put companies in touch with young people looking to get into the industry. Albrink says Bishop Fox patterned its mentorship program on a program developed at the security organization at Google.
Ben-Ari of Panorays says they reach out to local schools and try to get young people excited about the security field. They also go to conferences and, since they are based in Israel, they reach out to people who are ending their military service to see if they are interested in joining the company. They also ask people with military backgrounds to become mentors for their own staff.
There are also many groups looking to reach out to women and minorities. Maggie Domond, executive director at Cyversity, says the mentorship program has become one of the cornerstones of the organization. Domond says it has been reaching out to community colleges and historically Black colleges and universities (HBCUs) to generate interest in cybersecurity.
The organization also receives foundation grants from many security industry companies that give it the resources to help reach out to potential candidates. Domond says they typically run a six-month mentorship program where they work with the mentees to set goals, develop job interview skills, and work on their resumes.
Wang of Rain Capital says she’s also working with a group of 90 high-level female executives to help build up the Forte Group, an organization focused on bringing gender diversity to the cybersecurity industry.
"Much of what we do now is word of mouth, but we are looking to reach out more to colleges and universities and set up mentorship programs," Wang says.
The Mentor/Mentee Program at Women in Cybersecurity (WiCyS) is also worth investigating. And check out the Cybersecurity Mentoring Hub run by Noureen Njoroge, global director of cyber threat intelligence at Nike.