Every single person I speak to in the software security industry agrees on one thing. There is a talent war. Put another way, the demand for good software security people far outstrips the supply, or yet another way, there aren’t enough people to secure the software that needs to be secured for the digital economy to continue growing at the current rate. I could go on but you get the point. This is of course not a security industry issue but a general software engineering issue, amplified in niche areas and with the dial turned right up to eleven for ‘red hot’ niches like security. Most companies approach the issue by making their company a more attractive place to work. Bigger salaries, better perks and a better work environment. If you judged the state of the economy by the number of recruiter calls you would think we are in boom times.
A few days ago I watched the Presidential debate. Inspired by Barack Obama’s speech about investing in education to create a workforce with the skills that are in demand, I started thinking about ways the security industry could invest to create the talent that is clearly in such high demand. I was thrown out of high school at 17 (sixth form college in the UK) for being a generally naughty boy but after working it out of my system (yes “my” system not “the” system) I returned to formal education in my mid-twenties, ending up with a Bachelor’s degree in engineering and a Master’s degree in Information Security where I specialized in cryptography at the Mathematics department of a top British university: Royal Holloway and Bedford New College, University of London. Despite being very proud of my academic achievement and appreciative of the doors that it undoubtedly opened, I can’t help but also acknowledge that relatively little of what I learned at college has been used in my career. I wouldn’t change a thing (my ‘no regrets’ rule of life) but I often wonder how life might have been different if I had found a mentor in the security industry or had found an apprenticeship instead. I love the idea of mentors and apprenticeships and clearly others do as well. Last year LivingSocial invested in growing talent this way by creating the Hungry Academy.
I have an idea. I think a software security mentor and internship program done right would have a meaningful impact on the industry, and I would invest time and money in making it happen as a core Seconauts project starting in the new year. I have spoken to a few people about this offline but before I start calling around and actually asking people if they will commit money and time I wanted to get some broader feedback as to whether companies would be willing to sponsor it and whether mentors would be willing to invest their time in mentoring candidates.
How would it work? What’s in it for sponsors? What’s in it for candidates? What’s in it for mentors?
How would it work? I don’t have a detailed plan (yet). This idea has been conceived over the last few days, but I think it might work something like this.
Companies sponsor the Seconauts non-profit 501(c)(3) being set up for about $10,000 USD for each year they wish to support the program. There would be two six-month internship periods each year. Each Intern gets assigned (or chooses) four mentors. The primary mentor would be their ‘go-to’ person. I really don’t like the term life coach but it may be appropriate here. They would focus on the career, business and industry skills and provide continuity across the program. The primary mentor would also provide a physical workspace for the Intern at their company and the Intern would be expected to be physically present Monday to Friday. This will likely mean relocating for the period of the Internship, a small but important commitment for serious candidates. There is no substitute for face-to-face time and ad-hoc meetings. The primary mentor would commit to at least two hours of one-on-one coaching every week, probably two breakfasts or evening meetings. Each Intern would also be assigned three other mentors that focus on specific areas: one for coding, one for security testing and one for security architecture / technology. The coding mentor would help them develop great coding skills, the testing mentor great code review and hacking skills, and the architecture coach would work through technical specifics like cryptography or SAML. Each secondary mentor would meet via a Google Hangout with the Intern for one hour a week and provide additional support as needed. During the six-month internship period the Intern would also spend one full week physically with each secondary mentor at their work location. Candidates would almost definitely need to be located in the States and be legal US citizens (unless we could set this up globally, of course).
Using 100% of the sponsorship money for the program, each Intern would get paid a living allowance of say $2,000 USD a month, healthcare and a travel allowance for expenses while on the road at the secondary mentors’ locations. I estimate that it would cost $4K a month per Intern, and so around 10 sponsors at $10,000 each would turn out 4 Interns a year. Each Intern would get all the equipment and tools they need to be successful, including a brand new MacBook to keep if they successfully graduate and fully expensed accounts on GitHub, AWS etc. for the period of the program. Each Intern would be expected to work on projects as part of a scrum team building 100% open source software projects at Seconauts. That’s right, the underlying program would be shipping security related software that will be open source. There is no place like production. We would set meaningful and challenging tasks that advance the community and push the interns to learn and explore. People would work from an established backlog and would be free to hack on their own projects at weekends as well. Living expenses, great equipment, great mentors and the ability to work on a referenceable open source code base should be enough to attract the very best, brightest and most motivated talent out there.
All Interns accepted into the program would be required to sign up to work for one of the sponsors for 18 months after the program is completed. All sponsors (but only sponsors) would be able to make offers to candidates and the candidates would choose the most suitable offer. This provides the incentive for sponsors to fund the program in the first place. $10,000 USD is generally less than the fees companies pay recruiters! At the end of the six months Interns would have learned how to ship secure code, review and fix broken code, and design secure software with their understanding of core technologies like cryptography, as well as having a solid understanding and experience of the industry. Another way to read that is that they would be highly skilled and highly valuable (and of course in high demand).
At the end of the Internship, sponsors would be able to offer the Interns jobs.
What’s in it for sponsors?
- Invest in creating skills the industry needs
- Exclusive access to the interns for recruiting after the program finishes
- All sponsorship would be tax deductible via the 501(c)(3)
What’s in it for the interns?
- Invaluable access and coaching to top industry mentors
- 6 months of pure software security training to develop skills in high demand
- A public portfolio of work (code and blogs)
What’s in it for the mentors? Brad Feld talks a lot about giving first and being rewarded later in his new book Startup Communities. Most successful people that I know value their time working on advisory boards and the personal relationships from mentoring people as some of the most rewarding things they do. Any good mentor will have a busy schedule, but paying it forward or paying it back will be a rewarding experience that will have an impact on the industry and on individuals’ lives. I know I would sign up for something like this as a sponsor and as a mentor in a heartbeat. 15 years ago I would have applied in a heartbeat. A CSO for a major Internet company, an AppSec lead for a big financial services company and the CTO of a tools vendor have also said they would sign up to mentor if I could pull this off. To top that, three security services firms said they would sponsor a program like this and a core developer on the jQuery team has offered to participate if I could pull it off. What about you? [Thanks to @mkonda and @mikedelibero for their offline thoughts on this.]