We need a cybersecurity curriculum taught by hackers

Dark web forums are now hosting resumes. Not from seasoned criminals, but from teenagers and recently laid-off tech professionals looking for work.

At the same time, the global cybersecurity workforce shortage remains dire. ISC2 estimates there’s a gap of 4.8 million cybersecurity professionals worldwide.

Daniel Spicer

CSO of Ivanti.

Early influences and the path to cybercrime

The skills I gained as a teenager, guided by mentors and a strong ethical foundation, ultimately determined which path I would take in cybersecurity. My curiosity was nurtured by industry professionals – an opportunity not everyone receives. Without that support, my trajectory could have been vastly different.

Statistics from the NCA are telling: the average cybercriminal is now just 17 years old, and the median age for referrals to their cybercrime prevention team is 15. Children as young as nine have been caught launching DDoS attacks.

It starts small: cheat codes, account takeovers, or DDoS attacks on rival gamers. A kid gets banned – sometimes unfairly – and retaliates. Others watch and learn, with techniques spreading quickly through Discord servers and private forums.

Each successful exploit lowers the bar for the next one. The thrill of accomplishment, combined with peer validation, turns minor boundary-crossing into routine behavior. Desensitization grows slowly, then suddenly accelerates.

Money isn’t the primary motivation for young hackers at first. The NCA discovered that reputation and status within their online communities are what matter most. By the time financial incentives become important, habits and allegiances are already formed.

We built this pipeline problem

We trust that curious, technically skilled young people will find their way into legitimate security careers. We trust that credential systems and hiring processes will capture the right people.

That trust is, to put it bluntly, failing. Measuring and assessing risk is a significant part of my job. I constantly ask myself: what systems and processes do we actually trust, and what happens when that trust fails? The same skills that make someone valuable to a security team make them valuable to criminal enterprises.

The difference often comes down to which opportunity arrives first. Right now, threat actors are showing up earlier and with better offers.

Pay people

Criminal recruiters appear to understand one thing: young people with technical skills need money. Displaced professionals need money.

Companies, meanwhile, set job requirements emphasizing certifications and degrees, and design hiring processes for candidates with conventional backgrounds. As a result, they overlook an entire generation of talented individuals simply because they don’t know how to reach them – or even how to communicate with them.

Paid mentorship programs and early opportunities change the equation. Experienced security professionals – including ethical hackers – are needed for mentoring teenagers through structured curricula.

Start early, during the teen years, when skills are developing and career paths haven't been set. Partner with schools to embed these programs directly into education. Pay the mentees too, so legitimate work competes with illegitimate offers.

This isn't charity. It's a recruitment strategy.

Why hackers specifically

Social engineering and phishing are still the primary methods threat actors use to breach organizations. Defending against attackers requires people who think like attackers. That mindset doesn't come from textbooks.

Ethical hackers who've spent careers probing systems understand how threat actors operate. They know the techniques. They know the psychology. They know which defenses actually hold up under pressure and which ones just look good in a presentation.

A curriculum designed by people who've done the work – legally – transfers practical knowledge that traditional education misses. It also signals to young people that their unconventional skills have legitimate value.

What we get from this

Embedding mentorship into school programs and industry partnerships does two things:

It creates a viable alternative to criminal recruitment. When a technically skilled teenager has a clear path to paid, legitimate work, the dark web job posting loses appeal.

It also builds defenders who learned by breaking things. We need people who understand how systems fail, not just how they're supposed to work.

Timing, mentorship and opportunity often distinguish a security researcher from a cybercriminal. The existence of this talent pipeline is not within our control; however, we have the opportunity to determine the direction in which it progresses.

Criminal enterprises aren't moving slowly

Every month we delay building our talent pipelines, criminal enterprises are filling theirs. They don't require certifications or degrees. They meet talented people where they are and offer them work and mentorship.

We can do the same thing. Pay experienced hackers to teach. Pay young people to learn. Build curricula that transfer real skills.

Or keep posting job requirements that filter out exactly the people we need. The skills exist.

Where they end up – that is on us.

This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.

The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
