The kids aren’t alright: Why cybersecurity needs unconventional talent

Hackers are getting younger and we need to stage an intervention

As the average age of cybercriminals gets younger, the cybersecurity industry is desperately short of the skills it needs to adapt and innovate. Turning cybersecurity into a profession has backfired, and the industry needs to widen its gene pool with unconventional talent.

In addition to a tendency to outsource cybersecurity, some of the recent high profile cyberattack victims have something else in common. Where arrests have been made, those behind the hoodies have been very young – in the cases of TfL, M&S, Co-op and Harrods most still in their teens. Perhaps most shocking is the arrest yesterday of two 17-year-olds in connection with cyberattack on the Kido nursery chain.

At the same time as we seem to be losing more young men (and they are mostly young men) to cybercrime, most security teams report skills gaps, and a third have no entry-level hires at all.

What happened?

Professionalising cyber

Chris Wysopal, former L0pht hacker turned Veracode co-founder, thinks that this mismatch and wasted potential stems partly from what amounts to the professionalisation of cybersecurity.

“Twenty-five years ago, you had to use unconventional talent in cybersecurity because there were no degree programmes or bootcamps,” he says. “It was the only place you could go. If you looked at the practitioners who worked in the SOC, did the red teaming, it was all non-traditional talent at one point.”

“That got augmented by graduates and training programmes and then we built recruiting programmes and job requirements around the professionalised programmes. The result is that we haven't focused on the non-traditional talent for 20 years.”

Wysopal is not the only cybersecurity advocate with concerns about how the professionalisation of cybersecurity has backfired. Rebecca Taylor is a threat intelligence researcher, speaker, author, podcaster and ambassador for The Cyber Helpline. She says:

“When we talk about growing the cybersecurity workforce, we often fall into the trap of thinking we need more of the same — more STEM graduates, more people with technical degrees, more candidates who’ve followed a conventional pathway. But if we truly want to strengthen our collective cyber capability, we need to look beyond the obvious.

“Some of the most successful transitions I’ve seen have been from the NHS — even from psychiatry and mental health roles — into cybersecurity. Several of my mentees have come from these backgrounds, and their ability to analyse behaviour, think empathetically, and understand human motivations has made them exceptional professionals in threat intelligence, insider risk, and awareness roles. Their lived experiences give them an edge that can’t be taught.”

Amelia Hewitt, Director of Consulting-Principle Defence echoes the value of those who took unconventional paths into security careers and leadership.

“I’ve always challenged the idea of a conventional pathway into cyber,” she says, “largely because my own experience of working with, and being mentored by leaders who took what we’d consider to be the ‘non-traditional’ path. Cyber no longer belongs exclusively to those who followed a linear academic or technical route; some of the most capable professionals I’ve worked with came from unexpected backgrounds, with core skills that you can’t learn from hours on CTFs or textbooks. “

Criminal recruitment

Running in parallel to the professionalisation of cyber has been the explosion in the volume of resources available to that non-traditional talent. Children and young adults have a bunch of freebie AI tools, Discord, Twitch and other online forums at their disposal. Wysopal believes that there is far more talent out there consequently, but that it’s fatally disconnected from the cybersecurity community. He also points out that he and his L0pht community weren’t being recruited by cybercrime gangs twenty years ago.

“There's a whole criminal ecosystem that didn't exist back then,” he says. “The online carding forums that existed back then were much smaller and that we didn't have the online ransomware communities, where you can rent tools and purchase information on access to corporations.”

Wysopal questions a commonly accepted narrative from many cybersecurity vendors, which is that all you need to kick off a life of cybercrime is a desire for easy money and an ability to find your way around the dark web for ransomware-as-a-service.

“You can,” he says, “but the people who are actually running the service have to be talented, and the ones that are the most successful, like Scattered Spider, they're extremely talented. The ransomware-as-a-service ecosystem needs people and they either get recruited or they see the capability, the tools and the marketplace, and they enter themselves into that marketplace.”

If you imagine this marketplace as a kind of dark LinkedIn for wannabe cybercriminals and potential employers, you wouldn’t be wide of the mark. Wysopal continues:

“There is a strong unconventional talent pipeline into the cybercriminal world, but no complimentary pipeline into the white hat world.

“When I became a cybersecurity consultant I could recruit people like me. The people who were in cybersecurity were closely associated with the people who were the unconventional talent. Now there’s a complete disconnect from that and we have to recreate that if we want to get that pipeline built.”

Wysopal has some ideas for how to build this pipeline and divert unconventional talent away from the cybercrime marketplace.

“We need social media and traditional media that that that can shine a light on these cyber security careers. One of the things that The Hacking Games [Wysopal is on the ethical council] is doing is trying to connect with Gen Z people and help them build communities on platforms like Discord.”

Discord is important, and Wysopal emphasises the role of gaming communities as a source of unconventional talent. This is exactly why cybercrime groups recruit there. He continues:

“Hacking a game uses the same kind of skills as hacking an enterprise computing platform. If you steal an in-game object or download a cheat tool you're manipulating a digital world. You can easily see that the skills can transition over, but we're not, we're not doing anything to find these people and explain that what they are doing may or may not be ethical but you could use these skills to help people.”

Rebecca Taylor is equally emphatic about the importance of early intervention with children or young adults who begin to push legal boundaries. She says:

“Around the world, there have been remarkable programmes that have intervened early with young people who’ve engaged in hacking or online offending — helping them redirect that curiosity and skillset into ethical hacking, digital forensics, and security research. Programmes, such as The Hacking Games and particularly those run in countries such as the Netherlands and Germany, have shown that when you provide guidance and opportunity, you can turn a potential risk into a powerful asset.”

Making cybersecurity visible

Cybersecurity is no different to lots of other branches of technology in the sense that it looks to those outside it like only a certain type of person belongs there. The cybersecurity industry itself really needs to step up and take some responsibility for that. As Taylor says:

“Many disaffected people don’t see themselves represented in this field, and they don’t know the doors are open to them. Cyber as a career feels unobtainable. We can change that by offering more accessible pathways: funded learning opportunities, shadowing programmes, apprenticeships, mentoring, technology bursaries and community events that don’t require expensive tickets or prior experience. Removing financial and cultural barriers can make all the difference and allow people to see the potential, to dream big, and to know that they can.”

Cybersecurity needs unconventional talent because it needs people who think differently. The brutal reality is that the current model is failing. It needs new blood. Amelia Hewitt thinks the current generation of leadership is starting to get the message.

“Considering the diversity of experience in next generation of cyber leadership, particularly during this year’s National Cyber Security Awards, I feel reassured that we are building stronger, more adaptable teams.

“The underlying principle that we see brings value to the industry, technical or not, is a sense of purpose. The challenge for organisations isn’t finding talent, rather it’s recognising potential in places they’re not used to looking, and for skills that we haven’t yet tapped into, to achieve longer-term resilience.”

The resilience of enterprise, public services and above all, people, is contingent on a recruitment pipeline into cybersecurity that looks different to the one currently in place.

“Cyber is for anyone who’s curious, resilient, and willing to learn,” Rebecca Tayor says. “If we can show disaffected young people that there’s a place for them here, that their skills and perspectives are valued, then we not only grow our workforce, but we also strengthen our ability to defend, adapt, and innovate as an industry.”

If you’re a current or aspiring cybersecurity leader check out the Computing Security Leaders Summit on March 26th 2026. Packed with content including business continuity planning, bridging the cyber skills gap and cloud resilience, its promises to be full of insight and practical advice to take away. Register here for your free place.