Unguided curiosity: finding cyber-security talent in schools

UK students breaking into their schools’ networks sounds like a nightmare scenario for education IT teams and in the moment, it is. Systems get disrupted, sensitive data might be exposed and trust takes a hit. But take a step back and it also tells us something important. These students are curious, persistent and willing to learn by doing. Those are exactly the instincts the cyber-security industry struggles to find – and will need even more of in the years ahead.

 

Recent reports of pupils breaching school IT systems highlight two realities at once. First, many environments we assume are “safe enough” are more fragile than we realise. Second, the mindset required to test, probe and understand those weaknesses already exists in young people today. While formal qualifications matter, practical skills come from exploration: pulling systems apart, asking “what happens if I try this?,” and rebuilding something stronger after you’ve learned how to break it. In professional security teams, practical judgement matters as much as technical knowledge.

 

Closing the skills gap with AI

The UK faces a critical cyber-security skills shortage. Half of UK businesses admit they lack basic cyber-capability, with 49% struggling to set up firewalls, manage data securely, or detect malware. The people most likely to close that gap are currently sitting in classrooms – with AI baked into learning, experimentation and problem solving. UK schools are actively working out how students can use generative AI tools safely in learning. This means many young people are becoming fluent in AI-supported problem-solving far earlier than older generations.

 

UK’s next generation of threat hunters need to learn these skills early because AI is constantly evolving, which means so are threats and the means to defend against them. Attackers are using AI to scale phishing attacks, automate reconnaissance, and generate more believable exploits. But students who are already testing boundaries in school networks – and using AI to learn faster – could be future defenders with a competitive advantage, with expertise using Al to spot anomalies, stress-test systems and speed up remediation responses.

 

AI won’t replace human judgement, though. Automation is capable of taking on repetitive tasks like monitoring and triage, freeing human teams to focus on higher-value tasks and strategic thinking. That combination of AI fluency and hacker-style curiosity we’re seeing in schools is one of the most realistic ways to solve the skills gap.

 

Why curiosity matters

With automation taking on more of the basics, curiosity has never been more valuable. AI can generate code, summarise threat reports, and even pass professional exams from top schools. But tools don’t solve problems, people do.

 

This is why the instincts of young school hackers matter. Look for the students who constantly ask, ‘why does this work like that?’, test boundaries, and persist until they crack the problem – whether that’s finding a permissions loophole, spotting a weak password, or figuring out how systems connect. Left unchecked, that curiosity and drive could drift into potentially harmful behaviour. But if nurtured within the right boundaries and environment, these young people have the potential to be the pipeline of future security talent that our industry needs.

 

Treating them as troublemakers doesn’t reduce risk in the long term. It just pushes potential defenders away from legitimate paths and wastes the raw ability that is hard to teach.

 

Creating the right pathways

The responsibility doesn’t sit solely with schools or parents. The industry has to play its part too. Businesses, government and universities need clear pathways that take natural curiosity and channel it into legitimate opportunity. That can mean structured internships, outreach with local schools, hands-on training programmes or ethical hacking competitions where students sharpen skills safely and learn the difference between testing and harming. These routes give young people a positive outlet whilst helping organisations spot talent early, before it’s lost to other fields – or worse, to the wrong side of the law.

 

The Co-Op’s response to its own breach is a great example of this. It partnered with The Hacking Games to find unconventional young hackers and steer them into legitimate cyber-security careers, rather than leaving that talent to be recruited by criminals. And we’re seeing similar investment across Europe. Tanium supports CyberSQUAD in the Netherlands and Germany, a community that gives emerging cyber-professionals hands-on challenges, mentoring and the chance to test their skills through competitive events like Capture the Flag, while connecting with experienced security leaders.

 

Schools can support this shift by partnering with security professionals, clarifying rules, and offering supervised labs or clubs. A student who learns to disclose responsibly, document what they find, and think about consequences is already learning the behaviours of a professional analyst.

 

By offering these opportunities, the industry can show students that cyber-security is about protecting people, services, and communities. For many, that realisation is transformative. It can turn a pastime into a purpose, and a risky experiment into a future career. Curiosity isn’t the threat. Unguided curiosity is.

 

Building future-ready teams

To seize this opportunity, organisations must rethink what “good” looks like in hiring. Credentials will remain useful, but they should sit alongside evidence of problem-solving, experimentation, resilience and ethical awareness. These are the traits that matter most when AI rewrites workflows and attackers evolve faster than playbooks.

 

Cyber-security has always been a race to stay ahead. Attackers are endlessly creative and so defenders must be just as resourceful. The students probing their school networks are a reminder that the next generation already has that inventiveness in abundance. The challenge is to recognise it early, guide it responsibly, and build a future of ethical hackers to support our defences with a foundation of innate curiosity underpinning credentials. 

 

---

 

Dan Jones is Senior Security Advisor, EMEA at Tanium

 

Main image courtesy of iStockPhoto.com and Caiaimage/Chris Ryan