Dr. Arthur Carter is a professor of information systems at Radford University and chair of the Department of Accounting, Finance, and Information Systems.
With a background spanning mechanical engineering, nuclear engineering work with the U.S. Navy, business information technology, and cybersecurity education, Dr. Carter brings a practical, multidisciplinary perspective to preparing students for both technical and management-focused cybersecurity careers.
Summary of the episode
Dr. Carter discusses the difference between technical cybersecurity roles and cybersecurity management roles, emphasizing that students should explore their interests, strengths, and long-term goals before choosing a pathway.
The conversation also highlights Radford University’s multidisciplinary cybersecurity programs, online certificate options, and student outreach efforts, with the key takeaway that cybersecurity offers many possible career directions, from hands-on technical work to policy, risk, management, and leadership.
Listen to the episode
Read a full transcript of the episode
Steven Bowcut:
Welcome to the Cybersecurity Guide Podcast. My name is Steven Bowcut and today I’m joined by Dr. Arthur Carter, professor of information systems at Radford University, where he also serves as chair of the Department of Accounting, Finance, and Information Systems.
Dr. Carter brings a distinctive blend of engineering business information technology and cybersecurity education to our conversation. He earned his Bachelor of Science in mechanical engineering and mechanics from Old Dominion University, followed by an MBA and a PhD in business information technology from Virginia Tech.
Before entering academia, he worked as a nuclear shift test engineer on Nimitz class aircraft carriers for the US Navy and later moved into production work in the newspaper industry while continuing his graduate studies in information technology.
At Radford, Dr. Carter has taught a wide range of information systems courses, including database, networking, programming, management information systems, decision support systems, spreadsheets, and cybersecurity management.
His current teaching includes information assurance management and much of his recent work has focused on keeping Radford’s information systems programs current and relevant to the needs of students and industry, especially as cybersecurity management continues to evolve rapidly.
Dr. Carter, welcome to the show. So tell us, so we always like to get some information about the guests before we get into the meat of the topic that we’re talking about. So your career is quite diverse. It looks like you’ve done a lot of different things as we just talked about in the opening.
So maybe you could identify for us or for our audience some key turning points or things that led you from engineering into business information technology and cybersecurity education. Were the things that happened in your life or in your academic or professional career that led you to where you’re at?
Arthur Carter:
Well, I thank you for this opportunity to be here and talk to you and be happy to talk about that. I think one of the things as an undergraduate, I really was interested in technical things and that led me into engineering and it led me into my early career in nuclear power, which I found to be technically very interesting.
But I also recognize that life is a balance of things. It’s not just what you do for a living. And my experience with being a nuclear engineer for the Department of Defense was it was a very demanding position time-wise and I didn’t see myself going on to that.
I didn’t see myself working 60, 70 hours a week for the next 40 years. So I really knew that there had to be some kind of change. I think having a technical background really made it possible to leap into other areas.
And actually that’s one of the things I advise students is always keep in mind that what you’re laying in college is a groundwork for what you’re going to do next, which is probably not what you’re getting a degree in or not what you expect it to be.
Exactly. So as I was there, I looked really as what would provide a better lifestyle for me and my wife, what would provide an opportunity for me to have a balance of life and family.
And then I moved into the technical side of newspaper production. And I found that to be fairly interesting, but I also still, I was always keeping my eyes open. And while I was working on my MBA, I actually talked to some of the MBA professors and was just kind of interested in what their take on where things were going, what was interesting to them and what they thought about their own jobs.
And every one of them all said, “Well, it’s great. Maybe that’s what I need to be doing.” So as I finished up my MBA while I was still working, I talked to them a little more seriously and the opportunity was there to go ahead and start a PhD program. And so I decided at that time to go ahead and do that.
And so the thing, I think students need to keep in mind is don’t get too hung up in a paradigm where this is what I’m going to do and not keep your eyes open for other opportunities, learn from what you enjoy about a specific job and learn from what you don’t enjoy about a specific job and then look for opportunities that can further move you in the direction that you think will provide a more satisfying job and a better lifestyle for you because it’s not just the job, it’s also the lifestyle that it provides the opportunity for time with your family, other things that you’d like to do.
There’s plenty of people I know that work and have worked 60, 70, 80 hours a week and I don’t find very many of them are particularly satisfied with that job after a certain period of time because it just costs too much.
Steven Bowcut:
That is so good. That is such great advice. I really appreciate you starting with that because it’s important I think for students to realize that they’re making very important decisions in their lives right now and they should take that seriously and they should apply themselves to their studies.
At the same time, they need to understand that there’s a very good chance that you’re not going to end up doing what you think you’re going to be doing.
And largely that is because your priorities in life will change and you just need to go with that and not beat yourself up if you don’t turn out to be exactly doing the thing that you originally thought when you started your undergraduate work, you thought you were going to do one thing, but your life changes and your priorities change and that’s really good advice for all of us. Thank you. I appreciate that.
Arthur Carter:
Well, also with that I would say is when you’re an undergraduate, you’re 18 years old and you’re picking a major and a field to study that is going to change very hugely. There’s just been huge changes in technology and advancements. It’s not the same.
If I went back and looked at mechanical engineering, it would not be the same job as I signed up for at 18. But also at 18, you haven’t worked in those fields. It’s hard to say, “Oh yeah, I’m going to put four or five years into this degree and this is exactly what I want when you haven’t even worked in the field yet.” So you have to be into those changes as you adjust in your life as you get older and decide different things are important to you.
Steven Bowcut:
Exactly. So you’re learning a trade or a skill, but you’re also learning things about yourself and you kind of have to factor that in as you learn them. Excellent.
So in kind of a related question then it would be interesting, I think to try and understand how your academic background, the different things that you’ve done, how does that combination shape the way that you teach cybersecurity and security management today? How does that all fit together?
Arthur Carter:
Well, I certainly, with engineering, the reason I got into engineering was because I like we’re working on cars. So I wound up as a mechanical engineer because in high school I worked in a body shop and then I worked in an auto mechanic shop and I still to this day enjoy working on cars some and it’s kind of a side hobby that I engage in some.
But I realized that that wasn’t how I wanted to earn a living. Certainly by the time I was 17 or 18, it’s like, “Well, this is enjoyable. I like it, but I don’t want to spend the next 40 or 50 years doing it. ” So that’s why I decided to go on to mechanical engineering.
So that interest in hands-on working has always been something that I like.
And so when I look at what we’re teaching, I know that these students, especially in the early part of their career, are going to be very integrated into hands-on side of whatever their field is. And then as you go along, you will move into more of a supervisory role and ultimately likely a management type role. That’s just the likely career path.
And so I’ve done all of those things and I try to make sure that in teaching is we prepare them for those early jobs, but also prepare them for the expectations of what’s going to be necessary to succeed in the jobs that are coming in the three to five, maybe 10-year timeframe. I think those are important things to make sure you prepare your students for them.
Steven Bowcut:
Yeah, very good. And for our audience, many of whom are new to this field, they’re still kind of evaluating whether cybersecurity or information assurance management is the kind of thing that they want to do.
So for those students who may not be familiar with the differences, maybe you could explain the difference between a hands-on technical cybersecurity role and a cybersecurity management role, how would the day look different for those two roles?
Arthur Carter:
So a lot of folks start with the hands-on type job. They might work for security operations center called a SOC and so they actually go into, and it’s not quite like the movies where there’s this big room with all these screens around it and everybody’s sitting there trying to battle the bad guys.
It’s not really quite like that, but it typically is an area that’s set aside where the employees will be sitting at a computer and then they will get in. Things will come into them that they have to evaluate and is this warning that’s come up actually a security issue?
And they will have to make a judgment on whether that is something that needs to be looked at further because way more warnings come in than can actually be investigated in depth.
And it’s one of the areas that AI is probably going to be really effective in our areas to try to help cut down on the false positives or false negatives that are out there to create scenarios where we’re reducing the amount of work that we have to do or things that we need to look into.
So those folks will go in and they will look at specific things that have happened or happening or alerts and then try to resolve whether they actually have a security issue.
If there is an issue, then they try to figure out exactly what’s happened and then they move into the appropriate incident response depending on the level of what’s happened.
There’s also folks that will work for more of an administrative side from the perspective of you got to have procedures, you got to have policies in place. There’s all of that that has to go on to all of those things require a fair amount of actual sit down work on what does this procedure need to be? How do we need for our technicians to install new software and make sure that we have, or they have correctly implemented all of the security controls that are necessary for that software.
And so you could be creating documentation that would be another kind of … It’s somewhere between hands-on and management. There’s also folks that work in the training side, what are you going to do for training? How are you going to decide what training is done? And then so those are some of the more hands-on and there’s a wide variety of what employees could do.
Managerial positions are more making decisions on how are you going to do those things and how are you going to allocate resources? So within cybersecurity, we really almost never have enough money.
If I talk to CISO’s chief information security officers, they across the board will almost always say, “We don’t have enough money. We can’t implement all of our security.” And so CISO is going to have to make decisions on how am I going to take this limited number of people and this limited number of hours that I have in this limited budget and how am I going to apply that to ensure that I am maximizing the protection of my software and my data and my resources, my little intellectual property and also the employees.
We don’t want our employees’ data stolen. We don’t want people breaching our systems in that way. So there’s always this balance of what am I trying to accomplish with the amount of money that I have and how am I going to allocate people and money to accomplish those goals?
So that would be the idea of moving into the managerial side of it when you move away from actually doing specific tasks and trying to assign other people to do those tasks. And part of the challenging of management is always to get other people to do the job, otherwise you’re a micromanager.
If you’re doing the job yourself as a manager, then you’ve kind of missed the point in being a manager. You really need to be figuring out how to allocate resources and motivate other people to accomplish the tasks that need to be done.
Steven Bowcut:
Excellent. Thank you. And that raises a couple of questions in my mind. So first of all, we probably need to establish for the audience, and I’m sure they’ve heard this a lot of times, but not everyone is suited for being a manager.
There are certain personality traits and things that you enjoy and things that you don’t enjoy that may preclude you from moving from a technical field to a more managerial position. And there’s nothing wrong with that. That not everyone is suited to being a manager. But now that we’ve kind of set that groundwork.
So at Radford, if I have this right, you offer a BS in cybersecurity and a BS in information science and systems with a security management concentration. So we’ve talked a little bit about the difference in those two roles, but maybe what I’m trying to get at here, I guess, is if we’re talking to a student and we want them to do that self-examination or learning about themselves that we talked about at the top of the show, what kinds of things should they be looking for in themselves?
So a student, they should be asking themselves some questions like, “Do I like this kind of thing? Do I like that kind of thing?” So maybe you could identify some of those kind of things that I just kind of generally brushed over that it makes sense with that question.
I’m just trying to paint a picture for the student to be able to do a self-evaluation and say, “Well, I like this, but I don’t like that. So maybe a more technical or a cybersecurity role is more suited for me than security management.”
Arthur Carter:
Sure. So one of the things that’s true of the computer science and the difference between programs really comes down to is the BS in cybersecurity is a computer science or is an offshoot of the computer science program.
So there are a lot of courses in the cybersecurity bachelor’s degree that are also taken by computer science students. So they will take a couple semesters of programming. They’re going to take some of the more theoretical side of the computers and how they work and how operating systems work and how networks work and they need to be able to understand all that so that if there is some kind of breach when you start getting into, well, how did they get there?
What piece of equipment is causing this problem? What piece of software is they can really delve into that and they’ll understand a very technical level of how the computer operates and communicates and how it secures software or how the software secures databases and stuff like that.
So that’s kind of that side of it. We have quite a few students that will come in and they will take a few semesters and go, “Maybe this isn’t exactly what I want. Maybe I don’t want to spend as much time programming, maybe I don’t want to spend as much time just literally sitting in front of a computer.”
If the idea of sitting in front of a computer for six, seven, eight hours a day appeals to you and dealing with that, then that might be a better fit for you. If you’re probably more like I was, which is a couple hours in front of a computer a day is plenty for me, I’m kind of saturated at that point.
And maybe you are more into the, well, I like analyzing a problem and thinking about allocating resources, that kind of data where you’ve got some data on, well, we’ve got to do all of these different things, but there isn’t really a right answer.
And I think that kind of comes down to a computer science, they very much like the right answer. We don’t always have a right answer. We just have a best answer and then we’re making decisions. And then also is if you’re perfectly happy with the idea of, I’m going to make some decisions and I’m going to help people get this job done as opposed to, “Oh, I want to do this myself.”
If you really are somebody that has to do the task yourself, then being a supervisor or manager is going to be a very challenging transition for you and it’s not going to be particularly satisfying because you’re always going to be frustrated with the idea that, well, no, do it this way.
This is how I would do it. You got to let people do things as long as they’re completing the objective in a reasonable amount of time work or reasonable timeframe, then you kind of got to let them go and let them do the job the way they do. And you should have other things that you should be focusing on. And if you can do that and if you can let go a little bit like that and trust people and help develop people, then maybe the supervisory management track might be good for you.
Steven Bowcut:
Excellent, excellent. I love that. And maybe that half answers the next question I wanted to ask. I wanted to ask about specific skills or kinds of skills that the students probably should, or it would be to their benefit to come to either of those two sides of cybersecurity already having and maybe this ability to trust other people and let them do it their own way to some degree after having taught them as opposed to having to do it yourself.
Maybe that’s a good skill. I guess we could look at it that way as a skill that you might need to have if security management is something that you’re interested in. But let’s look at that more broadly. So what kinds of skills do we need to be successful in either of these two roles? So I math skills, coding, the students should be able to action.
Should they come to a program, a BS program already knowing something about coding? Should they just love math like I used to do or should they have some experience in policymaking or risk management? What skills should they come to the table with?
Arthur Carter:
So generally speaking, we don’t expect specific skills coming in. We certainly teach everything. We have introduction to programming courses for students that haven’t ever programmed before. The skill that probably is most important coming in is at least algebra, a competency in algebra.
And I’ve always said as I can teach a kid to program who doesn’t understand calculus, but it’s really hard to teach a kid to program if they don’t understand basic algebra or advanced algebras really.
And what a program is, is you start with some data and you have an objective for how that data is going to be analyzed and outputted and there’s a set of steps that has to be done to this data and maybe questions that have to be answered and so maybe you’re soliciting input from your users and it has to be done in the correct order and then the math has to be done correctly on it in order for it to output a meaningful answer.
So the process of generating a logical set of steps that can be fairly extensive, like easily hundreds of steps in a longer program, you have to be able to logically be able to work through that kind of a process. Certainly variables are a big deal. \So I’ve encountered students that the concept of abstracting things to the point of using variables or arrays where we’re storing variables and arrays is really challenging to them and that makes it really hard to learn how to program.
And so the technical side of it, if you go into the computer science, they’re going to be at least into calculus in most of those. In our area, we want at least algebra, advanced algebra for the business side of things. And then in business, we’re going to also go into things like you’re going to take an accounting, you’re taking an econ, you’re going to take finance.
And the reason for that is when I talk about making managerial decisions is you have to understand what are the consequences of that decision. They all have consequences as far as money goes. When you’re making decisions in a business, there’s an impact on money. And we in the cybersecurity arena are what would be called a cost center.
We’re not making any money. We’re not doing anything that’s going to bring more money into our organizations. We are just trying to protect our organizations to ensure that they don’t have major losses and we’re trying to do it as cost effectively as possible.
So if those are things that are motivating to students, then they may be more interested in the managerial side of it versus the technical side of it. And that might help people figure out if they enjoyed their econ classes and more than their algebra classes, maybe our side is the security management side might be more interesting.
If they envision themselves being CIO or CISO or something like that, then it might be you may want the business background going into it because you’re probably going to want to get an MBA at some point if you’re trying for one of those senior executive type jobs.
Steven Bowcut:
Yeah, interesting. Okay. And you may have already answered this question because I feel like I know what this falls right into what we’re talking about.
But so in the research that I was doing prior to this interview, I noted that Radford cybersecurity ecosystem, if you will, appears to include technical programs, information systems, digital forensics, criminal justice, mathematics, statistics, all through this, what you call the Center for Information Security.
So it’s very multidisciplinary approach. And so maybe you’ve covered it adequately, but is there anything else you want to add about the importance of this broad? It seems very broad to me, broad multidisciplinary approach that you take at Radford.
Arthur Carter:
Well, I think you will find that most universities look at cybersecurity as being a somewhat multiscipline type fields. So you talked about criminal justice and some of the other fields.
The bachelor’s of science in cybersecurity requires some of those so that students will have some exposure to the operational area, maybe some legal issues that could arise.
So on our side, for those of us that are working more towards the cybersecurity management, our interdisciplinary areas really gets into we’re going to have them take accounting, we’re going to take finance, we’re going to take marketing, we’re going to take management courses so that they understand the environment in which they’re trying to make managerial decisions concerning cybersecurity.
So you have to be able to interface with leaders in these other areas because there are a lot of scenarios where they don’t understand cybersecurity, they just want their program to work.
And it’s like, well, there’s issues with that. We need to make sure that things are put into place and they will see it as, “Well, you’re making it harder for this program to do what we need it to do. “
And you have to be able to explain to them how it is that we need security to be at a certain level and we can’t do certain things, but on the other hand, we need to make sure that we don’t unnecessarily limit their ability to utilize software and data to the point that impacts revenue for the organization.
Steven Bowcut:
Yeah, exactly. Okay. Another thing that I ran across doing the research prior to the show, you’ve got this impact lab. So tell us about that. So it has an online self-paced cybersecurity certificate? It does. What’s the purpose of that?
Arthur Carter:
That is a competency education-based program. So the idea is it’s more hands-on and really the goal with that is that lab is to produce education for people that are not able to come to the university or not able to engage in normal traditional classes.
The classes are completely online.
They don’t lead to a degree program, so you’re not going to get a Bachelor’s of Science out of them, but it can provide knowledge for people who are working and want to learn something about cybersecurity, either because they’re trying to change careers or trying to get into a different position within the organization, or maybe the position they’re in has some requirements for them to have understanding of fields that they don’t understand at this point and they want to gain some knowledge in those areas.
Steven Bowcut:
Excellent. Okay. So as we started this conversation, not everybody fits into that mold exactly of completing high school, starting your BS and getting your undergraduate degree and then moving on to a graduate degree. We do lots of different things in our lives.
We make decisions that sometimes find us working before we go to school and then coming back and trying to do that online and after hours and those kinds of things. So that’s one side of providing quality education to the community that you’re in.
And the other side is this idea of building the pipeline.
So talk to us about what Radford does to build the cybersecurity pipeline, working with students before they even get there.
Arthur Carter:
Well, we certainly try to reach out to students when they’re in high school so that they understand what opportunities might be there. There’s obviously recruiters go out and we will go out and try to reach out to them.
We try to obviously put things on our webpage that students that are seeking knowledge about what opportunities there are, we’ll put that up there and it’s kind of standard for everybody. One of the things that the cybersecurity program or the faculty in the cybersecurity program run is a capture the flag competition that’s run for high school and community colleges.
And that is a challenge for those students where they go in and they do specific tasks, they’re cybersecurity related tasks to just try to get them thinking about, wow, this is kind of interesting how they’re trying to hide things and we’re trying to find them.
And so what they do is they go in and there will be things that are hidden within all kinds of different things, anything technical, they’ll hide stuff in it and the students will have to go out and they will have to find those things that they’re told to look for.
And so it just gives them an idea of what it would be like to be always looking for answers in technology or trying to find something that’s hidden in a program or something like that. And we have quite a few students that have come out of that challenge that they did in high school and been interested in coming into a security program here.
Steven Bowcut:
Okay, excellent. All right, we are about out of time, but I want to end with kind of a forward-looking advice type question, not that we haven’t given a lot of advice because you have, and I appreciate that.
I think that you’ve done a really great job of offering good sound advice for potential students, but for a student who’s listening now to this podcast, who’s interested in cybersecurity but not sure whether they want to be a technical specialist, an analyst, a manager, policy focused professional, what advice can you give them about how to figure that out about exploring the different fields before they choose an educational pathway and maybe that’s not the answer.
Maybe the answer is you need to just pick something and then see if you like it and then change if you don’t. How would you sum that up?
Arthur Carter:
Well, I think you have to decide whether you want to go to college or not. There’s kind of at that point when you graduate from high school, do you want to go straight into trying to find a job and working in an area if college isn’t your thing, if you don’t think the experience of four years of learning in a classroom environment is what you want to do, it may suit you to take a year or two off and work for a while.
I’ve had a number of students that they’ve taken that gap year or two and then they’ve come in and it can focus them on the idea that, yes, this is what I really want to do as opposed to coming in and not really knowing, I don’t know what I want to do, I don’t know where I’m going to go. So that is an option that students can consider.
If you do know that, hey, this is what I want to do, I want to get a degree, but I’m not really sure what I want to get a degree in, then I really think that the best thing for students to do is in that first year really try to take classes in different areas that you might be interested in.
Generally speaking, you can get away with changing your major certainly after a first semester, your freshman year, there’s very few programs you can’t change your major after one year and still get out in four years. When you start going a little farther along, you really do need to be a little more thoughtful about exactly what you want to do.
Certainly by the time you’re in your sophomore year, if you don’t have a pretty good idea where you’re going with your bachelor’s degree, you’re going to have a tough time getting out in four years.
So I definitely recommend that first year, you need to nail it down if you don’t think you know what you’re going to do. But with that, and I can look at my own background is what I even got my bachelor’s degree in. I did work in it for a while, but it’s not what I stayed in.
And I think that you just need to try to get a degree that will provide Provide you that starting point to launch your career and recognize that really what your degree is that launching point. It’s the launching pad that’s going to send you off, but once you’re off and going, you’re going to make changes.
You may decide to go back and get another degree in something else like a master’s degree in an area that’s outside of what your undergraduate was in. I may decide to take classes in a specific area. A lot of professionals will get certifications in areas and those can be as meaningful as additional credentials, credential master’s degrees or whatever somebody might go after.
I think the big thing is try to get something that will provide you a solid foundation for as many of the areas as possible that you might delve into. Then just keep your eyes open and look for what opportunities present themselves and try to be open for changes that weren’t what you expect. That certainly has served me well in my life.
Steven Bowcut:
Excellent. Very good. Thank you so much. I really appreciate that. And thank you for joining us today and for helping our listeners better understand cybersecurity education and security management and the opportunities that are available to students specifically at Radford University. It’s been fun.
Arthur Carter:
Great. I appreciate the opportunity to talk with you.
Steven Bowcut:
Cybersecurity is a broad and rapidly changing field and one of the important takeaways from today’s conversation is that students have multiple ways to enter and grow within the profession.
Some may be drawn to deeply technical roles, while others may find their path in security management, governance, policy, risk, or organizational leadership. Programs like those at Radford help students explore these options while developing the technical, analytical and management skills needed to contribute in meaningful ways.
To our listeners, thank you for spending time with us today. Be sure to visit cybersecurityguide.org for more information about cybersecurity degree programs, career pathways, scholarships, certifications, and other resources designed to help you take the next step in your cybersecurity journey.
Thanks again for listening and we’ll see you next time.