Dr. Ayad Barsoum is the interim chair of computer science and graduate programs director for cybersecurity at St. Mary’s University in San Antonio.
Summary of the episode
Dr. Ayad Barsoum of St. Mary’s University discussed how the school’s NSA/DHS Center of Academic Excellence designation translates into real value for students, rigorous standards, shared resources, grants, and internship opportunities, while preparing graduates for both private-sector and government roles.
Barsoum describes building a comprehensive cybersecurity master’s program with a strong technical core plus business/management and law/ethics, and explains the stackable pathway: a 12-credit graduate certificate (four courses) that can be tailored to goals (e.g., cloud, wireless, cryptography, forensics, risk, policy, AI/cyber, CISSP prep) and then fully applied toward the 33-credit MS.
He also outlines prerequisites for non-tech majors, the MS capstone choice between project or research thesis (especially for PhD-bound students), and how the curriculum emphasizes hands-on competence through course projects, demos/defenses, and career supports like internships-for-credit, career fairs, and industry seminars.
Listen to the episode
Read a full transcript of the episode
Steve Bowcut:
Hello and welcome to the Cybersecurity Guide Podcast, the show designed to help students and early career professionals make smart, confident decisions about cybersecurity education and career pathways.
I’m Steven Bowcut and today’s guest is Dr. Ayad Barsoum. He’s the interim chair and professor of computer science at St. Mary’s University in San Antonio and the graduate programs director for cybersecurity.
Dr. Barsoum also serves as the director of St. Mary’s NSA and DHS Designated Center for Cyber Excellence, and he led the efforts to develop both St. Mary’s Master of Science and Cybersecurity and the graduate certificate in cybersecurity, along with advancing the university’s cybersecurity lab capabilities through external grant supports.
In this episode, we’re going to unpack what St. Mary’s National Center of Academic Excellence in Cyber Defense designation actually signals to students and employers. And we’ll walk through how to choose between a graduate certificate and a full master’s degree, including how to stack courses and certificate and how students can select courses to match career goals and what hands-on really means in the curriculum.
If you’re evaluating graduate programs considering a pivot into cybersecurity or trying to turn education into real traction, internships, portfolio projects, or your first or your next role, this conversation will give you a concrete framework for making those decisions. With that Dr. Barsoum, thank you for joining me today. Welcome to the show.
Ayad Barsoum:
Thank you so much, thanks for hosting me.
Steve Bowcut:
Alright. This is going to be fun and interesting. I know the audience is going to love it. There’s a lot of information, interesting information, valuable information that we’re going to cover. So let’s start as we want to do on this show.
Let’s start with a little bit more about you and I was particularly interested in learning more about what experiences in your academic and professional pathway thus far in your life have most shaped how you design cybersecurity education today.
So there’s had to been some influences that we all do that, that you’ve drawn from your experience and how does that work in shaping how you design cybersecurity?
Ayad Barsoum:
Oh yeah, of course. So it has been a long journey for me. So I was born in Egypt and after I completed my undergrad degrees, the family immigrated to Canada and I completed my grad studies at the University of Waloo. That was in Ontario, Canada. And after I finished my PhD, I worked as R&D research and development in one of the companies in Toronto, Canada. And I spent some time working in industry, but then I found myself that my passion is more towards academia.
That’s why I decided to go back to academia. So the question is what exactly or how I shaped my journey to cybersecurity during my PhD. The term or the topics of cloud computing at that time was brand new, so not many, many people working on the area related to security over cloud computing and me and my supervisor were investigating what should be done in cloud computing security.
So that was something actually very interesting to me to figure out this new technology and how we can secure your digital asset while it’s not under your own control or this is in the hand of somebody else. So I did research related to cloud computing security more specifically related to data integrity over cloud server. And we have done, I think, very interesting research work has been published in many prestigious conferences and like journal papers.
So after completing my PhD, as I mentioned, I work in an industry and then after some time I figured out that my passion is more towards educating people. So I started to look for academic positions. I did interviews in some places and when I started my journey with St. Mary’s University, I do remember at that time the dean of my school, he called me while I was still in Canada and he told me, I would like you to come join us and do something for cybersecurity for St.
Mary’s University. I asked him actually a clear question, what exactly would you like to do for cybersecurity for St. Mary’s? He said, okay, let’s join us. Okay, join the team and then we can see what should be the plan. I joined St. Mary’s in late 2012, early 2013, and at that time we didn’t have a program in cybersecurity.
We had some elective classes in cybersecurity and I spoke to my colleagues and I said, okay, if we would like to put St. Mary’s on the cybersecurity map of San Antonio, it’s going to be something that we have to offer like a degree, not only elective classes. So we said we are going to offer a degree in cybersecurity at St. Mary’s University.
And the next question for the team or for the group was if we would like to offer something, it has to be different than all the other degree programs that were offered in the area because for me it doesn’t make any sense if you’re going to just duplicate or replicate what’s already there.
You have to be different. You have to provide or to offer something unique. So we did some research about the programs offered in the area and around, and we found that many of the programs were focusing at that time on the business flavor of cybersecurity. So I told my colleagues, I think we found our target, we can focus on the technical aspects of cybersecurity, but at the same time, we didn’t want to neglect the other flavors of cybersecurity like the business flavor or management flavor.
So we came up with a comprehensive program in cybersecurity. It was a master’s degree and I could imagine the master’s program we have at St. Mary’s University here in San Antonio, Texas is like an object with three legs. The longest leg is inside the technical aspects of cybersecurity.
Plus we have two more legs, one inside the business management, the other or the third leg is inside the law and ethics. So this is a comprehensive program that we developed and offered. I think that was in 2015-2016. So this is a nutshell my journey and how we shaped the cybersecurity at St. Pan’s University in San Antonio, Texas.
Steve Bowcut:
Alright, thank you. That was interesting. Very informative and it fits very well into the next question. I wanted to, my next question, I wanted to zoom out a little bit, and if you look at what I’m terming the ecosystem, the St. Mary’s cybersecurity ecosystem, and that could include you being a for a center for cyber excellence, the partnerships that you’ve built, student opportunities beyond class, all those kinds of resources and things that you guys bring to the table.
So if you look at all of that, when someone evaluates St. Mary’s for cybersecurity education, what should they understand first? So what would you hope that people discover first or very quickly when they’re starting to think about coming to St. Mary’s for cybersecurity education among those kinds of ecosystem things that I mentioned?
Ayad Barsoum:
Okay. So as I mentioned, the program at St. Mary’s is a comprehensive program. It can handle different flavors of cyber and when we develop the program, it was very important for us to get a prestigious stamp on the quality of what we are offering at undergraduate level.
Maybe people heard about accreditation, something like a accreditation related to cybersecurity. There is a prestigious designation for cybersecurity programs. This is done by the NSA National Security Agency. So when you are offering a program and you would like to make sure that you are meeting these standards, so are looking for designation or this type of accreditation for your program, and this is done through the NSA National Security Agency.
After we developed the program in 2014-2015, we looked at the different designations or accreditation we can get for the program and we went to apply for the NSA designation.
I do remember this is a very long journey that we went through and it was really interesting and I can tell it was a very, very heavy learning curve for myself. I learned a lot through this journey and now because of what I have learned and I’m now also serving as a mentor and reviewer for other institutions who would like to go through this journey and be designated by the NSA.
So back to the designation, when you are looking at designation, this can open the door for students, number one, to make sure that they are getting something prestigious, something being up to the standard and the cutting edge technology in the field. Also, it can open so many opportunities for them.
For example, there are internship opportunities. Through this designation, there are collaboration opportunities. Also, there are some community of resources. So in the NSA CAE. CAE stands for Center of Academic Excellence.
We are sharing resources between each other. We are collaborating, we are opening or we are having grants or funding opportunities. These funding opportunities will allow students to work on research projects with professors or to work on internships.
So this is very important for students plus to be designated. It’s very important to prove that you are teaching students not only the science, but also the hands-on experience. We teach students how they are able to do things not only understanding the basic foundations, but as well when you are in real life scenario, how you can act can react.
So these hands-on experience projects, labs comes with the designation that we are having at St. Mary’s university and we would like to make sure that we are preparing students to be ready for the real market. So that means once they graduate, they will be able to work in companies and they’ll be able to sell their expertise, whatever in the private sector or the public sector.
Steve Bowcut:
Yeah, and that was, thank you for that because that was a question that just came to my head when you were talking. I was thinking, well, this has come up for me in the past. So it’s an NSA and DHS. So government entities created this designation and there are certain things that you have to teach and ways you have to teach.
And so in one sense the students can rest assured that they’re getting a quality education. But there might be, and this is where I want your input, there might be in some students or prospective students’ mind, there might be a thought that says, well, I don’t really want to work for the government.
I’m not really interested in working for DHS or NSA. So is a school that is a national center for academic excellence in cyber defense, are they going to give me the education I need to go work for Google or Apple or one of the big companies? So how do you address that question?
Ayad Barsoum:
Absolutely. So when I said about the designation, that doesn’t mean that we are preparing students to work in the public sector or the government. No, that doesn’t mean that It means we are preparing and providing students with expertise that they can sell at any place.
For example, I have a database of my graduate students and some of our graduates, they are working in companies like Google. Some of them are working at Microsoft, some of them are working at Amazon, some of them are working at the NSA.
Some of them are working in the government. So we have a wide spectrum of places at which our students are able to serve and also as I mentioned, to sell their expertise. But the designation itself, it means that we students will be rest assured that they will study from very highly qualified professors. They’re going to study a prestigious program and they will be able to be equipped with what is needed in the real life.
Because when we are teaching to our students, for example, we are giving them cases, studies, scenarios, and we are asking them in real life, you may face cases like that or scenarios like that. How you can apply the knowledge and the tools and the skills that you have to resolve that. So that’s how we are teaching our students and how they are able to be in the market, whatever in the private sector or the public sector.
Steve Bowcut:
Perfect. Okay. Thank you for that. That was a great explanation. Let’s shift our focus a little bit and let’s talk a little bit about your graduate certificate. So maybe you could explain what is the graduate certificate, who’s it for, why does it exist and who is the ideal candidate?
If I’m a potential student and I’m listening to this podcast right now, how am I going to know whether that’s something that I should pursue or not?
Ayad Barsoum:
Okay, so that’s great. When we designed our complete master’s program, the master’s program itself is 33 credit hours and some students, maybe they don’t have the bandwidth or the time to be committed to a full master’s program. That’s why we designed the subset of this master’s program as the graduate certificate. So students can have 12 credit hours of the master’s program, which going to be four classes or four courses, and these will be the graduate certificate.
Students can pick from the classes according to their needs. For example, if some students would like to have more of technical flavors of cybersecurity, so they can pick technical classes, if they would like to know more about business or business flavor of cybersecurity, they can do that. So students will be able to customize a package according to their needs.
The nice part or the interesting part, if some students after finishing the graduate certificates, they figure out that, oh wow, this is something I really would like to pursue. This is something that I would like to learn more. In that case, we transfer all the credits that they have received from the graduate certificates to the complete master’s program.
That means the students are not losing anything. Based on the statistics that I have from the program, I can tell almost like 98 or 99% of students who completed the graduate certificate. After that they decided to pursue the complete master of program and we have transferred.
Steve Bowcut:
Wow, that high. That’s amazing. That’s good.
Ayad Barsoum:
And we have transferred all their credits. That means they are not losing anything. Plus also some students, sometimes the students would like to start with a certificate, not maybe because they don’t have the bandwidth, but they would like to test the water, assume, okay.
Some students would like to know, I’m not very positive if cybersecurity is my field or I would like to continue that field. So I’m telling them, okay, you can start by the certificate and then you can test if this is something you would like to do for your career.
Steve Bowcut:
There we go. I like that test, those flavors that you’ve been talking about and some of those, and let me tell you what my research shown. You can tell me if this is correct or if there’s more to it.
So the courses can come from areas and so the flavors that the potential student could test would be like network security, cloud security, cryptography, digital forensics, policy and law, risk management, software security. Is that pretty much it or are there more?
Ayad Barsoum:
Yeah, there is a wide range of classes you already mentioned. Some of them I can add to that. There are classes related to cloud computing security. Through this course we have partnership with AWS, so students are able to have hands-on experience on the real Amazon cloud platform.
We have course related to wireless security. Also, we have classes related to preparation of security certification. For example, in the market there are some standard certificates like the CISSP, this is one of the highest certificate in the market. Some students who would like to be CISSP certified, we are offering a course that can help them to be prepared for the CISSP.
Also, we have classes related to AI and machine learning if some students would like to learn about that and how this can be integrated with cybersecurity or the marriage between cyber and AI. So this is also a core. So there is a wide range of flavors of core classes that students can customize according to the needs.
Steve Bowcut:
Yeah, interesting. Alright, so let’s talk about prerequisites to give the audience a little bit of an understanding there. So as I understand it, the certificate program expects that you’re going to have an undergraduate degree and it’s not a large list, but it’s a computer or security related degree and then you’re going to be proficient in some other topics as well.
So I guess the question is how do you help applicants honestly assess if they’re ready? How are they going to know and can you help them know if they’re ready for the program? For the certificate program?
Ayad Barsoum:
Yeah. Both the master’s program and the graduate certificates, both of them, these are graduate programs. That means students are expected to have undergraduate degree in a tech related area by tech related area. That means students could have undergraduate degree in computer science, computer information system, information technology, software engineering, computer engineering, you can name it.
It’s a long list, but what if there is a student who has an undergraduate degree but it’s not in a tech related area. In that case, there are some prerequisite classes we do ask students to have. That way they will be prepared for the program because we don’t want students to come and sit in classes and think that, oh, they are coming from a different planet or they are not equipped with the prerequisites that would be required to succeed and excel in the program.
That’s why I’m always encouraging students to apply and if I see that the student, for example is or for example doesn’t have the prerequisites in the application itself, we are listing prerequisites. We can tell, okay, you can apply, you can get the certificate, but please these are prerequisites you need to take before you get the graduate classes. That way we would like to make sure that students will be able to excel in the program.
Steve Bowcut:
Okay, perfect. Alright, so let’s focus now on this the pathway. Let, let’s say the pathway between the certificate and the master’s degree. I assume that oftentimes you or other instructors there are asked by students to help them decide whether they should stop with the certificate or whether they should go on with the MS.
From what you’ve told us, with your success rate, I think you almost always tell ’em to go on with BMS. So let’s ask that question in a way. Are there cases where you tell a student, you know what for your goals, what you’ve told me about what you want in your career and maybe your financial resources available to you right now and your family situation of those kinds of things?
Are there certain circumstances when you’ll tell the student you’re better off just stopping with the certificate going into the workforce maybe for a year or two and then reevaluate whether you want a master’s degree?
Ayad Barsoum:
So there are some scenarios, but let me start. For example, if a student is coming to St. Mary’s and he or she’s interested to get a PhD in cybersecurity, I’m telling them, okay, if you would like to get a PhD, you cannot have a certificate, you have to have the complete master’s program.
But if a student is coming, for example, if a student has a career and he’s working and he would like to add some expertise or let’s put it toolbox for his career, that can be used for cybersecurity that way, okay, we can tell them, you can start with the graduate certificate and after that if you figure out you would like to grow, you would like to continue, then you can go for the master’s program.
But I can tell based on my experience, many of our students, they are working professionals and their employers will fund their grad status and in many employers they do not fund a certificate. They fund a complete degree. That’s why they are coming to St. Mary’s saying, okay, no, I would like to be in the master’s program not inside the certificate because my employers will not pay for a certificate.
The employers will pay for a complete degree. Adding to that, also we have international students from different countries. For example, we have students from Saudi Arabia, we have students from Africa, we have students from America.
So students who are funded by their governments the same. The government will not pay for a certificate, it will pay for a complete degree. If a student’s going to pay out of his or her pocket, then we can say start by certificate test. If really this is something that will be of your interest and you would like to continue that path.
After finishing the certificate, the students will be able to tell, yes, I would like to continue or maybe this is enough for me. Students who would like to start with a certificate, it’ll be very important that we can have mentoring or advising session.
Through this advising session, we are setting with the students and would like to discuss what the students need the cybersecurity for, what skills he or she needs to develop, what are the career goals. Based on that we can customize the credit hours or the classes that will benefit the student.
Steve Bowcut:
Perfect. Okay. Thank you. Excellent. Great explanation. Alright, so let’s focus now on the master’s degree. So is it a thesis or a capstone or both? And if it is one or the other, how do you go about guiding students to choose one or the other?
Ayad Barsoum:
Okay, so the master’s program, as I mentioned in the beginning, this is 33 credit hours and there is a capstone part At the end of the program, the capstone can be a project or can be a thesis.
The difference between them is the project is a three credit hours course. The thesis is six credit hours course because the thesis is done over two semesters, one year of research work, students who are interested for research type of activities, I advise them to be in the thesis track. If the students would like to develop something or create a product or develop a software ated to cybersecurity, then we advise them to be in the project track.
That doesn’t mean, that does not mean that students in the thesis will not develop a product or a prototype. At the end, the students will develop something, even for thesis, they have to develop the proof of concept of their research ideas.
But we are advising students according to their career goals. If a student would like to go for a PhD after graduation, then thesis will be the best friend because students at that path will be able to develop their research skills. If a student would like to get more of hands-on experience, then the project will be the best friend.
Steve Bowcut:
Yep. Okay. Well said. Alright, so looking at both the master’s and the certificate program, one of the things that questions that invariably comes up on this show is how do you ensure the students can demonstrate competence, not just knowledge.
It’s one thing to learn how these things work in theory, it’s another thing to be ready to go into the workforce. How do you handle that at St. Mary’s?
Ayad Barsoum:
Okay, that is a great question. Okay. I can tell almost all our graduate classes, they have a project component inside the course itself. That means students are required to work on a project and the project will be something that we are testing their competencies on, the skills that they have learning. I can give some examples.
This semester I am teaching a course in cryptography. So in the course part of the assessment is related to projects. So I am giving students list of projects that they can pick from or they can develop some other ideas under the umbrella of cryptography and students are required to submit a proposal about their project, what they would like to do, and at the end of the semester students say defense or demo their project, and that way we can assess that students are able to demonstrate their competencies, not only the theoretical part.
So this is how we are doing that. Another part at the end of the capstone, at the end of the master’s program, there is, as I mentioned, there is a capstone and these capstone students are using all the skills and all the knowledge that they have developed through the program to develop a capstone product or a capstone thesis that has, as I mentioned, a product and when they defend their thesis or project in front of a committee, at least like three faculty members, sometimes even from outside the department. That way we are assessing the skills and the hands-on experience that students gained through the program.
Steve Bowcut:
Got it. Okay. All right. So we are, unfortunately this has been fun and the time gone by too quickly, but we are about out of time. So I want to end with a question that I know all the listeners are going to want to know the answer to or those that are looking to get into cybersecurity, their goal through the whole program is going to be to get a job.
So let’s talk about career launch guidance or resources like internships, scholarships, early career positioning with people in the community that you’re working with. What have you done on that front and what advice do you have for students in regards to those things?
Ayad Barsoum:
Okay, so one component of the master’s program that we have, this component is called internship. Internship. I call it a when situation, why I call it when number one, through the internship, students are able to get real life experience before they graduate.
Many of our students are working through these internships with employers or with companies and they are getting paid. So this is real life experience. This will put some money into their pockets. Plus also this internship is considered three credit hours toward the master’s program. So students are getting the first one, they are getting real life experience.
Second when, they are getting paid. Third when, this is three credit hours toward their master’s program. Through the NSA designation, we have so many internship opportunities for our students. So these opportunities can be in government or even outside the government.
Adding to that, at St. Mary’s University, we have a career fair, this is done every year and we are inviting employers from our area and around and through these event students are able to meet with the employers and they are able to speak to make connections and even to provide their resume to the employer. And many of them they are getting internships and sometimes full-time possessions through these event.
Adding to that at St. Mary’s University also we have a set of seminar events or seminar classes. These classes are open to everyone in these classes or in these seminars. We are inviting representatives from different companies. The representative will speak about the activities or the company and what they are doing.
Also, they are offering or providing what opportunities the company has and what they are looking for. So these are how, this is the connection and the opportunities we are offering for our students to be able to already, because we don’t want our students just to go without helping them to be prepared.
Steve Bowcut:
Very good. Alright, thank you. You’re very welcome. Alright, Dr. Barsoum, thank you for joining us today and for breaking this down. In practical terms, how students can navigate in and build their skills in credentialing and eventually to have positive career outcomes. We sincerely appreciate it.
Ayad Barsoum:
Thank you so much for hosting me. It was my pleasure.
Steve Bowcut:
All right. For our listeners, here are a few key takeaways to reflect on after today’s conversation. A few of the things that we talked about today. So if you want an accredited way to build graduate level cybersecurity skills, the graduate certificate in cybersecurity can be a strong on-ramp for that, especially when paired with a deliberate course selection strategy that aligns with the role that you want eventually when you start your career.
Also, if you’re aiming for deeper specialization, maybe leadership growth research and advanced work, then you might want to look at the master’s degree in cybersecurity offers both the thesis and the capstone project pathways. So it depend on what your inclination is there, and so you can align the degree plan to your career direction.
And importantly, designations and centers matter most when they translate into real student experiences. And I can tell you what we’ve talked about with the Dr. Barsoum so far. I think that they’re doing a great job at St. Mary’s. You’ll get hands-on learning, mentoring competitions, professional community engagement, and all those things that will prepare you to go into the workforce.
So to everyone listening, if you found this episode helpful, please follow or subscribe wherever, get your podcast and share it with a friend or classmate who’s trying to make a decision about cybersecurity education. Thank you for spending time with us on the Cybersecurity Guide podcast. I’m your host, Steven Boko. Until next time, stay curious, keep building and we’ll see you in the next episode.