Ben Crenshaw, the head of cyber and AI education at Work ED, discusses his approach to bridging the gap between academic cybersecurity learning and the practical demands of the industry.
A summary of the episode
Crenshaw emphasizes the importance of aligning education with industry needs, providing hands-on, industry-relevant experiences, and nurturing ethically grounded cyber professionals.
He describes Work ED’s comprehensive cybersecurity education programs that progress from middle school through early career, featuring partnerships with industry leaders, ethical hacking exercises, and the integration of emerging technologies like AI.
Crenshaw advocates for weaving ethics into every aspect of cybersecurity education, as he believes this is the fundamental difference between cybersecurity defenders and threats.
As cybersecurity and AI converge, Crenshaw highlights the need for adaptable, future-focused curricula that prepare students for the evolving challenges in this rapidly changing field.
Listen to the episode
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today, our guest is Ben Crenshaw, the head of cyber and AI education at Work ED. This episode is entitled “Bridging the Gap, shaping the Future of Cybersecurity Education”.
Let me tell you a little about Ben before we bring him in. Ben Crenshaw is the head of cyber and AI education at Work ED, where he bridges the gap between academic learning and the practical demands of the cybersecurity industry.
With a background as a senior vulnerability analyst at Oracle and a former cybersecurity teacher in the Canyon School district. Ben brings both industry expertise and a passion for education to his role at Work ED. He focuses on developing hands-on industry-relevant programs that prepare students for real-world challenges while fostering comprehensive career pathways.
Ben is also a mentor for the US Cyber Games and a Trace Lab’s search party, CTF Coach helping shape the next generation of cyber defenders through open-source intelligence initiatives.
As the author of Teaching Cyber Building, the bridge between education and Industry, he advocates for aligning education with industry needs and emphasizes ethical, hands-on experience and continuous learning to nurture skilled, knowledgeable, and ethically grounded cyber professionals.
With that, I’m very happy to welcome to the show Ben Crenshaw. Welcome Ben. Thank you for being with us today.
Ben Crenshaw:
Steven, thank you for having me on and be able to talk about one of my favorite subjects.
Steve Bowcut:
Perfect. Because one of our favorite subjects around here as well, so we’re glad that you’re willing to give us some of your time to talk about this today. So let’s to get started.
Before we get into the topic, let’s look at some of the background maybe and the mission. So help our audience understand what inspired this transition for you from being a senior vulnerability analyst at Oracle to becoming the head of cyber education at Work ED?
Ben Crenshaw:
Sure. As a high school teacher in Utah, I taught cybersecurity, so I was able to see firsthand how engaged students would become when they were working with real world concept hands-on labs and things like that. And at the time doing vulnerability analysts at Oracle as you mentioned. And I noticed a growing disconnect between what the industry needed and what the students were learning.
Really there was especially a pivotal moment when one of my students discovered a significant vulnerability in one of the local company’s networks with permission. During one of our supervised exercise working with the company and really her excitement when she realized that she could make a real impact, that’s when I knew that education was where I could make the most significant difference.
So really the transition to Work ED felt natural because they shared my vision of bridging that education industry gap. There was an organization already doing innovative work in career education and they wanted to build out their cyber programs to prepare students as I was doing in the classroom. So leading Work ED cyber education initiatives really allowed me to take everything I learned from both industry at Oracle and develop the programs that work.
Steve Bowcut:
I love that idea. So it’s something that you’re passionate about, but what better way to have a larger impact than to teach? So you teach others how to do it, you’re going to have a much larger impact on the industry, so I appreciate that. So let’s maybe focus a little bit on some of the unique approaches or key initiatives at Work ED, how do you achieve this?
Ben Crenshaw:
I think what makes my approach and absolutely aligns with Work ED’s approach and what makes it unique is that we build everything backwards from actual industry needs a cybersecurity term as we kind of reverse engineer our programs.
So we take our externship programs for example. We don’t just teach concepts in isolation. Each of our modules and activities and experiences are tied into real-world scenarios that cyber professionals deal with daily. In fact, many of the experience that I had to deal with at work at Oracle.
One of our key initiatives is our cyber pathway, which is comprehensive and really it progresses even from middle school through early college and early career. For example in New York, we’ve partnered with community colleges and steam centers really to run our cyber and our AI programs. For example, currently we’re working at Amazon’s Manhattan headquarters with the borough of Manhattan Community College where we’re also working with districts in Fresno Unified California and the goal is just to integrate that cyber education into real career pathways.
So really what I think sets our programs apart is the focus on the hands-on experience, the day-to-day of a cyber professional. And while teaching in Utah, I saw students really learn best by doing, and I think every teacher agrees, and I think I’m lucky to have taught cybersecurity because really that’s what you can get into is you can actually get into project-based learning where students are working with actual cybersecurity tools and participating in Capture the flag events and getting mentored by industry professionals.
I’ve really found that bringing industry into the classroom is not just beneficial to the students, but it’s benefiting the companies as well and they love doing it. They love coming into the classroom and seeing what these students are ready to go into the field. They’re not only just as concerned as the companies about cybersecurity, but they’re getting the tools and the experience to do something about it.
Steve Bowcut:
And those are two elements that I’ve always found extraordinarily important. I always ask guests that are educators, how they keep the curriculum relevant to the industry’s evolving demands. So things are changing so quickly in cybersecurity.
So it seems like it would be a pretty big challenge to keep what you’re teaching relevant to what industry needs. And it sounds like that’s something that you’re focused on and also the real world application. How do you actually do that? It’s great to teach theory and I know that we all need to understand the theory behind these things, but you’re not really equipped to go to work in the industry and tell you’ve had some hands-on experience.
So maybe you could elaborate a little bit on what that actually looks like and maybe focus on the hands-on experience. You refer-enced earlier one of your students poking around a little bit in a partner’s network. Is that the kind of thing that they could anticipate is that they’re going to be able to poke around in somebody’s network with permission and not break anything? Or how does that work?
Ben Crenshaw:
Yeah, it’s definitely ethical hacking, which just basically means with permission. And I really do think that’s the best way and that is what our students can look forward to. And Steven, they really do look forward to doing that. It’s kind of the motivator for most students to be able to, for me getting interested in cybersecurity was because I like to take things apart and see how they worked.
And many times that’s exactly what’s happening is we’re capturing that curiosity but also putting it literally to work our curriculum. The curriculum that I’ve built at work at is really manifested on three pillars, the technical skills, the real-world applications and tools and what I like to call the hacking mindset. That’s probably the most important thing. What’s going to keep you going in any career, in any part of life is that curiosity that’s fostered, which for a lot of people, if they try to break something, they’re going to get punished for it.
Well here we encourage you to break things, figure out how to fix it, how to make it better. I mean we’re truly hacking ethically, but it’s always at the benefit for the students and it’s always directed towards what’s needed in the industry. So the excitement for that is it’s very real and it’s there. And the teachers that I teach who are going in and also going to be cyber educators, they love it too because they are now in a classroom where the students are excited every day to ask the question, what’s next? So it’s really the real-world application piece. It blends in with the lecture, which is difficult for most subjects I think.
Steve Bowcut:
Yeah, absolutely. Thank you. I want to pivot just a little bit now. So I’ve noted that you’ve written a book and I know that that’s not an easy undertaking unless you’ve done it. I don’t think you quite understand how difficult that could be. So a couple of things about that. First of all, what was your inspiration to write it and then what are maybe some key takeaways that people that read your book or will read your book come away with?
Ben Crenshaw:
Oh yeah, great question. That was my first book that I’ve written. I actually write short stories, short fiction, and I enjoy doing that for many years. But this was the first time I actually felt like I needed to write a book.
And it came from seeing both sides of the equation working in the cybersecurity industry and teaching in the classroom. I saw a gap between what schools were teaching and what companies needed, as I mentioned earlier, and I kept thinking about all the lessons I learned the hard way at Oracle and other places I’ve worked and I wanted to share those insights with other educators.
And I would say the main takeaway is that effective cyber education isn’t just about the technical skills, it’s about creating problem solvers who understand the bigger picture. And I included in my book Real World case studies from my teaching experience in the classroom and also from what I’ve learned myself from running our cybersecurity programs with work in New York, California and other states.
And it really just showcases how to make complex concepts accessible while maintaining real world relevance. So the book’s really written for educators who many are new and a lot of the cyber educators that I am still involved with and mentor, they’re the old driver’s ed teacher or they’re the English teacher who are now told, Hey, you’re teaching cybersecurity now. And really they don’t have any idea what it is, but we really need to not only just build the cyber workforce, we need to build the cyber education front as well. And so that’s what this book really addresses and it’s for everybody because this is our world now.
Steve Bowcut:
Everybody needs to know something about cybersecurity. And I love what you said there because seen that a lot as I talk to people in the industry that kind of like the old adage that the history teacher becomes the coach or vice versa at that level. I think we do that a lot in education, particularly in the high school education. The people that are given the responsibility to teach cybersecurity are not really industry professionals. They need some guidance. They may have the one that, they may be the one that has the most technical acumen, but they really don’t know a lot about cybersecurity. And I’ve seen that quite a bit. So I appreciate that there’s a resource out there for them to,
Ben Crenshaw:
And just one other part, what I say to the students and the teachers, even if you’re not going to teach cybersecurity or cybersecurity is not going to be in your job path as a student, you’re not interested. That’s okay. You’re still in the right place because this is the world we live in. And just to know the etiquettes and how to protect yourself and your family is important. I mean, cybersecurity should be taught as just as a driver’s ed classes where we need a driver’s license while there’s no driver’s license for the internet, we’re just unleashed on it and it’s more dangerous than being in a car sometimes.
Steve Bowcut:
Yeah, no, I agree. Everyone is going to be exposed to risks, digital risks, and they need to know how to handle that. So thank you. So another thing that you had mentioned earlier that I wanted to maybe drill down a little bit as these industry partnerships, it’s a fascinating concept and I’ve got your website up on my desk and on your website it scrolls through and it shows some of the industry partners.
And with your permission, I’m just going to read a few of ’em. There’s IBM, Amazon, Oracle, Humana, the Brooklyn Navy Yard. That’s just some of them that are scrolling across here. Now I’m assuming, and correct me if I’m wrong, that not all of those partners allow students to come poke around in their network, but maybe they do. What are some of the other ways that these industry partnerships help the program be successful?
Ben Crenshaw:
Our partnerships are crucial. They’re the ones that provide the real world context that was missing when I was first teaching cybersecurity. And for example, our collaboration with Amazon is a perfect example, and this is where students work on actual cyber and AI challenges in a corporate environment where they can experience simulations that you just can’t do in a traditional classroom in a setting where it’s just say, a textbook learning.
In fact, that’s one of the oddest things that I’ve seen in my travels teaching teachers is actual cybersecurity textbooks. And because I always think as soon as that was published, it was outdated. There you go. So we really try to keep industry involved and I think it motivates our partners to think, well, what should I be looking for as well? Because for me, I learned more about cybersecurity teaching it than I ever have in the decades working in it.
OAnd I think when industry gets to do that, gets that opportunity, they’re learning about their own profiles, their own stature, their own cyber securities or insecurities at times as well. Yeah, these partners often they tell us they see a noticeable difference in the work readiness of our graduates. And it’s just fantastic to see the students I’ve worked with specifically in Utah or California or New York, many of them are now working with these partners in some capacity. So it’s exciting for everybody.
Steve Bowcut:
That is awesome. Alright, cool. And another thing that I think I picked it out of your bio that maybe I could get you to comment on is the US Cyber Games and Trace Labs, Open Source Intelligence. Could you talk about that a little bit?
Ben Crenshaw:
Yeah, so I got involved in those things because I guess I didn’t think I was busy enough, but when you love what you do, then it’s not really work, I guess. Well, that’s what people tell me.
But yeah, my involvement in the US cyber games and if people aren’t familiar with that, think of it as the Olympic team of cybersecurity, where students usually college level compete against national and then especially international cyber teams and capture the flags and other contest for the glory and the prizes.
And the US cyber team is definitely competitive and I get to provide mentorship for them, some of it technical, some of it professional development as well, which we encourage. And I’m currently a coach for season four. I’m working on the web security development for them for Trace Labs. It’s really been invaluable. I use these lessons I use at Trace Labs and the US cyber games. I bring that right into my programs right back to the students.
Trace Labs is interesting, that’s more concentrated into OSINT, which is open source intelligence and their whole reason for being is to find missing people. And for example, their competition is a CTF where the team is given from law enforcement, a list of missing people. And these are real cases and we’re using OSINT tools and just the team cohesiveness to try to solve the mystery and its points are awarded and things like that. And then all of that information at the end of the competition is then turned over to law enforcement who then just has a much bigger, it just scales up their investigation, which I absolutely love working with Trace Labs on this.
Steve Bowcut:
Yeah, I’m sure the students do too. They do. That would be so exciting to be involved in something like that where you can actually make a difference in people’s lives.
Ben Crenshaw:
Absolutely.
Steve Bowcut:
That’s very cool. Another thing that we’ve mentioned a couple of times that maybe we can get you to elaborate on is this idea of nurturing ethically grounded cyber defenders. It’s hard for me to imagine how you do that because I don’t know, ethics and morals, they have to come with the student. So how do you develop that in the individual student and help them understand the importance? And I assume you spend a lot of time talking about where the lines are, don’t cross these lines, this is where the lines are at. But you have to somehow nurture in them this desire to not cross those lines when sometimes I think it would be so easy to do.
Ben Crenshaw:
It really is easy to do, and I think that’s one of the biggest reasons why we are in the cybersecurity mess that we are as a nation and the world. And for me, day one, we start with ethics. Ethics isn’t just an add-on module in our programs. It’s woven into everything that we do. It’s taught every day alongside with the tools.
I learned from my time at Oracle that the technical skills without ethical judgment can be dangerous because as a vulnerability analyst, I had access to very sensitive information and equipment. And if I’m not bounded by my own morality, by my own ethics already, then yeah, problems can be caused in bad things happen on both sides.
So I incorporate the ethical decision-making in all our practical exercises, in all of our real world scenarios to help students understand the implication of their answers. I always tell my students, if you want to work in cybersecurity, this is a position of trust.
Steve Bowcut:
Exactly.
Ben Crenshaw:
And be good is what I say. That’s my mantra. You must be good. Because if you’re not good in just your life with your community, your friends, your family, that one little hiccup, that one little mess up could really blacklist you from future endeavors and things like that. So practice being good, do the right thing.
Steve Bowcut:
You can’t really compartmentalize it and be not so good in your day to day. But when you come to work and put on your cybersecurity defender hat that you’re going to all of a sudden be ethical. So a hundred percent sometimes refer to that as the make your bed principle, right? Make your bed and your day’s going to go better, your life’s going to be better if you’re the kind of person that gets up every morning and makes his bed.
So if you’re the kind of person who does everything ethically and to the best of your ability, that is naturally going to just translate into being a better cybersecurity defender and somebody that somebody can trust. And I appreciate that you mentioned that as well, because there is so much trust that organizations need to put in, they need to trust their cyber defenders, and if you violate that trust, you’ve probably just sunk your whole career.
Ben Crenshaw:
Well, Steven, the only difference, and I say this, preach this in the classrooms and beyond is the only difference between the threat actors and our cyber defenders is the ethics. Because it’s not the skill, it’s not the tools we use, it’s the ethics. And that’s why it needs to be woven in from the beginning so you don’t go to the dark side.
So the temptations may be there, they’re more understood and fully contextualized and that line doesn’t get crossed. And so that’s one of my jobs, that’s one of cyber education’s jobs is to make sure that that line is very well outlined.
Steve Bowcut:
I love that. That’s a really succinct way of putting it. I’ve not heard it quite like that before. The only difference between the good guys and the bad guys is their ethics. They’re using the same tools, they have the same knowledge and skill base, but one is ethical and one is not. So that’s great.
Alright, so we’re going to need to wrap up here. We’re about to our time, but I do want you, I’d like to get your perception about the future and particularly because I know you teach AI as well and you’re knowledgeable in that area. So particularly with the advancements of AI and increased cyber threats that we’re all aware of, how do you see cybersecurity education evolving in the future?
Ben Crenshaw:
Yeah, I enjoy teaching our new AI discovery program, and I kind of call it AI is the new cybersecurity because cybersecurity was the big thing that really students wanted to learn about. And all of a sudden it seems like now there’s artificial intelligence in the mix
Steve Bowcut:
And
Ben Crenshaw:
It’s something we’re very focused on at work at and I’m definitely focused on, I’ve just recently got a couple of Amazon AI certifications, which they’ve just recently released. And our programs in New York working with Amazon incorporate a lot of the AI components that we teach our students and we teach them the same thing in cybersecurity.
We teach them the tools and the skill base, but again, we’re also weaving in the justice component. We’re weaving in the ethical components because definitely AI is something we need to step back from to the point where we need to have a really full perspective of what we’re doing.
We’re at the point where we were about 20 years ago with cybersecurity, with the internet, we could have made better choices 20 years ago. And I think we’re at a point now where we need to make the right choices with AI and the tools, and that’s what I try to instill as well while teaching the skillset. Yeah.
Steve Bowcut:
So is it fair to say, and maybe this is just obvious, but is it fair to say that you really can’t teach cybersecurity today and going forward without teaching AI at the same time because they need to have an in-depth understanding of the relationship between AI and cybersecurity? Is that a fair statement?
Ben Crenshaw:
I would say it’s even more fair because it’s almost like the DNA of AI is in cybersecurity, and maybe that will be vice versa in a year or so. But it’s definitely become more adaptive. Our programs are more personalized than they are with cybersecurity.
We’re developing programs very quickly to respond to the new AI threats and not just the cyber threats, but in a way they’re the same thing. It’s the same type of problem. And while maintaining a strong foundation in those core principles, I feel we’re still preparing students for the upcoming challenges. And I always say the biggest problem with AI right now is the one we don’t see, the one we don’t see yet.
And it’s also, it still comes down to the job though, the job roles. I think the best jobs in AI are the ones that the students are going to create. They’re going to have an opportunity to create their own job roles and functions and even the new skill sets with artificial intelligence wrapped in perhaps a cybersecurity layer.
And I think the most valuable security and AI professionals now are those who can adapt to the new technologies. And that’s usually the thing that holds up analysts and technicians and people who’ve been in a company for years is that adaption. So that’s one thing I try to really focus on is things will change and they’ll change fast whether you like it or not.
And there’s always the conversation, well, should we have AI in classrooms, should we not? It doesn’t matter. It’s going to happen. So that’s the wrong question.
Steve Bowcut:
Yeah, exactly. By the time you’re done asking the question, it’s already happened. Things are changing so quickly.
Ben Crenshaw:
Yeah, we’re always looking ahead. We want to ensure our students are prepared for whatever comes next in this very rapidly evolving field.
Steve Bowcut:
Yeah. Awesome. Alright, Ben, we’re out of time, but thank you so much. I genuinely appreciate you giving us some of your time today. What we’ve talked about, the insights that you shared is going to be invaluable to our audience, both students and educators, and so we really appreciate it.
Ben Crenshaw:
You’re very welcome. It was a pleasure.
Steve Bowcut:
Alright, a big thanks to our listeners for being with us and please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.