Bryan Deehring is an associate professor at Anne Arundel Community College (AACC), a nationally recognized institution certified by the NSA as a Center of Academic Excellence in cyber defense.
A summary of the episode
Deehring emphasizes the importance of hands-on experience through labs, simulations, and competitions to prepare students for real-world cybersecurity roles.
While technical skills are important, Deehring finds that hiring managers often value soft skills like communication, confidence, and the ability to learn quickly over extensive prior experience.
Key in-demand skills include CompTIA Security+ and ethical hacking certifications, though Deehring cautions that certifications alone do not make a well-rounded cybersecurity professional.
Deehring’s advice to aspiring cybersecurity students includes staying current on threats and technologies, getting hands-on experience, and actively networking through platforms like LinkedIn.
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today, we are joined by Bryan Deehring, associate professor at Anne Arundel Community College, a nationally recognized institution, and the first community college certified by the NSA as a Center of Academic Excellence in Cyber Defense. We’ll talk about what that means a little bit more in just a minute.
The topic for today is cybersecurity education and training at AACC. Let me tell you a little bit about Bryan before we bring him in. With over 20 years of experience as a cybersecurity practitioner, trainer, and educator, Bryan has built security and privacy programs for organizations ranging from Cisco Systems to international government agencies.
His expertise spans cybersecurity, cyber operations, and network security, and he has taught at both the US Naval Academy and AACC, helping shape the next generation of cybersecurity professionals.
Bryan’s passion for cybersecurity education and hands-on training makes him an invaluable resource for students and early career professionals looking to enter the field. With that, welcome Bryan. Thank you for joining me today.
Bryan Deehring:
Thanks for having me.
Steve Bowcut:
All right. This is going to be fun. I’m looking forward to it. So as we like to do, we’d like to start with a little more background. I know I read your little short bio, but that doesn’t tell us all of the inside stuff.
So tell us a little bit more about, and two things really that I guess I’m interested in here, your journey, how you got interested in cybersecurity. Are you one of these guys who at 12 years old just decided cybersecurity is where you want to spend your life, or did it happen later in life?
And then also, if you want to add to that, how did you transition from being a practitioner to an educator, and what was the inspiration or motivation for that?
Bryan Deehring:
Wow. Alright. Yeah, when you said, I’ve been doing it 20 years, it’s probably more, but we don’t need to tell the world.
Steve Bowcut:
Yeah, I know, right?
Bryan Deehring:
So when I definitely didn’t start, I definitely was in technology and when I was in high school, I was building webpage, but I was building webpages on 386 computers, which for those listening might not even, they’ll have to go.
Steve Bowcut:
Yeah, they’re saying, what is that exactly? Right.
Bryan Deehring:
And installing games with three and a half inch floppy discs. But when I went to college, my buddies and I, we were really interested in, I know it sounds so cliche for the young mind, but where the money was. And so we’re like, oh, we should go into geological engineering, which is a great way to stop a conversation.
Steve Bowcut:
Yeah, exactly.
Bryan Deehring:
So we’re all in this engineering program and in the first year it’s all general and then that’s when you decide after the first year, is it going to be industrial systems, is it going to be geological? Is it going to be computer and electrical, whatever it may be. And so at the time, they said the money was in rocks. So most of my friends went to rocks. I chose computer and electrical engineering. So by junior year, all of my friends were back with me. They realized how boring rocks were.
Steve Bowcut:
Rocks.
Bryan Deehring:
But it turned out it worked out well. So the program that I went to for undergrad was really, if you can do the work, then you can get through it. But it was a lot of work. And upon graduating, there’s, I think regardless of school, whether it’s a community college or a four-year university, they always have the job fairs interlaced and the career fairs.
And I actually, I started talking acronyms that I’d read in one of my textbooks to one of these employers. They’re like, do you know what a VPN is? And I’m like, yeah, it turns out I, I had to go look it up before I met with them later that day. But they were very impressed with how confident I was that I knew what a VPN was. So this was circa 2000.
So as a result, I went on board this startup, I was a man number four or five, and we grew it in about three years from just, I think it was like a $15,000 investment to a company that got acquired.
And so that was my first experience in information security as we called it. I was a security consultant for them. And even looking back on it, the title and role was security consultant, but my job was to go into customers or hopeful customers, and I’m the educator next to the salesman. So I was already kind of educating and training even at that early phase.
But what started there, once we got acquired, we had been selling products, so firewalls and antivirus and all the things that you would sell at that time in the market. And we also had professional services, and I really liked the people side of it. And so when we got acquired, I eventually resigned and started my own shop. I started consulting.
And that was a very interesting experience when you have no business experience to try to pay your rent and eventually your mortgage by just knocking on doors and saying, Hey, I’m the security expert. Do you have a need?
Steve Bowcut:
Exactly.
Bryan Deehring:
But that also was successful and it’s something that is still tied to me to this day, even in transitioning from being a practitioner to almost a begrudging educator. I say that because I still, I’m a virtual CISO, chief information security officer. I still have clients. I think that’s probably what keeps me fresh and gives me some fresh perspective when going into especially an intro class where I think there is a lot of foundational knowledge that students need to be transferred into their brain.
But there also needs to be, I think, a fair amount of inspiration to help see where there’s some affinity for students wanting to get into the field. But so I skipped over some things which might come out in other important aspects of how I go about being an instructor and a professor. But yeah, that’s how I got to be here.
In fact, it was a good friend of mine who said, you know what? You like this idea of front loading your work week and doing these compressed lots of work at one time and then having a little bit of time off, which was true in consulting. And it’s true in another season of life that I had, I worked in the entertainment industry as an actor and producer.
And when you work on a film, it’s hurry up and wait, hurry up and wait. It could be when you’re in principal photography, it could be six weeks of filming, 80 hours a day it feels like. And then there’s nothing to do once it goes into post-production. So all of those aspects that a very dear friend of mine said, you know what? I think you’d really enjoy being at the community college. And I was like, why is that?
She’s like, well, it’s the same thing. You have 15 weeks of crazy chaos going through the semester. You get a little bit of a breather. I was like, alright. So I did a try and turned out that I enjoyed it. So that’s how I got into the position I am today, which isn’t necessarily, Hey, I had this huge drive to mentor students. That’s something that kind of grew on me or shape whatever’s next.
Again, that part kind of falls in the lap when you realize that, by the way, you’re now responsible for all these young souls who are trying to decide if they want to go into cybersecurity or not.
Steve Bowcut:
Yeah. I love the idea that you’ve, so you still got, if I understand you correctly, you still got one foot in industry as a practitioner. And then so there’s a lot of current things that you can bring to the classroom. So your mind is not completely academic, it’s not textbook one’s. Part of you is actually practicing what you’re teaching. Is that a fair assessment?
Bryan Deehring:
In fact, eventually my deans will probably listen to this and be like, you’re not supposed to say some of these things. But just from the standpoint I’ve had my hand slapped numerous times, I am a practitioner. So one time I shared about an experience with my students and I was like, well, this isn’t the real world yet.
As defined by the classroom in the labs and no matter how realistic we can make them. And at the time they didn’t like me saying that. But I am very much kind of the anti-academic because I’m very much a professor of practice.
And so my experiences, whether it be with huge publicly traded company like Cisco, which incredible experience and all of the brilliant people, egos good and bad associated with training them and to also government agencies where it has its own culture and dynamics and learning how to work with and be effective with that group of people all has informed what we call in the academic world the teaching philosophy.
Steve Bowcut:
And that’s really where I wanted, really where I wanted to go next is it would be interesting if there’s a way to articulate that, how your past experience training professionals and all the things that you’ve done in your past influence what you’re doing now in the classroom.
Bryan Deehring:
Teaching philosophies come up rarely, generally in a job application or if you’re going through some type of professional development and trying to improve your skills, something like that. But when I think of teaching philosophy, three things come to mind. I think of the role models that I’ve helped inform my path, my faith comes into play. And then also just the ability to more than just keep things current.
So I think my experience with all of these different markets and sectors, small and large business inside and outside of technology as well, meaning entertainment as well as being in cybersecurity tells a certain story. And it’s helped me raise the stakes. So I guess in one way you could say I have some unique perspectives, but one thing that I find very important is that at least in my experience, it’s been easy to get stale.
I’ll agree that everyone’s different when you come into cybersecurity, people have different passions and different aptitudes for different areas of cybersecurity. But I’ve found that as you raise the stakes, it can get, I don’t know if more spicy is the word, but it can become actually more relevant when the stakes are so high.
People think the story is ridiculous. So what I mean by that is, so taking a story, real world. So it’s one thing to say that we are there to protect the data that’s kind of benign, maybe even boring for some people. But if you then attach a soul to that, and now we’re responsible for the data and a human life that’s responsible for it, the stakes are now a little bit higher.
So an example that I often give, and there’s numerous unfortunately, but if we’re talking about real risk, and that’s part of our job, we’re being trained up to go into a workforce, whether it’s in operations or as an analyst or as a strategist, whatever it may be, to make sure that we can defend, that we can protect not only the data, but very often the human life around it and life safety around whatever the organization may be.
So let’s raise the stakes and let’s not have it be just, I don’t know, a bank or I don’t know, a small business, maybe a franchise plumber or something like that. Why don’t we make it the Navy? So now we’re working with and forget the whole offensive and guns and kinetic warfare.
You just think about souls on a ship. And the fact that a ship is a network just like a corporate network, it has all the same redundancies, actually it has more, it has an organization behind it, the humans. And so for example, one example USS Yorktown, it’s since decommissioned, but it’s a Ticonderoga-class cruiser has 330 souls aboard.
Now the Yorktown, if you’re familiar with it, epic history awards for safety records and commanding fleets and warfare time awards for how effective it was both tactically and in support functions. And so it has this amazing history of doing its job, kinetic warfare, and it also was used as a test bed for what we call SmartShip technology. And during one of these tests, one of the sailors puts in the wrong number into a field.
So as a result, the database gets a divide by zero error. That database error causes a network shutdown. Turns out that even in 1997, the propulsion systems were tied to the computers. So now you have an Atlantic Fleet cruiser, this 560-foot-long vessel with 330 souls aboard dead in the water for three hours. And if it was wartime, they’d all be dead.
Now, do you want to get into cybersecurity to defend against that?
Steve Bowcut:
I really like that idea. That is a great way to teach cybersecurity, to get people excited about it. As you pointed out, data has no intrinsic value except how it impacts humans. So it’s all about humans.
Whether regardless of the data that you’re trying to protect, the reason you’re trying to protect it is because it has some impact on humans or there would be no value in the data at all. That’s interesting.
Bryan Deehring:
It’s often forgot. And just to tie something else that you had asked, or at least how I was kind of parsing my teaching philosophy, I had also talked about role models and thinking of two role models without spending too much time on them.
Both come from the world of psychology, one from industrial psychology, and one from more like the HR perspective of organizational management and leadership. And in fact, they were both aunts of mine, which is wild.
But from my personal and professional experience with them and growing up with them, I learned a great deal about just team building and organizational theory and things that helped me in the classroom to say, Hey, we need to approach this differently. We’re obviously not connecting or this isn’t making sense. So all of that gets wrapped up into what I have put into that bucket of my teaching philosophy.
Steve Bowcut:
Awesome. Thank you. And thank you so much for sharing that kind of personal insight to who you are and how your experience in past influenced what you do in the classroom. Let’s pivot a little bit here and look at AACC a little more directly.
And I think it would be interesting for our audience, and many of them may know this, but there may be many that don’t. Talk about this Center of Academic Excellence. And what does that mean? If I’m a student and I’m considering my various options for educational opportunities, why do I want to look for this Center of Academic Excellence? What does that mean for me?
Bryan Deehring:
So there might’ve been a Freudian slip that almost happened there. It might’ve been the Center for Accidental Excellence, accidental, but actually I think, and maybe I just heard it, but totally relevant, here’s why. So there are thousands of community colleges throughout the country, equally as many colleges and universities, and academic credentialing is kind of this blah blah, or “what are you even talking about?” type of realm. Things need to be regionally accredited just to simply print degrees. And I don’t mean that in any kind of derogatory way, but some standards are required.
And the Center for Academic Excellence, which is birthed through the National Security Agency, is a standard all of its own, specifically for the curriculum focused on cyber defense. How do we defend against and thwart against the adversary and attackers and the NSA has now that has grown, it’s been around, I’m sorry, I don’t know when we started it, but for as long as I’ve been in the academic realm, so that’s closer to 10 years.
NSA has had this and it has grown and improved and matured. It now has a focus. So an organization or a community college or just college in general who wants to get this, they can focus on the offensive side, cyber operations, they can focus on the defensive side, they can focus on the research side. You just have to meet their standards, go through their rigorous qualifying and peer reviewing and all the documents that are required to meet standard.
And then you get to put the badge of honor on to say, guess what? You come here. And the level of rigor, the types of technology that we use in-house, the specific resources that we have available additionally with the support of the NSA comes through that accreditation.
So it’s worth noting that if you’re shopping around for community colleges, that you look for the ones that do have these designations because they’re bent. Their bias is towards not specifically, Hey, we want you to go into a three-letter agency or work for the government, but that you have a specific curriculum that’s been accredited specifically for our market as cybersecurity professional.
Steve Bowcut:
Excellent, thank you. Appreciate that. And another thing that’s unique to community colleges, I guess it would be interesting to unfold and look at here a little bit, is so when students are coming to a community college, some are looking to get the education they need so they can go directly into the workforce. And some are seeing it as really just the first step in their academic career and they’re going to move on from there.
And I think intuitively I would know the answer to this and the audience probably would too. It would be interesting. From your perspective, how do you counsel those students and what kind of recommendations do you give them to help them decide to evaluate their goals and decide what it is that they need to do academically?
Bryan Deehring:
There’s this accidental thing that happens with at least community college professors, is sometimes you feel like you’re kind of this role of this advisor even if you’re not trained on it, or even counselor sometimes if you’re not trained on it. So you do have to be careful about that because you do establish a relationship with your students and you want them to succeed.
And so they inevitably share things with you. And if we’re focusing just specifically though on the career aspirations, I see two specific directions that we go with this for the way we have to handle this because you have the students that don’t know what they want to do, period. And then those that do have some type of plan.
So for example, my oldest son, he’s a freshman in high school and he has to go through this same type of process with his guidance counselor and with his parents: son, what do you want to do and where do you think you’re fit and what’s your interest?
And he’s interested in going to the Naval Academy. And so he’s in a specific program at his high school where he has to take these certain honors classes and AP classes. But his specific scenario, he’s on the, I know what I want to do. If you go to the Naval Academy, they don’t care about AP classes. You can’t get credit for AP classes, so you just have to do their program.
So what’s the standard he needs to meet is different for his track. So if it’s a student that knows they want to go onto a four-year, then they’re already seeing what the articulation agreement is, they’re already working with both the guidance counselor and with most likely a faculty advisor within our department to say, here’s the courses you can skip, here’s the ones you need to take. But for the ones that don’t know, my best advice is to A, don’t let that scare you.
So I often have students come saying, I have to figure this out. And I find it very interesting that they have to figure out something that is an industry that is now, gosh, 25, 30, 35 years old, it’s gone from one area that we just call it information security to, we have linguists and physicists and computer scientists, we have all kinds of disciplines that fall under this interdisciplinary world that we call cybersecurity.
You can’t possibly have experienced all of these or heard all of the stories or seen people in all these different types of jobs that exist under this big bucket or umbrella of cybersecurity. So my encouragement to those students is work the program. And as you go through the program, so there’s always encouragement to look at the internships that we have available.
We have a very active local community with defense and healthcare and tech associated with bringing in students for either internships or we’ll call it first level or entry jobs like working help desk or operations as an analyst or something like that.
And those beget the next opportunity. In fact, the NSA prides itself on this idea of moving new hires into all of the areas of the organization so they can see where their interests lie, and then build on that, yes, we’re bringing you in on help desk, but we expect that you’ll be gone from help desk in 18 months.
There’s an expectation that the first job is not the last job. So I try to impress that upon all of my students that, listen, you might get this first job and it might stink, or it might be the bee’s knees and you just love it. And that’s the exact advice I’ve given multiple times. And looking back at these students who are now on their third or fourth promotion within that first job, they’re like, oh, it wasn’t so bad.
Steve Bowcut:
Exactly. Alright, so a thing that we’ve touched on a couple of times that maybe we can drill down a little bit more is this idea of preparing students for real world roles. Obviously your experience helped you understand what those roles are, and we’ve talked about hands-on experience and the value of hands-on experience.
So how do you put those together? So in the classroom, how do you provide hands-on experience that helps the student prepare for what they’re actually going to be doing and maybe another layer of complexity there, given all the various roles you’ve just described? There’s a lot of ’em.
Bryan Deehring:
Yeah. So in the first year program at AACC, it’s all going to be either third party vendor labs like emulated software or simulated environments. And then when we move into second year and terminal programs and capstone classes, that’s when we’re hands-on with the racks and the hardware and virtual machines, the specific operating systems and vendor tools that they might be using for whatever their particular project is.
As far as I’m processing your question, I see the world differently as a practitioner than as an academic. So as an academic, we need to hit these learning objectives and even objectives for the degree, which still don’t necessarily translate. Now what I mean by that, and this doesn’t mean the organization didn’t do a good job when they created the program or created the degree, but oftentimes the softer skill is a more predominant need than all of the technical outcomes that we can deliver for the students.
So in preparing my students, what’s most important to me is that three things specifically. One is that their ability to articulate communicate has improved that their way of thinking or in an academic term, their higher order thinking has at least been tapped or primed so that the third thing can actually spark, which is that curiosity and that we’ll call it just an inherent desire to solve the problem in front of them.
Because too often what I see, and maybe this is from some previous conditioning or earlier schooling, is just give me the skill. What are the steps on the keyboard so I can get the job and I have to give them the reality that I will not hire you if that is your way of approaching the interview and the skills that you’re attempting to curate and catalog and prepare to use. So in fact, our board of advisors for our degree program, which are again, small and large companies within our region will echo the same thing. These soft skills are not to be second guessed.
If you cannot communicate or not working to communicate better, then we don’t care that you can manage the keyboard. We need to know, we know most of you, you’ve gone through the program, you’ve potentially gotten your first certification. We know you can learn technology. We need to know that you can communicate and that your focus is on the task at hand and not just someone that can collect certifications or that can say they can use the next tool.
Steve Bowcut:
That is such a valuable idea. When I think about many of us, and you’re probably in that boat, you’ve been on both sides, you’ve been the interviewee going into an interview, and then you’ve also been the guy who’s conducting the interview. And I know for me, what I didn’t know when I first started interviewing for my first jobs right out of college was that they didn’t really care what my technical knowledge was.
Because in their mind they’re thinking, well, I can teach you the technical knowledge that I need you to know. What I need to know about you is are you going to fit in my organization? Do you think we think, are you going to be a hard worker? Are you going to get up and be in the office every day and do the things that I ask you to do?
So there’s a whole, as you kind of term the soft skills there or the characteristics, the personal characteristics that they’re probably just as interested in as they are, how your way around the keyboard or the software or whatever the skill may be, that’s a very valuable thing I think for students to learn early so they could work and develop those attributes as well.
Bryan Deehring:
Don’t you think they resist it? And I think that, I find my peers will agree with this, that it doesn’t matter how many times we beat the nail with the hammer on this when they deliver lab reports in a formal lab report setting and it’s just data output and figures and there’s no narrative and there’s no objective and there’s no clear conclusion for what they did.
At least in my courses, they find that they’re challenged and frustrated like, well, I did the work. I was like, no, you hit a button. I need you to communicate what you’ve done because this might be the white paper that needs to go onto the website or needs to go to the customer and they’re not going to understand this at all.
Steve Bowcut:
Yeah, it’s excellent. Okay, let’s move on here a little bit. So what I wanted to ask you about, the next question I want to ask you about is what kinds of jobs that your students typically end up with? And then it occurs to me that in many cases you don’t know because you are training or educating people, some who are going to go to work right after they’re, they’re done with their associate’s degree and others are going to move on and get more education.
And those you may lose track of. So you don’t know what kinds of jobs. So for, I guess maybe it’s a two-part question. So what percentage or, and I don’t need any accurate numbers here, but how many of the students that come through your program are going to go to work right after? And if so, what kinds of jobs are they getting and how many of them or what roughly you’re moving on to a higher degree or a bachelor’s or a master’s degree.
Bryan Deehring:
So I can give you one step better, which is not going to make anyone happy that’s listening. So I have an incredibly competent, skilled, highly intelligent student, graduated top of his class valedictorian. He’s a career changer now.
Young career changer, he has worked in a previous field which has a level of risk management, incident response and exigent circumstances that is far superior than anyone within a security operation center is ever going to have to deal with. And it took him 18 months to get his job.
Now, that’s why you don’t put me on the keynote at some places. But so what’s interesting is that there is a gridlock between hiring managers, the HR filter and those that are truly wanting to get the job and it hasn’t been solved yet. And every year we go to conferences and we try to come up with new solutions and we try to figure this out.
It’s like a combination lock with maybe there’s like six dials now on it, maybe there’s seven. We’ve only figured out four or five or six of them. So there’s been a challenge even with the top of class professionals with entry level certification to sometimes get the job. And so that’s not to say it’s all a wash, but the point I want to make is it’s not the same as going into retail.
You want to get into retail, show up at the store, they’ll tell you what days they do interviews. If you want to work in restaurant tourism, again, there might be even a posting when you go to that particular restaurant or place of business to say, Hey, here’s how we do it and please come and show up for the interview.
With a lot of even entry-level positions, and this will actually get back to soft skills, they’re stuck on wanting a 30-year professional who in the workforce might charge $250k, $400,000, $700,000 a year. Someone like me who if I left academia, those are the things that are out there and someone who’s 20 years old or 21 years old just coming out of school, they want the entry-level analyst with all of this perspective and experience and they need a bit of a reality check.
And again, this comes back to me, what I encourage my students and kind of train them up to with interviewing, in fact in the classroom we call it main board versus sideboard stuff. And what I continually, so sideboard can be current events, it could be stuff that’s not being tested on but is relevant to the topic. And it’s also including things that need to come through when you’re interviewing and presenting yourself. And that has to be, and this sounds cliche, but confidence wins overall.
You could be in the room with Caesar or some charismatic enigmatic leader and confidence attracts. It can’t be dumb confident, it can’t be like this false confidence, but the confidence will come through even at entry level through honesty, and that has to present itself. Otherwise you’re going against their false reality that they’re getting a 30-year professional and you need to crack the code to say, listen, you’re seeking someone new and hungry and they’re in front of you.
Steve Bowcut:
That is so fascinating. So let me interject here just a little bit. I hear the complaints in the industry. The hiring managers are given a list of all the things that they want and they’re giving you an entry-level income. And industry academia is saying, well, that’s not very realistic. I mean, you’ve just described in your job notification, somebody who’s got 30 years industry experience and you’re going to put them in the SOC.
So there is that tension that I’ve noticed, but what I don’t maybe have a firm grasp of, and you would have a better view at this than I do, is do they really expect that that’s what they’re going to get? Or will the student coming out with a brand new sparkling degree if he exudes some confidence and just is honest with them, said, no, I don’t have all of these things that you’ve asked for, but this is what I do have.
Are the hiring managers actually expecting that they’re going to get everything that they’re asking for, or are they just putting that there to say this is like a pie in the sky, what we wish? I don’t know.
Bryan Deehring:
So let me answer backwards. So yeah, a lot that’s how job descriptions are written. Even the required often is the reach.
Steve Bowcut:
They say it’s required, but that’s not really required, right?
Bryan Deehring:
Yes, correct. But again, it’s almost as if it’s programming. And so here comes some of my communication background. If it’s what they do every day in and out, I’m thinking with the lens of the HR manager, then the expectation is now set. It’s been programmed that this is what we need. So there’s a little bit of, I wouldn’t call it a glass ceiling, but there does need to be programming in the reverse.
This is where the confidence comes in to say, listen, this is the job that you’re looking for here. Let me help educate you on the levels within the industry as far as years and experience. And if you already have your CISO and you have someone running your SOC, but no one to actually be in front of a computer at the SOC, then guess what? You’re looking for me. You’re not looking for the manager that’s looking to hire me.
And again, that literally is confidence, truthfulness and honesty about where I am in my job role. I am at the beginning. You are seeking someone at the beginning. And so again, I’m not going to flower it up and say it’s easy when a top contender can take months to get the job. Then I want to set the expectation so that through the frustration you don’t have despair. There’s a reason why there’s an application process and not everyone gets the job.
I’m not going to say it’s easy, but here’s the flip side of it. Here’s where the reality and the truthfulness needs to be communicated right back. As you go to CyberSeek, you go to, gosh, you go to Indeed, you go to NICE. You go anywhere where it’s presenting data on the job needs for cybersecurity professionals. The top two categories, this is laughable, is implementation and operations and governance and oversight. That’s like saying which side of the coin? Both. It’s like all of it. There’s a job needed at all levels.
Steve Bowcut:
That is so fascinating. And that leads right into the next question that I wanted to ask. So what skills, certifications, or programs, let’s say educational programs, are in the highest demand right now, the feedback that you’re getting from industry or from your students that this is what they’re telling me that I need?
Bryan Deehring:
So from a certification standpoint, if you’re looking traditionally, we go defensive. If there’s, I put an 80/20 filter on everything, the 80/20 rule, 80% is going to be more on the side of looking for a CompTIA Security+
Are going to be looking for the CEH, which is more on the offensive side, Certified Ethical Hacker. And then with more years of experience, the default or even the Cadillac is getting your CISSP, but there’s some nuance to the certification side as even certifying nonprofit bodies are seeking to increase revenues.
So they’re looking for ways to capitalize on what other new certs can we get and where do they fit. So even ISC squared, which presents you with the CISSP, which requires at least five years of experience in the industry, they have kind of associate level entry into that provisional certification.
They also have what they call their own entry level certifications, SSCP security systems, I can’t remember something professional which only requires the one or two years experience, but it’s not as common as the Security+ exam.
The Security+ exam has continued to increase its, I think, validation. Its tests have continually gotten harder as it’s gone through revisions, and yet it’s still considered entry level one to two years experience. So it’s a great third party validator for the technical side to be relevant to get the job.
Steve Bowcut:
Right. So Bryan, sometimes I think I sense in the industry a little tension between academia and professional certifications. I think it would be interesting for our audience to get your view on that. As you kind of alluded to a bit ago, these professional certifications kind of indicate that a student has met the minimum technical standards.
And so now the hiring manager doesn’t have to worry about that, and he doesn’t have the technical expertise to ask those questions anyway, but academia sometimes frowns a little bit on these certifications because it doesn’t really represent that the student has the more well-rounded knowledge. So what would be your views on that?
Bryan Deehring:
So at Anne Arundel Community College, we invite, we have actually overlaid the curriculum with CompTIA Security+ exam with the CompTIA Net+ exam because of how valuable they are to show that third party validation that, oh yeah, they got the tech stuff out of the program. There you go.
Now there’s a whole part missing though. If you just go out and you grab the book or you do the bootcamp and this goes back, you’re going to keep hearing this from me, they haven’t gotten necessarily any challenge to their level of thinking to how they approach problem solving to, yes, there’s a certain grit associated with being able to pass one of these certification exams, but also there’s no soft skill associated with it.
So that’s where there’s like if we had a Venn diagram, that’s a little bit of the overlap. There are some institutions which may frown upon it, but I think that’s more if they’re just kind of a consumer driven higher education institution rather than looking at getting the best out of both because they are required these certifications for many of the jobs, especially within government contracting and federal agencies within our market, that it’s an absolute necessity.
So it makes sense for us and we don’t pile them on. We have what is relevant is in there. Now another thing to keep in mind is that, and again, this might be a little bit more geographically focused, even though we have agencies and contractors all over the country that are federal, and then there’s also contractors at state level. So nationwide with respect to, there’s some new federal guidance through OPM that’s saying, you know what?
We’re going to move away from requiring a degree for some of these IT job placements and go to a competency-based platform. So that actually leans more to the side of, Hey, if you can prove you got the skills, sometimes I just need the skills. In fact, even within the INT intelligence services, they historically, if there’s been an absolute need, they will hire someone that might give people a little bit of fear through the background process in the hiring process if there’s the specific skill needed for the task.
So again, there’s no clear cut answer there. Some people will absolutely want the two year degree and then the four year degree. Many organizations are going to require that if you want to get into management or leadership. But if we’re just focusing on entry level, then at least within say the federal space, it’s moving towards that competency based, at least from our purview. I don’t see it affecting us as far as retention or number of students or anything like that because we do provide the whole experience which the students are often desiring.
Steve Bowcut:
Right. Okay. Thank you. I was going to ask you a question about two year degrees and four year degrees. I feel like we’ve probably covered this adequately, but I’ll give you an opportunity here if there’s anything else that you think you’d like to contribute to the conversation about why some students, why you would steer some students to take certain courses at AACC, because they’re going to be able to go on to get a bachelor’s degree.
And then when I look at your website, I can see clearly that the whole program is designed at for most of the degrees, and I won’t speak to your cybersecurity degree, but they’re like different tracks. Here’s the track for the folks who are going to go on and get a bachelor’s degree, and here’s the track for the folks who really want to go to work right after they get their associate degree. So is there anything else that you want to add about that, or is it pretty self-explanatory?
Bryan Deehring:
One example comes to mind, it was when we had a cohort of students, it was called our cyber cert program, and they basically spent two years with us and then they spent their next two years at GW. And it was a relationship that we had with that four year institution. And some of the anecdotal data that came back was that these students who started as freshmen at GW are like, Hey, we want to work with these community college kids on the labs because they really know what they’re doing.
Steve Bowcut:
Oh, okay.
Bryan Deehring:
So that’s one of those wins where they’re like, yes, but it’s not like there’s necessarily a tipping point where the whole world knows that maybe they will after they listen to our conversation. But you’re right, we have AAS degrees which are applied science. It’s like going into a trade and specifically wanting that trade to go, then use that trade.
And that folds very well back into an interviewer saying, Hey, we’d really like it if you would do such, and well, are you looking for this specific skillset or do you need the whole thing? That’s where, again, from that cornerstone of just being honest about, I came here to be your keyboard jockey, if that’s the role you want, I am ready. We’ve been using the industry standard tools, we’ve been using the third party software. We’ve been hands-on for two years. I’m ready to go.
Steve Bowcut:
Right. As we come to the end of our time here, I would like to get maybe some forward looking perspectives here. So what are the biggest cybersecurity challenges that you are seeing with the connections you still have to industry and the perspective that you have there? So what are the biggest challenges that you see that you try and bring into the classroom?
Bryan Deehring:
Well, what everyone wants to talk about is AI.
Steve Bowcut:
That happens.
Bryan Deehring:
So I would like to take a different perspective on that. Any business generally, a successful business is about 30 years of work into an overnight success.
Steve Bowcut:
Yeah, exactly. Yeah.
Bryan Deehring:
AI is no different. It’s been around since the sixties. We’re now at that point on the graph where it says, look, it’s just an overnight success. And yet if you look at all of the VC money that has been put in worldwide, there’s been no competitive advantage or we’ll call it even evolutionary solution that has said AI can now solve this other than increasing productivity and speeding automation of tools.
I’m happy to debate this with my AI friends. They’re like, I was like, when you give me a first order tool that has second order impact, then you can tell me that the billions of dollars that have flooded the VC market and the research market to build some AI tool that changes the world, then I’ll be on your side. I’m not there yet.
So all the tools we use, they now say have AI in it, and I say that tongue in cheek, most of ’em have some form. They can say, oh, we do some machine learning. We do some AI. We use, we do tie in with this particular LLM. Okay, great. But even as far back as, oh god, WannaCry, so the WannaCry virus, there was an AI vendor, or I should say there was an antivirus vendor who was already using some AI, and it was great proof of concept because that thing propagated the world in 13 or 14 days.
Major economic impact. And yes, there was one software vendor that had a much less impact because their AI software was doing its job. So great. But that’s not a challenge from the standpoint of AI is going to get us as a defender. The challenge is the adversary is coming up with new tactics faster, but that’s not unlike any calendar year in the history of the world in cybersecurity.
We have very short memory spans. And if you look at the news from last week, and you look at the news from last year, last week, they’re saying the same thing. We have attacks that have increased from last year, so we build the wall higher. And I don’t mean this to say what are we doing? I mean this to say that they’re simply, the attacks are going to come a bit faster, so we need to learn how to pivot and build the wall a foot higher, a little bit quicker.
And while that’s abstract, that is a real challenge. And that might mean that, oh, maybe there’s a tool that will help us do something faster. And so I’m going to be a little contrarian here for a second. If we already have vulnerability management and we’re using software, a computer processors to already scan for vulnerabilities, tell me how AI is going to scan faster or do we just need a faster chip? I’m just speculating for conversation.
Steve Bowcut:
Sure.
Bryan Deehring:
My point being, there’s not like the, Hey, check out the app store, got the new AI tool solves all vulnerability management issues. It’s not there yet. So a little bit of a digress, but I’ll pull it back to things that are more the threats. So whether you love or hate Verizon, their annual report is great and comprehensive. They talk about the human element and they give a metric on that.
They said something like 68% of breaches last year involved human factors such as social engineering. That’s only going to increase because I see the improvements of whether it be secure software development, AI agents helping with quality control of tools still has, yes, that will improve, but it’s still humans that are creating all this stuff. So we’re still going to run into these vulnerabilities.
And what’s, I guess the sad but true still issue is that the exploitations are not sledgehammers breaking down doors. They’re not sophisticated, not too many sophisticated, advanced persistent threats. It’s exploitation of existing vulnerabilities because things haven’t been patched. I mean, I’m going to retire and be six feet in the ground and it’s still going to be vulnerability management.
Steve Bowcut:
And I don’t want to put words in your mouth, but if I condense down what you’ve just told me, it sounds to me, while everyone wants to talk about AI, you would say that a bigger cybersecurity challenge is still social engineering and the human
Bryan Deehring:
And the fundamentals.
Steve Bowcut:
The fundamentals and the fundamentals. Blocking and tackling of cybersecurity.
Bryan Deehring:
Yeah, security operations is very boring to some people. And it might, even when you’re good at it, you might be like, well, this is just the same old hat. Like, okay, we wake up and we come to the office and we got one red, two yellows and 25 greens. As far as things, we got to look on the priority list for possible events that could be breaches like, well, yeah, that’s the job it is to block and tackle.
We are defending the breach and we hope that we can continue to make the, I should say, the breach wide so that the adversary can’t get in. But automation is kind of the second order of the ai. So it does have to do with speed, I think speed to thwart the attack, which is already horrendous. It’s like 270 days on average and it’s not going away. So part of that could be inspirational. It’s like awesome. There’s always a fight every day.
Steve Bowcut:
Okay, so we’re out of time, but I want to end with kind of a broad forward looking question here. So what advice, if you were sitting down now with this student who’s either thinking about getting to cybersecurity, or maybe he’s just started, maybe he or she has just started in that direction. So what advice would you like to give to them?
Right, and I’m thinking not in terms of we’ll take this class and take that class or learn this skill and that skill. I’m thinking more in terms of habits. If you want to be successful, this is what you need to learn how to do. Is it communication or is it just make your bed every day, right? Be that kind of person. What kind of advice would you give this person?
Bryan Deehring:
So it is an industry where you do need to keep reading, you do need to stay current. There’s a tension in that too. You can get caught up in the White Knight Syndrome where your whole day is hunting and watching threat feeds and not actually get any work done.
80%, 90%, 95% of the time, everything on that threat feed is not relevant to maybe your schooling or maybe the organization you’re protecting or whatever it can be, I wouldn’t say a time waster, but it’s kind of that temptation. I want to go be white knight, I need to go focus on what the new threat is when maybe that’s not where the focus needs to be.
But as far as students, more specifically getting experience that is more maybe even tactically, hands-on, going to competitions, capture the flags. I mean, innumerable number some, which are even specifically for non-experienced people within the industry, one that we do through CAE, the cyber games, is a capture the flag, but the requirement is you have no experience.
And so CAE provides the gymnasium and the sandboxes to learn all of the basics, and you get, I wouldn’t call it a guided capture the flag, but there are people that are overseeing the competition to kind of help you when you’re stuck. So it’s a great kind of first time experience to then jump off and do things like CyberPatriot or some other capture the flag that’s out there.
Aside from that continuing to network, I know there’s, within our area of the country, some people are hesitant to get on social media because they’ve been through security awareness training, knowing that they shouldn’t necessarily be on social media if they want to get into an intelligence or three letter agency or work for the government.
However, LinkedIn can be a good in-between because it is a professional network. You don’t have to share your life on it, but it is an opportunity to significantly grow your network and find opportunities that you might not find elsewhere.
Steve Bowcut:
Yeah, I like that. I like that advice because young people are going to be on social media, but they do need to remember that they’re leaving bread crumbs that they’re going to have to live with the rest of their life, and they just need to take that seriously because there’s great networking opportunities depending on the platform that you’re on, and you can break into some of these professional communities that way.
So that’s excellent advice. So thank you very much, and we are out of time, but Bryan, thank you so much for sharing part of your day with our audience. We sincerely appreciate it.
Bryan Deehring:
Absolutely, Steve. I enjoyed it.
Steve Bowcut:
Alright, and big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.