Chris Carroll is a teaching professor and program director at Drexel University, where he prepares students for careers in cybersecurity and IT. Drawing on nearly 30 years of industry experience, he brings practical insight into networking, cloud computing, ethical hacking, and secure systems design.
Summary of the episode
Professor Chris Carroll explains how Drexel’s cybersecurity program combines technical IT training with cybersecurity education so students can build practical skills and real career options. He emphasizes that many graduates begin in roles like networking, server administration, or support before moving into cybersecurity, and that Drexel’s co-op model helps students gain that experience early.
He also argues that strong fundamentals matter more than chasing every new technology trend. His advice to students is to build good academic habits, explore different areas of IT and security, and pursue certifications strategically once they know their direction and can align them with employer needs.
Listen to the episode
Read a full transcript of the episode
Steve Bowcut:
Hello and welcome to the Cybersecurity Guide Podcast, the show where we help students and early career professionals make smart decisions about cybersecurity education and career paths. I’m your host, Stephen Bowcut.
Today, my guest is Professor Chris Carroll, a teaching professor and the program director for Drexel University’s Bachelor of Science in Computing and Security Technology, often referred to as the BS CST. The BSCST is Drexel’s undergraduate degree program designed to blend cybersecurity with strong IT and computing foundations. Chris brings a deep industry background to the classroom.
Before joining Drexel full-time, he spent 28 years in industry holding infrastructure leadership roles, supporting large enterprise environments at organizations, including AstraZeneca, Quest Diagnostics, Pfizer, and Chubb. His work included leading teams responsible for servers, storage, LANs, and WANs, and secure network configurations, especially for internet-facing applications and business partner connections.
His research interests include cloud computing, server virtualization, cybersecurity curriculum, ethical hacking, cryptography, and designing secure networks. Academically, he earned his MS in computer science from Drexel University and an MA in mathematics with a minor in computer science from St. Michael’s College. With that, welcome, Professor Carroll. Thank you for joining me today.
Chris Carroll:
It’s nice to be here.
Steve Bowcut:
All right, this is going to be interesting. We like to start with a little background information on this show for our guests. So please tell us a little bit about your origin story, what drew you towards technology and security and the steps along that path for you.
Chris Carroll:
So I always like to tell undergraduates or students that are going to go into college choose a degree. Is the way I chose my degree in mathematics many years ago, someone asked me, “What classes do you like a lot?” And I said, “I like a lot of math classes.” So I said, “Could I major in mathematics?” So I first just started, I started majoring in mathematics.
I went to St. Michael’s College because it’s in Vermont and I’m a skier. I like to ski. There you go. Once I started taking these math classes, they also had a computer science class and I took a computer science class in programming, and then I just kept taking more and more computer science classes.
And then I wound up with actually just six credits shy of getting a computer science degree as well as a mathematics degree from St. Mike’s. And then it made it easier. Kind of at college, I drew to computer science, so then that’s when I decided to get a master’s degree in computer science at Drexel.
Steve Bowcut:
Okay. All right. And then the other part that I find very interesting that I can hope I can get you to elaborate on a little bit. So you spent many years in industry working, actually doing the job that you now teach people about how to do it.
How did that work for you? And I’m thinking of our audience, people in our audience that may be working in cybersecurity right now, but they’re thinking, well, maybe I would like to teach at some point in my career. So what was that like and what kind of real world lessons do you bring from your industry experience into academia?
Chris Carroll:
Yeah, so a couple things I had in mind by getting a master’s degree, I always did think it’d be good to have. So I think people, if they get a specialized degree, a postgraduate degree, it’s a good idea.
And I kind of knew when you’re in IT, as you get older, you kind of think they look at younger people because when I was younger in IT, they may be the people that come up with the better ideas as time goes on, which is not always true, but there’s a little bit of that. But another part of it was I started out as a network engineer. I was also a server engineer. Then I became a manager of a network engineering team and keep moving up.
Eventually, my last position was the vice president. And what I missed was the days where we were talking more about the technology and how to configure things because when you move up in the organization, you’re dealing more with HR issues and finance.
A lot has to do with budget. And budget is kind of cool to do, but I still missed a lot of the technology. So I became an adjunct at Penn State through my career thinking like, well, it’d be a good thing to be an adjunct. And then eventually Drexel had an adjunct position open and I was working for Chubb at the time that is right downtown in Philadelphia where my office was.
So it was three train rides away to go to Drexel. So I became an adjunct at Drexel and then a position opened up at Drexel full-time position and the dean told me about it and I said, maybe it’s time to do this. And I did, and I’m very happy
Steve Bowcut:
That I did it. Excellent. Thank you for that. I think that’s going to help a lot of people. A lot of our audience who are thinking about that, that it’s good to have them, particularly if you can, if you’re in a position where you can get a graduate degree that will help you move in that direction at some point in your career.
So this BSCST, talk to us about that. And I guess I’m particularly interested in the balance between cybersecurity and broader IT foundations. It sounds like it’s maybe different than what people are used to.
Chris Carroll:
Yeah, and there’s a couple reasons for that. So at Drexel University, we also have a co-op program. So many students actually, undergrads spent five years with us. And what they do is do three co-ops, which are like internships as part of their program.
So what we try to do is give some skills to students so that the co-op partners that we have, with very strong co-op program, know that they have certain skills. So for instance, sometimes we meet with some of these partners and they told us a while ago like, “Hey, have them take Linux earlier in the program.” So they actually also influence a little bit how we do this.
So we’re trying to give students some technical skills for IT roles as well as cybersecurity skills for a cybersecurity role. And as it turns out, most people don’t realize is it’s hard to get an entry level position in cybersecurity.
Most companies want you to have two to five years experience in their business. So you kind of understand what that business needs to protect. If it’s a pharmaceutical company, they’re really, really focused on protecting their intellectual property about the next compound in the pipeline that might be a blockbuster drug.
If you work for a Quest Diagnostics as a lab testing company, it’s all the HIPAA test data when you give your blood to them and they give you a report back, that HIPAA data, the patient privacy data, that’s really what you need to protect.
So what we try to do is position students. So they might be able to get a network engineering job or a server engineering job or some kind of a support job first, and then they can move into cybersecurity, or they could choose to stay in an IT role.
Steve Bowcut:
Oh, that’s interesting. Okay. So the partners in this co-op program, they know that these students are interested in cybersecurity, but they also know at the same time that you may need to cut your teeth in some other area before you move into it. And they are in fact helping you design the curriculum. They’re giving you some feedback, some input on what that curriculum should look like.
Chris Carroll:
Correct.
Steve Bowcut:
Alright, very good. Thank you. So this is kind of a fun one. So it’s kind of the who’s it for? What kinds of students tend to thrive in this program? And I know it’s really hard to put labels and categorize people like that, but is it people with really strong math skills or computer science skills or maybe it doesn’t have to be as technical?
Chris Carroll:
Yeah. So what’s interesting about that is Drexel is very known for its computer science program and is a very computational computer science program, which means there’s a lot of math in there.
And that was the reason why I was attractive to Drexel when I got my master’s degree, to be quite honest. So we do get a lot of students that started computer science and realize they’re going to be writing a lot of software and they come over after their first year, sometimes in CST program.
And then there’s other students that come into the CST program because they’re usually curious just how does my Wi-Fi laptop send it to the Wi-Fi printer? Understanding how do these things work. And I think some of the early courses, like the introduction to networking course goes over a lot of the protocols that are out in the IEEE and have been written.
Steve Bowcut:
They were written 10, 12 years, 15 years ago, most of them, and we use them every single day. So I think most of our students have this curiosity on just how does technology work? And then as they learn the building blocks and the pieces on how it works, they engage and they really like the program.
Interesting. So to make sure that I understand, so it is a pretty technical program. Some programs focus maybe a little bit more on the behavioral science part of cybersecurity. And I’m a big advocate of saying there’s room in cybersecurity for everybody. Maybe psychology is your thing. Guess what? We need you in cybersecurity.
So that being true, not every program caters to full broad spectrum. So would it be fair to say that your program there is a little more on the technical side? You need to want to learn how to code and understand math and like math. Yeah,
Chris Carroll:
It’s on the technical side, but actually what’s important to point out is the computer science program requires you to take calculus and the BSCST program requires to take math analysis. So the math concentration is not as present in the CST program.
It’s much more about understanding the way technologies connect to each other. So I would lean towards when you use the word technical. So it’s much more technical to understand how these things go.
Now we do have courses on security policy and the other softer side of cybersecurity, but I would say there’s much more emphasis in the BSCST program on the technical piece, so we are definitely more technical.
Steve Bowcut:
Perfect. All right. So let’s talk about how the curriculum might flow, all the bits and pieces and how do you put them, and I know we can’t go through the whole thing, but maybe at a high level, you could give us an overview of like from year one to senior year, what can a student expect?
Chris Carroll:
Yeah. So if you’re an undergrad coming straight into Drexel, and also we do have a lot of transfer students that can also come in and go to a two-year, go to a community college or something like that.
But normally, yeah, their first two years they’re spending, they take two courses in network administration, they take two courses that covers Linux, they take a course that covers Windows.
And the Windows is important because every time we authenticate, we use Active Directory. So they build an active directory server and understand how Active Directory works for authentication and directory services.
And then they also do take an IT security one, IT security two, like an information security class intro and then an advanced information security class. All in their first two years, we try to get that in. And then the electives are on top of that, that might specialize in things like wireless technology or things that might relate to cloud and more on virtualization.
But another thing to point out about the students that take the five-year program, now well over 85% of our students take the five-year program is you actually come here and you take courses your freshman year. And then in your sophomore year, if you’re on the fall co-op, you go into industry after just taking one year of college courses for 20 weeks and you do a co-op.
Then you come back and take courses again, and then you go onto a second co-op for 20, 22 weeks. And the reason why I say 22 weeks is what happens is there’s weeks between the terms and the employers, the co-op will say, “We’ll hire for another week.” So sometimes when you’re getting students back in the classroom, they literally just stopped working on Friday and they’re there for their Monday class. And the five-year program, they do that three times.
So then when they graduate, most of our students have really good LinkedIn profiles. We encourage them to build a LinkedIn profile early on because often they have three entries of where they’ve worked in industry already and they have contacts from those experiences. Wow,
Steve Bowcut:
That is actually amazing. And I think it’s pretty unique. Certainly you’re not the only one doing that, but you don’t hear about that as often as maybe I would like to see it happen. Yeah, we do have- Actually getting some work.
Chris Carroll:
And we do have a four-year one co-op, but most students come to Drexel for the co-op.
Steve Bowcut:
Okay. And I next wanted to ask you about technical depth areas and how the students get hand-on exposure, and maybe you’ve just answered that question.
So they’re working these co-op programs, so they’re actually getting some hands-on experience as they’re learning, but are there any other things along those lines that you’re doing to make sure that they’ve actually touched some stuff and had some hands-on experience?
Chris Carroll:
Yeah, we spent a lot of time on that. I spent a lot of time on that. So we have what’s called VCL, which is virtual computer lab that students use to get images to do lab exercises. And then we also have something we call vCenter, and that allows a student to really have much more control over building a server or something like that.
So for instance, in our courses, they actually will install an operating system from bare metal, if you will, from the ground up. And we have a facility virtually where they can do that. And that includes online students that are taking our courses online, they’re getting these same lab exercises as the face-to-face students because everything has been built in these virtual environments.
We do use sometimes some outside cloud providers for a few of our lab exercises. So in the ethical hacking class, we do use some of these labs that are provided that use a lot more of a better sandbox environment to put a student in to use Cali Linux to attack a whole bunch of things.
So we have a blended combination of that. Recently, we’ve been actually partnering with AWS a little bit more. So AWS is doing a pretty good job, in my opinion. We can cherry-pick some of the AWS lab exercises that they use in their industry certifications and then just put them into our curriculum.
So in other words, in our course shell that a student, every one of our courses has an online course shell, you’re reading about this in the chapter in the textbook, but then we can go over to an AWS lab exercise that is close to it. So a lot of times we try to think that we’re teaching really good IT and cybersecurity concepts and providing students with practical hands-on exercises that gives them skills. Yeah,
Steve Bowcut:
Interesting. And I love what you said there. So that kind of ties into where I wanted to go next. So cloud and modern infrastructure, things are changing so quickly in the industry.
I hear back from students and people in academia from time to time that curriculum can get a little bit stale because things are happening so quickly. So maybe you could talk to us a little bit more about that. How are you teaching students to secure modern infrastructure when it changes so quickly?
Chris Carroll:
Yeah, and that’s actually a very difficult question for professors these days to be able to keep up. And I guess the way I look at it, and with cloud, it’s actually even changed a little bit more. I sometimes think you need to understand more fundamentals because you understand fundamentals. Those things don’t change.
Really what’s happened with all these technologies, they layer on top of each other. So you have the physical server, but then that we don’t really connect to physical servers as much anymore because we have a hypervisor that creates virtualization, so we can create virtual servers.
Then the cloud is on top of that so that you can build things and create your own virtual private cloud using the virtualization. So sometimes what I think now with cloud, there’s different fundamental items that I have to reinforce because when you go to a cloud provider and you pull down a menu choice, it shows you many things.
And when you click on those, you have to understand, well, which one do I want in my situation? And then what that kind of boils back to is, well, do I fundamentally understand the way that works? So a good example would be DNS. That’s the thing we use when we resolve a website to an IP address so we can connect there.
So with a cloud provider, you can use their DNS server to do that. You could build your own DNS server, but when you get choices about DNS, the first thing is best to understand is like, well, how does DNS work? Because then that would make it easier for you to say, “Oh, based on the way DNS works, I’m going to choose the cloud provider’s DNS service.” Or, “No, I don’t want to do that. “
So I tend to gravitate towards teaching students a little bit more fundamentals, but what’s real challenging is you feel like there’s too many things that a student needs to know.
So it’s up to the professors. And I run a curriculum committee, so we have other professors to think about what are the best things for students to learn, and then we try to focus on that.
Steve Bowcut:
Perfect. Yeah, I love that. I love that idea. There’s lots of good things you could teach them, but you really need to figure out what’s going to be best for what they’re going to be doing. And of course that kind of begs the question, what are they going to be doing?
And it’d be interesting if we talk about career alignment, the BSCTS graduates, can you identify the job roles that they’re filling when they graduate and go out into industry? And does that somehow align with these co-op partners or the work that they’re doing at the co-op partners, or maybe not so much that’s just part of the educational piece?
Chris Carroll:
No, a very high percentage of students wind up taking a position with one of the co-op providers. Really? Okay. And so most of the co-providers are doing what we phrase at Drexel, try and buy. They’re bringing students in, and then some of them will bring them in for a second co-op.
So they know that in a year they’ll be on a call-up again. If they like that student and they think they’re very capable, they’ll bring them in again. And yeah, some of the firm, I mean, we have call-ups with Johnson & Johnson and Lockheed Martin and PWC. And then we have some smaller consulting firms like Security Risk Advisors does a lot of consulting, Protiviti and Cybersecurity and even 7x.
And I think that’s some of the more of the consulting ones. But a couple of places I’d just like to point out is a lot of the smaller consulting firms are definitely looking for students that can do pen testing because I guess there’s a shortage of people that stick with pen testing because that’s very technical.
So students are very aware, like with the ethical hacking class, I do teach the ethical hacking class that that’s an avenue, but then a lot of students realize, wow, this is really technical, this is not what I want to do. And then we also do have a lot of companies looking for server engineers and network engineers to help build infrastructure and things like that.
So it is kind of like a blend of what they’re looking for. And one thing I do like about how we approach the program, sometimes we do talk about, because of the co-op is so important at Drexel, like in a server class, we’ll talk about like, “Here’s what a server engineer does.” A network class will talk about what a network engineer does.
And sometimes I have students, especially in my networking class, sometimes I want more students to become network engineers because I think it’s a good place to be.
I’m like, even if you have no interest in being a network engineer, you kind of know what network engineers do because when you’re in IT and something slow and you might accuse the network, well, if you speak a little bit of a network engineer’s language, you’ll be able to get a response from them.
And also it’s a good way to understand as you go through these different kind of technology areas, which one you gravitate to and which one you don’t like. So when you have some coursework in the various different areas, what we hope is a student can kind of understand, this is what I want to do.
This is what I think is most interesting. And then if they can align up a co-op that aligns with that, then they have a good chance of really knowing what it’s like to be working day-to-day in that field or that job role.
Steve Bowcut:
Yeah. And as she pointed out, they may change their mind. They may not be exactly what they thought it was, which I find interesting. Another thing I find interesting is, so oftentimes what I hear from professors and others in the industry is that students will oftentimes come into a program thinking they want to be ethical hackers.
That seems like kind of the sexy thing that people want to do, and yet there aren’t that many opportunities for them to actually start their career there. There’s usually something you kind of have to spend a few years paying your dues before you get to that point.
But it sounds like from what you’re telling me that can happen, at least at Drexel, that you could, if your co-op programs work out that way and that’s what you’re really attracted to, that you could start as an ethical hacker. Is that true?
Chris Carroll:
Yes, because there’s a few consulting firms that are on our co-op list that I think what’s happening is more businesses want a formal ethical hacking exercise performed to get a report back, a penetration test, and there’s a pretty good demand for that.
So they’ve found a way to identify some of these students that are very interested in that, and then they try to cherry-pick those students basically. But not all our students become penetration deserts. There’s a lot of students that have much better skills around security policy, security awareness, like even training and things like that.
It’s just what we try to do at Drexel is provide enough knowledge about the different areas so that a student, by the time they get out, they gravitate to one that they really enjoy.
Steve Bowcut:
Perfect. Okay. All right, so we are about out of time. We do like to try and end with maybe some advice to our audience from someone in your position that I think would be helpful to them.
So if a student is considering Drexel for cybersecurity, what would you tell them to do to set themselves up for success and in three different areas if you can do that for us academically, professionally, and even personally, the kinds of things, habits and things that they should be doing.
Chris Carroll:
Yeah, I’ve been asked this question before, and usually students are disappointed because if they want me to point them to YouTube videos to learn something, then what I typically tell them is be a good student. So if you come to Drexel, some students are like, “Maybe I should learn Linux before we come here.”
It’s like, now you can take the introduction course that goes over Linux and you’ll learn it and earn your three credits, and then you’ll go on to an advanced Linux class and learn that. Same thing for networking, same thing for security, same thing for servers, but be a good student.
In other words, if you’re a good student, when you come to us and you take our classes, you’re going to learn a lot more because you’re going to have good habits. So typically that’s what I tell students is it’s not about trying to get a hunch by going out to YouTube and watch some kind of HackFive video or something to learn about these items.
For people that are working in industry that might want to try to already have some credits and why don’t transfer them to our program because it’s online available for people in industry.
Yeah, I think what you need to do is look at the opportunities, do some research on the opportunities that are in cybersecurity. There are a lot of open job positions in cybersecurity, and really what the challenges with that is people are looking for people with certain skills.
So examine that and determine if you want to make a career change and go into that, just make sure that you look at some of the job titles, look at some of the companies that provide those job titles that might have openings and see if it’s a fit for you. And then decide you’re going to take on this journey to complete your degree in the BSCSD program online and then try to get a job in that field.
Steve Bowcut:
Yeah. Interesting, as you just said, something that kind of made me think. And so oftentimes I think particularly on job boards, students are going to see professional certifications are required for many jobs.
So how do you address that with the students? Do you encourage them to seek those on their own? Do you help prep them for that or tell them which ones they should or shouldn’t be looking at? Do you address that at all?
Chris Carroll:
Yeah, so I get that question a lot from my students, to be quite honest. And here’s my advice. So interesting certifications are much more narrow than a course that covers concepts in a program like the BSCST program.
So the best way to get it, so by narrow, I mean in a server certification or even like the Certi+ certification, they’re going to ask a little bit more specific questions. And what’s best to do is when with your an employer is get the employer to pay for the industry certification.
And it’s also best if you are in a role that’s related to that industry certification, because you’ll probably know a lot of the narrow questions they ask because of your role day-to-day, and then you only have to study the offset. So that’s what I recommend. And when I was in industry, we had a lot of industry certifications.
What I used to do how I used those was engineers, I was trying to find out the engineers that were going to stick with me. In other words, which ones really like where they are? And when you work for a large company, most people know, but the other positions open up.
So you could have a server engineer suddenly says, “I’m going to become a database administrator. I see something’s moving over there.” So I used to use them when I was in industry to say, “Hey, I’ll pay for an industry certification. You like to get it. “
And then the people that did that I knew were very interested in staying in that lane, if you will, whether it was a network industry certification, a server industry certification or some kind of security, then I know that they probably want to stick around for a while in that because they’re interested in it and they’re not looking around to maybe go into another role.
Steve Bowcut:
Okay, interesting. So maybe if I condense that advice down, you’re saying that maybe you want to wait until you’ve found an employer that you want to work for and know what certifications are attractive because otherwise you could end up playing kind of a whack-a-mole with certifications.
You get this certification, “Oh no, that was a Cisco. We don’t use it. We’re not a Cisco shop.” So you could play some whackable with certifications if you did already have something that you knew you wanted to do and probably where you want to do it.
Chris Carroll:
Yes. And that’s a great question to ask on an interview.
Steve Bowcut:
Yeah, exactly.
Chris Carroll:
I would take a job with your company, would you invest, you invest in your employees by paying for industry certifications, and if it’s a good firm, the manager will take that as a good sign that the person wants to advance their education and get an industry certification.
So then you can almost set it up. So when you get there after a year or two, you say, “Oh, by the way, I want to get this industry certification.” Because yeah, now I’ve settled on, this is the one I want because I agree with you. I think there’s far too many industry certifications out there now.
It’s overwhelming how many different ones there are, so it’s hard to piecemeal exactly which collection is going to advance your career. So I think it’s best to get to a company and have them invest in you.
Steve Bowcut:
All right, perfect. Thank you so much. Professor Carroll, this has been a really helpful overview of Directional’s approach to cybersecurity education and what students can do to turn a degree into a real career momentum. And thank you so much for joining me today.
Chris Carroll:
Thanks for having me. I appreciate it.
Steve Bowcut:
And to our listeners, if you’re exploring cybersecurity degrees and trying to figure out which path fits your goals, we’ll have more resources linked in the show notes. If you found this episode useful, please follow or subscribe wherever you listen and consider sharing it with someone who’s exploring a cybersecurity career. Thank you for listening, and we’ll see you next time on the Cybersecurity Guide podcast.