Dr. Diane Murphy is a professor and the director of Marymount University’s School of Technology and Innovation.
Summary of the episode
Dr. Diane Murphy of Marymount University explains why the field now offers multiple entry points for students, career changers, and professionals who want to protect systems, data, and people in an increasingly digital world.
Drawing on decades of experience across industry, government, entrepreneurship, and higher education, Dr. Murphy shares why modern cybersecurity education must go beyond theory. Her perspective makes a strong case for experiential learning, workforce readiness, and future-focused skills that prepare students not just for today’s jobs, but for the challenges still coming next.
Listen to the episode
Read a full transcript of the episode
Steve Bowcut:
Hello, and welcome to the Cybersecurity Guide Podcast, the show where we help students and early career professionals make smarter decisions about education and careers in cybersecurity.
Today’s guest is Dr. Diane Murphy, a professor and director in Marymount University’s School of Technology and Innovation. Dr. Murphy is an accomplished educator and program builder, and her work has been recognized at both the state and university levels.
She was one of the Commonwealth of Virginia’s Outstanding Faculty Award recipients in 2020, and she received the Marymount University’s HALA Award for distinguished faculty in 2021. She has a Bachelor of Science in Chemistry, a Master of Science in Library and Information Studies, and a PhD in information science.
Early in her career, she worked in the European pharmaceutical industry and became a leader in chemical informatics, applying technology to predict biological effects of chemicals. After coming to the United States in 1980, she worked on advanced projects, including early artificial intelligence systems for the Environmental Protection Agency.
She also spent time as a serial entrepreneur founding two technology companies and a nonprofit to support young entrepreneurs. Since joining Marymount University in 2002, Dr. Murphy has been instrumental in developing new technology programs, including pioneering Marymount’s Doctor of Science in Cybersecurity and helping shape other innovative offerings.
Her teaching spans cybersecurity, software engineering, digital transformation, technology management, business analytics, and workforce readiness. Her research interests include the technology workforce, detecting and preventing disinformation, trustworthy AI, and technology that supports aging in place. With that, welcome to the show, Dr. Murphy. Thank you for being here today.
Diane Murphy:
Well, thank you for the introduction.
Steve Bowcut:
Okay. Well, we appreciate your time. I know the audience is going to get a lot out of this, and I’m looking forward to it. So as we like to do on this show, let’s start with a little bit more about you, if you will.
So your pathway is unusual in the best way, chemistry to information science, to cybersecurity. So what are some of the pivot points in your academic and professional journey or lessons that you’ve learned that you can share with …
And I’m thinking in particular about students who might be thinking that they’re not really sure that they fit the cybersecurity industry. And I think someone with your kind of experience and background may be able to shed a little light on that.
Diane Murphy:
Well, it’s interesting because obviously when I went through college, cybersecurity was not a discipline. Not a thing. And so over the years, we’ve seen it progress from maybe a segment of computer science to pretty much now its own discipline. And it’s not just technical anymore.
We also have a lot of behavioral aspects, a lot of threat intelligence aspects. So the field is changing every year. And so today, when I think about my journey into cybersecurity, obviously I did a PhD in information science, which was a precursor of computer science.
But over the years, I’ve been aware of all the changes in just the technology industry in general. If we think back right now, we’re obviously in the AI generation. But before that, we remember the internet search workforce, and then before that we had the work processing workforce. So there’s been a lot of developments in technology.
If you’re not really sure if cybersecurity is for you, I think your best bet is to start thinking about, let me get into technology. You cannot do cybersecurity and protect our networks and our data if you don’t understand the technology behind that.
So again, it’s not necessarily one pathway right into cybersecurity. You may want to try your hands, community college, something like that, looking at whether you like networking, whether you like problem solving, whether you like all the different aspects of cybersecurity.
So from my experience, you learn, you watch, you read, you find out what’s going on, and you do your research. So again, lots of different pathways, lots of different ways. You don’t have to do it straightaway.You can start looking at what you’re protecting, how you’re protecting long before you actually do a cybersecurity program.
Steve Bowcut:
Excellent. Thank you for that. And if I could add to that a little bit, I worry sometimes, I don’t know that this is true, but I worry sometimes that students might hear us use terms like embracing technology or understanding technology and think in their minds, oh, that means I have to like to code or that kind of thing. And I like to point out, and I would be interested in your input on this.
So because say for example, social engineering is such a big part of cybersecurity, there’s plenty of room in our industry for people who they understand technology, they know what it is they’re protecting and why they’re protecting it and some of the threats against it, but maybe they’re more interested in the psychological side of it for that, why do we give away our password?
Why do we click on that link when we’ve been told a million times, don’t click on the link and we do it anyway. Would you agree with that idea?
Diane Murphy:
Absolutely. And there’s all sorts of jobs now that aren’t as technical. When cybersecurity, I first started in cybersecurity in about 2014, most of the emphasis was on network security. Today, it’s very different. You brought up behavioral. There’s also a lot of governance and risk management, compliance.
All of these aspects you have to know a little bit technically, but you’re not actually coding, you’re not actually doing that. However, we are seeing now, if you want to be a cybersecurity professional, you do have to know how to code, not so much because you’re going to be writing a program, but because everywhere in cybersecurity now they’re trying to automate everything.
So you’ve got to know how to write a script. You’ve got to know how to process different transactions. So it is a little technical if you want to get into true network security or cybersecurity analysts or cybersecurity technologists. So again, lots of space for everybody.
Steve Bowcut:
Perfect. Thank you. I appreciate that. But you’re right. It is a technology field, so we don’t want to lose track of that idea either. So your history, your professional history, you’ve worked in industry, in government, entrepreneurship, and now academia. How have those experience shaped what you believe cybersecurity education should deliver?
Diane Murphy:
Well, as I said, it’s changing. There is no doubt today cybersecurity education is not just theory, it’s not just computer science. We have to spend a lot of time on the experiential learning part of cybersecurity. And there’s lots of mechanisms for doing that inside a program and outside a program.
Probably the most vital of them all is participating in Capture the Flag and other competitions where you actually are demonstrating that you can problem solve in cybersecurity, that you have some understanding of the tools and techniques that you need to use.
And so I really think that if you start thinking about cybersecurity education today, and I encourage people, it’s not all theory. I know there’s lots of acronyms in cybersecurity. For sure. But really and truly, it can be fun. And I’m telling you that we have so many different competitions out there, social engineering competitions, capture of the flag competition. All of these are great opportunities, not just for you to work by yourself, but you to work in a team.
And again, cybersecurity today is a team project, not an individual project. A lot of people are looking, oh, I want to be a penetration tester. And again, that is no longer an individual pursuit. Now it’s a teamwork. So teamwork is very important. So again, it’s important to understand that most cybersecurity programs are going to give you some experiential learning or some research or some way of demonstrating that you can do the work.
Steve Bowcut:
Perfect. Thank you. I appreciate it. That is so critical. And in fact, I think I’m going to ask you a little bit more about that in a little while, but before we get there, I think maybe the most important question that I have prepared for you relates to, if you’re a student, and most of our audience is going to be students or early career professionals or people that are thinking about getting into cybersecurity.
So I think probably the most important thing that we can do for them is help them understand that what are the cybersecurity-related programs and options at both the undergraduate and the graduate levels that would be available to them at Marymount? And maybe even in addition to that, do they need to live, you’re in Virginia, for example, they need to live in Virginia or are there programs that are remote and they could live other places? How does all of that work?
Diane Murphy:
Obviously the world changed with COVID. Yes. Before that, most of our activities were on campus, but obviously today remote learning is a big part of all programs. So I’m going to start out at Marymount starting at the undergraduate level.
And again, we do have a Bachelor of Science in Cybersecurity for those who know that they want cybersecurity. However, we also have an option where you can do a BS in information technology with a specialty in cybersecurity. So these are for the people who aren’t sure.
You don’t know that you want to do cybersecurity, you don’t know if there are going to be cybersecurity jobs by the time you graduate or whatever. So we’ve been very successful at it. In fact, that is where we started back in 2014, developing a BS in information technology with options that include cybersecurity, include data science, include network security.
So you can think about moving into it slowly at the undergraduate level. We have a similar approach at the master’s level. At the master’s level, we are now, again, looking at two sets of the population. One is the career changer. There are a lot of people out there who have degrees. They might have a degree in psychology, for example, and they want to get into cybersecurity. So again, we have a similar approach.
We have a master’s in information technology with a specialty in cybersecurity where we can say, okay, use your knowledge base that you’ve developed either through educational working and come in and apply that to cybersecurity. And it’s really important to make sure that we have a cross-section of the population, particularly as you said, when you get into social engineering, when you get into threat intelligence.
And there are many, many fields where some of the social sciences can be really valuable to detecting cybersecurity incidents. So again, I’m not quite sure, but I want to get into the tech field. We also have a master’s in cybersecurity, more designed around people who are IT literate and who want to come in and take that technology fundamentals that they have and apply it to cybersecurity.
And that cybersecurity program, we also have a couple of specialties. You can do a specialty in data science. Again, data is a huge part of cybersecurity today, not just protecting the data, but using the data logs or whatever you have to find and stop incidents.
So again, the other one that we specialize in is digital health since healthcare is one of the areas where there are the most incidents today. Ransomware has been huge in hospitals. So again, you’re combining somebody who is a nursing background. We have quite a few nursing background people coming in and saying, “I want to protect my patient data.” So that’s another area.
And the third area is probably our doctorate in cybersecurity that you mentioned before. Here, we are looking at professionals working in the field who want to take their knowledge to the next level. It’s a research-based doctorate in cybersecurity, and we have such a vast collection of students in there that it’s really learning from each other.
I know I have learned so much now from my students. It’s truly amazing, but that is a program where partly we’re trying to get working professionals to become teachers. There’s a real shortage of teachers, qualified teachers with both the experience and the credentials to teach at the community college level or the four-year school level. So we’ve been very successful there.
I think since we started in 2018, we’ve now graduated about 160 doctoral students, some of whom are academics and some who are going to be academics once they retire from the government or the military. So those are the range of options that we have, and they all work together. So again, research is a big part of cybersecurity today.
New things are coming out all the time. So now we’re looking at cyberphysical systems. How do we protect our electricity grid? Hugely important today. So cybersecurity is not just about information, it’s also now about our physical security and our way of life.
So again, a lot of research going on in AI and AI’s applicability to cybersecurity, a lot of research going in to quantum computing that’s on the horizon, not here yet. So being aware of all these changes in the cybersecurity field and doing research with senior people is really one of the benefits we have.
So the other aspect I think it’s important about Marymount is our location. We are in the DC area, so a lot of our faculty, some of them are full-time, but we do have a lot of part-time faculty that join us from government agencies, from the military. So we’re able to give people a really good look into what working in cybersecurity means.
And I think that’s really important. Yes, we do have remote classes. In fact, our doctoral students are all over the country, and actually we have Chevron overseas. I have a student in Japan. Oh, nice. And we have a couple in the Middle East. So again, they’re doing it all remotely, and we’re working with them in different countries and different cultures. It’s really fascinating to see how cybersecurity is a global problem today. And you can get a job anywhere.
Steve Bowcut:
That is fascinating. Before we get off the topic of the Doctor of Science in Cybersecurity, I want to just delve into that just a little bit. So you said it’s essentially a research degree, but it’s also geared toward teaching. So let’s say that I’m working in cybersecurity, maybe I have a bachelor or a master’s degree already.
This degree then would be applicable to me in either of those areas. If I just wanted to be in research and I wanted to get a doctorate degree and work as a researcher, maybe AI and cybersecurity, that kind of thing that’s cutting edge, this would be an applicable degree. Or if I wanted to teach at a college level, then this also would be the degree I would want to search that I would want to pursue. Does that make sense?
Diane Murphy:
Yes. And again, the research is there are a lot of hard problems in cybersecurity. And if you’re a working professional, you are so busy fighting fires, you do not have the time to get into anything in real depth.
So it gives people in the field an opportunity to look at something in depth, understand the significance of what other people have done in the field, what contribution they could make, and to do a dissertation in their chosen area. So again, it’s an interesting way of expanding their knowledge and also giving them some credentials if they want to go into academia.
Steve Bowcut:
Perfect. Okay. So someone in your position probably gets questions from students quite often, I would assume, along the lines of, what will I actually learn and be able to do? And that could apply to any of the programs that we’ve talked about so far.
So I think it would be interesting to hear you explain how you answer that question. So the core skills that they’re going to learn at Marymount, we’ve talked a lot about these are technical skills that they’re going to be learning, but there are some other behavioral skills that they may be learning.
So how do you explain to students what it is they’ll be able to do with the education that they’ll receive at Marymount?
Diane Murphy:
Good question. And as I said, one size doesn’t fit all. So we do have a core in a curriculum where we’re saying you must understand how technology works. So you will have to do a little bit of network security, a little bit of coding, a little bit of all the different pieces that make up technology.
Now, we’re not asking you to be a programmer or a developer, but we do want you to understand a little bit about logic, a little bit about how you would apply that to a lot of the automation tasks, which are really prevalent today in cybersecurity.
So there’s a little theory there, there’s a little practice there. We like to get everybody to get their own computers up with virtual machines and all those other things which are common today. We have some electives also, so you could do a malware analysis course where you were interested in digital forensics.
We have a variety of different courses around social engineering, and we also require our bachelor of students to do some liberal arts fundamentals. You got to be able to write. Writing is so important today, writing, presenting, teamwork. So we try to get all the soft skills in there as well as the technical skills. So again, a lot of options.
The culminating courses in their senior year are one, a capstone project where you are actually applying the stuff you learn. Maybe you learn how to use wireshark to do network analysis, whether you use reverse engineering in your malware analysis class, and you can apply that to a project under the supervision of a faculty member.
Some are individual, some are group. And then the final one is our attack and defend class where we’re really looking at how you behave as a penetration tester, which is a lot of the ideals of many students.
I want to be a penetration tester. Yeah, I know. Right?
Steve Bowcut:
That’s
Diane Murphy:
True. Although it’s really tough to start out as a penetration tester.
Steve Bowcut:
Yeah, it’s not normally an entry level
Diane Murphy:
Position.
Steve Bowcut:
And this is probably a good time to bring up that subject again. Earlier, we started talking about the workforce readiness, the things that you do at Marymount to make sure that the students are actually ready to enter the workforce when they graduate.
So internships, we haven’t really talked about that. We have talked about some of the capstone and some of the lab stuff, particularly the capture the flag kinds of things. So including internships, is there something that you can tell students about that or are there other things that you do to help them to make sure that they’re ready?
Some universities really focus on professional certifications. So you can respond to an advertisement that says, we’re looking for whatever the certification is. Do you focus on those? How does it work?
Diane Murphy:
So a couple of things. We’re one of the few universities that has a required internship to graduate. So we requiring you either between your senior year or in your senior year to actually have an internship. And we work very closely with all the government contractors in the area, government agencies in the area to try and place people.
Now, right now it’s pretty hard given the situation that we find ourselves in, but we’re still pretty successful at getting people into that. So internships are very important. You can get an internship, then we will provide you with a research experience that simulates being an internship.
So again, everybody has a practical experience before they graduate. Okay? Excellent. Now, certifications are really important. So some of our classes are designed around preparing students for the certification.
A few years ago, we also implemented certifications for credit. So those courses that you might want to take at the university that maybe let’s just use security, come to your security plus as an example. So we have a course that prepares students for that.
However, we also say to students, if you want to get a waiver from that class, you can go and do the security plus certification yourself and we want credit. So again, you’re recognizing at the end of the day, an employer is looking for somebody maybe has a degree, has certifications, has experience, all of those are essential and we try to prepare our students as best we can.
And so it’s been interesting looking at all the various certifications that are out there. Some of them are over cybersecurity, project management is another one that we look at. And so again, you’re just thinking about how do I get the students the best education I can?
Steve Bowcut:
Yeah. And I would presume, again, that when students, particularly when they’re just starting their bachelor’s degree, that they probably have in their minds that I want to be a SOC analyst or an incident responder, or as you mentioned earlier, you want to work in governance, that security engineer, any number of these roles that they may have heard about or they know somebody who works in one of these roles, how do they get directed towards that?
Or do you maybe discourage them from focusing too highly on an end role, if that makes sense? Because I know that if you want to be a SOC analyst, I guess that’s a noble aspiration, but maybe once you’re two, three years into your bachelor’s degree, you’ll decide you don’t really want to be a SOC analyst or that you want to maybe start there, but you want to move on to be a security engineer. I’m just wondering how you advise students along those lines.
Diane Murphy:
One size doesn’t fit all. Everybody has a different perspective, but we do offer in the sophomore, junior and senior year, I personally offer a workforce readiness seminar and I get the students in. It’s a one-credit seminar, it’s required, and I go through the workforce, what jobs are available, what skills you need in those jobs, how you go about getting a job, including networking, how you go about getting an internship.
And so we really work hard in the program and also through our career center to make sure that students have good resumes, they have good LinkedIn profiles, they have good understanding that they have to get out there and network. Most jobs come through networking.
The whole job process now with all the automated reviews and so on is very difficult to get noticed. So again, we work really, really hard with the students to understand you got to differentiate yourself if you want the job that you want.
And they’re all … If you have a solid background in cybersecurity, you can move from job A to job B to job C, but you’re not going to start out as a CTO or a CISO. You’ve got a progression. And so we work hard to say, you’ve got to do the basics, you’ve got to know where you’re going, and then once you’re there, you can then start looking at new certifications, new ways of doing it, but it is a progression.
And so we work really hard with our students to help them understand what it takes to work, both the professional skills or soft skills that you want to call them, as well as the technical skills.
Steve Bowcut:
Excellent. Thank you. Appreciate that. So every conversation about cybersecurity these days has to include the topic of AI. So let’s talk about that a litle bit. In fact, the research that you’re working on or have worked on includes detecting, preventing disinformation and trustworthy AI.
I would be interested, and I think our audience would be interested in knowing how that research or your interest in those areas shows up in the coursework. Are we teaching AI to the students or are we just … Well, I don’t even want to speculate. So how is that showing up in the coursework?
Diane Murphy:
Again, in fact, this we I think in my seminars, I am looking at gen AI, generative AI, because that’s where most of the workforce is focusing now, although we thought a strategy always were getting into agentic AI where AI is actually making decisions and starting processes.
But again, I emphasize the vulnerabilities, I emphasize what their role is, and also I emphasize with AI, human factors change. You have to be able to validate, you have to be able to evaluate, you’ve got to be able to write good prompts. So we go through all the processes to make them be able to use AI in their cybersecurity job, whatever it is.
So yes, we don’t have a specific course, but we have a lot of research projects funded by government and other people where we actually say to students, okay, come and do this AI project. And so if we’ve got a grant, we can offer them payment for that, but many of them just volunteer to get the experience.
So the word today is AI fluency.
Used to be AI literacy, but it’s moved to AI fluency because it’s not just about not knowing what AI is, but knowing how to use it. And so we’re making the assumption that in cybersecurity, you will be asked to use AI, but you have to use it ethically and professionally. So that’s some of the newer material that we’ve added into the program.
Steve Bowcut:
Excellent. Thank you. So you just mentioned grants and funding. So you’ve received grants from organizations like the National Science Foundation, the National Security Administration.
What impact does that have on students in the education that they’re going to get or maybe internships or projects that they may be involved in? Well, obviously it does or you wouldn’t have the grants, but those grants and that funding, how does that filter down to what the student is doing day-to-day?
Diane Murphy:
Right. So again, we are hiring our students to work on these projects. So the one that we just completed for the NSA, for example, was a cybersecurity clinic. So we were able to, through funding through NSA, we were able to take 18 of our students, train them as SOC analysts, have them develop a SOC locally, have them go about providing services to not- for-profits in our area.
So again, it’s a way of getting that interest in learning, interested in applying, and then also interested in certification. So again, actively involved in many of the aspects of the research that we do.
So another program that we have through the Department of Labor is called Caretakers to Breadwinners, but we are training unemployed or underemployed people who came out of the workforce for COVID or whatever to enter the tech workforce. And so we’ve engaged all our students in mentoring these people, in supporting the coursework they do.
They’ve just all finished up TechPlus, and now they’re going on to CloudPlus. But the students really learn a lot by having to teach and mentor and work with these students who have much lower tech knowledge than they do. So those are just two examples of how we’ve used our grants to engage students. Mentoring is a great way of making sure they understand the concept they’re learning and also helping out in the community.
Steve Bowcut:
Absolutely. Oh, I love that. Thank you. All right, so we are about out of time. I want to ask you one more question, and this one I just find fascinating. I’ll be interested in your response here. So you’ve been appointed the champion for the Center for the Innovative Workforce. Tell us about that. What is the missions for that center and what does that mean to students?
Diane Murphy:
So the mission for the center is really what’s next? One of the problems we have as educated is the fact that we’re teaching students who may not be working for three or four years. What is going to be the workforce requirements in three or four years?
So right now, we’ve seen a real change in the role of a programmer or a software developer with the use of AI. We’re going to see a great change in cybersecurity when quantum comes into effect sometime in the next five, 10 years. Okay, we’re not sure of the date of that.
So there’s a lot of changes out there, both in the expectations of employers and what employers are offering. Think back 10 years. If I got a entry-level job at say Boeing, they would put me through maybe six months or a year’s training program. It’s not like that anymore.
Employers are expecting people to be ready to roll into their jobs right on graduation. So again, understanding what people are looking for, doing the research, understanding what the employers in our area are looking for, working with them to make sure that they understand the role of internships, how they can engage with the students.
And so again, it’s looking forward a couple of years to make sure that our students can work in whatever new areas arise. I mean, one of the big things that right now is really all about semiconductors. So that’s an area that most people are not preparing students for. It’s a little bit of computer engineering, but there’s also a lot of other activities.
So again, understanding where the jobs are going to be in three or four years and preparing our students for them. So that’s my main function. A lot of research, a lot of working with students, a lot of grant writing, a lot of getting money.
Steve Bowcut:
That is so totally fascinating. Not only is that innovative, but I believe it’s fairly unique. I hold these kinds of conversations with lots of people in academia, and I think this is the first time anybody’s actually pointed out that they have one eye looking down the road two or three years, because you’re absolutely right.
The students that are beginning today, things are changing so fast in technology that what they need to be equipped to do could be totally different than they are when they’re actually starting. So it makes so much sense to do what you can.
Obviously, none of us can predict the future, but if you’ve got one eye looking at what employers are going to need two or three years down the road, that would be so helpful. I find that fascinating. Thank you so much.
Well, we are out of time. So Dr. Murphy, thank you so much for joining me today and for walking our audience through the different pathways, programs, options, and career outcomes that are available at Marymount University. We sincerely appreciate it.
Diane Murphy:
Well, thank you very much for your good questions, and I hope my answers are going to help somebody understand that cybersecurity is a great field, many different options. You don’t have to be a programmer. You don’t have to be deeply tech. There are lots of opportunities, and we need cybersecurity people to protect our nation.
Steve Bowcut:
Amen to that. That’s the whole point of the show, and thank you so much for your just spot on. So to our listeners, if you found this episode helpful, please follow the Cybersecurity Guide Podcast wherever you listen and share this episode with someone who’s exploring a degree or a career transition into cybersecurity. And thank you for listening, and we’ll see you next time.