Douglas Rausch is an associate professor and program director of cybersecurity at Bellevue University.
Summary of the episode
Rausch shared his nontraditional path from software and military communications into Air Force cyber operations, and how that experience shapes Bellevue’s workforce-focused cybersecurity program.
He emphasizes mastering the systems you defend, prioritizing risk management and business context, and building adaptable, career-ready skills through flexible online/on-campus options, hands-on cyber range scenarios, and a curriculum aligned with national standards and continuously updated with industry input.
Read a full transcript of the episode
Steve Bowcut:
Welcome to the Cybersecurity Guide Podcast where we speak with the educators, researchers, and industry leaders shaping today’s cybersecurity workforce. I’m your host, Steven Bowcut.
Today, I’m joined by Douglas Rausch, Associate Professor, Maynard Endowed Chair and Program Director of Cybersecurity at Bellevue University. Douglas brings more than three decades of experience in communication systems, cyber operations, cybersecurity policy, and enterprise risk management across both defense and commercial sectors.
During his distinguished Air Force career, including roles at Air Force Space Command and US Strategic Command, he led major cyber operations, accreditation programs, and policy development initiatives. That operational depth now informs his academic leadership at Bellevue University, where he oversees one of the region’s most recognized and workforce focused cybersecurity programs.
Bellevue University has become known for serving working adults and online learners through flexible, applied, and career aligned cybersecurity degree pathways. Under Douglas’s leadership, the program has expanded its hands-on learning environments, strengthened faculty expertise, and deepened integration with national cybersecurity standards.
We’re looking forward to exploring his professional journey, the evolution of Bellevue’s cybersecurity offerings and how the university prepares graduates for meaningful careers in the cybersecurity field. And with that, welcome, Douglas. Welcome to the show.
Douglas Rausch:
Well, thank you. Thank you very much. Kind of looking forward to this. It’s always fun to have these chats and talk about the program.
Steve Bowcut:
It is. And we appreciate you donating some of your valuable time to our audience to help them understand what’s going on with respect to cybersecurity at Bellevue University.
One of the things we like to do on the show is we like to explore the background or the professional journey of the guests to help our audience understand how various people got to where they are and the career paths that they may want to follow.
So tell us, if you will, please, about your journey. How did you become interested in cybersecurity and how did that lead you to where you are at?
Douglas Rausch:
Yeah, I mean, I think like you led with there, I’ve been at this a little while. And I think really if you talk to any of us in the field that have been at this for a while, we did not get to cybersecurity via straight route.
Steve Bowcut:
Yep. Almost everybody I talked to has the same
Douglas Rausch:
Comment.
Everybody came from a different direction. Certainly I’ve been involved and interested in technology. I actually started in software as a programmer. And honestly, it was way, way back in the day. Going back to high school days, I think one of my first opportunities to look at security was we had a game we played on the old Apple two computers and I figured out the source code and hacked the source code.
So I got some codes in there and so I won from there. But yeah, so I started in software. My background initially was computer science. Got into the Air Force and started in software and then we kind of shifted off of software a little bit in terms of what I was doing and went to what we called traditional communications.
And that really meant for us communicators things like radio, telephone, the radar systems, the airfield landing systems, how do we manage all of those systems?
What was base communication? Did that for a while. Certainly as world things shifted, I shifted into tactical communication. So now it was, how do you go to a bare place in the patch of dirt somewhere and set up all that infrastructure? And so how do all these pieces work together?
And then slowly, as we started bringing in more of the networks, and then as I kind of moved to other aspects, we really started looking more and more about, “Hey, these systems can be vulnerable and these systems do need to be protected.” And so slowly from the communication standpoint, we started getting more and more what we had now see traditional cyber defense type actions brought into that.
They keep moving. So then the next thing I transitioned to was really we came up with this thing called cyber and moved into cyber operations. And I really finished up working a lot with, and you mentioned my time at STRATCOM.
So I worked cyber operations, cyber defense, cyber policy as related to nuclear command and control and also our space systems. And so that was a very much, again, a bit of a shift in terms of where it was going.
But yeah, I think you talk to a lot of people, certainly have been at this a while. We kind of see ourselves as a little bit of experience across the entire spectrum of cyber. More of the folks coming in today probably get much more specialized. I tell students, it’s impossible for you to know everything on every part of cybersecurity. And so yeah, it wasn’t a direct route, but that’s kind of where I ended up.
So of course then ended up here.
Steve Bowcut:
Excellent. Okay. So I think it would be interesting to get a feel for, of all that experience that we’ve talked about, which aspects of that experience would you say most influence your teaching and leadership at Bellevue? Because you’ve got people that are going to be in many cases, in most cases, I would assume, just entering the workforce in cybersecurity. So which of your experiences lends itself best to that?
Douglas Rausch:
I think there’s probably two aspects. And if I don’t answer your question exactly, we’ll redirect here a bit, but one was an aspect. I really do talk to students and let them know it’s like, if you want to be really good at network security, you need to learn networks. If you want to be really good at software security, you need to learn software.
And so coming through the field up through software, communications, looking at all these systems, certainly I felt my role as a cyber operator was very much informed much better by knowing, here’s where people make mistakes, here’s where flaws are in the systems.
And so you don’t necessarily know that unless you’ve been with those systems and operated those systems. And so that first piece we really try to put across to students is pick an area that very much interests you and become an expert in that area.
And so we even look at some of the initial roles that students take either as internships or coming out. Just because you may be starting in that help desk role, that’s not different from cybersecurity because you’re going to see where users have issues and you’re going to learn those systems or system administration.
So that’s the first piece, which is you need to learn the systems, whatever those might be. Second aspect really, and I think it very much was informed by the military, the defense asked the defense department aspect of this. I think that other piece I probably would’ve picked up in any other job necessarily as well.
Everyone looks at the defense department as having unlimited budget. We don’t. There is a limit to the money, there is a limit to the time. And so cybersecurity really comes down to risk management, and it was a matter of being able to identify, analyze, and manage that cyber risk, and how is that done?
And so that really has been brought in as well and something we really stress to the students, this aspect of there is no organization you are ever going to be a part of that has unlimited resources. And generally, cybersecurity is not a cost. I mean, if you’re a managed service provider, maybe there’s a few other organizations you can find where you’re getting paid for your cybersecurity services.
Generally, you are a cost to the organization. And so really it’s that aspect of how do you understand the business, understand the business objectives. Defense department’s got business objectives, obviously. It’s just a little different than the bank or the grocery store. But can you understand the business objectives? Then can you apply to how cybersecurity can be utilized to further those objectives and stay within the budget? And so it comes down to risk.
And so I think those are probably the two takeaways there, if you will, that we really try to impress upon the students is understanding the technology, understanding the processes, but also understanding the business and then risk comes together there.
Steve Bowcut:
Yeah. Excellent. I think there’s some very valuable takeaways for our audience there. Cybersecurity, and it’s changing, but it’s becoming more and more diverse. And I mean that in the sense that there are so many different ways that you could specialize in cybersecurity, networks, software, any number of things, social engineering, any number of things that you could specialize in.
So I think that’s important for our audience to understand that. Learn one of those. Which one of those really interests you and really gets you excited, learn that, and you’ll be a better defender of that space if you know the space you’re defending. So I think that’s extremely
Douglas Rausch:
Important. Yeah. And very often with students, especially students coming into the program, we’ll have what I call the, what do you want to be when you grow up discussion.
Steve Bowcut:
Yeah. Okay.
Douglas Rausch:
Because they come in and it’s like, I want to do cybersecurity. It’s like, great, what does that mean to you? And that’s where you have a problem. And I think part of it is we’ve done a disservice to ourselves. Everyone watches CSI, whatever, and it’s the clicky, click, click, click. I’ve got the satellite clickity click.
I’m on their cell phone, clickity click. Okay, we’ve got them. It’s like, yeah, that’s not the way it works in the real world. And so really trying to get students to understand these are the roles you can have and the jobs you can have. Some are very technical, some are non-technical.
They’re not technical, but you’re dealing more with the policy, you’re dealing more with the governance side of it. And so there’s a place for everyone and not everybody likes each of those areas. So really trying to focus a student to say, “This is where your aptitude lies.
Let’s build on that.” Exactly.
Steve Bowcut:
All right, thank you. So I think it would be interesting then to find out, I mean, someone with your experience and background could have gone to many institutions, academic institutions, I’m sure. So what drew you specifically to Bellevue? What did you like about their program or their …
Douglas Rausch:
Yeah, similar to the other aspect of the … It wasn’t all at once. I retired from the Air Force and then moved into consulting and actually did consulting with a number of organizations, generally in the defense, space sector working for that. And I was approached by a friend of mine.
He said, “Hey, you’ve got some interesting skills. Would you like to adjunct for us at Bellevue?” And I was familiar with the organization. I liked the program. I liked what they did. And it’s like, “Well, I wouldn’t mind teaching one or two.” I think we always said the way you master a task was you see one, you do one, you teach one.
Steve Bowcut:
There you go.
Douglas Rausch:
And so I mean, I really realized there was that aspect of to really sharpen the skills, can you explain to someone how to do them? And so then the other aspect of that was, so part of that is, okay, there’s some learning I can do.
The other half of that is I can only do so much damage out there, but boy, if I teach a whole bunch of people, I’ve got a whole bunch of minions that are out doing the same type of thing. And so we’re very short. We still are short in the community of cybersecurity professionals.
And I think anyone that does any type of teaching or, and that’s even in an organization, you’ve got to believe you have a skillset that if more people had that or more people could learn from your experience, that would be valuable.
So I adjuncted another class and they said, “Hey, would you like to come on full-time?” And so it just kind of grew from that aspect. But what I saw in Bellevue then was this, we are a very fast-moving institution that as things, new issues arise with cybersecurity, new opportunities arise. I mean, we can put stuff through it and have a course or have a course.
I can change a course this term that we’re running and say, “Okay, let’s teach this instead.” I mean, there’s certain rules obviously with designation and accreditation and stuff, but we really work almost, I kind of called almost a startup mentality in terms of how fast can you put new things in place.
And so I was not coming here to go ahead and just do things as they’ve always been done. It was something we could be very reactive to the environment and put together programs and modify programs and aspects that was responsive to what was happening in cybersecurity. And Bellevue allowed that, and I saw that benefit to the students.
Steve Bowcut:
Excellent. All right, so let’s see if we can identify something or some things that may be unique or mostly unique to Bellevue. So at the top of the show, we mentioned that your reputation, your long history in serving working adults and online learners.
So that brings with it, I’m sure, lots of its own challenges. So is there something you can point to that differentiates Bellevue’s approach to teaching cybersecurity? And maybe if you can, you compare it against other institutions that focus on the working adults and online learners and or just a regular to sit in a classroom, four-year university that is probably more common.
Douglas Rausch:
Right. And we do have both on campus and online programs. You can be a cybersecurity student, come on campus, do the program. It’s fantastic. You can do it completely online. You can kind of jump back and forth between both. There’s a few things we do. We don’t have an online program and on campus. We’ve been very purposeful.
I’ve been very purposeful in making sure that no matter which format you’re taking the program, you’re getting the exact same material. And so it’s not like, oh, I’m a graduate of the on-campus program. Oh, I’m a graduate of the online program. No, you’re a graduate of the cybersecurity program. You’re going to get the same piece there.
There’s some challenges, I think, to that that we’ve had in terms of … And they’re just different types of learners. Some people are really more of the online learner because that’s the way their brain works, that’s the way they’re … But some of it, and you mentioned the working adults, because that’s the way their life works.
I am working five days a week. I’m working six days a week. When can I go ahead and do this course? And so part of that challenge always is anything a student should be able to do if they were physically in a classroom in terms of accessing any of our labs, accessing instructors, whatever the case is, should be no different within reason to an online.
I mean, you’re not going to have the instructor physically show up at your door, but you can reach out to them and use your videos and various aspects there. So there’s that aspect in terms of how the instructional material is presented.
And as we look at labs and skills in the cyber range and those aspects, what you can do on your system versus a school system should be the same. Not unreasonable when you consider how many jobs are remote and how many individuals do jobs from a remote aspect.
But then there’s the aspect, like I said, some people’s just lives are different. We have, and depending upon the program or where people are in their career, we have students where I can’t do spring term because I’m actually working on installing a data center in Europe, or I can’t do this because I’m a military individual and I’m deploying and I’m not going to be able to do X, Y, and Z.
And so we really do make the program something that’s much easier or portions of the program, depending on which path you take, it’s much easier to start and stop and then come back and come back in.
Everything’s asynchronous. And so whether or not we have synchronous opportunities, they can get on Zoom with a professor, obviously, if you’re online, but there’s that aspect of, I can do pretty much learning from everywhere we can match your lifestyle in terms of what it’s at.
That’s worked out fairly well. I think that’s responded to a lot of individuals. I think it’s responded to a lot of individuals in fact that we are seeing more and more first-time learners come into the program.
So those guys that are high school graduates, not yet been in the career field, not yet been in the working, are coming into the program because that structure works with what they want to do as well.
Steve Bowcut:
Yeah. Okay. Well, thank you for that. That really resonates with me. And maybe it’s because that’s the way my educational experience was, is that if you’re married and have three kids at home and you’re working full-time, it’s pretty tough to get a meaningful education that’s going to really get you into the workforce where you want to be.
But a program like this may just very well do that if you’re willing to put in the hours. And like I said, it’s asynchronous, synchronous. So you may be studying at midnight if that’s what it takes, but we all have those periods in our lives when that’s the kind of effort that it takes to get where you want to go. So I really appreciate that.
So one of the things that’s kind of unique, not exclusively unique, but kind of unique to Bellevue is that you are designated as the National Center for Academic Excellence in Cyber Defense.
So tell us a little bit about that designation. What does it mean from a student’s perspective? Does that mean they’re just going to learn how to do government stuff or is it something that’s more broadly across all industry? What does it mean?
Douglas Rausch:
Yeah, so kind of go back in history, how we got here, the federal government recognized early, and this was back probably around the early 2000s, whatever, that we had this huge need for cybersecurity and there was not a lot of cybersecurity programs out there.
And there was certainly a number of skill sets they would like to have seen taught both for people coming into the government as well as people in the commercial sector. Cybersecurity is one of those very unique spots where you can take someone doing a military job loading a missile on jet. There’s really not a terrible civilian job for that.
Steve Bowcut:
Exactly.
Douglas Rausch:
Cybersecurity is one of those things where it’s pretty much not only the same tasks you’re doing in the government sector as you would in the private sector or public sector, but beyond that, you’re defending the same type of assets.
If you are defending the bank network or defending the hospital network, that is critical infrastructure for the United States. And so there’s a benefit to doing that. So what happened was this program got put together called the Centers of Academic Excellence. And the idea was that there would be a set of criteria whereby an institution could apply for designation.
We say designation, not accreditation. So for example, we are accredited by the Higher Learning Commission. We are an accredited institution. In fact, to be designated as a Center of Excellence, you have to be accredited by another agency. And so what the designation does is says, you have one, put together a program which follows and teaches a specific set of what we call knowledge units.
And those are put together by academics. I mean, it’s not the government putting this, it’s in partnership certainly, but it says, listen, to work in a certain cybersecurity area, these are things that are critical for you to know, peer reviewed list, the whole bit. So our courses are looked at to make sure they align with that.
The secondary piece then is the institution to say, are you doing the right things to further cybersecurity in the community? Are you good practices of practices of cybersecurity yourself? And so you have this aspect where the programs are approved and designated, the institution is designated, and so it’s a big process.
But what it means for students is they can come into the program and know there has been a review of this program that says, if I succeed in this program, the skills I am going to take away from it are things that academic and industry individuals have looked at, have peer reviewed and have said, “This is valuable.” It’s not just something that someone came up with in the back of an envelope.
And therefore, that means to employers when they bring a diploma from the institution, they can look at it and go, “Oh, I understand what you were taught because that’s kind of the underwriter laboratory or good housekeeping seal of approval on something that says this has been looked at in your teaching.”
It doesn’t mean every institution’s the same because we’re allowed to specialize in certain areas. And so inside the program itself, you have defense institutes, research institute and ops, we’re defense, but even inside defense, you have some institutions focus more on forensics, some focus more on risk, some focus more on something else. And so each institution’s allowed to be unique in that, but yet have that seal of approval.
Steve Bowcut:
Excellent. Thank you. That was an excellent description of how that works. Thank you. I appreciate that. All right, so let’s get into, I guess we could say the nuts and bolts of what a student may expect if they’re considering coming to Bellevue for their education.
So there’s undergraduate degrees and graduate degrees in cybersecurity or cybersecurity related traditional and accelerated programs. Talk to us about those and what the options are.
Douglas Rausch:
Yeah. So I mean, I think at probably the most basic level, you got bachelor’s and master’s and your listeners know what that is. How we structure those inside cybersecurity at Bellevue is we really look at historically what have our graduates moved into.
And so we really see those graduates of a bachelor’s program moving into more of that technical hands-on role as opposed to maybe managing a program, leading people, working the organizational piece. The master’s graduates we would typically see are the people coming into a master’s program are really looking to … I’ve done that lower level type stuff.
I’m looking to move into a SOC lead, security operations center lead. I’m looking at moving into some sort of team management. Man, I’d love to be a chief security officer, a chief information security officer at some point. And so structured towards that.
So I always tell individuals, if you look at cybersecurity, you can kind of go there, really we would say our technical tasks and those governance risk and compliance type aspects. And so both the bachelor’s and the master’s cover both, but if you were able to look at a pie chart, I would say the bachelor’s is really two-thirds focused on those technical pieces, and then about a third on that governance risk compliance.
The master’s is the flip of that. And so yeah, we’re going to talk about technical stuff, but really your focus is governance, risk, and compliance, and how do you go out and manage the business of doing cybersecurity in an organization and manage those individuals that were doing other things. So that’s at the top level of that.
Then we have, how are you going to do that? And so we have what we call our traditional and cohort programs. Traditional is probably what you would look at, looking at any university. We have here four terms, fall, winter, spring, and summer.
Each term is 11 weeks in length. And so if you would get in, decide traditional is for you, you work with an advisor, we call them coaches, and you’re going to look at the pre-reqs and you’re going to figure out, okay, how many classes am I taking each term?
Am I taking terms off? What am I going to do with that? Conversely, the cohort, every nine weeks, you get two classes and then you just kind of go. It’s all scheduled out for you and you get on that training, you don’t jump off it until you get to the end station. We pick the electives for you, and so you just go.
Difference between the two when I talk to students is you have, again, some learners that just say, “I know I need to do this, and once I start, I just need to keep going because if I stop, I might not continue for whatever reason.”
Cohort is great for them because it’s all programmed out, they can see what it is, they can start, they know what that graduation date is going to be as long as they stick with it, and it’s just going to move them through.
They’re with the same students, so it is a cohort that the same students are their classmates all the way through that. Traditional really speaks much more to that student that says, “I’m going to take three, four classes a term, I’m focused, I’m a full-time student, I’m maybe not working at the same time.” If you’re working, you’re taking fewer classes, obviously, and I’m just going to go through with that.
I want to maybe structure my electives a bit more. I don’t want to do summers or maybe for whatever reason I want to be able to start and stop again. That’s much easier in the traditional program to do that.
But then even outside of that, we have got your different areas where a student may come in to web development or software development or maybe data science and they want to get some focus in cybersecurity.
So we offer options in our management of information systems, our MIS program, our MBA program, our CIS program where students can come in and go, “Well, I really want to do the software development, but I want to be really the guy that’s smart on cybersecurity.” So there’s options for them to do that as well.
Steve Bowcut:
Okay, interesting. It’s kind of a question that popped in my head as you were speaking there. Would you say it’s more common for your students at Bellevue to come in and get their bachelor’s degree and then move on to their master’s?
Or because it’s kind of geared for people who are actually working in the industry, do you see more, and I’m sure you see some of each, but do you see more students that just come in for the master’s program?
Maybe they’ve been working for five years or 10 years in the industry and they got their bachelor’s degree at some other institution and now they want to get their master’s degree. I’m sure it’s both, but do you see one that’s more prevalent than the other?
Douglas Rausch:
Most of our master’s students are not coming directly from a bachelor’s, if that answers that
Steve Bowcut:
That was really the question.
Douglas Rausch:
Yeah, that’s the question there. We probably see an equal mix from, “Hey, I got my undergraduate at Bellevue and I liked it and I want to do the master’s as well.” They may have been out in the field for a while, or they may come from a different institution.
Even if I’ve got a bachelor’s student that’s kind of like, “Hey, what’s next?” I really do encourage them, get out in the field and go work for a couple of years. The master’s going to be much more valuable to you coming in because now the master’s is so much, it’s analysis.
And so if you know what’s actually happening in the business world, you know what’s happening in cybersecurity organizations, you’re much more able to take a look at what we’re teaching you and say, “Okay, here’s how that would apply and what really happens and how I can analyze the situation and build on that.”
Steve Bowcut:
Yeah, that’s true. And you really need to know what you’re building on, so you need to know the basics first. And that’s probably true about all master’s programs, I would assume. I think returning students are more typical in master’s programs across all industries.
So one thing that always comes up when we have a conversation like this, and particularly if there’s some kind of a non-traditional, non-brick and mortar campus-based learning involved is how do we achieve the hands-on learning environment?
And you kind of alluded to this earlier, that with cybersecurity, that’s probably not as hard as it would be with auto mechanics or something, because your job may very well be remote for lots of cybersecurity professionals, that’s true. But talk to us about how you’ve incorporated hands-on learning, what that looks like, and how important is that for students.
Douglas Rausch:
It’s very important. And I think if you look at the program over the years, you just see more and more of that task-oriented, skill-oriented learning coming into play.
And so what we’re really looking at, and we caution students because we do have students that come and say, “Why are you having me write this paper? I’m in cybersecurity. I don’t have to write anything.”
Steve Bowcut:
You don’t have to be able to write. Okay.
Douglas Rausch:
And so I don’t want to say we don’t look at the other, we look at as employability type things or those, I hate to hear it called, but we hear them called soft skills.
When I talk to employers, the things we hear is the students need to be technically adept, but they also need to be able to communicate what they’re doing and communicate through those presentations or the written technical documents or whatever it is.
So yes, the skills is incredibly important. We do not get rid of the communication piece from that. But from the skills standpoint, yeah, we really look at how do we do formative and summative work in this? And so how do they practice skills? And a lot of those practice skills certainly will be, I need to do a Wireshark capture, I need to do some Wireshark analysis of a packet capture, I’m going to do a scan of a network.
But then we take those building blocks and move them into more of a scenario like you would see really in a large organization. So our pen testing class, those students are dropped into a, you are a pen tester that’s gone to this company.
They start with a document that says, “Hey, I’m hiring you on.” And so the entire course is walking through the stages of a pen test where they are doing every week they are, “I’m going to do the OSINT on the organization. I’m going to bust into the wifi for the organization. I am going to scan and enumerate. I’m going to figure out what vulnerability can I find? How do I use that?” But then they can’t stop there.
Then they have to come up and say, “Okay, how do I fix that? What are the recommendations for adjustment?” And in the end, generate a pen test report because that’s the report.
We always say no one ever paid for a pen test. They always paid for a pen test report. They’ll generate that document. If they’re working into more of some of the business continuity stuff, we have scenarios they will work through in that.
And so we actually have a large virtualized environment, and that’s really kind of key to this because that way it’s accessible to students as they’re online as well as off. And so what we really look at, let me expand here a little bit perhaps. One of the things that goes along with the, what do you want to be when you grow up aspect is we’ve used either the NIST workforce framework, if you’re familiar with that, or the one we’re really focusing a lot more on now is the Defense Cybersecurity Workforce Framework, which parallels the NIST, but it defines a number of job roles you would go into, a number of skills and tasks that you must complete to be able to be proficient at that role.
And so we have emphasis areas in our program. We have both the bachelor’s and the master’s, but I’ll just use the bachelor’s as an example. And so based on the NIST where you have an emphasis area called Secure and Defend, another called Security Provision, another called Operate and Maintain.
We also have governed ones. And so that kind of scopes, when you go through the course, you get these core courses, which really should make you good in any site. It’s the skills you need for any cybersecurity task role.
And then you use the electives and you can specialize on, are you going to need a couple courses on incident response? Okay. Well, if you go into the incident response, you are a cybersecurity operator at a bank. And so now you’re looking over, you get on, it’s Bellevue Bank and Trust, you’ve got an analyst workstation, that’s your workstation and you are being faced with the issues that you’re having to go.
And so this is all presented up through our cyber range. If you are in the pen test, you’re pen testing Happy Accident Labs. That’s the organization you have there. And by doing these tasks then, you can then see how well you’re progressing on towards those roles.
Here’s the key part we think to that task aspect a little bit as well is, and this may not dig at students or employers, but we find students are really, really bad at being able to describe to employers what it is they can do.
We find employers are really, really bad at stressing in their job descriptions, what is it we need you to do? And so part of what we need is that communication to occur. And if we give students a set of tasks and things they’ve done, they’re much easier able to go to that employer and say, “Hey, I can go ahead and do this because I’ve done these different types of things.
Is that what you’re looking for?” And the employer can go, “Oh yeah, no, I recognize those tasks you did. That’s what we’re looking at having done.”
Steve Bowcut:
Very good. Thank you. All right, so let’s talk a little bit about curriculum development. And so obviously there’s lots of things that go into that, but I think it would be interesting to get a flavor for that, if you will.
So you’ve got your expertise and experience. You’ve got the other instructors at the institution and their expertise and experience. And then you’ve got, I would assume that you’ve got input from industry partners.
So how does that all come together and how do you weigh all that and manage all that to come up with the curriculum or changes to the curriculum? I’m assuming you modify it as you go along.
Douglas Rausch:
Yeah. Yeah. So we do have an industry advisory board. It’s made up of individuals from really many sectors. So we’ll have the public sector utility, public utilities, the power company. We’ll have individuals from the financial institutions in the area, medical institutions in the area.
They are cybersecurity professionals doing work in those different industries that can come in and we ask them questions. And we usually generally have some very general things we’ll ask as well as what are we working specifically on? And so it’ll be a matter of, okay, what are you seeing for employees or what are you lacking in employees that are coming to you or what are you seeing that’s working well?
Or, hey, we’re really questioning this particular tool or technique. Do you use that? How do you see that? And so it kind of gives us an opportunity to, as we have these ideas or have these questions, we can come up with ourselves, but it gives us a board to go out to and ask those questions too. All of our faculty full-time as well as adjunct faculty come out of the industry.
Everyone has spent some time in the industry and usually several years in the industry. And so they’ve decided that either as they are currently working in the industry or if my full-time faculty have decided they want to really focus on the teaching piece, but they’ve got a deep background in terms of the industry side.
And so I was mentioning our incident response course there where you’re an analyst at a bank. Actually, our subject matter expert that really worked through that, he is an analyst at a bank.
And so it is very much modeled on that. And so essentially what we will do is we will see either through, like everybody else says, reading the news, wow, we are seeing more and more of ransomware or we’re seeing more and more privacy type things.
We need to look at how we build that into the course. We’ll go to the advisory board and say, “Okay, what are you seeing day-to-day that we need to focus more on?” That ends up kind of either being focused into an existing course, how we need to update something or maybe a new course we need to put in place and an old one we need to retire.
And then like I said, we’ll go ahead and do the research. We’ll bounce them off of both quality assurance aspects as well as get experts in there to look at it and go through it and say, “Yeah, this is how this would work.” And then realistically, no course survives the first term because if you wrote that course, you’re the one that teaches it the first term and then you find out that is not what I thought the students were going to do with that.
And then you go back and you rewrite and tweak in terms of what’s there. And you’re right, we have very few courses that aren’t getting touched a couple times a year either to update something minor or a full course rewrite periodically just because, okay, that’s changed a lot. We do try to be very clear with students.
I use the example, and this is kind of what we really try to focus towards students with is I’m going to teach you cybersecurity and understand the specific tasks you learn may not be tasks you use again six months after you graduate because something’s changed.
However, our real job is to work through that cybersecurity critical thought that says cybersecurity itself hasn’t changed. We still have confidentiality, integrity, and availability. We still have the same ways that …
Those processes you use might adjust because now some new tool has come along, but the reason you’re doing it, how it fits in securing the attack surface and defending the attack surface, that doesn’t change. I use the example of way, way, many years ago, I came through and learned how to program and we had a Unix system and an IBM 370 mainframe.
We’re not doing that anymore. However, those same concepts still apply. And so I’ve got the critical thought to go and look at a new program, a new system and say, okay, this is how that potentially works. And so that’s what we really try to structure in a lot of the courses is here’s the academic background, the foundation you need.
Now let’s build on that with the actual task, but understand you might need to relearn those tasks. Good example perhaps. I had a student that kind of panicked, gave me a call, they’re doing a job interview and the questions that kind of came out from the employer were, “Hey, you need to go ahead and look at this.
Tell us about the LAMP stack for doing web development, Linux, Apache, PHP, it’s how you build a website.” And I said, “That’s really interesting. What job did you apply for? That doesn’t seem to be one that …” I said, “We teach that at the university if you’re in the web development program.
We don’t teach that specifically for cybersecurity.” Well, here’s the description. And I said, “Oh, okay, now that makes sense.” Well, I said, “Tell them how you would assess. How would you break the program apart?
How would you learn what you’re doing?” And the student gave me a call back, had done the interview, and they actually led with that, asked the employer, “Hey, you said about this lab.” Said, “Yeah, I don’t know why we asked that. We don’t use that. It’s a question that keeps coming up.”
They said, “But tell me how you would look at that.” And the student broke down critically, “Hey, if I have a new system I’m approached with, here are the things I’m going to look at, either how to learn it.
I’m going to spin up a virtual environment or where I look at the seams and gaps between those systems and got the job because they were able to be dumped into a new environment that didn’t necessarily have specific experience in, but we had taught them how do you analyze the new program, analyze the new aspect, look at those gaps and seams and figure out where security needs to be applied.”
Steve Bowcut:
Okay, that’s great. I love that answer. And that may actually even answer the question that I wanted to ask you next here, but I’m going to go ahead and ask the question and let’s see if you have already answered it.
So throughout the show now, we’ve talked about some of the curriculum that you offer such as risk management, incident response, penetration testing, cryptography, governance, forensics.
In a perfect world, what skills or outcomes would you ultimately want every Bellevue cybersecurity graduate to walk away with? And let’s talk about the bachelor’s degree.
Douglas Rausch:
Yeah. Well, I don’t know that it’s even different because I’m not going to drive down into a, they need to know Wireshark. What I’m literally looking at is, do you understand the concepts of security? What am I trying to do from a … What’s an attack surface and what are the aspects of an attack surface? And it’s going to be critical thought, analysis of the systems, understand risk. You have to have the technical foundation. They have to have the technical foundation coming out. I want them to be able to sit in and work multiple operating systems and do those things. But Windows 11, we just got it, but it’s not going to be around forever.
But if you understand the concepts of operating systems, how it applies to security. And so if you understand that technical communication, you understand the core concepts of cybersecurity and you can apply them with critical thought and analysis, that’s what employers are looking for.
I mean, they want someone they can bring in and dump into a new situation and say, “Fix that and walk away.” And so that’s the key piece there. We teach that with cybersecurity. And if you look at our program outcomes, they are kind of at that level in terms of how do you apply critical thought to secure an organization and use the latest tools and techniques to do that.
It’s not going to be, can you go ahead and secure a Django web application that’s hosted on a WN-based Linux server and what security control would you tweak? Okay. That’s great, but that’s not going to be good six months from now.
Steve Bowcut:
Exactly. And that kind of leads me into this will be our last question. We are out of time, and I’m sure you’ve heard this question from students probably many times, and they’ll come and ask you, “What careers will this prepare me for?” They want to get a picture in their mind of what roles they are going to be prepared for when they graduate.
So based on your experience, what are you seeing in the job market? What roles are you trying to prepare the students for?
Douglas Rausch:
Yeah, and you’ve watched the job market. It’s been changed in all sorts lately, right?
Steve Bowcut:
Exactly.
Douglas Rausch:
And it kind of day-to-day, it always changes. Cybersecurity is one of those neat things I tell students, and this is when we probably have to see it a lot more. We actually see it a lot more in the master’s program because we have those career changers.
We do see some of the bachelor’s as well where maybe someone got a two-year degree, went out and did some work for a while and came back in. And students are very, especially those ones of those, we deal with a lot, like I said, those working adults.
In their mind, they want to say, “I’m going to become a cybersecurity professional, so I need to dump everything I just learned.” That’s where it goes back to my path. Everything I learned along the way with software, with airfield systems, with space systems, with communications and radio is very applicable to cybersecurity.
So I’ve got that individual that used to be a healthcare worker and says, “This isn’t working for me anywhere anymore. I want to get into cybersecurity. What should I do?” I said, “You should go back into healthcare. You understand healthcare better than someone who doesn’t. So take cybersecurity and apply it in healthcare.
So let’s really start talking to you about governance and privacy laws and how you work embedded systems and what’s there.” I had an individual that was coming out of manufacturing and said, “Well, I’m not really into the manufacturing bit anymore.
In fact, my job is being eliminated. I’m going to get into cybersecurity. What should I do?” I said, “You should go back into manufacturing.”
You understand that business better than anyone else. You can do cybersecurity in there. In terms of specific roles, obviously part of the thing is, again, employers don’t do a great job with job descriptions, and so almost everything is a cybersecurity analyst, audit, whatever.
You got to look at the job description. But what we really try to coach those students to do is even the ones that come right out of high school, there’s something you like to do. You’re good at something. Cybersecurity is used in that field.
So let’s turn that cybersecurity into what you’re doing there because so much of it is about, do you understand the business and how you apply cybersecurity to that?
Steve Bowcut:
Perfect. Thank you so much. I appreciate that. Douglas, thank you for sharing some time with us today. I sincerely appreciate it. This has been fun and informative. I’m sure the audience is going to love it, so thank you.
Douglas Rausch:
Ah, not a problem. It was enjoyable. It’s fun to talk about the program. I think we got a good one and students enjoy it, and so I’m certainly happy to open that exposure to others that might be interested.
Steve Bowcut:
Excellent. For listeners who want to learn more about Bellevue’s Cybersecurity Degrees and the Center for Cybersecurity Education, we’ll put some links in the show notes and they can click through and learn more about that.
And thank you to our audience for being with us on the Cybersecurity Guide Podcast. If you enjoy these conversations, be sure to follow us on your preferred podcast platform so you never miss an episode.
And until next time, stay safe and keep learning.