Karla Carter is an Associate Professor of Cybersecurity within the College of Science and Technology at Bellevue University. With a strong focus on developing and instructing cybersecurity courses, Karla brings a comprehensive educational experience to her students. Her expertise spans various crucial aspects of cybersecurity, including social engineering and human factors.
Beyond the technical skills, she also leads courses that delve into the ethical issues surrounding information technology. These courses explore the balance between individual and societal ethical rights and privileges, covering topics such as speech and expression, privacy and security, intellectual property concepts, laws, practices, computer abuse, risk agents, and the broader social implications of technology. Through her work, Karla Carter significantly contributes to the cultivation of knowledgeable, ethical professionals in the field of cybersecurity and information technology.
Summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Karla Carter, an associate professor of cybersecurity at Bellevue University. They discuss cybersecurity educational opportunities at Bellevue University and the importance of ethical considerations in the field. Karla shares her journey into cybersecurity, emphasizing the need for a diverse range of skills and perspectives in the industry. She also highlights the importance of continuous learning and critical thinking in staying ahead in the rapidly evolving field of cybersecurity. Karla concludes by encouraging listeners to be skeptical, adaptable, and proactive in their approach to cybersecurity.
Read a full transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. Today, our guest is Karla Carter, associate professor of cybersecurity at Bellevue University. We’re going to be discussing cybersecurity educational opportunities at Bellevue and much, much more.
Let me tell you a little bit about Karla before I bring her in. Karla Carter is an associate professor of cybersecurity within the College of Science and Technology at Bellevue University. With a strong focus on developing and instructing cybersecurity courses, Karla brings a comprehensive educational experience to her students. Her expertise spans various crucial aspects of cybersecurity, including social engineering and human factors.
Beyond the technical skills, she also leads courses that delve into the ethical issues surrounding information technology. These courses explore the balance between individual and societal ethics, rights, and privileges, covering topics such as speech and expression, privacy and security, intellectual property concepts, laws, practices, computer abuse, risk agents, and the broader social implications of technology.
Through her work, Karla Carter significantly contributes to the cultivation of knowledgeable, ethical professionals in the field of cybersecurity and information technology. And with that, welcome, Karla. Thank you for joining me today.
Karla Carter:
Hi, thanks for having me. I’m delighted to be here.
Steve Bowcut:
Yes. This is going to be fun and interesting. I’m looking forward to it. So before we get too much into cybersecurity educational opportunities, let’s learn a little bit more about you. Can you share with us your background, how you got into cybersecurity, when that became interesting to you, and the journey that you took?
Karla Carter:
So my life is one of pivoting, because you have to picture the Friends scene where they’re carrying the couch upstairs.
Steve Bowcut:
Very good.
Karla Carter:
I started off actually, so the first thing I wanted to be was a geologist, but then my parents told me that they only worked for oil companies, and that sounded boring. And I wanted to be a geologist, this is when I was six, because I liked to collect rocks, and I was like, “Okay. What else am I going to be?” And then I thought, “Well, okay, a lawyer looks interesting.” And then we had a lawyer come to school to Career Day and told us what their job actually was like. I’m like, “Oh my gosh, that sounds boring. No, I don’t want to do that.”
And then I went to a summer camp for physiology. It was a summer honors camp, and I thought, “Oh, well, I could be a doctor.” That’s what smart people do, and I consider myself a smart person. “I’ll be a doctor.” And then I got to college. I was premed, and then I got to organic chemistry, and then I said, “No, I do not want to be a doctor. What do I want to be?”
So my declared major was actually psychology, because I’d always been fascinated by why humans do the things they do. And so, I did have a psychology degree. I emerged from college with a psychology degree, and then I wasn’t sure what to do with that, because lots of times with that degree, you have to go on and get more education. And after getting a psychology degree, I wasn’t sure that I was a good fit for the profession of psychology.
So I took a year off, did waitressing and bartending, and then thought, “Well, you know what? I like history.” History was one of my minors. So then I got a graduate degree in history. And then, at that point, I wasn’t really sure whether I wanted to go on in history or not. And so, I thought, “Well, maybe the law school thing is a little…” Maybe I didn’t understand when I was 12 years old. And we had the lawyer come to school, and didn’t give it… So I thought, “Well, I’ll just apply to law school again.”
So I applied to law school and got in, and then I thought, “Well, I don’t know if I really want to be a lawyer. Does the world have enough lawyers?” And so, I asked them for a year to think about it. Well, in that year, I was working at a market research company in Chicago doing technology. So I’ll have to back up a little bit the way I tell stories to get into, “How did you get into technology?”
Anyway, I ended up, after a year, telling the law school, “Thanks, but no thanks,” and then continued my journey in technology. So backing up, when I was getting that history degree, I realized one night that my trusty typewriter, and I’m sure this is revealing my age, because, obviously, I was going to college in the ’80s. My trusty typewriter and I were not going to be able to get through a 20-page paper overnight.
And I can say this because I’m sad to report that the professor that the paper that was for, that he passed away a few years ago. So he’s not listening to this. He won’t know that I worked on it just the night before, but that’s kind of my MO throughout life. So I had to get this paper done, and one of the other graduate students said… Mind you, this is about 4:00 PM. I’m kind of complaining about how I have to write this paper overnight.
And so, he showed me a computer, and he said, “Here, watch this,” and showed me the word processing aspects of it. I’m like, “Oh, wow. This is useful. This is cool,” because before that, I had actually been somewhat, I wouldn’t say frightened by computers, but there was a point where a couple of years before that, I had wandered into the Macintosh lab on campus. But I was a good typist, but I had no idea how to actually work a computer, as in turn it on, and how to store the data and all of that.
And all the people who were in there seemed sort of snotty, probably the best word to describe. And literally, I left with the disk in the computer, because I didn’t know how to get it out of there. And I was like, “Okay. That’s sunk cost. Let’s walk away from that.” But the other graduate student who showed me how to use it… It was like a PC DOS 2.0.
I mean, we’re not even talking MS-DOS. It had one 5 1/4 drive for the operating system, and then you had to take that out after you booted it up and then put in the word processing software, which was WordStar. And then it actually had a second bay for the data drive, which was high-tech, because that often didn’t happen. So anyway, I got my paper written. I ended up getting an A on the paper. Yay.
And I was so fascinated with this object that allowed me to be amazingly productive, and I was like, “Okay. I need to know how this works.” So I completely got over my fear, but it was because someone was decent and kind and didn’t just assume like, “Oh, you should already know this.” They just went through and showed me the basics, like, “Oh, okay. This is good.”
And then my dad was so excited that I was learning computers, because he wasn’t all keen on the whole psychology degree thing, and then like, “Why are you in grad school getting a history thing?” He thought a business degree would totally be the way to go. So the fact that I was learning a business device was so exciting. So he acquired some software, Lotus 1-2-3, and then a database software, and sent those to me as well. We can discuss the implications of what life was like in terms of copyright infringement in the late ’80s, early ’90s later on.
So I was completely self-taught, and that put me in great demand when I had to do temp work, because when I got done with my graduate degree in 1990, that was a recession, and people didn’t want to hire someone, even though I had an undergraduate degree in psychology and a graduate degree in history. And people didn’t want to hire me because I didn’t have a business degree. And so, I was doing temp work, which was very humbling, but people liked me because I had awesome computer skills.
And then I moved to Chicago and was working for a market research company, actually doing some supervisory work in their telephone center and then doing some database and spreadsheet work for them, helping them automate their systems. But that was in the evenings. During the day, I was doing temp work, mostly with Lotus 1-2-3.
And then one of the programmers on the corporate side, I guess, because we have the phone center side, and then we had the corporate side. The fellow on the corporate side was impressed with my abilities and said, “Would you like to come work as a programmer on the corporate side?” Like, “Oh, okay. I’ll do that.” So I learned that. We programmed in SPL and then C. And then from there, I moved to another market research company, where I thought I wanted to do more management work, and discovered, “No. I’m a technical person. I’m not a management person.”
And from there, I got into doing technical training and became Microsoft-certified, and then I was traveling the world. You can’t really say the globe, although I did go to Bermuda to teach a class once, which was awesome. So I was doing Microsoft’s certified training, and then when I moved back to Nebraska, there was a training center who said, “A local university needs someone to be able to teach…” It was like a three-week class. So I would have to drive over to Omaha every day and teach them how to do programming in order to help them get certified.
And so, that was how I got connected with Bellevue University, because the chair at the time, department chair, or actually, it was the dean of the college, he said, “This is awesome. Would you like to teach for Bellevue University?” And I said, “Yeah, sure.” And so, I was an adjunct faculty for a little while, and then a full-time position opened up. This is in 2006. So I started teaching full-time.
So I was mostly doing programming, just general information technology work. And then, about a year into it, they said, “We need to do ethics.” And I said, “You know what? I’m really interested in that.” So I taught myself ethics. I mean, yeah, taught myself ethics. I’m curious. I like to learn things. So then, learned how to teach ethics. And then from there, that was my gateway into cybersecurity, because one of the faculty who taught cybersecurity needed someone to teach the social engineering class.
And there’s probably a perception that that area, security awareness, social engineering, human factors, would be nontechnical, but there’s actually a lot of technical tools that are involved in it, and having a technical mindset is useful for that. So that was my circuitous route into cybersecurity. I am the poster child for career changers, even though I’ve technically been a geek my whole life. And, I mean, I was certainly doing the STEM thing.
Steve Bowcut:
Excellent. And I love that story, because I think maybe that emphasizes for our audience that in a lot of ways, what you really need to be successful or to find your way in cybersecurity is you need to have a healthy curiosity. Right? So you want to learn things. You want to understand what makes things work, and you don’t have to have had decades of technical experience, although, at least in your case, some technical experience was helpful.
Although I know there are some people that work in cybersecurity, and they’re not technical at all, it’s nice to understand programming, but you don’t have to have a deep technical knowledge, I think, to be successful in cybersecurity.
Karla Carter:
And I do need to add that then I did get a master’s degree in cybersecurity so that I would be able to competently teach all aspects as opposed to just the social engineering, although social engineering remains my baby, I suppose.
Steve Bowcut:
Yeah. Kind of your love. Interesting. And I’m the same way. I love the human aspects of it. The technology side is interesting, especially when new things come along, but the human part of it is probably the most interesting for me. So let’s take a 30,000-foot view then of the landscape and maybe how you’ve seen it change, the cybersecurity landscape and how you’ve seen it change over the years and, if you want to include in that, some of the more pressing challenges that we’re facing today in cybersecurity.
Karla Carter:
So, originally, there was no cybersecurity. If they had to go back and do it all over again, a lot of the decisions that were made in terms of internet technologies would not have been made, and I don’t know whether that’s a lack of imagination or not. So there was no cybersecurity. And then as various folks, who were either curious or criminal, came about, so you start off with some… I don’t want to say harmless worms, but the intention was not… The Morris worm. The intention was not to be malicious.
And I like to remind my students that even though people make mistakes, it doesn’t make them awful people. They can turn around and lead very productive lives. So you’ve got worms and viruses, and then people start to worry about intellectual property theft. I think industrial espionage has been going on since the beginning of time, but the difference about internet technology is that it allows it to happen so fast. When everything’s connected, then suddenly, the pace at which it can happen, the amazing ability for things to be duplicated quickly. And so, there was a lot of… Do you remember that classic video, Warriors of the Net? It came out in the late ’90s.
Steve Bowcut:
Can’t say that I do.
Karla Carter:
If anyone has not seen, Warriors of the Net is fantastic, because it is a video representation of what is happening with internet traffic.
Steve Bowcut:
Oh, okay.
Karla Carter:
So everyone needs to go watch Warriors of the Net.
Steve Bowcut:
Sure.
Karla Carter:
So I would say threats were mainly involved around connectivity and data. And then, the 2010s are when social media happened, and then you start to see different sorts of cybersecurity threats, the ones that, I would say, more involved people. So at its heart, cybersecurity has always been a people problem. It’s a business problem for sure, because it affects how we do business. And business isn’t just corporate business, business is your own business. Business is what nonprofits do.
But it happens with technology. So there’s a technical aspect of it. There’s a business aspect of it. But this is humans, because humans create technology. Humans use technology or abuse technology. And you can’t patch humans. If something goes wrong with your code, you can like, “Oops, let me just rewrite that and give you a new library there, and everything will run just fine.” You can’t do that with humans.
And there’s a saying out there that I really don’t care for, that humans are the weakest link. And it’s more nuanced than that. Humans are the biggest target, because you can’t patch them. You can’t just write software and patch them. Humans have so many weak underbellies that it’s amazing, and every human has a different weak underbelly, although some academics have kind of roughly categorized it into maybe six or seven different weak underbellies. But the ability of criminals to target human weakness is infinite, seemingly infinite.
And so, what we’re facing now is, the old threats didn’t go away. The network threats, the worms, the viruses, those sort of malware classifications, those did not go away. Some of the things that have happened are social media. So you have a greater ability to get more people involved, get them involved psychologically. You’ve got different platforms.
It used to be just computers that were physically wired and had to connect through phone lines all the way now to, you’ve got wireless attacks. You’ve got tiny little phones, that people who get older, whose eyes may not be as good, they’re not going to be able to see the subtle signs, but maybe don’t click on that. You’ve got to worry about distributed computing. Where’s the data? “Oh, the cloud’s in this country versus in this country, and this country has different rules that are associated with it.” And then, of course, you’ve got the nation-state mischief that has been going on since the beginning of time as well.
Steve Bowcut:
Right. Absolutely.
Karla Carter:
Great. Oh.
Steve Bowcut:
Thank you. Go ahead.
Karla Carter:
I guess I was going to say, Bitcoin and ransomware are sort of twins that have traveled together since the 2010s as well. So digital currency is something that… I’m not sure that ransomware could have become as successful as it is without that. But that’s getting into it, far beyond my expertise, but that’s just a perception that I have.
Steve Bowcut:
Okay. And the connection that you’re focusing on there is the fact that that’s how the threat actors get paid, is using Bitcoin. So if you didn’t have that secure and anonymous way to pay these folks, then it would be much easier to catch them.
Karla Carter:
I think so. Yeah. Yeah.
Steve Bowcut:
Yeah. Interesting.
Karla Carter:
But there are others who do work on that that are not me. So I would consult them about that connection. That’s my perception.
Steve Bowcut:
Excellent. Thank you. That was a great overview, I think, of where we’ve been and where we’re at today. I appreciate that. So now, let’s take that 30,000-foot view that we’ve had, and let’s focus in, let’s zoom in, if you will, to Bellevue. And so, talk to us about, for students that are interested in cybersecurity, what opportunities await them at Bellevue, what degree programs or other programs you have, and what’s cybersecurity about at Bellevue.
Karla Carter:
All right. First of all, I want to start off by saying we are a Center of Academic Excellence, which is a program that the NSA and the Department of Homeland Security have come up to make sure that if someone, that an institution that is designated as a Center of Academic Excellence, there are certain aspects of cybersecurity that we have to make sure we’re covering.
So we can’t just decide, “Oh, we’re not going to cover digital forensics because we’re not in the mood.” No. That’s part of what we have to… There are certain knowledge units that we have to make sure that we’re covering. And they do a pretty thorough audit process, not only to be accepted and designated, but just as an ongoing, continuous improvement sort of thing.
The next big thing that we’re going to be working on is competencies. So folks will be able to have on their transcript not only… There’s a little stamp that says that, “This is a Center of Academic Excellence, but these are the various competencies.” And those are mapped to various government designations of work roles. There’s lots of alphabet soup out there when you get involved with the government ones.
I highly encourage people to look into what it means to be a Center of Academic Excellence, but we do have two degrees. There’s a Bachelor of Science of Cybersecurity. It’s the undergraduate degree, and then a Master of Science of Cybersecurity. The undergraduate degree is more technical-focused, so there’s going to be a lot more hands-on and brains-on, but more hands-on. And then the master’s degree is nontechnical, but that doesn’t mean that there’s no hands-on.
So, for instance, in the master’s degree, folks do have to take a penetration testing class, but they wouldn’t necessarily be expected how to code. In the undergraduate degree, they do have to take a Python class to make sure that they are exposed to the fact that even if in the giant realm of all of the different cybersecurity jobs, you may never write a line of code. In fact, you may never touch a console. If you’re working in, say, the auditing sectors, you’re probably going to be going down a list of… They’re called controls, but not technical control.
Steve Bowcut:
Yeah. Yeah. Yeah. Yeah.
Karla Carter:
The verbiage and the vocabulary, learning the vocabulary and trying to get it straight, because, for instance, even in risk management, which is another one of those where you may never actually be touching a console keyboard, you’ll be doing a lot of typing, but it won’t necessarily be code.
Steve Bowcut:
Yeah. Okay.
Karla Carter:
We battle with people calling things risks that are actually threats. So vocabulary is important.
Steve Bowcut:
It is important. Yeah. Thank you for that. So help us understand, are all these classes, or most… Well, I’ll frame the question wrong here, but help us understand, is it face-to-face classes, remote classes, a combination? How does that work at Bellevue?
Karla Carter:
That depends. So if someone’s local, on campus, then certainly, you can take… Quite a few of the undergraduate classes are on campus. We offer them both during the day, and then we have night classes, because we do have some continuing education students who have jobs during the day. So they would need to be able to take a night class.
We have a very vibrant online program as well. And instead of having the semesters, we have trimesters. And so, we have a fall term that is 12 weeks, and then we have a winter term, and there’s a week off, and then there’s winter term that’s 12 weeks. But it’s actually 14 weeks, because there’s a two-week break in there for the holidays, and then we have a spring term that’s 12 weeks. We just started this spring term on Monday, and then we have a shorter summer term as well.
Now, these are all going to be switching to 11 weeks, but that’s later. We also offer what’s called a cohort option. So people get the classes done in nine weeks, but they’re with the same group of people the entire time. So they would start off with undergraduate. They would all be taking the introductory cybersecurity course along with the Python course, and then they sort of move lockstep through all of the rest of the courses.
So we know that they can go through the classes faster, because they have the prerequisites, and it’s fresh in their mind. We don’t have to worry that someone was unable to get into pen testing, so they took auditing. And it’s a little bit more of an elegant solution, but it does move fast because it’s nine weeks instead of 11 or 12 weeks.
Steve Bowcut:
Yeah. I like that idea of a cohort. So you’re moving through this program with the same group of people essentially, because that can contribute, I think, a lot to the learning process as well. You get to know these people. You build relationships. You play off each other. You help each other. So I like that. All right. We mentioned blockchain earlier and just kind of touched on it, but let’s delve deeper into some of these emerging technologies, artificial intelligence, blockchain, those kinds of things. Let’s get your perspective on that.
Karla Carter:
So one of the big things, I think, that people need to remember with AI is that this is new and no one has the answers, and that things are going to be changing pretty rapidly. So one of the things we really need to look at now is, it’s not that the AI is going to take your job. It’s that AI is going to change your job. So there are some aspects of work roles that AI probably could do on its own, but that frees people up to do something else that AI cannot do.
There are a lot of the subtle, human, nuanced things that AI, generative AI, or other AI are not capable of doing. So AI, in the best world, should be looked at as a very reliable assistant. It should never be the one who’s solely in charge of things. And in order to career-proof yourself, you need to know how to work with AI. That’s hugely important.
A couple of new job titles are emerging. One of those is prompt engineer, and then the other one would sort of be the person who oversees the AI that’s going out and looking for threats. I’m sure there’s a shorter title for that. That’s just sort of my description of it. So you’ve got to be sort of the AI wrangler. You need to know how to interact with it, how to write the prompts, because that is a skill. It’s not just copying an assignment and pasting it into ChatGPT, and then taking what it gives you, and pasting that. You haven’t learned anything from that.
You can have conversations with these generative AI models. They’re just fascinating. And you have to know your material in order to have the conversation to know what to ask it, and then how to probe it further to get more useful information, and then to know what’s the best way to use that information that’s out there. So if it says, “Hey, based on this, we think that nation-state actor X is probably going to launch this sort of attack against this sector,” you have to put that together with all sorts of other information.
And that’s where cybersecurity is not just… Or for the technology people. They definitely need social scientists. They need all the psychologists, the anthropologists, the sociologists. They need political scientists when we have a graduate class on information warfare. It takes an entire globe to make sure that we are doing things securely, and it takes people of all sorts of different skill levels.
And anything that we can offload to a machine that’s doing it accurately, then that frees up the human to do more critical thinking, more creative thinking. So a company shouldn’t try to get rid of its workers. They should be using AI as a tool to say, “This is going…” It’s like a typewriter. This is like a calculator. So, “Hey, you don’t have to write this out by hand. Hey, you don’t have to do these numbers in your head or with an adding machine.”
There are a lot of tedious reports out there, that people are spending good hours tweaking a report. The machines are good at writing the reports. They know what the reports look like. You give them the data. They fill out the reports. Heck, some of these things can listen to your meetings and do the minutes for you. Isn’t that nice?
Steve Bowcut:
Yeah.
Karla Carter:
The human still needs to verify that all of this is going on. So in a cybersecurity sense, let’s use these as tools, but always remember that they’re tools, and never let them run the show. Supply chain attacks are huge, if anyone pays attention to cybersecurity news. And so, when you’ve got a system like that with lots of moving parts, AI would be able to take that 30,000-foot view, look at the whole scenario, and say, “Where are some of the vulnerabilities here, and how could we possibly use some sort of security controls to get those wrangled under control?”
Steve Bowcut:
Mm-hmm. Interesting. And I love that you’re emphasizing that AI is a tool. I’ve experimented a little bit with different ways of explaining this, different analogies that seem to make sense. I heard one just yesterday that I really liked, but maybe it’s coming from a guy’s perspective, and we’re really talking about the ethics of attribution, using it particularly in journalism.
So it used to be, decades ago, when you built something, you used a hammer and nails to build something out of wood, and then along came pneumatic nail guns. Right? So it’s a tool that really sped up the process, but no one ever said, “Oh, you didn’t build it because you used a pneumatic nail gun.” It was still you building it. And I think that’s probably the appropriate application for AI, is a tool that’ll help you do more, much, much faster, but you still need to stay in control, as you said several times.
And it does open some questions about attribution. Did you write it? And from a journalism perspective, did you write it, or did AI write it? And so, we have to be cognizant of that. With new tools comes new, both technical and ethical challenges that we kind of have to wrestle with. So I appreciate that.
Karla Carter:
From an educator standpoint, we have to figure out what we’re assessing, because the final product… And at Bellevue, our motto is, Real Learning for Real Life. So we get in there and we make sure that students are creating the sort of documents that they would see in the real world.
Steve Bowcut:
Right.
Karla Carter:
But in the real world, they want you to do the documents correctly, and that’s one of the first places that AI is going to be used. It’s like, “Okay. Take the information you have. Feed it into this document. Look it over. Don’t just trust it, and then move on.” So we’re going to have to move more to looking at, “How did you get this information? How are you putting it together? How are you editing, or editing from the editor sense, of what the AI gave you?”
And at some point, it will be ubiquitous enough that we don’t tell… I don’t tell people, “Hey, I used a spellchecker,” which is a type of AI. “I used a spreadsheet instead of just hands doing the numbers.” So I think there’s a point at which it will be assumed that AI had a part in this.
Steve Bowcut:
Had a role. Exactly. Yeah. Before we move off emerging technologies, maybe more on the more technical side, do you have any thoughts, or you feel like you have any expertise that would follow along with blockchain and quantum computing that you want to talk about?
Karla Carter:
So the quantum computing thing is one of those where I think when it’s here and when the bad folks are actually using it to break encryption, everyone will be in a panic. There obviously are folks who are working on making sure that we have quantum encryption before that time happens. But the people who are working with blockchain is actually in the negative aspect of the cryptocurrency that they need to figure out how to use when the bad folks launch a ransomware attack.
I did a paper on possibly using blockchain for a forensics chain of custody, but I don’t know. That seems to me to be one of the more positive aspects of it. Blockchain is one of those technologies that is so hyped that I’m just not sure that it’s…
Steve Bowcut:
Yeah.
Karla Carter:
Yeah.
Steve Bowcut:
The idea of blockchain, I’m fascinated with. I think it’s great. And there are probably a lot of positive uses for it, but it seems my personal perspective is, I guess, that the whole cryptocurrency thing has kind of put a shade over it, and a lot of people are just saying, “You know what? I don’t want to have anything to do with blockchain,” because they’re thinking cryptocurrency, not blockchain.
All right. Let’s get to maybe some hopefully actionable advice for our audience, some career advice. So if there’s anything that you can offer regarding what it would take to get into the cybersecurity… Skills that you would need to have, maybe skills that you want to get or, maybe I should say this, interests that you have, that kind of thing.
Karla Carter:
I guess I’m going to be that professor who tells it like it is.
Steve Bowcut:
Very good.
Karla Carter:
Even though there is a vast realm of cybersecurity where you don’t need to know code or you wouldn’t have to code, and maybe you would never have to really deal with a console because you’re writing reports, it is punishingly hard to break into cybersecurity as a new person, as a career changer without any sort of sponsor.
If you can get into a company, like if a small company hires you based on perhaps a shiny, new degree or a proven record of having worked somewhere else, and they know that you’re ready to go, they know that you have a baseline of knowledge that you are safe to work there without causing breaches, then they can get that.
But that’s not the reality. The reality is that a lot of folks are out there competing with everyone else and having to figure out how to wordsmith their résumé, how to get past that AI gatekeeping system. There are apparently really interesting things people can do with code words, like hire. You can put “hire me” in white text, and the AI reads that, and they’re like, “Oh, we should hire this person.”
Steve Bowcut:
Interesting.
Karla Carter:
But for now, you’ve got to lean into the technical. And that’s why our undergraduate degree does have a technical focus, to make sure that you’re not frightened of code. It may not be your favorite thing, but you do know Python code if it came up and bit you, so to speak. It’s also important to know networking, because that’s how these critters are happening. Right? It’s not that you have to know the OSI model and recite it from memory, although a late friend of mine actually has this wonderful OSI-Mafia analogy. I will send that to you so you have it, because it’s fantastic.
Steve Bowcut:
Okay. Great.
Karla Carter:
But if someone has the ability to set up their own computer lab, understand how virtual machines work, because virtualization is key to understanding how the cloud thing works. There’s nothing magical about the cloud. It’s just virtualization. Understanding how basic networking principles work, understanding what it is about code that needs it to be patched. So if you don’t know how an application is put together, then it’s harder to understand why it’s so important that we do keep our systems and our applications updated.
Playing around with digital forensics tools. Learning how to do things like open-source intelligence. Figuring out how to, maybe with permission, always with permission, break into your own computer or break into a friend’s computer, because that’s how you discover what the vulnerabilities are. So within your own protected realm, do red team and blue team exercises. And then the other thing would be, even if you’re younger, new career, still a student, join some of the professional organizations.
If your goal is to be an auditor, then, by all means, join ISACA. If you’re more sort of like general information technology professional with a twist of cybersecurity, because you can do cybersecurity things without having to have a cybersecurity degree. For instance, the BSCIS has a cybersecurity concentration that goes with it. So they take enough cybersecurity courses to be familiar with cybersecurity, but their basic degree is still information technology. So maybe something like the Association of Information Technology Professionals.
There are all kinds of four-letter, three-letter, six-letter groups out there, but it’s important to start to get to know people, because there’s a chance that those people could get you into a company. But a lot of folks are going to start off maybe with a help desk job, where they’re helping other folks troubleshoot how the system works, and then perhaps get into an entry-level cybersecurity position. But as wonderful as the Darknet Diaries podcast is, and I love that podcast and recommend people listen to it, you are not going to get a job as a physical penetration tester right out of the gate.
Steve Bowcut:
Right.
Karla Carter:
Not going to happen.
Steve Bowcut:
Okay.
Karla Carter:
I’m sorry, was that too grumpy?
Steve Bowcut:
No, no. That was perfect. Thank you. I appreciate that. We seek after the truth here, so that was good. I was going to-
Karla Carter:
I’m sorry. We need a Jason Bourne movie that-
Steve Bowcut:
There we go.
Karla Carter:
… glamorizes auditing.
Steve Bowcut:
Auditing. Exactly.
Karla Carter:
Yeah.
Steve Bowcut:
Jason will be an auditor and crack the cases. That would be great. I was going to, and I still will, but one of the things that I wanted to ask you about was scholarships and internships, and that seems to fit very well with what we’re talking about. We’ve talked about career advice. Do you have any perspective you’d like to share with us about scholarships or the value of them? Any specific ones that you know about, that kind of thing?
Karla Carter:
I know that it’s not always realistic for everyone to be able to do an unpaid internship, but getting in any sort of internship is important. We have a platform on campus called Handshake, that people have internship opportunities. The students go in. They apply. They look around. We can write letters of recommendation for folks to get internships. It’s important to get out there and see if this is the sort of culture fit for you, and also within the vertical sectors. So maybe somebody really enjoys working in finance, because that is a completely different culture than, say, working in utilities or working in a factory, working in transportation.
So internships are not only really good for people understanding, “How does this work in the real world?” which is often not what we… We try and teach in class at Bellevue, like, “This is how stuff works in the real world.” But even beyond that, a company may not have all of the resources to always do things exactly the way they need to.
And there are companies that are going to be so dependent on compliance. Other companies maybe kind of skate around the compliance. Understanding which vertical sector you would like to work in, or perhaps maybe more the ones that you can’t stand to work in is a good thing. So it’s the life experience. There’s the hands-on knowledge, experience, but I cannot emphasize enough that you want to understand your life experience, because no amount of money is worth dreading getting out of your car in the parking lot, or if you get a sick feeling in your stomach when you walk off the elevator or in the front door. That’s just not worth it.
There are so many opportunities out there. And it might take a little bit of time, but the earlier that someone could pursue an internship where they’re actually doing meaningful work, not making photocopies or getting beverages for people, that’s super important, that they are actually getting to do some sort of cybersecurity work. Now, we had another situation where a student was pretty much handed admin passwords on day one. We don’t want that either.
Steve Bowcut:
Yeah. Yeah. Very good. Thank you. I appreciate that. A couple other topics I want to get to that I think are quite important. I think you’re going to have some interesting perspectives. So, ethical considerations. That seems to be an area of expertise for you. So talk to us about what we need to know about ethical considerations in cybersecurity.
Karla Carter:
So you would think, “Okay. Well, as long as you follow compliance, that’s good enough.” Right? And compliance is the various regulations that are out there. So you would have government compliance. You might have some industry-specific regulations. You would also have internal company policies. And that word policy is really important, because that is like a law within a company.
But just doing those is not enough to be ethical, because ethics, first of all, laws cannot possibly keep up with changing technology or changing societal sorts of things. So ethics always needs to look at that little bit of, “Okay. I’ve done the compliance, but what else can I do to go above and beyond to make sure that this environment is safe? I want to make sure that people’s money is safe, that if you’re working in a hospital, that their life is safe.” I mean, that’s hard-core stuff.
If you’re working for a utility, how do I make sure that I’m not going to cause some sort of environmental disaster? And often in situations, folks who are very focused on getting their job done and don’t have time or haven’t really ever practiced the ability to look at the big picture, they don’t see how something they say such as like, “Oh, we don’t need to do integration testing,” that that could have a horrible effect on the whole system.
And it’s important that people practice these ethical scenarios in their mind or in tabletop exercises before the situation comes up so that you know, “Okay…” There are ethical frameworks out there where you can say, “Okay. Who are the stakeholders? How are they all going to be involved? What are some different ways we could look at this?” Because there’s more than one way to peel an orange. There’s different ethical schools.
And if you’ve thought about that before it ever happens, and when it happens, and there’s always going to be some when, it’s not an if, you will be able to say, “Okay. I’ve thought this through, and I think this is what we should do to make sure that we’re doing the right thing.” An instance that I always give is, the Titanic didn’t have a dearth of lifeboats merely because they were being cheap or they wanted to have more room for cabins or whatever. The law at the time said, “You need 16 lifeboats.” And they’re like, “Okay. Law says 16. You know what? We’ll put 20 on here just to be a little good.”
Steve Bowcut:
Yeah. I like that, because in my mind-
Karla Carter:
So that was regulation.
Steve Bowcut:
… that’s kind of what it comes down to, is that it’s a difference between what we can or must do and what we should do, and that is kind of what we’re talking about.
Karla Carter:
Right. And it’s the Jurassic Park question. Your scientists were so busy trying to figure out whether or not they could. They didn’t stop to think if they should.
Steve Bowcut:
Yeah. Very good. Thank you. All right. Just for a moment, let’s talk about diversity and inclusion. And I know this is a hot topic that politically gets a lot of attention, but I think it is important, because it is important that we include or at least provide opportunities for all people who want to work in cybersecurity. So what are your thoughts about diversity and inclusion as it relates to cybersecurity?
Karla Carter:
I think you really touched on it when you said, “We need to make sure that there’s an opportunity for everyone to be in cybersecurity.” You don’t have to be the stereotypical person who has been glued to their computers since age eight, and that’s all they do. We need a broad range of perspectives. We need people who come from different parts of the world, who look differently, who have different cultural practices, because let me tell you what, the threat actors, they’re all different.
Steve Bowcut:
They’re diverse. Yeah.
Karla Carter:
Yeah. We’ve got a very diverse set of threat actors out there. And if you do not have the defenders, who are also diverse, then either that’s just not going to work out. You’re going to have some serious areas of non-visibility that are in there. And technology is not as mysterious as it might seem. There can be kind of a culture out there of… It gets very club-ish, of, “Well, if you don’t know how to do that, then you’re just an idiot.”
Steve Bowcut:
Yeah.
Karla Carter:
I mean, there is something called an ID10T error-
Steve Bowcut:
Yeah, exactly.
Karla Carter:
… or PEBCAK. And there are ways that people talk about users that are not complimentary, and that gets back to the whole weakest-link-human thing. No, come on. We all need to work together, and not everyone’s going to be good at coding, nor should they be coding, but perhaps they are going to make a fantastic auditor. So let’s get people in who are younger, older, male, female. Regardless of what you look like, what your experience is, you belong in cybersecurity if you have a goal of defending the confidentiality, integrity, and availability of our information.
Steve Bowcut:
Well said. Thank you, Karla. I appreciate that. That was well said. All right. So we’re about out of time, but I do want to wrap up with a forward-looking question. We’ll ask you to dust off your crystal ball a little bit and look into the future, and see what do you think cybersecurity, given its current state of evolution, what’s it going to look like at any point in the future you’d like to pick.
Karla Carter:
Okay. So first of all, everyone, you have to keep learning. This is not a set-it-and-forget-it sort of thing. Please, please, please keep up with… The cybersecurity news can be a little depressing, but it is important to keep an eye on what sort of trends are happening. So you have to have a curiosity about life. You have to have a curiosity about what new is happening. So what sort of new attack methods are possible, what sort of new platforms are out there.
You’ve got to have critical thinking, because you can’t just react. You can’t be in reactive mode all the time. You have to think both tactically and strategically, and make sure that everything that you learn… If you do choose to get a college degree, there’s a group of courses they call general education that are attempting to teach people how to think critically, how to assemble information together, synthesize different concepts into one place, how to work with different groups of people.
I cannot emphasize enough all of those things that we learn about how humans work together, how human culture works. You really got to understand people, because until Skynet starts writing code, and we don’t really want to get there, these things are still… All of our systems are put together by people. They are used by people. They are attacked by people. My gosh, maybe get a minor in psychology or anthropology-
Steve Bowcut:
Yeah, exactly.
Karla Carter:
… or sociology or something, because that’s what you’re going to need. You need to be adaptable. You can’t sit on your hands. And I don’t know that there’s a profession out there right now that is set it and forget it, because the world does change so quickly. But there are some things that if you invest in being skeptical, not annoying, not to the point where you don’t believe anything, but the “trust, but verify” is huge.
Steve Bowcut:
Yeah.
Karla Carter:
Just because someone says, “Hey, my product is going to solve all your problems,” do not believe them. You need to investigate them. If you get an email that says, “Hey, click here and get your bonus,” do not believe it.
Steve Bowcut:
Yeah.
Karla Carter:
If someone tries to come up to you and say, “Hey, I work here, but I left my badge at home,” do not believe them.
Steve Bowcut:
Right. Yeah. All right. Very good. So we are out of time. But Karla, thank you so much. This has been a fascinating discussion for me. I’ve loved every minute of it, and I appreciate you spending some of your day with us and our audience. So thank you.
Karla Carter:
Thank you so much for having me.
Steve Bowcut:
It’s been fun. And a big thanks for our listeners for being with us. And please remember to subscribe and review if you find this podcast interesting, and join us next time for another episode of the Cybersecurity Guide Podcast.