Dr. Matthew Heath Van Horn, an assistant professor of cyber intelligence and security at Embry-Riddle Aeronautical University, discusses his career journey and approach to teaching cybersecurity.
A summary of the episode
Dr. Heath Van Horn emphasizes the importance of hands-on, practical learning over traditional lecture-based instruction, especially for students who struggle with passive learning methods. He highlights the need for cybersecurity education to stay relevant in a rapidly evolving field, leveraging industry feedback and keeping up with the latest trends and technologies.
Dr. Heath Van Horn’s key advice to students is to embrace opportunities and not be afraid to say “yes” to new challenges, which can lead to valuable learning experiences and career growth.
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. Today we’re honored to have Dr. Matthew Heath Van Horn, an assistant professor of cyber intelligence and security at Embry-Riddle Aeronautical University. Join us on the Cybersecurity Guide podcast.
The topic for today’s show is Bridging Military Cyber Operations and Cybersecurity Education. Let me tell you a little bit about Dr. Heath Van Horn. Dr. Heath Van Horn is a seasoned information technology professional with a career spanning over three decades across military, industry, and academia. He holds a PhD in information technology from Capella University and teaches courses covering ethical hacking, network security, malware analysis, and cyber intelligence at Embry-Riddle’s Prescott College of Business, Security and Intelligence.
Before transitioning to academia, Dr. Heath Van Horn had an extensive military cybersecurity career serving as a cyber operations command in the US Air Force, a cyber planner at Air Force Reserve Command headquarters, and a software test engineer supporting mission-critical operations. Beyond teaching, he is also the author of Mastering Enterprise Networks.
With his experience and expertise in offensive and defensive cybersecurity, Matthew is passionate about equipping the next generation of cyber professionals with the skills needed to tackle today’s evolving threats. And with that, welcome Matthew. Thank you for joining me today.
Matthew Heath Van Horn:
Thanks for having me.
Steve Bowcut:
All right. This is going to be fun. I’m looking forward to it. So let’s get a little more information about you. Let’s help our audience understand how you got to where you are. So what was your career journey? Were you always interested in cybersecurity as an infant or did it come during your PhD? Who knows?
Matthew Heath Van Horn:
No. So I grew up in a town of 350 people, a farming town. I didn’t want to be a farmer. I joined the Air Force and I wanted to get into electronics. And so the Air Force gave me the electronics while I was doing electronics, I repairs of, I know 30,000 different pieces of equipment.
And I got into computers that way and I really started to enjoy the blend electronics translating into computers. And then I started getting into computer science. I was pursuing a degree and I did computer science. I thought that’d be easier than business. So then the Air Force made me a cyber operations guy. They called it communications I think at the time. And I just went from there. It was just, wow, the more I got to deal with computers and I volunteered for everything coming down the pike, offense, defense, whatever support. I just loved it.
And then I retired, I opened up my own business because we were living in Idaho at the time and they didn’t need any hackers. This is a small farming town in Idaho, but I knew farming. So I said, Hey, if we don’t want to move, we got to do something. And so we started a shed business for $400. Really. And so as a business owner for four years, I can tell you right now I do not like business. I’m very good at it. We went from $400 to a million dollars in four years. But I did not like the business side of stuff, which is probably a good thing. I got a computer science degree and not a business degree and a college from New York contacted me.
They talked to a friend of mine and they were looking for someone to teach cyber to the deaf. And I was like, I don’t know ASL, why would you do this? And they said, well, it’s very hard to find someone to teach cyber, let alone find someone who knows ASL and cyber. And my friend said, Hey, I got a guy that’ll take on any challenge that you have.
And so they called me up, they said, Hey, we would like you to teach cyber. And I was like, you want me to teach? And I was like, I don’t know anything about ASL. And they said, well, we’ll have a translator with you and we’ll give you a smaller course load so that way you can learn ASL. I was like, I love the challenge. Okay, there you go. Then I dunno, three weeks later they found someone who knew ASL. So they said, I’m sorry, but we found, I said, no, that’s perfectly okay. I was fine. And then I was like, well, I spent a month working on this resume. I’ve never written a resume in my life. I’m the military. They tell you what to do.
Steve Bowcut:
Yeah, exactly.
Matthew Heath Van Horn:
So I sent it to another college in upstate New York. I was already planning on moving and I don’t even think I changed the title of the college I was applying for. I just sent it out. I said, let’s see what happens. And I got the job. Oh no, it was good. It was a learning experience. I got to say those students were a little bit more challenging than anything I was used to and I thought I’d seen it all in the military. But yeah, I went from there. I did that for five years and now I’m at Embry-Riddle and doing a little bit of research and teaching.
Steve Bowcut:
Wow, okay. So you went from Idaho to upstate New York and now you’re in Arizona.
Matthew Heath Van Horn:
Yeah, this is my 30th move, so I do not want to move again.
Steve Bowcut:
That sounds like somebody who spent some time in the military. All right, very cool. Thank you for that. I appreciate that. So let’s talk about the work that you’re doing now, the teaching that you’re doing now. And I’m particularly interested in, given the courses that you teach, we outline those a little bit. What course skills do you intend or aim to instill in your students in these courses?
Matthew Heath Van Horn:
I am very much interested in what industry wants. I was used to the Air Force. The Air Force would tell you what you want and the Air Force, I thought we did a very good job at training and educating our personnel. And this goes all the way back to my electronics experience. They taught us the fundamentals and then they said, Hey, you can fix anything with this knowledge. And they also did the same thing with cyber is like, Hey, if we teach you how Windows works and how Linux works and how servers work, then you should be able to adjust those skills as the technology develops and matures.
And so I’m trying to do that in the classroom. And the classroom is typically lecture, drone on watch a lot of slides. And the students I had in New York, they couldn’t do that. They honestly could not read the slides, listen to a lecture, take notes. They had none of those skills.
And so I said, how am I supposed to reach these kids? I mean, I had one class that 72% of the class failed out of a hundred and some students. And I’m just like, okay, what am I doing wrong? And I was like, I’d never had this kind of failure rate in the Air Force. So I said, Hey, I’m going to go back to Air Force the way we trained in the Air Force and let’s see if they can, which is hands-on, you’re going to do this. It’s not a matter of can you pass a multiple-guess test, can you actually build a network?
And it was a long battle because that is definitely going against the status quo in academia doing it that way. But my success rate with the students that couldn’t learn by taking notes went up astronomically. I still had a huge failure rate, probably 30% is probably normal. And after a while I started doing surveys of students. I’m like, why are you here? And so I would do that the first day of class and the college asked me to stop doing it, but I was doing it the first day of class.
I said, why are you here at this college? And they’re saying, because it’s the only college that would take me, oh, there’s a story for success. Yeah, there you go out. Well, it isn’t like, well, I always wanted to live in upstate New York or Oh, my parents went here. No, they’re the only college that would take me. I’m like, that is not a recipe for success. And I said, why’d you guys pick cyber?
Cyber is flipping hard career. And they’re like, well, I like playing games on my phone. I was left speechless. I mean honestly, that was the answer. It’s like, I’m going to do cyber because I like playing games. Again, not a recipe for success. So I was happy with a 30% failure rate, but I was very successful in that hands-on instruction and the hands-on assessment of their abilities that they were getting jobs that they never thought was even possible.
I mean they were going to college, their parents said, well, you can’t live here anymore because 18 and so what else are they going to do? Oh, well I’ll go to college then I’ll still have a place to live. But now they’re getting jobs that make more money than their parents combined and they’re just blown away. That was even possible for them. So I knew I was onto something that was fairly good. It was definitely a fight though because the academia does not like that sort of format.
Steve Bowcut:
That is so interesting. So most of it is based around hands-on, which I love that idea. So would you focus more, and maybe there isn’t a way to answer this, but was it more programming or network building or which of those skills took precedence?
Matthew Heath Van Horn:
So we’re not computer science, so we didn’t teach a lot of programming. I taught, they did teach Java for a few years and when I came on board they said, the kids hate Java, we’re going to teach C++. And I’m like, well, what’s the difference? And they’re like, well, C++ will be so much better and what evidence do you have of that? I mean, it’s almost the same language.
And they’re like, well, because it’ll be better and it wasn’t any better. They’re not programmers, they’re not computer scientists. And so I said this, I mean I taught it, but none of the folks I know of got jobs as programmers because we didn’t teach enough programming, we only taught the two sections.
And I said, that’s not enough for someone to go into a career of programming because they’re not doing it for efficiency, they’re not doing it, they’re not talking with the customers, they’re not talking, how am I going to implement this on a wide scale? And what about patches? They’re not doing any of that. And they were just teaching the language. And I was like, well, if that’s what you want me to teach, I’ll teach. But that seems really silly to me. The networking aspect, I was much more successful in getting students jobs.
I even got, it was so successful, the accounting students would come in for the networking classes. I had one accounting student, she’d got an accounting job and they had network issues. There was a worldwide conglomerate, I don’t remember the name of the company, but they basically build movie sets. They handled the payroll wherever the movie set was and they handled all the locals and all stuff.
They just handled payroll and they were having network issues talking with all the different sites that they had. And she goes, oh, I can fix that. And next thing she knows she’s the program or she’s in the network administrator role instead of the accounting role. But I guess I did pretty good there because that was only three classes worth of work, but she understood networks in and out.
But yeah, that’s where most of the students were having their bread and butter. Some went on to help desk, but they didn’t stay there long. The ones that emailed me were just like, after six months or so, they’re like, yeah, they took me off the help desk and now I’m overseeing some project with three other guys. And I was just like, I’m so happy for you. And they say, I never thought this was even possible. They never had to pass a multiple, multiple choice test. Excellent. It was all the hands-on assessment.
Steve Bowcut:
Very cool. So here’s something that kind of occurs to me and given your experience, so you’ve had kind of a broad background here. So if you were to give advice to students that were trying to decide, so the hypothetical here is a student is trying to decide whether they want a degree in cybersecurity, cyber intelligence or information technology. Is there some advice you would give them, or in your mind, is it, yeah, either one, doesn’t matter?
Matthew Heath Van Horn:
The fields, those three fields, so close
Steve Bowcut:
Close
Matthew Heath Van Horn:
That. Honestly, it doesn’t matter. At least I don’t think so. I think there’s a firm difference between computer science and those three fields. Cyber intelligence, that’s more, I think you’re going to deal with people more. You’re also going to deal with a lot of reading, more. IT, I don’t know, IT you can go anywhere.
I’ve seen people go from selling printers with an IT degree to designing new builds for office companies and they designed the whole infrastructure of DC lines in the company so it’s so wide. And then cybersecurity, while the emphasis is on security, I’d say a good 30% is customer relations. And so a lot of my process is how do I get students to actually talk like they’re human? Because a lot of ’em, I was surprised that they’re in this field because they really should be in computer science, but they’re enjoying the diversity that the cybersecurity presents.
Steve Bowcut:
Excellent. Okay, good. No, that’s good. That kind of shows the difference between those two fields. And I agree with you that you could probably get the same job, many jobs you could get if your degree is in any one of those three, you still qualify for that job you do. So it kind of depends on where your interest lies.
Matthew Heath Van Horn:
It does or it depends on, I mean, my goal, at least that’s why I tell my kids, is to get the best degree you can at the cheapest cost. Well, if one college is offering a different title degree, but it’s 20% cheaper, go to that one. I mean, it’s just the way it is. Money’s hard to come by. You don’t want to waste it.
Steve Bowcut:
Exactly. Alright, so we’ve talked about how practical hands-on experience or learning is the way that you’ve taught, the way that you’ve had the most success in teaching. And I certainly appreciate that approach, but how do you keep the curriculum relevant?
So things are changing so fast in cybersecurity, it’s got to be one of the fastest changing disciplines. And if you’re doing this all, I mean there’s new software, what you’re teaching in hardware or software this quarter or semester may not even be relevant next quarter or semester. How do you do that?
Matthew Heath Van Horn:
Well, especially when you’re teaching and not working it. Yes, that is very difficult. So I plan my week where I spend about six to eight hours just reading the trade magazines and trying some of the stuff that’s coming down the pike. And I take a best guess.
I have to develop my classes six months in advance so that way I have time to develop the hands-on projects and I take my best guess, and sometimes I’m wrong, but the idea is if I throw enough at a student, so when I teach password cracking, I don’t use one technique.
I use about four different programs to do the same effect. And if I throw enough at a student when they go out into the field and something new comes down the line, they’re just like, yeah, whatever. This is nothing. I can pick this up. I already had to do four. So picking up a fifth is not a big deal.
Steve Bowcut:
Some of the details may change, but you certainly understand the underlying principles.
Matthew Heath Van Horn:
Right. I try very hard actually. We’re not allowed by ABET. We’re ABET certified. We’re not allowed by ABET to teach Cisco-only interface. So we use a variety of different ones to teach the concepts and generally we pick which one is the easiest one to implement in a 60-minute lesson that the students can pick up. And Cisco’s good at some stuff and Juniper’s good at others, and I prefer MikroTik. It’s free. Students don’t have to buy anything. And that’s kind of how I do it.
The other thing I rely on is the students. The students go on job interviews all the time and they go for internships and they come back and they tell me, Hey, they ask me a question about this. And I’m just like, why would they ask you that? That’s not even. And then I ask ’em more detail and then I go, I better put that on my radar.
If they’re asking questions on that, then we need to start exploring should we be teaching that? We also have a lot of industry. We have an industry board. I think there’s like 30 people on the board and once a year they’ll come in and say, Hey, we think these are the hot topics and such as that. So we have a lot of ways, but yeah, if you’re looking for a job where you only learn the material once and you never have to look at it again, cyber is not the one.
Steve Bowcut:
Yeah, exactly. All right. Very good. All right, so let’s move on here a little bit. I talk about, excuse me, I want to talk about certifications and/or extracurricular experiences. And I think those are really two separate topics because certifications are one thing and they can be very valuable in my opinion, and I’ll get your opinion, but they could be very valuable in giving someone a job.
If the HR people said, no, you have to have this certification or we’re not going to talk to you, then it’s a good idea to have that certification. And then extracurricular experiences is different that normally happens during the educational process. Maybe there’s clubs and those kinds of capture the flag kind of things. And if I could get your insight on both of those, that would be great.
Matthew Heath Van Horn:
Sure. Okay. So certifications. I don’t remember how many years ago I was asking, I don’t know, maybe 2000. I was going to conferences. I was an officer then and they were like, Hey, you need to go to these conferences and mingle. Yeah, that’s exactly what a computer scientist guy likes to do is mingle. But anyway,
I went, I was told to go, I went and I would ask people, what are you guys looking for in your workers? Because I helped develop the Air Force cyber program for the enlisted and the officers, I’m sure it’s changed a lot by now. We basically threw something together to get it started and they said, oh, we’re looking for people with certifications.
And I was like, oh, that’s interesting. What certifications? And they’re like, well, we’re looking for people with A+ and Network+ and stuff. I said, you mean those ones in the ads that says five day bootcamp guarantee pass? Those are valuable. And they go, not necessarily valuable for the knowledge, but they meet the criteria of 8570, which was the military’s guide. You can’t touch a computer unless you have this particular cert. And I was like, oh, okay. And as far as certifications go, if there is one out there that says, Hey, guaranteed pass in five days or less, it’s not a certification worth having.
It really isn’t. My personal opinion and as a professional opinion, I’ll explain here in a minute that I think other people are picking up on that because 10 years ago I was asking people, the industry experts, I said, what are you guys looking for in new employees? And they’re saying, well, we’re looking for people with degrees. And I was like, oh, okay, well that makes more sense. You want someone who’s been immersed in this technology for four years instead of someone who did the five day bootcamp and that makes sense.
And three years ago about, yeah, that’s about right. I started asking people and they said, yeah, we need people who can do, we don’t care if they got certs. We don’t care if they got the degree. We need people that’ll show up for work and someone that can do stuff. And I was like, okay, now we’re in a field where I think we’re finally maturing enough to realize that the new military has gone to, you need to demonstrate skill, not just have a cert.
And so if the military is leading, well, they’re following, I think. But if the military is going that way, then I think that’s good. Last spring I went to a conference about cyber education and the deputy something, something, something from the FBI was there and he was saying exactly that to a room full of academics. He was like, guys, you’re not producing anybody that can do stuff. You were producing people that can pass an exam. And everyone’s like, but we lay the foundational. They were all upset. I mean they were all upset. I’m just like, yeah, buddy.
But he goes, but we lay the foundation. It’s up to you to mold that foundation into what you need. He goes, I am 30% manned. If you send me someone who has just got the basics and I have to mold them, I have to take somebody who’s doing production right now and now I’m 27% manned. You are not helping me.
And so all my research right now is how do we get this hands-on stuff into the classroom at a cost effective way and get away from the multiple-guess exams that the students know how to take exams. They’ve been taught how to take multiple choice exams since whatever, they don’t have to know anything about the topic, and chances are they’re going to pass or maybe even do well on the exam. And their industry is looking at that and they’re seeing, I don’t care what certs you have. I know that was a multiple choice exam and it doesn’t mean anything.
Steve Bowcut:
That is so fascinating. If I put myself in the place of an HR hiring manager or anybody in the organization that’s responsible for making hiring decisions. So obviously certs make it really easy. Can you check the boxes? That means you’ve got a minimum, a minimum knowledge. You can do these things and degrees largely are the same thing. But if I don’t use that criteria now I have to actually assess your ability. That’s a much bigger job. Are you seeing employers that are putting mechanisms in place to test the ability of the potential employees?
Matthew Heath Van Horn:
Yeah, so I can tell how it’s evolved over the last four years. Maybe the feedback I get from students. So yes, you still need a cert to be able to apply for a position because HR doesn’t know cyber,
Steve Bowcut:
Right.
Matthew Heath Van Horn:
All they know is here’s the criteria and what do the cyber guys do? They don’t know HR. So somebody says, Hey, I need another worker. I need ’em to be able to do this. Well, what do you need ’em to do? Well, all this stuff and Network+ would be good. And so they just put down Network+ cert and you’re just like, I don’t think that’s what he said.
But anyway, so there is still a lot of battle with HR on that. A lot of my students, I don’t teach to the certs because first of all, I just don’t have faith in the cert process. I think CISSP is on its way because it’s doing more where you have to have some knowledge outside of just passing the exam and certs are going that way too. CompTIA is going that way. EC-Council is going that way where they are claiming that they’re doing more hands-on assessments.
The best ones were TestOut, but CompTIA bought TestOut and they nerfed all their certs. And I’m just like, the whole reason for TestOut was it was giving hands-on knowledge. I never had anybody with a TestOut cert and TestOut is not the Grade A of certs, it’s not the D one of college certs, it’s like D 10. But every single one of those students that had a TestOut cert could pass the second interview. And the second interview is where they are asking people to do something. They will have a test bed and they’ll say in 15 minutes, can you build me an OSPF network using these two routers? And my students can sit there and go, no problem. The ones that just take the certs, they go, I don’t even know where to plug a cable in. I’ve done everything online on paper.
And so they just look at you, well, what do the blue cables mean? What do the red cables mean? And I’m just like, oh my. And they don’t get the job they can’t do. So it’s going to take a while before HR comes up with something that they can assess people without the degree. But right now my students, they take my classes and they go study for two weeks and then they go take the cert and they don’t have any problem. They know how to do it. And so combine that with their already knowledgeable test-taking skills, they’re doing really well.
I’ve got students that are taking senior-level management certs while they’re still here and they’re juniors, so it’s not, which kind of gives evidence that the certs really may not be that much, but no, they’re doing it on their own because they know it is a problem. You got to be able to meet what the HR wants. Most companies, however, when they hire you, they’ll tell you what certs to get. They’ll give you six months to a year to get the certs and they’ll help you. They’ll buy them.
Steve Bowcut:
A lot of times they’ll buy the training materials, that kind of thing. Alright, so let’s look at, that was kind of a two part question. The other part of that question was these extracurricular experiences, and I guess probably what’s most important to discuss here is are those kinds of things part of the educational experience at Embry-Riddle? If someone comes to Embry-Riddle looking for a degree in cybersecurity or related field, will there be clubs and organizations and that kind of extracurricular stuff?
Matthew Heath Van Horn:
Sure. Yes. We do a lot of CTFs. Our current CTF team is so good that they had to kick members off the team before they competed again this year, like, you guys won last year, you can’t come and compete again for the NCAE games, which is great because NCAE is supposed to be the entry level. I’m not a sports guy, but an entry-level sports like the JV of cybersecurity. And yes, if you dominate there, you shouldn’t be playing again. I completely agreed with that decision. And then we also do CCDC.
We did CCDC, the Collegiate Cyber Defense Competition. That’s the longest running cyber defense, not attack. It’s defense competition in America and it’s nationwide. I’m the lead judge for the northeast section, so I get to fly out there in March to go to a monster someplace. But those competitions are good. Everyone loves the CTF, because everyone wants to be the hacker. Ooh, I’m in.
Yeah, that’s a lot of fun. It really is. However, the chances of you being a professional pen tester is pretty low. It’s like how many people are going to, they enjoy playing football, but how many are making it to the NFL? It’s not that many. But that knowledge translates well to good security. Now you’re saying, Hey, why am I making these decisions towards security?
Well, it’s because I taught my 12-year-old how to crack passwords and they crack this one, and therefore, if a 12-year-old I trained in a skill, not a profession can defeat the security, well then we need to work on that. And I think that’s very valid. We have four different clubs. We have an attacking club, a defensive club, women in cybersecurity club, and there’s another one. And the students just put my name down on stuff all the time. So everyone’s emailing me, Hey, what’s this club doing? I said, dude, I have no idea they need a faculty sponsor and the students
Steve Bowcut:
And you’re it.
Matthew Heath Van Horn:
Yeah. And they just put my name down, which is, I have no problem with that. I said, I don’t have time because teaching hands-on and I’m constantly developing the new products. I said, I don’t have time to coach you guys officially. They go, we just need a faculty name. And it’s like, use my name all you want. It’s fine. It’s cool. And then when they win, districts or regionals and all that stuff and they have to travel, then it’s whoever’s free that weekend, we’ll go with them. But the students run it themselves and they come in as freshmen and by the time they’re juniors, they’re running the club. So it’s pretty cool.
Steve Bowcut:
Excellent. And kind of related to that, then, I guess, is this idea of networking, not networks, but the thing that goes along with the adage of it’s not what it’s who. So how much of that, how important do you think that is, I guess is what I want to ask. And is that also something that you’ve promoted at Embry-Riddle?
Matthew Heath Van Horn:
Oh yeah. No, we promote that a lot. We have Raytheon, Honeywell, FBI, CIA, DHS, DoD. We got three ROTC detachments here on campus because all of our students, most of them qualify for top secret security clearance and they start recruiting these folks when they’re freshmen. We have 12 students right now who have full-ride scholarships and they get paid $30,000 a year just to go to school. And that’s how much these guys want our students, they really want that guy.
We have a major job fair every spring or every fall, and then we have a minor one in the spring. And if you don’t have a job when you’re leaving here, you’ve done something incorrectly. Maybe it’s your resume, maybe it’s whatever. But honestly, there’s so many openings in the field of cybersecurity that if you can do stuff and you’re getting hired.
Steve Bowcut:
Interesting. And this just brings up the names that you just mentioned there. So if a student, another hypothetical I guess is interested in working for either the military or let’s say a three letter agency and in a governmental role, what kinds of opportunities are there? Are there plenty of opportunities or do they really need to be looking at more of a government contractor? How much of this work is done on the contractor side or actual three letter agencies or military?
Matthew Heath Van Horn:
That’s rough to gauge.
Steve Bowcut:
Is it? Okay,
Matthew Heath Van Horn:
Well I mean, so I was in the military for 23 years and there’s a lot of games that are played. It’s like, oh, we’re, when they had a big drawdown of bases. Well, all they did was combine three bases into one and change the name. It didn’t really draw down, but on paper it looks like there’s now two less fees. Fewer.
Steve Bowcut:
Exactly.
Matthew Heath Van Horn:
They do the same thing with, am I a contractor? Well, they’ll say, oh, we need to recruit more of these guys. And they go, well, we can’t recruit ’em, so we got to hire ’em. So the job is still being filled, but it’ll swap back and forth between a military guy filling it. Then four years later, the DoD budget’s too high, so now it’s going to be a contractor filling it.
So now Raytheon’s got this huge contract and then it’ll go back to military. So it’s one of those things where the jobs are still there, but what hat you’re wearing or who you’re working under could vary quite widely. We probably have most our contractors either to the military or to the three letter agencies, or they work for the agencies themselves. Because I mean, we have lots of people that get picked up by the FBI, but they’re doing infrastructure work. They’re not FBI agents that there’s a whole different separation.
But same thing in, we got students who they start their internships when they’re sophomores, if their talent is good enough because apply, and they’ll get either summer internships or they’ll get co-ops, which I had never heard of before. But a co-op is when an agency hires the student for one or two semesters. They just basically pause their education and they work full-time for the agency, and then they go back and finish their education and then go back to their job.
Steve Bowcut:
And that’s their entry into that. Interesting. Okay.
Matthew Heath Van Horn:
Yep, yep. And so that is amazing. We have tons of opportunities for those sort of things. And some students, they’ve been in the job now, they don’t really feel comfortable coming back and getting their degree. It’s like, well, you still got to get your degree, man.
Steve Bowcut:
Yeah.
Matthew Heath Van Horn:
But I’ve been doing such cool things.
Steve Bowcut:
Exactly.
Matthew Heath Van Horn:
I’ve been doing cool things.
Steve Bowcut:
So maybe is it fair to say then, from the student’s perspective, the work that you’re going to do is going to be relatively the same whether you’re working for the military or a three letter agency or a contractor. So the work is going to be fairly consistent, but there are other reasons someone might want to work for the military.
For example, job stability or travel or whatever. So there’s different reasons for the employer is going to be different. Your work experience, your relationship with your employer will be different, but the work itself is probably going to be fairly consistent.
Matthew Heath Van Horn:
Similar. Well, and that’s debatable too, because cyber is so wide. That’s true. And working for the military, I mean, the military made me in charge of a motor pool for 14 months and it’s like, I’m a cyber guy, why am I in charge of the motor pool? But I made the best of it and I learned a lot about fixing fire trucks and stuff. So it was cool.
And every industry has that. It’s like, oh, now I’m in charge of special projects. Why am I doing this? This sucks. It’s like, suck it up for six months and then you’ll get a different job. I mean, even in the civilian world, it’s that way. You’re not stuck anywhere for very long. Not in cyber. If you’ve got skills, they’re going to move you quickly.
Steve Bowcut:
They’re going to move you.
Matthew Heath Van Horn:
But sometimes they can’t just pause, well stay home for nine months. No, they got to give you a project until your skills are needed again.
Speaker 3:
Exactly.
Matthew Heath Van Horn:
So it’s not always this 100% job fulfillment, but a lot of it, you can make it pretty enjoyable on your own.
Steve Bowcut:
Yeah. Alright, so let’s broaden our view here a little bit and let’s look at cybersecurity generally. I think it would be interesting to get your perspective on the challenges that you foresee in the next five years, and then maybe we can add onto that how a student might prepare for themselves for that.
But is it AI? I mean, what is it that are going to pose the biggest challenge in nation state problems? I mean, there’s a lot of things that could be, but from your perspective.
Matthew Heath Van Horn:
So I don’t, in my opinion, so this is what I tell students because parents ask me, there’s two questions they always ask me. Well, one of the questions is something similar to this. What is going on? What’s the future going to hold? I’m not a very good psychic. I haven’t won the lottery yet.
I have made plans on teaching one thing and then that became dull, a dead end. But I always tell people, I said, if you watch that 1984 WarGames movie with Matthew Broderick, I don’t know if you remember that one, but I mean, I remember watching that, the drive-in. Everything in that movie is still present today. The war driving, the back doors, the social engineering, the every technique used in that movie. And yeah, it’s fun to laugh at the cheesiness of the eighties, but honestly, every skill that was exhibited in that movie is still current today. That’s almost 40 years ago.
Steve Bowcut:
Maybe it is 40 years ago.
Matthew Heath Van Horn:
The thing is, if it’s still being done 40 years later, it’s still going to be done 40 years from now. 91% of all cyber attacks begin with a successful spear phishing attack. So the thing is, if we can’t solve that issue, AI is not going to matter. And AI is a buzzword and well technology, but technology goes through the phase of, Hey, we discovered something new.
I mean, quantum computing has been on the tip of everybody’s tongue since the nineties. I’m still waiting for my quantum desktop computer. But the thing is, first it comes out as, Hey, we’re going to do this. Then it becomes a buzzword. So everybody gets this funding, and then after a while it kind of peters out. We actually know what it’s going to do. And AI, I think is in that spot. It’s cool. AI is neat, and there could come a time where it’s AI versus AI, an attacker AI versus the defender AI.
But honestly, when I play with AI, it’s not going to be much of a battle because once the human gets in there, they’re going to fix it. I mean, look, it took how many decades for Big Blue to beat someone at chess? I mean, and cyber is a lot more sophisticated than a chess game, and I think it’s going to be one of those things. And the other one that I think is going to be huge is going to be operational technology. We already have people attacking our infrastructure for water treatment pipelines, natural gas channeling power.
All this stuff is based on technology that was developed in the eighties and it was safe until somebody had the idea of, Hey, let’s hook this up to the internet. And you’re just like, no. None of those sensors and abilities have the processing power to stop a targeted cyber attack. Some of the attacks that have gone up, we’ve had people attack our dams where they shut off the water and if it rose any higher, it would’ve destroyed the dam.
And the thing is they were doing it for practice. They found someone who built using the same architecture as the target they really wanted, and so they attacked ours so that way they could actually launch the military wise attack at the target of their choosing, but they attack the US just because we were available. So I think OT is going to be definitely a future change.
Steve Bowcut:
Yeah, I agree. I think the critical infrastructure, if I was looking for a job, I think critical infrastructure is where I would look first because I know that the need there is enormous.
Matthew Heath Van Horn:
Young people like you wouldn’t believe. I think the average person, I was at an OT conference in October, and one of the things that they were complaining about is the average person working in OT is in their late fifties that new people don’t want to come in, oh, I don’t want to get into sewer management. Okay, would you like to be swimming in it and said,
Steve Bowcut:
Somebody needs to protect it.
Matthew Heath Van Horn:
Exactly.
Steve Bowcut:
All right. So look, we’re about out of time. I want to end with a, what might be an interesting question, so if you had to condense all of your experience and everything down to one piece of advice that you could give students that want to get into that want to build a cybersecurity career, what would that be?
Matthew Heath Van Horn:
Don’t say no.
Steve Bowcut:
Don’t say no. Okay. Elaborate.
Matthew Heath Van Horn:
Please don’t say no. Somebody says, Hey, would you like to take over this? I mean, I’ve gotten so many jobs just because I was the only one who raised my hand. I got to write software for nuclear command to control. I got to establish communications for our NAOC. I don’t remember what the acronym stands for, but it’s when you see on the plane and the president has this communications, and this is the button that launches the nuke that ain’t on the president’s plane, it’s on the NAOC now. The president rides the NAOC, but that’s not the part you see.
I got to, like I said, I got to work in the motor pool, and most people would sit there like, man, this sucks. It’s like, no, I got dirty with the rest of ’em, and I learned so much about vehicles and parts and supply chain and everything else is you use that to leverage your knowledge. Then it was like two years later, I had to interview someone. They wanted some sort of supply distribution system, and I knew what questions to ask them throughout the whole chain so that way they could build the database for the parts. It was like, that’s amazing, where’d you learn that knowledge? I’ve been a project manager and I should have gotten my PMP, but I never did because it was just one of those things. It’s like, oh, great, another cert, but I have the skills. And so that helps me a lot with project management.
When we started writing the book, I had all the students write most of the chapters, and so we put all that together. They get publishing credit and people get free learning resources. We’re working on the second edition now. And so I would say, yeah, don’t say no. Take it as a challenge. And the thing is, your job is going to change so frequently that if you don’t like it, you say, no, I’ll do that. If you don’t like it, you’re not going to be there very long anyway, so just suck it up, do the best you can, and the next opportunity comes up. You say, I’ll do it.
Steve Bowcut:
Alright. So not only is that good advice for someone who’s looking to build a successful career in cybersecurity, I think that’s just good general life advice, right? If you don’t have to say no, don’t say no.
Matthew Heath Van Horn:
Right? Yes.
Steve Bowcut:
Yeah. All right. Well, Matthew, thank you so much for your time today. This has been fascinating. I’m sure that the audience is going to love it, so we really appreciate you spending some of your day with us today.
Matthew Heath Van Horn:
Well, thank you.
Steve Bowcut:
Alright. Thanks for our audience, our listeners, for being with us, and please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.