Dr. Saltuk Karahan, a clinical associate professor and deputy director at Old Dominion University’s (ODU) School of Cybersecurity, whose interdisciplinary background spans systems engineering, computer science, international security studies, cyber policy, cyber war, and information/disinformation.
Summary of the episode
Dr. Saltuk Karahan explains that cybersecurity is an interdisciplinary field requiring not only technical expertise but also strong communication, leadership, risk management, policy awareness, and understanding of human behavior.
The interview also highlights Old Dominion University’s broad cybersecurity programs and his advice that students build depth in one area while staying adaptable, strategic, and committed to lifelong learning.
Listen to the episode
Read a full transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Welcome to the Cybersecurity Guide Podcast. Today we’re joined by Dr. Saltuk Karahan. He’s a clinical associate professor and deputy director at the School of Cybersecurity at Old Dominion University.
Dr. Karahan brings a deeply interdisciplinary perspective to cybersecurity education. His academic and professional background spans systems engineering, computer science, international studies, cybersecurity strategy and policy, cyber war, information and disinformation, and the impact of technology on international security.
Before his work at Old Dominion, Dr. Karahan spent several years with NATO where he helped coordinate IT related programs and worked with technical, legal and strategic experts on cyber policy and strategy.
At Old Dominion University, he helps lead a school of cybersecurity that offers undergraduate, graduate, and certificate pathways designed to prepare students for a rapidly changing cybersecurity workforce.
ODU is also recognized by the National Security Agency as a National Center of Academic Excellence in Cyber Defense, Cyber Operations and Cyber Research, a distinction that speaks to the breadth and depth of its cybersecurity programs.
Our conversation today will explore Dr. Karahan’s career journey, ODU’s cybersecurity programs, the importance of strategy and policy, and how students can prepare for meaningful careers in cybersecurity.
With that, welcome to the show, Dr. Karahan. Thank you so much for being here today.
Saltuk Karahan:
Thank you. Thank you very much, Steven, for having me.
Steve Bowcut:
This is going to be fun and very interesting. I’m looking forward to this. One of the things that we like to try to do consistently on the show is start with a little bit of background.
So please tell us about your own academic and professional journey from systems engineering and computer science to international studies and cybersecurity and what drew you into this field.
Saltuk Karahan:
Sure. My path into cybersecurity was somewhat unconventional, but I’m not sure how unconventional it is because I saw many people coming from different several areas coming to cybersecurity.
I began, as you mentioned, as a systems engineer and later pursued a graduate study in computer science at the Naval Postgraduate School in Monterey, California. And that gave me a strong technical foundation.
But at the same time, I spent much of my professional career working in national security and metric environments where I became increasingly interest in strategy and policy dimensions of technology.
And a degree at Old Dominion University, again, in security studies, concentration, international studies, a PhD in security studies also helped me develop this academic path into security, then which evolved into cybersecurity.
What happened in my military career was that over time I realized that cybersecurity sits at the intersection of technology, human behavior organizations, and international affairs.
So that combination of several disciplines is the main thing that has attracted me to cybersecurity. I’m well aware that technical vulnerabilities matter, but what I realized was so does leadership make good decisions, organizational culture, international competition, and public policy and human behavior.
So cybersecurity is one of those fields that can combine all those different things coming together. And after a long military career which recently had happened at NATO, continued at NATO, I wanted to serve in academia within cybersecurity.
Steve Bowcut:
Excellent. Okay. So given that background, your background includes work with NATO on cyber policy, strategy, capability development.
So how has all of that and your international security experience shaped the way you think about cybersecurity education, what we need to teach students? How has that shaped how you feel about that?
Saltuk Karahan:
Yes, that’s interesting. Especially during my time at NATO, I realized that cybersecurity is fundamentally a team effort and a teams sport. So what I have seen that the challenges we see in the security environment are rarely purely technical and they involve coordination among governments at the highest level, material organizations and privacy industry, academia, international partners.
So having all these partners coming into the team in cybersecurity, I realized that we need to educate students beyond technical skills and today’s cybersecurity professionals must understand in addition to the technical foundation, how does risk work? How does policy? They have to be good communicators, the leadership skills and decision-making, especially under uncertainty, those are very important skills. And now I look at the education from that perspective.
I think that eventually all our graduates, in addition to their technical skills, should be well-informed about the society, how society has been evolving, how that technology affects society and the non-technical and how can they communicate their technical knowledge to a non-technical community across organizational boundaries. I often tell –
Steve Bowcut:
Go ahead.
Saltuk Karahan:
Yeah, I often tell my students at cybersecurity that very often the failures that we see in cybersecurity are not caused by a lack of technology. They occur because people fail to communicate or organizations fail to coordinate or the leaders at the highest level fail to understand the risks involved in this. So education, in my opinion, should prepare our students to address all those challenges.
Steve Bowcut:
Yeah, I really like that idea because more and more it’s not just a technical discipline. There are so many other things in order for someone to succeed in this field, there are so many other things that they need to have an understanding of.
And I guess that being said, maybe it’s important to point out for our audience that if you are very technical and that’s really where your interest lies, there is a place for you in cybersecurity.
I like to say there’s a place for just about everybody in cybersecurity, but to really succeed in the field, it needs to be this interdisciplinary approach where it’s not just technical because there are so many other things that you need to know and understand.
So I wanted to follow up on something that was in the introduction and I think this is interesting and should be interesting or will be interesting to our audience.
So ODU is one of the few institutions designated by NSA as a Center for Academic Excellence in all three disciplines, cyber defense, cyber operations and cyber research. So explain to our audience why they should care about that. What should prospective students understand about the significance and why that is important to have all three of those designations?
Saltuk Karahan:
Yes, sure. This designation is part of an accreditation system in cybersecurity in the academic sense and in the workforce development sense. And these designations are nation recognized by NSA and they are the indicators of quality and rigor in cybersecurity education.
So as you mentioned, there are three of these designations. One is cyber defense that focus on the protecting the systems, networks and organizations from cyber threats that academic curriculum is designed to address those things. And the cyber operations on the other hand emphasizes more advanced operation and technical capabilities.
And the cyber research designation recognizes the institution’s capacity to make significant contributions advancing cybersecurity knowledge through research. I’m happy to one of those 10 institutions, as far as I know, 10 or 11 institutions that hold all those three designations across the nation.
And for students, this means they have access to a very strong academic program, great research opportunities, experienced faculty, and a curricula that align with national workforce needs.
I also want to mention that this is a good news that I want to share with our audience that we are also starting a PhD program in cybersecurity.
Steve Bowcut:
Nice.
Saltuk Karahan:
Yeah. Coming up in this fall semester, we’ll be starting recruiting students for a PhD program in cybersecurity. So what we are trying to do is provide that bread across disciplines in an interdisciplinary environment, but also the depth in cybersecurity, including research, operations, and defense in cybersecurity.
Steve Bowcut:
Wow, that is impressive. So regardless of what you want to study in cybersecurity, it sounds like ODU has an answer for that. If you’re more interested in cyber defense or if you’re interested in operations or maybe you just want to do research, you can do all of those things and you can even get a PhD.
Saltuk Karahan:
Yes, exactly.
Steve Bowcut:
That’s totally awesome and quite unique. As you pointed out, that is quite unique. So for undergraduate students that are thinking about or have the opportunity to attend ODU, how would you explain the difference between the cybersecurity BS and the cyber operations BS?
They sound very similar and if you’re not familiar with the field, you may think, well, what’s the difference there? So what kinds of students or career goals might fit into each one of those two paths?
Saltuk Karahan:
Definitely. Our major program is the cybersecurity BS degree. That degree provides a broad foundation across technical organization and policy aspects of cybersecurity, as we had discussed. And in this program, the students learn about the network security, risk management, governance, digital forensics, cyber law, and all related topics.
It’s an excellent choice for students interested in security analyst roles or security engineering, consulting, risk management, compliance, or other leadership positions. And the nice thing about that program is that there are several actives.
So depending on their interest area, as they discover about cybersecurity, for example, a student who is more interested in a digital forensics area can take the courses in the criminal justice cyber crime area and direct themselves within that program or another student who tries to do penetration testing can pursue a path in that way, ethical hacking courses.
Cyber degree operations, on the other hand, is a smaller program. It is more technically intensive and operational focused. So students spend more time developing advanced technical skills related to networks, operating systems, programming, and cyber operations.
Those students will probably see a career in the government, hopefully if they want to stay in the legal area. So in simple terms, the students interest in understanding and managing cybersecurity across organizations often find the cybersecurity, the mean cybersecurity BS degree a good fit for themselves. And the students who enjoy highly technical and hands-on environments may be drawn to cyber operations degree.
The cyber operations degree actually requires a higher level of math and higher computer science courses in that sense. But both programs, I believe both programs provide excellent career opportunities. They just emphasize different aspects of the profession.
Steve Bowcut:
Excellent. Okay. Thank you for that. And in addition to that, so ODU also offers a cybersecurity minor for students in other majors. So I love this idea as well. So why might cybersecurity knowledge be valuable for students outside of computer science or engineering?
Saltuk Karahan:
Absolutely. First, I think we should acknowledge that virtually every profession relies on technology and data. So the business leaders make cybersecurity decisions, healthcare professionals, they manage sensitive patient information, PIIs. Public administrators, they oversee critical services and educators, journalists, lawyers, entrepreneurs all operate in a digital environment.
So understanding cybersecurity at that level helps all these individuals recognize the risk in their own business, make informed decisions and communicate effectively with technical teams, their technical teams.
Even if they don’t become a cybersecurity specialist in that sense, that literacy in cybersecurity awareness and knowledge about cybersecurity has become a very valuable professional skill for many students.
And some of them, even at the later stage in their career, might find it easier to switch to a cybersecurity area because of that background that they had during their undergrad education.
And that’s why we encourage students from a wide range of disciplines to consider cybersecurity coursework, maybe add a minor in cybersecurity to their coursework so that it can open more opportunities to them.
I do know that one of our students, for example, she was an undergraduate in leadership and she had a mind in cybersecurity and just a couple of years after graduation, she has become a cybersecurity professional and changed –
Steve Bowcut:
A leader in Cybersecurity
Saltuk Karahan:
Exactly. Yes. That’s what we need.
Steve Bowcut:
That is such a valid point because we all work with data, we all have cybersecurity concerns, and no matter what you’re going into, you need to know about cybersecurity. And so getting a minor in that seems like a great idea.
So at the graduate level, ODU offers an MS in cybersecurity as well as a certificate option. And now as you’re telling us about a PhD, let’s talk about the types of students or working professionals that these programs are designed to serve. What kind of roles would you expect graduates of these programs to end up in?
Saltuk Karahan:
Sure. First, I think it’s better to start that these programs, especially the master’s program, serves a very diverse population. Some students are recent graduates who want to deepen their expertise before entering the workforce.
Some are working professionals who are already in cybersecurity and they are seeking a career advancement specialization or a leadership opportunity within cybersecurity. And because of our area, we are in Hampton Roads area where the capital of the Naval forces, Naval Field Command is here.
So we have students coming from military government defense contractors also from private sector backgrounds. So we see professionals transitioning into cybersecurity from related fields such as IT engineering, but also from unrelated fields too.
Our program has also a bridge program that they can adapt easily to cybersecurity, take some courses and they can continue with, for example, a student with a psychology background can have a master’s in cybersecurity and those skills in psychology are very valuable in a further career on their way.
Steve Bowcut:
Excellent.
Saltuk Karahan:
So the first semester of our graduate programs also allows, we have several concentrations including cyber conflict and risk management, AI for cybersecurity or security of AI and overall cyber risk management if I might have mentioned that. And those flexibility allows them to gain advanced knowledge while balancing their profession and personal responsibilities.
Steve Bowcut:
Excellent. Okay. So ODU’s cyber risk management, as you just mentioned, certificate appears to focus heavily on the NIST framework, CMMC and compliance needs in the defense industrial base.
So I’m assuming that many of your graduates end up or are headed towards work in the defense industry, if you will. So why are risk management and compliance skills becoming so important in today’s cybersecurity workforce?
Saltuk Karahan:
Yes, definitely. Early on, we have always said that cybersecurity problem is a business problem and organizations are increasingly recognizing that cybersecurity is fundamentally about managing the risk. No organization possibly can eliminate every threat, so leaders must make informed decisions about priorities, investments, and acceptable level of risk.
So the frameworks, as you had mentioned, like such as NIST or the requirements such as CMMC provide those structured approach of managing the cybersecurity risk and demonstrating that they are complying with the requirements. So as those regulatory expectations continue to grow, the organizations need professionals who can translate the technical issues into business risk and help organizations meet those security requirements.
In our area, for example, CMMC is a requirement for all the other contractors and the students that having that background can professionally help all those companies and find the profession in those areas. And these skills are especially important for those organizations working with the government agencies, defense and some critical infrastructure sectors.
Steve Bowcut:
And I just want to comment there that for those of us who have been in this industry for a long time, several decades, it used to be in the old days that we spent a lot of time and energy trying to figure out how we can even get business leaders to pay attention to what’s going on with cybersecurity. But that has really changed just over the last few years.
Business leaders across the board are extremely interested in what’s going on with cybersecurity because they are now understanding the risks. And a lot of these compliance requirements I think was brought that about, and particularly CMMC.
If you’re in the defense industrial base, you have to comply with CMMC. And I think that’s just a wonderful thing because we have the attention of business leaders across the board. So that’s my view on that.
So your teaching and research includes cybersecurity strategy, policy, cyber war, misinformation and disinformation, which is always a fascinating one, and the impact of technology on international security.
So tell us how you feel about how students think about how the students should think about these areas as possible career pathways within cybersecurity so they can understand what that would mean to their career to pursue these various areas.
Saltuk Karahan:
Sure. As we had talked, the field offers a wide range of career opportunities and there’s a growing demand for professionals who understand cyber policy, national security intelligence or strategic competition, information operations.
So governments, think tanks, consulting firms and defense organizations and international institutions all need experts who can analyze how technology affects security and society.
The courses we offer, especially cyber war that I had taught for a long time, the students find it very interesting for sure when they talk about and when they discuss. And when they look at the world global events from that perspective, they find it very exciting.
And the rise of artificial intelligence and mission formation campaigns or influence operations, especially the geopolitical competition that now we see has just increased this importance of these AA areas.
And some students who are more interested in international affairs or public policy law and strategy can find that meaningful careers within cybersecurity without necessarily becoming the software developers or penetration testers themselves.
Steve Bowcut:
There again, I love that point because there is a place for just about everybody in cybersecurity if they want to work in that career. You don’t have to be a coder, you don’t have to have real strong technical skills.
Now there are some things that you need to know to be able to understand cybersecurity and what it is we’re trying to achieve, but people that are more interested in social engineering and that kind of thing, there’s a big need for that in cybersecurity. So there’s a place for just about everybody if they’re interested.
Saltuk Karahan:
Human behavior.
Steve Bowcut:
Yes. Human behavior is an important one. In fact, the latest studies all talk about how by far the majority of cyber attacks in today’s world begin with some kind of a social engineering or human behavior aspect. And so understanding why it is we keep giving our passwords away or resetting MFAs, that kind of thing.
And AI, of course, has just changed all that in meaningful ways. So we’re about out of time, but I do want to end with kind of a forward-looking question as we like to do on the show.
So for students or early career professionals, who is our primary audience here, for those individuals who want to build meaningful cybersecurity careers, what advice would you give them about balancing technical skills with leadership, policy, communication, strategic thing, all the things that we’ve talked about? What kind of advice would you give someone in that position?
Saltuk Karahan:
Sure. First, to avoid misguiding because we have talked so much about the interdisciplinary nature of cybersecurity and how all is related to each other, it can cause some confusion too, because I want to emphasize that first my advice to any future cybersecurity profession is to build depth in one area for sure and developing literacy across many others.
So while we emphasize that interdisciplinary nature is important, but also building adept and some technical foundation is for sure very important. So strong technical skills are important because they provide the credibility and understanding in the field, but professionals who often advance into leadership positions are those who can connect technology to organizational goals, can communicate effectively and think strategically. So those are equally important too.
If I could advise anyone, I would first tell them learn how to write clearly, how to present your ideas clearly and understand how organizations make decisions, develop some leadership skills and teamwork skills as well as that. Also stay curious about the policy, business and emerging technologies.
Cybersecurity is ultimately about helping people and organizations make better decisions in a complex, continuously evolving environment. And the professionals who can bridge that technical expertise with the leadership and strategic thinking skills will be exceptionally valuable throughout their careers.
They should stay lifelong learners and they should continue to adapt themselves to new technology, to new skills, but also very adapt in making that bridge between technology and other leadership and business skills.
Steve Bowcut:
Yeah, that is so important to be lifelong learners and particularly in cybersecurity or any technology, Phil, really, because the technology is changing so rapidly just because you knew a lot of things early in your career, if you haven’t stayed on top of that, you become obsolete pretty quick.
Saltuk Karahan:
Exactly.
Steve Bowcut:
So thank you so much. Dr. Karahan, thank you for joining us today and for sharing your insights into cybersecurity, education, strategy, policy, workforce preparation, and all that we’ve talked about at Old Dominion University. I’ve really enjoyed it.
Saltuk Karahan:
Thank you. Thank you very much for having me. And I just want to remind that we still have a big gap in the workforce demand and how we can meet that. So we need more professionals in cybersecurity. I hope more and more people can join us.
Steve Bowcut:
Good plug. Thank you. We try and do that in every show. We need lots of people in cybersecurity. There’s a big skills gap out there, so we need people that are educated in this field desperately as a country. So thank you.
And for students who are exploring cybersecurity as a career path, this conversation should be helpful to you. It should be a helpful reminder that the field is much broader than any single technical skillset. Cybersecurity today touches national security, business risk, compliance, critical infrastructure, international relations, and as we’ve talked, human behavior.
So programs like those at Old Dominion University will give you the opportunity to build both the technical foundation and the strategic perspective needed to succeed in this fast-growing profession.
Thanks as always to our listeners for joining us on the Cybersecurity Guide Podcast. Be sure to visit cybersecurityguide.org for more information about cybersecurity degree programs, certifications, scholarships, career paths, and other resources for students and early career professionals. And until next time, stay curious, stay prepared and keep learning.