Dr. Tony Coulson is the executive director of the Cybersecurity Center and full professor of Information and Decision Sciences in the Jack H. Brown College at California State University, San Bernardino. During his tenure at CSUSB, Tony has led more than 20 grant-funded cybersecurity projects totaling over $75 million. Dr. Coulson also led the establishment of a nationally acclaimed cybersecurity program that spans business, computer science, national security studies, criminal justice, and public administration. The program is designated as a Center of Academic Excellence (CAE) in Cyber Defense Education by the National Security Agency and Department of Homeland Security. Faculty profile.
Listen to the episode:
The following is a full transcript of the podcast:
Welcome to the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and editor for Cybersecurity Guide and the podcast’s host. Thank you for joining us today. We appreciate your listening. Today our guest is Dr. Tony Coulson. Dr. Coulson is the Executive Director of the Cybersecurity Center, and Professor at California State University San Bernardino. And we’re going to be discussing education opportunities for cybersecurity students. We’ll focus on Cal State San Bernardino and the broader community as well, because Dr. Coulson has some expertise in that area, as he will describe.
Before I introduce our guest, let me tell you a little bit more about him. Dr. Tony Coulson is the executive director of the Cybersecurity Center and a full professor of Information and Decision Sciences in the Jack H. Brown College at California State University San Bernardino.
During his tenure at CSUSB, Tony has led more than 20 grant-funded cybersecurity projects totaling over $75 million. Dr. Coulson has also led and established a nationally-acclaimed cybersecurity program, that spans business, computer science, national security studies, criminal justice and public administration. The program is designated as a Center for Academic Excellence, or CAE in cyber defense education by the National Security Agency and Department of Homeland Security. So with that, welcome Dr. Coulson. Thank you for joining me today.
Thank you for having me.
All right. This is going to be fun and interesting. I appreciate you giving us some time today. We’d like to start these interviews with a little more background about you. So let’s start with how did you first become interested in cybersecurity? What was the driving force that got you on that course?
This goes back in ancient history. When I was 14 years old, I was playing around with computers and I put a proposal together to the city, to create a computer camp for kids, because I saw that as being the future. And the city said, “Well now, we’re not going to fund that.” So I actually created, with a partner, we created a business that was designed to train people, or train kids how to use computers over the summer. And that was actually really fascinating, because we had more adults show up than we did kids, because it was part of a recession at the time, and people saw that as the wave of the future.
Flash forward through that. I worked building computers and pushing them out to the masses at a computer store, and started looking into the various communities that had emerged. And there were these things we called bulletin boards in the day. Something you dialed in and you’d meet people that were, they called themselves hackers, and they had all these handles, and so on. And around that time, the movie War Games came out, the one with Matthew Broderick, and if you haven’t seen it, you should.
And a national newspaper contacted me because I was a celebrity at this point, having had this business and doing all of these things, a minor celebrity. Being 14 and doing this. And they contacted me and they said, “What do you think of the movie War Games? And I said, “Well, it’s great, but it’s created a culture of high tech vandalism.”
Because the hacking community at that time was not about looking at things, it was about defacing objects and getting your handle out there. And I just found that fascinating. After that I kind of was marked, and people were like, “Oh yeah, you think you’re a high tech vandal, huh?” And that started a whole bunch of things.
But it’s always been in my mind, especially when I get ahold of tools and things in the early days, black boxing and so on. How is this done? How do you defend against it? And yeah, I’ve been on and off in that arena since the ripe old age of 14. And as you know, right now I am only, based on, because you can see me on camera, but of course this is an audio podcast. I must only be 29, just for years.
Hey, that’s what I was going to say. This was just in the last few years that you’ve been… All right, well let’s fast forward to the present day. What are you currently researching or working on? What occupies your interest now as it relates to cybersecurity?
Well, the biggest thing that we work on at the university, but it is actually a national project called the Centers of Academic Excellence in Cybersecurity Community.
The National Security Agency created a designation that identifies colleges and universities that meet their strict standards on cybersecurity excellence in education. And we actually run the academic side of an association of 402 colleges and universities all dedicated to cybersecurity education. And we promote the collaboration of all of those institutions, trying to get them to work together, whether it be through conferences or sharing resources, et cetera. And also providing things for students and aspiring professionals.
Interesting. Okay. Has that been kind of a thread or a through line over the course of your academic career, or is that fairly recent? If you think about all the characteristics or aspects of cybersecurity, has there been any one of those aspects that has been consistent throughout your career?
Well, building community, when you become an academic, building a community of academics is not necessarily number one in your mind, but the number one in your mind is usually your discipline. And I do my research, I do all of those things. But what became very apparent to me early on in my academic career is, I had a great mentor who said to me, “As long as everything you do is for the students, you’re going to be okay.” And so I had come from industry, and a background as an entrepreneur, and I would sit in my office and I would think of, how could we make things better? How could we innovate and breed a culture of innovation? And when cybersecurity started with the spread of the internet and so on, and cybersecurity started getting in people’s mindset, it became very apparent there was a huge shortage in cybersecurity talent, and how can I help solve the problem?
But also at an institutional level, San Bernardino itself has suffered greatly, since base closings and economic collapses, and so on. We’re one of the worst areas in California for standard of living. I think we’re number two worst. We used to be number one, so things must be getting better.
And I said, “What’s amazing is at our institution, there are so many smart people that can bring resource and help solve problems, and be so creative. How can we harness that? How can we get that in cybersecurity, and encourage people to think bigger?” And so we started the cybersecurity program here, with this idea of, “How can I take people from an area with low expectations and show that they are world class, and that they went to a school mostly because of economics?” And then that started a snowball because we had such success, that other institutions were starting to talk to us, and said, “Well, how did you do that? And how did you do this?”
And then I looked at it and said, “How could we, instead of thinking that every cybersecurity problem is going to be solved out of the Silicon Valley or in the DC Beltway, the reality is there are thousands of institutions, especially community colleges, where there’s talent pools of very, very bright people. How can we energize them and show them that they have the ability to be in this field, an aptitude?”
And that’s kind of what gave rise to all the things that we’re doing, not only at Cal State San Bernardino, but that philosophy of reaching out through the Centers of Academic Excellence Community and say, “What are you adding to solve this workforce crisis, this gap that we have in cybersecurity talent?” And then, “You have a great idea. Why don’t you share it with this person over here? And let’s all work together.” And it’s really become a force multiplier.
Wow. I love that. That’s excellent. And that’s a perfect segue, because I wanted to ask you specifically what our audience, what cybersecurity students, what they might expect, should they go to Cal State San Bernardino? And then because of your experience with the CAE Community, maybe you could speak even broader than that.
What kinds of programs should students be looking for? And I know it’s going to vary depending on what the educational goals of each student are. Some people, they want to get a job, get a bachelor’s degree, get to work as fast as they can. Others have the resources and the inclination to spend a few more years getting educated. But what kinds of programs are available at San Bernardino, and then also that you’re aware of, across the whole community?
So the first thing that I realize is cybersecurity isn’t just bits and bytes, right? It’s very interdisciplinary. There’s cybersecurity and law; cybersecurity, public policy and privacy; cybersecurity intelligence, right? Predicting what’s going to happen as opposed to reacting.
And so we at San Bernardino created a broad amount. I think we have more interdisciplinary degrees than any other Cal State university. In California so there’s 23 campuses. We have interdisciplinary with public policy, criminal justice, computer science, information systems. We do all of that.
And then that’s where it spreads across the country, is when we are talking about the Centers of Academic Excellence Community, it isn’t just one type of degree. Students that would be listening to this podcast, if you go to CAEcommunity.org, there’s a map, and it shows every school in the CAE Community, and you can click on that school. And most of the time, if they’ve given it to us, there’s a profile on that school.
And you see the diversity of programs. It isn’t always just one color of program that says, “Oh, you must be super duper technical,” and that you must know all the Star Wars and Star Trek movies inside and out. But rather there’s something for everybody out there.
And so that has always been our philosophy, and I think we’ve carried that to the general community, of, “Let’s tell the story.”
Think about this. When we all, we’re in school, somebody made us take, more than likely in high school, an aptitude test of some sort. Maybe it was in a career center, and they made you take some battery of tests. I’m supposed to be a forest ranger, by the way, on those battery of tests. Or maybe you took something else.
And a lot of us dismissed that. We’re looking at aptitude in cybersecurity, as not who can and who can’t, but rather where do you fit? It’s a target-rich environment, when you have over, what is it, over 750,000 open jobs in cybersecurity. It’s a target-rich environment, and you can really groom your own career. And the resource I pointed out helps get you started on what direction your education might go.
Perfect. And give us that website one more time. We’ll put it in the show notes as well. So is it CAE.org or…
Community.org. Got it. Okay. We’ll put that in the show notes as well, so thank you.
And there’s another organization I’m part of, which is called NCyTE, the National Cybersecurity Training and Education Center, N-C-Y-T-E dot net. And they focus more on community college experiences, but there’s a lot of great resources there as well.
Okay. We’ll put that one in the show notes as well. All right. So a couple of times now you’ve mentioned this skills gap for cybersecurity workers. Some people call it that. I’m not sure that “skills gap” is the right, but it’s generally agreed that we don’t have enough cybersecurity workers. So I’d be interested in your perspective, how or if that shapes education, this lack of trained cybersecurity people that the industry is clamoring for. Does that change what you do in cybersecurity? How do you meet that need or prepare students to meet that need?
So what’s interesting about education. I’m at a university, and I would say, as a broader controversial statement about many universities, is that they don’t necessarily listen to what the employers are looking for, because they’re more interested in creating the future of doing things like research moving forward. That’s really kind of their goal. But a little broader.
The community colleges are more the tactical direct-to-employment enterprises. And we’re seeing that the community colleges, especially through NCyTE and others, are really investing a huge effort in creating technicians and other entry points to cyber.
I look at cyber as lifelong learning. And so I always go with the philosophy of, “How can I identify somebody?” Maybe somebody doesn’t even know that they could go to college. Maybe they’re in a career tech or what we used to call vocational ed. How do I identify them in high school? And give them an opportunity to say, “Hey, by the way, you can go to community college, and then if you started your career, how can I get you to a university? And then how can I get you to progress?” Because a lot of people haven’t figured out how smart they are.
So one of the efforts that’s very big in the country right now is something called apprenticeships, which have been big in Europe for a long time. And so we’re pioneering and working with other institutions. There’s a number of institutions nationwide. They’re actually looking at how do we pipeline people in, so they’re working in their career field while they’re going to school, but there’s a progression through higher education, which is more valuable and lucrative in your lifelong learning.
I know that the question was, “Hey, there’s this skills gap. There’s 700 and some odd thousand open positions.” Yes, but the difference with cyber is you always have to be learning something. And so we’re trying to create within the centers of academic excellence community, this lifelong learning aspect of it, so that people are moving along a trajectory, as opposed to just choosing your career, and you’re going to be doing this for the rest of your life.
Interesting. Okay. I like that. All right. So imagine that you’re talking to a, I don’t know, a brand new student, who’s just decided or is trying to decide whether cybersecurity is a good fit for them. What would be a reading list that you would suggest? And this could be books, papers, lectures, websites, or even conferences to attend.
Where would a young person get a flavor for what it’s really like? Because we all see the movies and we know what they do on CSI, right? But what it’s really like, so where would a young person get an understanding of what it’s like to work in the cybersecurity industry? What would you recommend?
Yeah. Well, there’s a couple different things. First of all, I’m going to plug the CAEcommunity.org website, but there’s something on there called the CAE Resource Directory. It’s called CARD, it’s links and other things that are interesting materials, that students and other people just might find interesting to look at. It’s a little bit of a curated list, and I recommend that.
Let me just say, I think everybody’s pretty smart these days to find out something about something, right? It’s easy, it’s Google. We don’t have to go to the public library to do it anymore. But I’d rather say, here’s some things you don’t want to do, because as you’re out there, stay off the dark web.
Stay off. Don’t think that you’re a hacker. You study something, you download something, you watch a podcast, and suddenly you’re going to start playing with advanced tools, because it’s kind of like going into a boxing ring. You might watch some Rocky movies or Creed or whatever and say, “Wow, look at those moves. I can do those moves.” And then when you get in the boxing ring and you get punched in the face, it’s a little different. So my recommendation is learn to walk and invest time in the skills, get involved in things.
Get involved in not only learning, but maybe small communities of students. And if reading is not your thing, and maybe not watching YouTube videos is not your thing, go pick up a class at your local community college, or go talk to your instructor at high school. Just pick up a class, a simple class, and see, a beginner’s class, and see if you even like it. Because I will tell you this, if you’re not interested in it, you won’t like it.
And if you’re doing it because you think you’re going to make a lot of money, you’re not going to like it. You have to really have a passion for it, and you’re only going to have a passion for it if you try something out.
All right. And that’s good life advice for any career. I mean, it doesn’t matter how much money you make, you’re going to spend just shy of that anyway. And so you need to be doing something that you really enjoy, or your life won’t be happy. That’s excellent. Thank you.
All right, so I’ve got one last question. This was kind of a fun one. This is where we ask you to dust off your crystal ball and look into the future, and give our audience an idea from your perspective, what will the cybersecurity industry landscape look like in five years or 10 years? What changes do you think you might see coming?
When somebody talks about miracle technologies, or miracle anything, always take it with a grain of salt. Especially AI. It’s a great example. Everybody’s saying they have AI now.
We used to just call it an algorithm, but now we just rebrand it AI and it makes people go nuts. Is autonomous driving really a thing? Right? We’re starting now to look and go, “Well, maybe it’s not really autonomous, et cetera.”
So always have a healthy dose of skepticism over all these miracle technologies. They’re usually pumped up more than they are reality. But having said that, my crystal ball tells me, be flexible and adaptable. That is the lifelong skill. If you, let’s say you learned on mainframes, by the way, there’s a huge job market for people that still know mainframe.
I can tell you that I learned on a mainframe operating system, and what I learned there is transferrable to what I’m doing today.
Parallel processing existed in mainframes, virtual machines existed in main… It’s all transferrable. So just be curious and always moving forward, you’re going to be fine. And to me, that is… In the crystal ball, is there a given technology? I think AI is, it’s going to be in the future. We’re probably going to call it something different. We’re going to categorize it a little bit more. But ultimately, if somebody was saying to me, what I should be interested in is, “Just be curious and you’ll kind of find and be guided along in your path.”
Okay, well that’s good. That’s a good answer. But that takes some of the pressure off. I know some students feel like they need to predict what’s going to be when they graduate in five or 10 years, what is going to be the hot thing that they need to make a decision about now? So that takes some of the pressure off.
Hey, I had a very good mentor as a professor, and he made us read this old book called Megatrends by John Naisbitt. And Megatrends was based on this idea of trying to predict the future. And it wasn’t so much the predictions, it was the method of how the future is predicted, which was, “Start reading your periodicals, read things, and if a lot of different things start coming forward, that tells you a directionality of the way things are going.” And it’s a mindset.
So I’d start getting curious and find more things out. Now we have Google, you can look at analytics and see what’s trending. But in those days, trends were all the rage. It’s really a skill to predict the future.
And that’s where that healthy dose of skepticism comes in. Because you can read a lot about AI and lots of products claim to have AI built in, but they haven’t changed it from 10 years ago. They’re just calling it something different now. I always find it interesting when I do interviews and I ask people to define AI, oftentimes that’s harder for them to do than you’d think it should be, if they really understood what artificial intelligence is about.
Well, thank you, Tony. This has been fascinating for me. I appreciate your insights and your perspectives. So thank you for spending some time with us today, and a big thank you to our audience as well, for being with us. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of The Cybersecurity Guide Podcast.