Trisha Clay is the Associate Vice President and Chief Information Officer at Hudson County Community College.
A summary of the episode
She discusses her journey into the technology industry and the unique cybersecurity challenges faced by higher education institutions. She emphasizes the importance of balancing accessibility and security, as well as the need for diverse perspectives on cybersecurity teams.
Clay also highlights the use of immersive video technology to enhance learning experiences for students. Additionally, she advocates for the inclusion and representation of women and minorities in the cybersecurity field and provides advice for students interested in pursuing a career in cybersecurity.
Listen to the episode
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today, our guest is Trisha Clay. Tricia is an Associate Vice President and Chief Information Officer at the Hudson County Community College. I’m very excited to have Tricia on the show today. This is going to be a lot of fun and it’s going to be kind of a unique perspective from what we oftentimes do on this show, so please stay tuned with us throughout this episode. I’m sure it’s going to be just full of interesting information.
The topic, how we’ve kind of focused the show today, is the CIO perspective, cybersecurity, and modern higher education. So, before I bring Tricia in, let me tell you a little bit about her.
Patricia M. Clay is a strategic information technology leader focusing on the why of higher education, and we’ll talk about that a little bit later. She is particularly interested in innovation in teaching and learning, collaboration and business resilience, and information security.
She has frequently led complex multimillion-dollar projects to success. The latest has been over 40 immersive video installations across two HCCC campuses.
Before joining the HCCC team, Trisha served as the director of information Technology at De Sales University. She advocates for women’s leadership and inclusion in the technology industry, and we’ll talk about that, I’m sure.
She is a frequent presenter at local and regional conferences. Trisha is dedicated to technology that fosters student success. So with that, welcome Trisha. Thank you for joining me today.
Trisha Clay:
Well, thank you Steven. I really appreciate being here. And this is an area of particular interest for me, so I look forward to the conversation.
Steve Bowcut:
And that’s what makes it interesting is when we both have a passion for it. So before we get into the topic too deep, I think our audience would benefit from learning a little bit more about you.
So explain to us, if you will, your journey, academic and or professional journey, your background, your academic background, and then how that led you to become a CIO.
Trisha Clay:
Oh, that’s an interesting story because my original life plan was to be in early childhood or elementary school teacher. So I have degree in early childhood and elementary education from East Strasburg University in Pennsylvania.
It just so happens that when I graduated, there weren’t many jobs available in teaching in my area, and I went working in our family business, which was a printing company and for complexity printing and IT are right in parity, but I ran anything that had anything to do with the computer at that company.
Later, Printing industry is kind of difficult. We closed the business and I went to work for De Sales University. So I started working there as a desktop technician. So I started fixing people’s computers and working in computer labs at the university. Later I joined the enterprise applications team and started working on the ERP system and I sort of moved up from there.
I am largely self-taught in technology, but if you think about the timeframe in the eighties, I was programming basic and a computer in the junior high school. So it’s kind of immersed in it my whole life. So I just moved up in IT the way many people do In higher education, we tend to have small teams.
So if you’re willing to take on someone’s leaving, we need somebody to run the ERP system. Are you willing to learn to do that? Well, yes I am. And that led to project management integration, working with Linux, running Linux systems and things like that.
And so yeah, I just have a broad technology background and given that I was working in higher education, then I already had a degree in education. It helps that you understand the business itself. And then from there, I was moving and looking for jobs in the greater New York City area, which Hudson County, New Jersey is right up against the Hudson River.
So from my office you can, well, you can’t now, but used to be able to see lower Manhattan. We have a lot of large size towers going up, so, so the college was looking for a higher ed technology leader to take over. They’d had a lot of turnover in a short period of time. So I was brought in to kind of get back on a shore footing and take over the team. So that’s how I came to become a CIO.
Steve Bowcut:
That was so awesome. So I think a big takeaway for our audience from this story would be then it doesn’t really matter what your initial interest and or academic background is, you may have a degree in something that has nothing to do with cybersecurity, but if you have that technical acumen or interest in technology, there’s a path for you to get into cybersecurity.
And Tricia, I think you’re living proof of that. So thank you. Thank you for sharing that with us. And now, again, still before we get into the academic side of cybersecurity at HCCC, I think it would be interesting to talk about from your perspective as a CIO.
So you’ve got, and that’s why I’m so excited to have you on the show. So from your perch as the CIO, you see what’s going on in the IT network, the IT infrastructure for the college. So what are some of the biggest cybersecurity challenges that you face at HCCC? Or maybe we’ll talk more generally in higher education environments specifically.
Trisha Clay:
Yeah, higher education is a complex environment at our community college. I don’t have resident students, but if you think about universities or resident colleges, there’s a business, there’s a school, and then there’s a town and all of that runs through it.
And even without resident students, we have a wide variety of people accessing our network and systems. We need to balance having a streamlined, coherent technology experience for our students, faculty and staff as much as we possibly can and keeping everybody safe.
And that is extremely challenging because the attackers know that higher education is the complex environment that we try to keep an open environment that we want faculty to be able to explore and have broad access and that we have a lot of people also that come and go, right? And in a community college, we have students, this isn’t strictly speaking true, but let’s just say you should finish in about two years.
So that leads to a lot of turnover. We have up to 20,000 students that we’re serving at any given time in matriculated and also continuing education and workforce development. And then we have our employees. But that’s a lot of moving pieces.
And what we’re seeing a lot of in higher education now is gams social engineering to gain access to systems, either to trick people, to give them money directly to gain access to systems, to a business email compromise, to interject themselves into the business to get fake invoices paid to their bank accounts.
And lately we’ve seen people that are trying to change my banking information to steal my paycheck. So there’s all of that. And then there’s just someone who’s trying to upload their assignment to a canvas, which is our learning management system and running into problems. And so you have all of these people and all these different systems interacting.
And again, it’s complex environment. So we have the network, we have the servers, we have software as a service, and all of these things coming together, but we hope beautifully smoothly but also each one of those pieces could have vulnerabilities or problems that can be exploited.
Steve Bowcut:
I love that. And I think that is a unique perspective. I don’t think we really, typically, I don’t think in the industry, unless you work in higher ed, you don’t really think about that, how much complexity is involved. I mean, literally, there aren’t very many companies around that have tens of thousands of people that need access to their networks. And the turnover is just going to be a short number of years and they have to interact with the community.
And in the case of higher ed, you’re working with sometimes students right out of high school, so they’re not maybe the most technologically savvy people, or even like you talked about, the social engineering. They may fall prey to those kinds of things.
They just don’t have a life experience that’s needed to worry about that or to understand what those threats might look like. So very complex. I understand that it’s a very complex, higher ed is very complex systems and often, I dunno about a community college, but oftentimes there’s intellectual property and research and things that are going on that is very valuable to threat actors. So a lot of reasons that they would want to get into your systems.
Trisha Clay:
Yeah, it’s less so at the community college level. I think at Hudson, we do a fantastic job of getting students involved in research wherever possible, but typically we’re getting students ready to transfer to complete a four-year degree.
Steve Bowcut:
Yeah. Good. All right. One of the things that I wanted to pick your brain about a little bit that it was just interesting to me. So you’ve been described as a strategic IT leader focused on the why of higher education.
So talk to us about that philosophy and how does that influence your approach to cybersecurity or innovation or technology?
Trisha Clay:
Since my original life plan was to be an educator, I mean, education is very important to me. And I think currently and in the coming years with the rise of artificial intelligence, large language models, we need critical thinking becomes more and more important by the moment.
And I think that is critical for higher education to really take that by the reins, bring in our friends and humanities who are great at critical thinking. My daughter being a literature major, close reading and literature analysis, I don’t even understand it. I love reading books. I’m like, yeah, I love that book. And she’s like, well, the philosophy of it, I’m like, I don’t even know what you’re talking about.
But anyway, that subject matter expertise is critical to being able to identify the truth from hallucinations with AI. And AI is being used greatly in a lot of these attacks, particularly with social engineering.
But because students being educated and their success is the why, that’s what we are really there for. I have to talk to all of my teams about, our goal is for these students to get registered, take their classes, and be successful.
So remember, it’s not just, oh my gosh, how can these people need to reset their passwords five times? We need to keep our eye on what our actual goal and the mission of the college is. We’re an open access institution.
So as you alluded to earlier, a lot of people coming to us are English language learners, they’re learning English. So not only may they not be that sophisticated, they just have a high school diploma. They might not really understand English all that well.
Steve Bowcut:
All right, yeah, good point.
Trisha Clay:
So AI is fantastic for allowing us translate our website into any, not any but many 80 different languages. But now, okay, you were able to come to our website, apply to the school, and get you’re automatically accepted. Again, we’re open access, but now I need you to be able to use our systems.
So we need them to be as simple and streamlined as we can, but also protect your security while sometimes having to argue with you about why we need multifactor authentication. I try not to argue at all. I try to remind people that when you are accessing your bank or anything like that, you have to do these kinds of things.
You get a text with a code that you have to put in, and we’re putting those speed bumps in place to protect you, but that also protects the college. And yes, so every time we get a phishing attack that someone falls for, which then hundreds or thousands of emails go out to do the same thing to other people, it’s disrupting your education because now you got an email, you don’t know if it’s okay, it gets flagged to us.
We have automated processes that take care of a lot of this, but every once in a while some of these things get through and all of that is a disruption. So yeah, we’re always looking at what we can do, how we can innovate, how we can be better at detecting threats, how we can be better at, we were just discussing this morning, verifying identity when someone needs help to change their password, to update their multifactor authentication. And we’re always just trying to keep one step ahead of those attackers.
Steve Bowcut:
Yeah, absolutely. And I think we’ll come back to that idea here in just a second because that’s something I do want to talk to you a little bit more about. But before we get there, another one of the things that stood out to me in your background are the things that you have expertise in is, so there’s this immersive video installations that you kind of led a project, I understand, of these immersive video installations.
Could you just maybe give us some insight into how that initiative supports secure and innovative learning experiences for students?
Trisha Clay:
Yeah, sure. I’d love to talk about it.
Steve Bowcut:
What did it look like and how did it work?
Trisha Clay:
So the project started in 2019. Our president was very interested in being able to bring our two campuses together an immersive way. We have a one building campus in Union City, New Jersey, which is approximately five miles away, which is between 30 and 45 minutes by car, depending on what time of the day it is.
So we aim to provide full programs for our Union city, or we call it North Hudson, our North Hudson campus students whenever possible. And in 2019, that often wasn’t happening because some of the classes that you’re an accounting student, a higher level accounting class might only get two or three students in Union City.
And so those classes would be canceled and you’d have to travel for this one or two classes, which is very disruptive. And a lot of our students are work parents. So now interjecting an out best case scenario, an hour of traveling into your day just might not work.
And so now I can’t finish in two years because I have to figure out when I’m going to take these one or two classes at the Journal Square campus. So Dr. Weber’s task to me was to find, he said, look, in the nineties we had these point-to-point video systems, something like that has to exist in modern technology. And so we put together a task force and started looking for a solution.
We ultimately came up with using Cisco’s WebEx technology. Their room kit software is amazing, and it can actually connect two rooms together, and now we can add a WebEx meeting and join the world. But the idea was to connect these two classrooms where the students in the classroom, where the faculty member was not physically present would still feel a part of the conversation.
And so that technology that we use in classrooms, but we also use in some meeting and conference spaces, provides a much more immersive video capability. And as I mentioned, we started doing this in 2019. Well, it just turned out to be perfect timing because we had WebEx licenses for all faculty, staff and students available in the beginning of 2020.
And we were doing these room installations, which we worked on during pandemic lockdown. And then we were able to use for nursing and other clinical health education students where they were limited to how many people could be physically present due to social distancing.
And because the licenses and we have it set up that if I’m logged into my HCCC account WebEx account, I automatically come into the meeting, but if I’m not, so this makes it a little harder for threat actors. I don’t know if you all remember at this point the zoom bombing situation.
Steve Bowcut:
Oh, for sure. Yep.
Trisha Clay:
That went on. And so we had very little of that because as long as we all are logged into our accounts, we just come in automatically, anybody who isn’t held out in the waiting room. And so someone can look at that list and see whether we believe that that’s Stephen or not. So yeah, that’s how that came on board.
And then through some federal and state grants, we were able to roll it out to our culinary building for culinary students. We have a nationally renowned culinary program. And then also in our STEM labs where we added in both of these areas, we added cameras on a boom basically.
So the techniques that are being shown in the labs and in the culinary environment can be shown to remote participants or just on very large screens where we don’t have to all be in the literal sense breathing down each other’s necks in order to see what’s happening.
Steve Bowcut:
That’s so interesting. So that’s a really great example of the why that we were talking about. So it’s using technology to implement the why of what the school does. So I think we all know that by now that the research shows that students that are in a classroom environment are an interactive classroom environment where they have opportunity to participate in discussions will learn better than just watching a video or reading a text.
And so that’s a great example of how you can use technology to bring people in that can’t actually physically be there, and yet you don’t have to relegate them to, well, sorry, you can watch a recording of the class, but you can’t actually participate.
So I just love it when I see technology used in those kinds of applications to help people learn better. And then the other thought that I had while you were talking is that’s another good example. I think that we can look for silver linings or those things that came out of the COVID era that we can look back now and say, yeah, well maybe there’s some good that came out of that.
We really were forced to learn how to do some of this interactive, remote, interactive kind of things that I don’t know that we ever would’ve got there if we weren’t forced to do it. So thank you.
Trisha Clay:
Yeah, I agree totally. I mean, at the community college level, there were people that digitized 40 years of their work in weeks in two or three weeks, and it really was an incredibly heavy lift. And it never ceases to be a point of pride for me that our culinary group of faculty just loves to use technology. It doesn’t seem like,
Steve Bowcut:
Yeah, how do you taste that over WebEx?
Trisha Clay:
It doesn’t seem like chefs would be at the top of your list of really loving to adopt technology, but they’ve seen how they can record techniques while they’re doing them, and then students can go back later, I saw what you did. I practice it maybe, but I’m still having some trouble.
But now I can be at home and I can watch the video and practice even when I’m not in the kitchen. And of course, food network being what it is, also, it’s like that’s, oh, be these cool videos. It’s like food network, right?
Steve Bowcut:
Yeah. Alright, so now I want to circle back a little bit because we are talking about kind of this balance. So there’s always been a balance that we have to try and strike between security and convenience or usability.
So talk to us about how, from your perspective, how do you maintain seamless accessible environment for students and faculty and yet keep them safe? Obviously there’s some give and take, right? You have to teach, as I think you were pointing out earlier, you have to point out to students that know there are some steps you’re going to have to do to access our systems securely.
And yet at the same time, it can’t be so onerous that people either two things happen. They either give up and don’t participate because they don’t want to change their password or they forgot their password and it’s too hard for them to reset it.
Or they’ll find a way around the really clever ones, maybe with some technology background, we’ll find a way around to defeat the security that you put in place. And then that of course doesn’t serve anybody well at all. So talk to us about that.
Trisha Clay:
Correct. Well, I think what you’re trying to do is build with purpose, put interject security into the systems as you are building them, then putting in network segmentation, ideally when you first build the network, but that’s already builts too late,
Segmenting things off. And we’ve been adding more to our existing segmentation as we go along where the wifi network is entirely physically, logically from our enterprise networks is logically separated from any internet of things. IoT networks are separated.
So any of that that you can build in, you want to build in a system that as much as possible can automatically update itself, can flag anomalies, and zero trust is maybe not as big of a buzzword as it was.
I don’t say that we have zero trust, but we try to come from that type of perspective, which means I don’t know who you are, I don’t know what this system is. So until we can verify that the identity of that system, hardware or person we want to treat you like, okay, you can look at our website. I don’t know who you are, everybody can see our website. That’s fine.
And then you want to also look at when we’re doing implementations, it’s very important to me to look at data that we’re collecting and sending. I’m probably much to the chagrin of some faculty or staff saying, well, why are we collecting this information? Do we need it? Do you actually use it? Because any data we collect, we have to protect.
Now when I put on my other hat as an administrator, I also need data to know how students are succeeding. Are there any gaps? Are there English language learners having gaps in certain areas? Or maybe people with GEDs having gaps in some areas and things like that.
So we do need to collect information, but we also need to be intentional about what information goes where. A story I like to tell from many, many, many years ago, we were doing an ID card system that you also used to pay at the dining hall and we were sending, originally we were going to send birth dates, full birth dates.
And I was like, well, wait, what do we need full birth dates over there for? Oh, well we might want to say happy birthday to them when they’re checking out. And I was like, I don’t think that’s a good reason to have your birthday, your full birthday in that system.
But it’s having a philosophy of how do we make this technology work for the people using it? So what do they need? And as an IT group and for cybersecurity professionals, a mentor of mine always said, we try not to be the know the people of no. Right?
A colleague, David Cherry, who was the CISO at Princeton University, may have talked to him, may not. He said, I don’t want us to be the land of no. Right? We’re Yes, And.
Steve Bowcut:
I love that. Yeah, don’t say no unless you have to. You can always say yes, but if you have to qualify it, then you have to qualify it.
Trisha Clay:
So yes, and I need you to have that data in a secure system, yes, and only a small number of people are going to be able to see this. Yes. And you can analyze this data after it’s been anonymized.
So we try not to be in the area of saying no. Sometimes we have to say no because things just, no, you can’t have a download of the entire database. No, that’s not something we can do.
Steve Bowcut:
Yeah, okay. So thank you for that. I appreciate that further insight into that, which is always an interesting concept to me, making things usable and accessible and yet keeping them secure to the degree that makes sense. And you have to compromise on both sides a little bit.
So I want to pivot a little bit now, and this is something I think that you are passionate about, but we’ll get your input. So there’s this idea of inclusion and representation specifically for women, but also minorities that I think is important. It’s important, it’s an important conversation we have.
I think there are lots of women, especially young women who don’t see themselves in a cybersecurity role because they don’t really have any role models or other people that they’ve identified with in that role. So talk to us about that idea of including doing what we can to include women and or minorities to help them feel like, yeah, there is a place for you in cybersecurity.
And to even expand that a little bit, even if you’re not technically minded, if you’re not that interested in technology. You mentioned social engineering before. We need people in cybersecurity that understand social engineering and how threat actors are using it and how to mitigate against that kind of thing. And you could do that without ever even touching a system at all. So talk to us about that.
Trisha Clay:
Yeah. Well, not only is it important for women and underrepresented groups to be a part of cybersecurity and information technology because we need more people, but also because diverse teams perform better and people with different life experiences can really help.
It is so critical on a team, an IT team or a security team to have people that have backgrounds similar to some of your end users who can say things like somebody who’s have a long engineering background might not realize like, okay, this thing you’re asking these people to do that you think is simple, this little simple extra step isn’t simple and they don’t know how to do it, or the language you’re using doesn’t make sense to people.
They don’t understand what you’re trying to describe. That breadth of experience and diversity in the most literal sense of the word diversity, age diversity, background diversity, people have different come in from different educational backgrounds or different life experience or maybe they’re immigrants.
And so we support a lot of students who are immigrants. And so they might not even understand how a American higher education works or first generation students the same thing. No one in their family has gone to school. So gone to college. And much to my chagrin, there’s so many silos and weird terminology that we use, like registrar and births are like, what does that even mean?
Those terms don’t mean anything. But yeah, that’s where we need a diversity of perspectives. And as you were mentioning, there’s social engineering that we need to be able to communicate better, educate the community on, there’s communication that we as technical professionals need to do to non-technical audiences that is so important.
So in cybersecurity, there’s policy which is maybe more law procedure related. There’s the technical things that need to be engineered into systems. There’s people that need to be building these systems. There’s people that need to be integrating these systems.
There’s just so many different aspects of cybersecurity that I don’t think many people understand. We see something on TV and you got a hacker and a hoodie typing, and I’m like, no, that is not a hacker. They don’t have time to sit there typing. They’ve got scripts running, doing
Steve Bowcut:
Sure they’re using AI.
Trisha Clay:
20 different things at any given time. And then there’s the AI part of it. Not only are bad guys using AI, the engineers and those of us that are security practitioners also need to be using AI.
And So there’s just so many different aspects to it. And I agree with you totally that people don’t necessarily see what cybersecurity means. It’s a relatively new profession, and I don’t think there’s not the imagination around it in middle school that my daughter was in middle school years ago and I went to career day to talk about it.
And most of these kids were talking about being a nurse, a doctor, a firefighter, a police officer or something that they can see in the community. And so that’s why we really need to be active to try to interject really work experiences. And I don’t mean work.
I want eighth graders to work in an IT department, but job shadowing or career education where they can really understand what life as an IT person, life as a cybersecurity professional, what does that actually look like? What do you actually do? And that’s the thing that I don’t think in American education as a whole, as a whole, we don’t do a very good job of that.
Steve Bowcut:
Interesting. Okay. Thank you. We’re going to be running short on time, so I’m going to speed this up just a little. There’s a couple things that I still want to get to. One of them is certifications. So I know that you have some certifications. S
o let’s get your perspective on the important. Now let me back up a step first. So a community college specifically. And so that’s where you’re working now in a community college environment. You are preparing students to either go on to a university and get a four year degree and or start their academic career and get a postgraduate work.
Or some students are just going to work, right? They’re going to get their two year degree and they’re going to take what they can get from you and they’re going to go to work.
So let’s talk about professional certifications and the role that they play. And some people will just really love them and they say, make sure you get all the certifications you can. And others will say, focus on your degrees, get the certifications. You feel like you need to get a particular job. So what’s your take on that?
Trisha Clay:
Well, I think that there is a place for certifications and degrees, and there’s been talk at least over the last 10 years in higher education that we need to get better at showing credentials of the skills that people are learning in their degree programs.
That’s not always evident to employers. So one thing that we, and I think most community colleges are really good at is being in touch with the local workforce and employers and knowing what they need. And we try to embed those type of certifications into our associate’s degrees.
All of that being said, my advice even to my employees, Hudson, is very generous with providing $9,000 a year in professional development funds. And that can be used towards a degree program or certifications or also going to conferences.
So I encourage my employees and also students that work for us as work study students as part-timers to gain all the education and knowledge that you can and watch the local.
So there might be a particular company that you’re looking to work for, and they may publicize in their job descriptions or postings that we’re looking for people with security plus, or we’re looking for people who are CISSPs, which is, that’s obviously not someone coming out with an associate’s degree. You need a lot of work experience.
But what I advise people to do is look at your career goals and figure out in job postings or reaching out to people who are hiring in those fields, what are you looking for? I think the skills we’re providing at a community college level is something that if you have a cybersecurity AS degree, you should be able to pass the security+ certification without doing much prep other than prep you would do for any test. You don’t want to go into a test without having looked at the material in a long time.
But I think those certifications, it’s a signal to employers, the specific skills that you have. Many, many, many, many moons ago, I was a Microsoft certified professional when they first started doing those tests long, many low, many, many years ago.
And those were hard. I mean, those tasks were hard. You really had to know windows inside out and sideways. So I maybe don’t know Windows 11 inside out and sideways in the same way that I knew Windows 3.1, whatever. I don’t want to out myself on my age. There we go.
But really looking, and I encourage people to reach out to professionals on LinkedIn who have careers that you’re aspiring to or work in our higher education cause is a big technology group that is amazing. And you can really network and learn lots of great things and go to those conferences and meet people.
And I encourage people, anyone listening to this podcast, feel free to reach out to me on LinkedIn, explain where you know me from. Otherwise I get a lot of sales connections, but I’m happy to have brief chats with students on what their life plan is and what steps they should take to go forward on that path.
Steve Bowcut:
Very nice. That’s very generous of you. Thank you. I appreciate that. And our website as well. We have a ton of information about all of the different certifications that a student in cybersecurity may be interested in, but I like what you’ve said is two things.
Either look at the job you want to pursue immediately and see what certifications. You just go to these job boards and they’re going to tell you what certifications they’re looking for, and they’ll usually indicate whether it’s a must have or we would like you to have kind of a thing. So that’s one thing you can do.
And then the other thing you can do is look at where you ultimately want to end up. So who in the industry has the job now that you want to have someday and what kind of certifications and what’s their academic career look like? And you can kind of pattern it after that.
So I think that’s for young people especially, that’s a great way to figure out what they need to get where they want to go. So thank you for that. I appreciate it.
So let’s talk about roles and expectations a little bit. So somebody coming out of a community college with an AS degree in cybersecurity or related degree that has a cybersecurity component to it, what kinds of roles do you think they should reasonably be expecting to interview for or qualify for? What’s your experience been there?
Trisha Clay:
I would say mostly it’s some analyst positions or first level help desk with a security bent. It’s in the places where you’re going to be either doing a first level analysis of data, where you are starting to interface with whatever that business is.
You have to come in whatever, a cybersecurity professional, unless you work for an agency that that’s all you do. And then you’re interfacing with different companies who hire this agency.
And I would say even in that kind of, I’ve worked in a consulting role, you have to understand the business that those people are doing to really be able to help them most effectively. Right?
Banks, Financial institutions work entirely differently from a retail business, work differently from, I don’t know, a landscaping business or something, or a technology business. If you’re building a technology product, it’s just different levels. Okay, well, I have to analyze some data on a security incident at a bank and a security incident at, I don’t know, meta or something. It is just different,
Different kind of interface, different, and I think you need to understand the business on some level in order to do that. I think really if you are someone that your long-term plan would be to be working in a security unit at, I don’t know, fortune 500 company or whatever it is, well then you need to understand that business.
Now, if you want to be become a cybersecurity consultant and you want to become an expert on building secure networks or building secure servers or services or SaaS or whatever, it’s just like a divergent, it’s a path that will diver at some point.
So I think you’re looking at becoming an analyst, a helper, a technician, helper. It’s never going to say helper. That’s what I’m thinking in my mind, but I’m like, nobody’s going to ever put that in a job description.
Steve Bowcut:
Not anymore. But yeah, we used to use that word a lot.
Trisha Clay:
We used to use that word a lot. So one deficiency in the industry, and it’s coming up a lot now with AI, is just a limited number of truly entry level jobs. I talked to my fellow CIOs CISO all the time that we need to hire entry level people. No one is sprouting out of the ground as a mid-level professional. It just doesn’t happen, right?
And so I was talking to some recent graduates lately and I said, listen, if you are having trouble finding entry level jobs, don’t be afraid to volunteer for groups that you are interested in their mission anyway and help them with cybersecurity things.
You have the degree now you can. And people out there in the world, we’d like to think that they have some awareness of cybersecurity, but there are truly people out there that are doing things that will make your hair stand on end. And so those nonprofits and
Steve Bowcut:
Exactly
Trisha Clay:
Tools and soccer groups and whatever need your help. So that’s a way
Steve Bowcut:
For you that is so fascinating to me because you’re right, everybody needs cybersecurity at different levels. So your grandma has some cybersecurity concerns, whether she knows it or not.
So you come out of school with a two year degree, help the people around you understand cybersecurity, help the organizations, whether they’re paying you or not understand cybersecurity. That gives you some experience.
You start to interact with people and talk to them about cybersecurity, which could very easily lead to the other thing that I think you said that I think is really important, and that is understanding the various organizations or verticals that you’re interested in.
So the threats are different. So the threats for a bank are different than the threats for a university. Now, some of the attack vectors are going to look at the same, some of the tools that the threat actors are using, but you need to understand what is it you’re trying to protect?
Is it money in the bank or is it intellectual property at a university or is it personal information in a hospital? So you need to understand what it is you’re trying to protect before you can really do a good job at protecting it.
And I guess to answer the specific question, and I kind of expected that’s what your answer would be because that is the truth, is that you’re probably going to end up, when you come out of school with a two year degree, you’re going to start as an analyst and a SOC or something equivalent to that because that’s what you’ve been trained to do. But keep in mind, everybody started there.
So the guy who is now running the security organization for this Fortune 500 company that you’re working for, he too started in the soc, most likely either in that organization or some others. So that’s a valuable thing to remember as well. So we’re out of time. I do want to leave with one final question. I think it would be useful for our audience.
You have any advice? So if you picture in your mind a student either just starting their academic career or maybe they’re an early professional and they think they want to get into cybersecurity, what advice would you give them to get them started on the pal? What do they need to do to get started in a career of cybersecurity?
Trisha Clay:
Well, first you need to take every opportunity to learn more about that, learn more about cybersecurity. So start looking at websites, signing up for newsletters about Security Security Week. There’s so many, so I don’t want to waste a lot of our time. But listen to podcasts about cybersecurity.
There are lots of groups out there for women and underrepresented groups. There’s an organization called anitab.org that their entire mission is to increase and help women and underrepresented people in their technology careers. And they do scholarships or basically they pay for you to go to some of their conferences. And that exists in other, it’s not only that organization, I just happen to be familiar with that organization.
Make every opportunity you can to learn more about it and go out there and start your learning journey. I strongly encourage you to go out to your local community college. They will absolutely help you to get enrolled, and you can do it. You can afford it. Even if you don’t have two pennies to rub together.
There are ways that we can help you get through school. If you feel like that’s too daunting, you can start with something like a bootcamp and learn some more specific skills. If that feels like a longer, you’re not willing to commit two years of your life at this moment to do that.
So I just encourage you to get started. But get started today. Go look at those websites, sign up for those, and sign up for those newsletters or podcasts, however you learn best. Go YouTube. I’m more of a listener.
I tend to listen more to podcasts, but I know some people love videos and there’s so many videos out there and create people that you can go and follow. So just get started and then take every opportunity that comes to you and you’ll make a great career out of it. I guarantee it.
Steve Bowcut:
That’s perfect. Thank you so much. And that’s a perfect place to wrap this up. So Tricia, thank you so much. We appreciate you giving us some time.
We understand you’ve got a big job, a lot of responsibilities that you would take some of your time and give it to our audience, tell us something about you. So we really appreciate that you would do that.
Trisha Clay:
Well, thank you for inviting me. This has been a great conversation
Steve Bowcut:
And a big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. Join us next time for another episode of The Cybersecurity Guide Podcast.