Wade Baker is a Collegiate Associate Professor of Integrated Security at Virginia Tech and part of the Business Information Technology faculty in the Pamplin College of Business. He teaches courses for the MBA and Master of IT programs and collaborates with internal and external parties to further the university’s growing list of cybersecurity initiatives. His research interests fall at the intersection of cybersecurity, risk management, business strategy, and data analysis. He received his Ph.D. from Virginia Tech in 2017, where his doctoral work focused on cybersecurity risk in supply chains.
How did you become interested in cybersecurity?
After my undergraduate degree from the University of Southern Mississippi, I worked as a network administrator for USM. I was offered an opportunity to attend a firewall management training course; it sounded interesting, so I took it. Because of that training program, I eventually became the security person in our department at the university.
This was in the late 90s or 2000. In those days, security wasn’t such a specialized thing like it is now. I enjoyed security and started specializing in it. And within a few years, I was just focusing on cybersecurity or what we called back then network security or information security.
I quickly developed a passion for security after being exposed to it. It was interesting in different ways than IT and networking were. You had this human element, there was trying to figure out what was going on, and it was continually changing. And I just enjoyed the dynamics of the subdomain of security as it was back then. So I definitely developed a passion for it.
When I look at your bio, I see that your doctoral work was focused mainly on cybersecurity risk in supply chains. Is that an area of particular interest to you, or just something you concentrated on for your doctoral studies?
It was a mix of both. The department that I got my Ph.D. from did not have any security-related focus. There were many supply chain management professors there, and that was one of their concentration areas. It deals with quantitative approaches to business problems, I call it management science or decision science.
I asked myself how I can apply these principles to security. My dissertation studied how we manage cyber risk in the context of supply chains, so it inherited that departmental focus. That type of alignment is suitable for a dissertation, and I find it very interesting.
During my Ph.D., I was consulting and working in industry. I did this study and noticed that a large proportion of incidents tied in some way to business partners. Maybe not a classic supply chain where you talk about goods from a manufacturer propagating through to a retailer, but one that takes a broader view of the supply chain to include the entire network value chain of third parties required to produce whatever it is. I’m working on a study right now about third-party risk management. It’s very similar, and I think it’s a domain that’s challenging to study.
What kinds of things are your students at Virginia Tech interested in?
I probably should set some context. I teach in a program that is a Master of Information Technology. And then, I also teach for Virginia Tech in their MBA program.
When I first arrived, neither of those two were specialized cybersecurity degrees. There were a few cybersecurity courses that Master of IT students could take if they wanted to, to meet their electives. Most of the students were general IT developers or in similar jobs. They were commonly going back to school to move to the next step in their career and found cybersecurity interesting.
Now, fast forward a few years where Virginia Tech actually does have enough electives dedicated to cybersecurity that it’s a concentration area now. We have students coming into the program that want to specialize in cybersecurity for their degree. I definitely noticed a shift.
We now have people with cybersecurity roles coming in much more than we used to, and the classes are getting larger and larger. And even in the MBA program, which is more of a traditional MBA. It’s cool because it’s a tech-focused MBA. After all, you’re going to Virginia Tech for your MBA.
It seems evident that you are seeing an increase in interest in cybersecurity. Can you elaborate?
I was teaching a statistics class, nothing to do with cybersecurity, and we went around the room with a couple dozen students just to see what they did. A third to a half of them did something related to cybersecurity in an MBA program. I was pretty shocked by that, and I think that’s partly the area of Northern Virginia. Still, I think it also shows that there’s a lot more interest in cybersecurity as a focus area for both degree and profession.
Even just a few years ago, I had 20 to 30 students in a cybersecurity class. This summer, I had 150 to 160 students. It’s an online course, so it’s a different format, but I’ve seen a massive uptick in interest among students. And the cool thing about it is that it’s from a wide range of backgrounds.
Yes, there are people who work in cybersecurity coming, and that’s what they want to focus on. But I’m equally, maybe even a little more excited about the software developers, or the network administrators or the program managers that recognize that cybersecurity is something they need some level of exposure to. It might not be their primary job, but it affects them, or maybe they’re managing cybersecurity projects, or they’re a software developer, and they need to develop secure code. I see many people from other fields, wanting some degree of understanding of cybersecurity threats and controls.
We hear a lot about a skills gap in cybersecurity; how do you feel about that? Is the increased interest you see at the academic level an indication that we are making headway against that problem?
The gap is still growing fast. That is a problem that’s got to be solved at a bunch of levels. I do think that the education industry has risen to the challenge. There are many more programs out there where you can get either a specialized cybersecurity degree or get certificates. There are lots of ways to get educated in cybersecurity, and that certainly helps.
One of the challenges is that there are many unrealistic expectations for entry-level cybersecurity positions. This is one of the things that the industry needs to figure out. If you advertise for a security engineer, architect, analyst, or whatever the role is and the job description looks like the candidate must have been in the job for five years and meet all kinds of requirements, you exclude entry-level employees. You are also excluding those for whom this would be the next logical step in their career.
I think we need to get a little bit better at facilitating people into entry level positions and then growing them and keeping them plugged in and challenged so that they don’t just leave. We can positively affect the skills gap at the entry-level, but if we lose employees later in their career to high-paying positions outside of security, we haven’t gained much.
You serve on the advisory board for the RSA Conference and the FAIR Institute. How can these organizations act as a resource for students just deciding to get into this career or to start their academic path towards this career?
The RSA Conference is the largest cybersecurity conference in the world, I believe. At least it was the last time I checked. It has a phenomenal number of excellent speakers and sessions at the event. But also they’ve started extending that content throughout the year. So it is an excellent way to understand what the industry is talking about, get the terminology down, identify some sub-areas of security that you’d like to focus on, and figure out who the key players are in that domain. All of this helps with landing your first security position or going from wherever you are to the next step. So it captures the buzz of the industry, so to speak.
The conference is making it easier to access the various types of content involved with RSA. You don’t have to go to the main conference in San Francisco once per year, which tends to be kind of expensive, especially for students. But there are student discounts, and there are other ways to either go to the event or get that additional information. So I think it’s a great event, and any way you can get involved is beneficial.
My interest in the FAIR Institute stems from my early career. I was interested in how we assess and manage risk and security. I noticed quickly that while there was a lot of “finger in the wind” gut instincts being discussed, we didn’t actually measure many things. When the business needs to understand the return on their security investment, quantify their risks and exposure, or invest more resources, more concrete data is required.
That’s where the FAIR Institute has really grown up. It’s a professional organization around a particular framework for assessing and quantifying risk. FAIR: Factor Analysis of Information Risk. There are thousands of members in that community trying to transform the way we apply cyber risk management. They are attempting to strengthen our ability to have that business-level conversation. For me, that’s been one of the crucial ways to raise the visibility of security in the organization, make it more effective, and better present what we’re trying to accomplish at a technical level to the people who control the budget of the organization.
You can join the FAIR Institute. I think it’s free to join. And there’s also an exciting program called FAIR University. There are student resources available where you can play with an application that they’ve developed to demonstrate how to do cyber risk analysis and present those results well.
So the last question that I’d like to ask is, what do you see coming down the road five years, or ten years from now? How do you see things in cybersecurity developing?
I always find these prediction questions challenging because you can’t really predict what will happen in the future to affect cybersecurity. I think this situation we find ourselves in with COVID-19 is a good example. If you had told me that a large portion of security budgets would be spent on things like remote access, I would have said, “no, that’s not going to be it.” But the thing that fascinates me, looking ten years out, is the convergence of everything. You start to see this with something like the internet of things.
I would say convergence is one of the significant security trends because, so far, we have not done an excellent job of building security into the technologies we produce from the get-go. We constantly fix them after release. And if we continue with that pattern, it’s going to be terrible because there are so many things out there and you just can’t scale retroactively in security. We’ve got to change that process. And if we do, I think the future could be brighter. If we don’t, it’s going to be terrible news.
I think DevSecOps and the cloud ecosystem that enables DevSecOps approaches are promising signs. These are gaining headway because we could escape the limitations of legacy systems and software that make it very hard to change how you do security.
I think it’s working reasonably well; obviously there are problems, but it seems to me to be a more effective and scalable infrastructure for growth than the past. So yes, I see it as a bright mark and a sign that the future could be better.
Thank you for investing your time to act as a resource for those entering cybersecurity. It has been a fascinating conversation.