How universities are evolving to teach cybersecurity

A massive number of Infosec students have come to us as part of the military, Pentagon, Department of Defense or other government departments, and many listeners and learners are likely interested in a career in cybersecurity that could lead to a career in the government. If so, you're going to find this episode quite interesting and enlightening.

Today's guest is Chad Hardaway, deputy director of the University of South Carolina's Office of Economic Engagement and a founding faculty member of the new Master's Program of Engineering Entrepreneurship and Innovation in the College of Engineering and Computing. The University of South Carolina Office of Economic Engagement created SC Cyber to be the central point of focus for academic, government and corporate collaboration in the area of cybersecurity. The results are a strong and connected pipeline between the academic study and research of cybersecurity strategies and military and government applications for them.


Chris Sienko: Cyber Work with Infosec has recently celebrated its 100th episode. Thank you to all of you that watch and listen and subscribe to both the audio podcast and our YouTube channel. We're so grateful to hear from all of you and we look forward to speaking with you more about all aspects of the cybersecurity industry. To celebrate this milestone, we have a very special offer for listeners of the podcast. We're giving 30 days of free training through our Infosec Skills platform. Go to infosecinstitute.com/skills and sign up for an account or just click the link in the description below. While you're there, enter the coupon code cyberwork, one word all lowercase, C-Y-B-E-R-W-O-R-K when signing up and you will get your free access. You'll get 30 days of unlimited access to over 500 cybersecurity courses featuring cloud-hosted cyber ranges, hands-on projects, customizable certification practice exams, skills assessments, and more. Again, check out the link in the description below and use the code cyberwork, C-Y-B-E-R-W-O-R-K to get your free month of cybersecurity training today and thank you once again for listening and watching. Now let's get to the episode.

Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of Infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Today's guest is Chad Hardaway, deputy director of the University of South Carolina's Office of Economic Engagement and a founding faculty member of the new Master's Program of Engineering Entrepreneurship and Innovation in the College of Engineering and Computing. The University of South Carolina Office of Economic Engagement created SC Cyber to be the central point of focus for academic, government and corporate collaboration in the area of cybersecurity.

The results are a strong and connected pipeline between the academic study and research of cybersecurity strategies and military and government applications for them. A massive number of our students over the years have come to us as part of the military, the Pentagon, the Department of Defense or other government departments. And it's likely that many listeners and learners today would be interested in careers in cybersecurity that could lead to a career in government. If so, you're going to find this episode quite interesting and enlightening.

Chad Hardaway, welcome to Cyber Work.

Chad Hardaway: Thanks for having me, Chris.

Chris: So tell us a little about your tech and security journey. How did you first get interested in cybersecurity and how far back does that go?

Chad: So funny enough about seven years before I came to the university or seven years prior to me coming to university, I was a process engineer with Eastman Chemical. And we were in the early days where we were using kind of the old VAX platform to run the process. And I know that while we were there, we were talking about merging the transporting the way we ran our chemical plants over to Microsoft. Over to a Microsoft platform. That was the beginning of what I would say was my cyber journey in a sense that, at that point viruses and malware on Microsoft machines and PCs was very common and really not understood as much as we understand it now. But I can tell you that was my first, I think, I didn't know it was called cybersecurity, but the first thought of having an operator in the control room go to a website and have it crash the entire chemical process was pretty terrifying.

I was an engineer there and I left there and went to law school and I came to the University of South Carolina in 2005. Probably about five to seven years ago, cybersecurity started becoming one of the buzz words. And I was very involved in helping promote innovation and education and doing other things where I was managing the merger between academia, industry and government in terms of helping move verticals such as aerospace, healthcare, energy, manufacturing 4.0, things like that. And so we've had a journey probably the last five years in cybersecurity where, because of the manufacturing focus of our center, we started focusing on cybersecurity in terms of how do you keep IoT connected devices and manufacturing centers safe from cyber attacks and things like that. We also had Fort Gordon set up one of their major, or the army set up a major cyber command in Fort Gordon, which is about an hour and a half away from here in Augusta, Georgia.

So, I think we're closer to them than other Georgia universities except for Augusta University. And so we really saw not only an opportunity in helping. We created SC Cyber because we didn't see anybody on the state level that could provide that intersection and the ability to kind of intermediate between government, academia and industry. We'd been doing that for years in other verticals such as aerospace, manufacturing, healthcare. Like I said before, cybersecurity's the same type of problem. It really creates the opportunity for a lot of different disciplines to merge because it affects everybody.

And so the SC Cyber was kind of a natural product. It was actually the idea of a two-star general that we had in our office, General Lester Eisner. And Les really said, "We better do something about this or nobody else will." And so we did that. We created SC Cyber. And ever since then we've helped perform education in cybersecurity such as seminars. We've also helped with coordinating industry partners to come in and work with our researchers. And now we're currently in kind of the effort of organizing a curriculum and organizing training seminars for both our students inside the university and also for professionals outside as far as just continuing education and preparing more people to be effective in that field.

Chris: Okay. So how does the SC Cyber program differ from other academic cybersecurity programs in terms of curriculum and offerings? I mean, it sounds like you said you're sort of working backwards a little bit, but what are some of the unique features that you can only get through your program?

Chad: Well, I think that we've had a seven-year relationship with IBM. We've had long industry relationships with people like IBM, Siemens, Samsung, Yaskawa. This has mainly come through our aerospace and manufacturing side. But I think one thing that we offer here that might be different from other places is that we have a very active industry component. We have industry people in our buildings every day and they're constantly bringing us the industry view and industry focus on, "Hey this is what we need in the industry. This is what we see as emerging trends. And we really need an academic partner that can be responsive in providing a timely education and preparing the workforce." But also they need an entity that can provide a playground for them where maybe they bring a piece of equipment and they simulate a cyber attack and where they can do that in a safe environment or a controlled environment versus doing that in their own facilities where it could be risky.

Chris: Sort of walk me through what that looks like on a day-to-day basis. So you have people on staff or in office from IBM and Siemens and places like that. And then, so how does that sort of trickle down to the actual sort of classroom situation? Are you getting kind of briefings saying these are the things we're looking for, do the sort of representatives sort of sit in on class? Are there just sort of discussions about these problems during class situations or is it like pre-meetings or I'm just trying to get a sense of what students are seeing when they're sort of looking at all this.

Chad: Right. So it takes on a couple of flavors. I'll look inside the university first. Our main contact point and intersection point with industry and our students that are inside the university that are enrolled is through what we call our capstone programs. And so for example, I've got on my team, I've got an engineer that I hired full time to help put these demos together. And I work with the existing faculty in all kinds of disciplines, whether it be mechanical, computer science, integrated information technology. And what we're doing is the industry partner will bring a capstone project. And so we have a couple right now that we're in one of them. We're actually building a pharmacy robotics cell and so that's got nothing to do with cyber, but what we're doing is we're overlaying a cyber element to that.

So what I think also is different from us is we're very application focused. So we might bring in equipment and we might say, what are the cyber ramifications for that? Because frequently when we're putting together these demos, we're doing exactly what industry does. We're taking an established piece of equipment, but we're also pairing that with maybe very different other types of technologies, sensors or things like that. And we all know in the cyber world, those have different vulnerabilities. You may have a totally locked down robot in cell, but then you need to have a door sensor to see if somebody comes in that might be like a ring or something and that might be very easily hacked and the whole system compromised. So inside the university, our industry engagement arm is really, it's a lab that we set aside called the Digital Transformation Lab.

And so we actually teach cyber elements through the demonstration of those physical projects. And so we think it's important not only for kids to see that cyber and the cyber threat is real, we also want them to see, "Hey, this is the playground in which it manifests." Above and beyond that we are facilitating conversations inside of the university. Because another thing we're realizing in terms of workforce development and the cyber professional is that it's much more than just computer science and is much more than IT, we need people who are going to be cross-disciplinary. We need people who will be able to contemplate legal and policy problems. We'll need people that can reach across the aisle from a business perspective, maybe even from a creative perspective. Cyber is really, it's a terrible problem, but it's a very opportunistic problem because it's really making a lot of people work together that would never be together before.

So one thing we're also seeing is that yes, we need more IT professionals. Absolutely. Yes, we need more computer science people to develop, code and things like that. Absolutely. But the niche that we think we can really make a difference in is developing these cross-disciplinary people that can reach across all those aisles in those context to provide not only the computing solutions, but maybe the policy solutions and the communication solutions and the problem solving solutions for the future.

Chris: Yeah. So, I mean this sounds like a fairly radical style, I can't imagine there's all that many colleges out there that are doing something like this. Was the University of South Carolina immediately receptive to this or did it sort of hit them by surprise or did you have to sort of explain what was going to happen or were they immediately on board?

Chad: Well, everybody knew it was a problem. I think that one challenge that I'm finding across the board when I talk to people at other schools that are trying to do is that the typical computer science departments and even some of the IT departments, the teaching departments that is disciplines at a lot of universities, they're not very multidisciplinary and they don't work well with others and they can be fairly insular. And so I can tell you in the beginning we took SC Cyber to computer science and we were like, "Hey, this is going to be great. Don't you guys love this?" And they looked at us like we had a horn coming out of our head. And so that in my mind is the cybersecurity problem is that the people who we need to develop these solutions are not necessarily wired all that to all the time to say, "Yes, let's go do something different."

Or I don't know one IT manager that wants to throw his network into peril to test some cyber software. I mean, their job is to keep things the same and so I get it. I think it's a cultural thing, but I will say it also permeates those disciplines in the universities. And so I'll say when we reach back down into those areas of the university, we didn't necessarily get resistance. We got a lot of, "Hey, how do I fit here? How does this work for me?" You've got to remember also universities and the faculty there are really there to publish papers and do research. And so I think the other part that's a challenge is that the cyber research funding of the federal level is kind of lagging. And if there is funding, it's top secret in nature.

So that also makes the funding opportunities for cyber not necessarily intuitive. And there may also just be built-in restrictions. So that's why we went to kind of the multidisciplinary side because we saw people in mathematics, in languages, in a supply chain and the business schools, in the legal context, they were very hungry to jump in and say, "Cyber gives us a very interesting way to, a new way to flex our muscles and expand our territory and our influence." And so that's why, I kind of said before, we're doing this kind of backwards, we're starting kind of outside of the realm of the technical and starting more from the side of how do we build the soft skills so to speak, or the policy driven side of cyber? And let that build the case to inform the technical side and help them be more effective.

And I'm an engineer. I get it. When I was a process engineer, I wanted everybody to leave me alone. Don't mess with my rates. Don't monkey with the process. You're asking scientists to do things that's kind of against their nature. Because cyber is a very uncertain realm. It can be very tricky and it can be very experimental. So I think that's a long answer to your short question. We had institutional support from our president, but I think that we had the same problem that most people do. It's like, how do we do this in a way that's effective? And so it's taken about two or three years to come to where we are now. But we think this is a pretty good approach.

Chris: So is this, I mean, since again, this seems like a fairly unique program is there a long waiting list for students? Is this a fairly sort of elite thing to get to and related to that, are there particular skills or backgrounds that you're looking for in students who might want to enroll in this particular cross-disciplinary program?

Chad: I would say that there's a lot of students that are very interested, anytime a cyber program comes out, students are extremely interested in getting involved. And so we have a waiting list to get into our university anyway. I think our application to acceptance ratio is 10 to 20 to one, so we already have that problem inside of the university anyway. But yeah, I think that we've seen great growth and tremendous growth in our engineering schools and in those disciplines. We also are seeing that growth and interest in the business schools and things like our data analytics programs, which is a big part of that cyber solution. And I would say that the law school is probably the one we're getting ready to really develop some things in.

But I would say, yeah, there's a lot of demand. There's a lot of interest and I think in the cyber realm, one of the big problems is we really don't know what that needs to look like. So there might be a law student is interested in cyber, but they don't know how to take it. Like, "How do I take a class that makes me more effective? I don't know." And so we're working on that and that's why we really treasure the feedback from our industry partners and corporate partners because they're the ones that come to us and say, "Hey, we need help with," and a lot of times it's silly things like soft skills. It's making people feel comfortable about getting out of their own network or their own structures.

Chris: Okay. So that's part of the program as well then?

Chad: Yeah, absolutely. Absolutely.

Chris: Okay. So related to that, not just for students in our conversation before the episode, you noted that you've received support to create a portal for people in state government and military personnel to come in online and participate in materials for certain studies like CISSP. Could you tell me a bit more about this? What are the requirements for using this particular learning portal? Is this also sort of connected to the whole SC Cyber program or is it a separate thing?

Chad: Yes. So if you kind of look at our SC Cyber mission, I think we had four platforms and one of them was just education in general. The other one was research, the other one was workforce development. And then the fourth one was assets, building a cyber infrastructure and assets for the state. That was all done in line with the mandates that came out of the army for critical infrastructure protection. So if you look at that training piece and that portal that has the certifications in there, that fits squarely in our workforce development side. And so what we actually did is we have a faculty member in Integrated Information Technology, Dr. Jorge Crichigno, he went and got NSF National Science Foundation money to build this portal.

And we're working on that portal and we've developed content for it. We also, that's open to other partners. We have other partners that are developing or have products in the DOD space. And we're really trying to create a portal. And we ... our office because we're economic development facing, we work very closely with the Secretary of Commerce, Bobby Hitt in South Carolina. And the attractive part for Secretary Hitt was that we actually can provide a portal that could help his people, his state workers and people in the workforce go and get those certifications. And some of those are done. If it's a state employee, we're looking at having those done at a subsidized rate or free or funded by the state. Which is a big win for the state. And if it's somebody that's a citizen of the state, then they can get those at a reduced rate. And so far we're looking in state, that's just where we started, but who knows where it will end up.

Chris: Now, are these like videos into existing classrooms or is this more like sort of online study at your own pace kind of material?

Chad: More asynchronous kind of online learning. Some of the content we're developing, some of it we're bringing partners in and that's part of the education. There's a whole group of people out there that don't know certifications exist. Perfect example is iSec, information security auditing and that's an area where you may not need technical ability. You may just need to know how to do auditing or know how to track down those types of things. That's a very new field that's very hot in the cyber world because these are people that are saying, "Hey, I may not know everything that's going on behind the scenes, but I know how to audit a system and validate it for security." We find those certifications are even a learning tool for people where they go, "I didn't even know there's a certification for that."

Chris: Right. So I want to go back a little bit to your assertion that you're sort of working backwards in your curriculum creation, that you're getting these ideas from the companies or the government and you're creating the curriculum around that. Can you talk more about that? And in doing that, I mean, obviously we're achieving the goals that the people who are on staff, the government personnel and the corporation personnel and stuff they're getting what they want. But what is your process for taking those pieces of input and still using them to create a well-rounded cybersecurity threshold?

Chad: So we have to look at the existing programs that we have. One of the challenges that most universities have is they have to, any courses that come in and material that comes in either has to fit into an existing type of course or type of discipline or they have to create a new course for it. Luckily for us, and this is probably true for other schools as well, because we're doing the multidisciplinary approach, that actually gives us more flexibility to get other things in because sometimes those course requirements are defined very strictly. So for example, I may actually have a course or a subject matter that's computer science in nature, but I don't have a computer science class code or an approved class code that I could shove that into. So having the ability to push that cross disciplinary into math or business or even things like poly sci, I actually can teach that class and get it in.

This is part of an accreditation for university. So that's not a necessarily efficient and timely process in terms of helping universities produce classes that are maybe more relevant in the day and age. But I think that's also part of our innovation is that we're saying, "Hey, if we took the courseware that a partner wanted to bring in and we wanted that to be in computer science, well it would take us two years to do that." And in two years, the middleware they wanted, or the security software framework class they wanted would be out of date. We'd have the class, but the software will be out of date or the platform. But if I can take that same capsule of knowledge and put it into maybe like a math class or poly sci or even a business analytics class or maybe an AI class, then I get that done in real time. So I think that what we're doing is as much about innovating the way we get new and relevant content into university curriculums as much as it is, whatever the curriculum is we're focusing on.

Chris: Okay. So what types of cybersecurity research is currently being done through you in conjunction with government and military sources? And I don't want to give away secrets or anything, but what are the prominent areas of research that the college cyber department is working on with regards to the government and so forth?

Chad: So a lot of what we're doing is we're very interested in AI. And so a good example of how we operate, everybody we were dealing with on the corporate side kept saying, "AI, AI, AI, AI."

Chris: Yeah, everybody is saying AI right now.

Chad: Yeah, aren't they? So we looked at our asset base, we looked at our faculty, we looked at our research, we didn't have anything. We went to the chamber of commerce and we said, and this is another little tidbit that I think where cybersecurity professionals and the industry needs to maybe evolve. And we see this challenge happen everywhere from government to military is that we made it an economic development argument. Most people who are talking about cyber make it a technical argument or make it a, oh my gosh, the sky is falling argument, we made an economic development argument and we said to the university and to department of commerce, "Hey, it's in the best interest of the state and the university for us to have an asset in AI because that's the wave of the future."

And so we went and got Dr. Amit Sheth. He came from Wright State University. He's an amazing man. And I haven't said the word cyber at all. I've said AI. Well, Dr. Sheth comes in and he's very active in the field of what's known as chatbots. What's known as these of the computer aided helpers that are not real. And so that's a huge, if you look in the area of cyber and things like information warfare, deepfakes, that's a whole other area of cyber that we don't talk about or that's not as well discussed beyond the kind of bits and digits. And so that's a good example of one where we went and got, and this is the function of our office. We saw a gap. We were the one office in the university that we're not faculty.

We are, well I am, I mean we kind of bridge, we're kind of all over the place. But we're that one office that provides the feedback loop to the university and I also think that's valuable. That's a value proposition for us as well. But we were the ones that said to the administration, the Dean of engineering, "We got to have this asset in place." And we got everybody on it and we made the economic argument for it and we made, this is going to help us go get more grant dollars argument. And then we got that asset in. Now, I still have an issue but AI is going to be an area and chatbots are going to be an area where we're going to do a lot of research in cyber and that's extremely cross-disciplinary because that affects things all the way from healthcare to manufacturing, to the military side.

We recently got a new president of the university. He's a retired three-star general, President Bob Caslen and that's deepened our relationship with people like Fort Gordon and DOD. And I think that we don't have the top secret stuff going on right now. So the good news is I don't have any secret. I can't reveal anything because I don't have any secrets, but I would say that's also where we're trying to, we're also using those relationships as well. We also feel like the military is a great resource and feedback loop to help us build a better curriculum. So we're talking with people from Fort Gordon, we're talking to the National Guard, we're talking to the army about what their needs are and what can we develop through their soldiers out there as far as continuing education?

Research-wise AI is going to be big. We have a lot of people doing research in manufacturing and automation, cyber affects that. We do have people in our computer science area doing things on natural language algorithms and data structure and things like that. But once again, cyber from the faculty perspective, unless you've built your computer science school in the last five years, the traditional computer science faculty, that's not part of their vernacular. So I mean, it's part of their vernacular, but it's not necessarily what they're going to be teaching day in, day out or doing research. So I think that's also kind of the to be developed side of USC is, how do we take all these assets around us, our industry partners, and how do we let that inform just like with this AI hire, how do we change the face of research at USC?

Chris: Okay. So how exactly is research being conducted? Are the students and grad students doing the research themselves? What is the relationship between government, military contractors and I was going to ask if they get government security clearance, but it doesn't sound like it's quite that high level. But do the students do the actual research or are they kind of learning by watching like the professors and so forth?

Chad: So the thing that's really great about USC, which is very different from when I came here, I'm a USC graduate, is that we actually promote research engagement from day one. We have an existing research program called the Magellan Scholars program where undergraduate students can go apply for a grant and be funded to do research in a faculty in a PhD faculty led lab. And so at USC we have undergraduate students doing research that apply to that program. We have our capstone classes, which also the capstone classes not only intersect industry with the students, but also intersect industry with the students and typically a research faculty, because the research faculty are driving those demonstrations. And then the research faculty are kind of the lifeblood. They find the grant opportunities, they go get the grants. And what most people, a lot of people don't know how this works.

So here's how it works. You are a PhD faculty member, you have a discipline and you're combing the FedBizOpps website and you're looking for grants and you apply for one. And if you get one you write in students to be paid for and those students work for you. The students typically do the work. The day to day work, work. The faculty is there to provide the guidance, the wisdom and the knowledge. And so in a traditional university, this happens all the time. You have a PhD leading a group of what I call of PhD students or post docs. These are kids that are either have a PhD that are trying to do research for people that are on their way to getting PhDs.

I think the difference, the additional thing we provided is that capstone experience, which also not only leads them in contact with a faculty research but also an industry partner. And then we have the undergraduate side. And so we anticipate also the Magellan program maybe creating like a cyber undergraduate research opportunity or a cyber involvement. We don't have that yet, but we're seeing those things emerge as we build kind of these cyber demonstrations.

Chris: Okay. So the research that you provide to these government groups and so forth, is this proprietary to the government? And how do these specific findings sort of impact the way the classes are taught or do students also get case studies based on government findings and so forth?

Chad: Yeah, they can. They can. And so the way that works, is about, oh gosh, in the 1980s, there was an act called the Bayh–Dole Act. And what that allowed happen for universities is that universities before that, if a university got federal research funding and they developed something, it was owned by the federal government and they just kind of took it, you just gave it all back and it was like, "Hey, good to see you." After the Bayh–Dole Act that let universities take title to those inventions. The government still has some residual rights, but the title over those is held by the university. So one of the areas that I manage is when we have faculty develop patents or ideas or proprietary stuff out of that research funding, we patent those. And the funny thing is, our goal is to get that out there.

When we patent it or get it out there, our goal is to get that out in the marketplace and publish it and talk about it. We use the patent process to protect that and to create value. So an industry partner will say, "Hey, it's worth it to me to come and get this technology and take it to the marketplace." There's value in protecting that because if we didn't protect it, nobody would commercialize it. If we have top secret research, which I hope that's what we're building towards is building some top secret research, top secret capabilities. That would be owned by the military and kind of delivered more on what I'll call a contract delivery basis than a pure research grant. But nonetheless, there's still that intellectual input. There's intellectual protection and then there's intellectual transfer to that entity. That being said, the federal government, when you develop something, they're not in the business of making stuff.

So that also creates business and startup opportunities. Because if we create something even under top secret, we deliver that in the military, they're probably going to need a partner, a company, a small business to develop that.

Chris: Manufacturing. Right.

Chad: And we also believe that for your listeners is the opportunity in the future as well, is to be one of those companies that can partner with universities and develop joint intellectual property even if it's top secret and let that add to your business bottom line. We have a company right now called NineFX in our incubator, he was a guy, he's in the cyber guard. He's a national guard now, but he was on the inside riding the wrecks on cyber. He got out and he formed a company and he's going after federal contracts and winning them and he's using our students and faculty as resources.

Chris: So to that end, let's talk about the sort of pipeline from the academic sphere into the government. Does studying in this program give you a leg up into careers in government or military positions?

Chad: Yeah, absolutely. Because the ultimate goal is that you are coming here, you're in a curriculum, or a design curriculum or a program that's been designed by the very people that want to hire you. And so having that feedback from government and industry partners is absolutely what is absolutely geared towards preparing you to be hired by them because everything you've been doing has been informed by what they need. So, yes, absolutely.

Chris: Okay. So what tips do you have for our listeners who might be interested in getting into cybersecurity, especially in government or military applications? Are there certain skills or experiences or search or projects that they've completed that would make them more marketable in these sectors?

Chad: I mean, I think the first thing is learn about certifications and learn about what certifications you can go after and what's needed. So for example, CISSP is a great certification. The problem is you can get certification, but you're really not official till you have three years of experience. That being said and I'm getting ready to take it, is that ISACA the information security organization, one of the largest in the world by the way. They actually have a program and I can't remember what, I'm going to butcher it, but they have a program where you can be a non-cyber professional or non-computer science person and be a business person and you can go get the certification and it's called like a CyberX program or something like that.

And I know many people who were out in the working world and went back and got a cyber forensic degree, or cyber auditing type, specialty type degree. And so I think that for your listeners, I would say, look at what the needs are out there in the marketplace, look at where people need things and then go get those skills. And so I think that we are seeing also a strong interest in people that know how to do cloud development because cloud is becoming the platform where people are developing software more than just having the native apps. So if cloud is where stuff's getting developed, that's going to be where stuff's going to get hacked. And so really we see that we're not going to be able to create the curriculum that has all the answers and create and meets all the gaps.

But I think that the multidisciplinary part of that is something that also I would train people for the work environment. Because if you go to work, and even in government, even in industry, you're going to need to be able to work with a lot of different types of people. And so that's the way we're doing that. We work very closely with our state CIO and state department of administration. And so we feel like those people are giving us a good finger on the pulse of the type of people they're looking for.

Chris: So I always like to ask this because I think a lot of people feel sort of stuck in their day job or don't know where to go next. But for listeners who might feel stuck in their jobs right now who are looking to make a switch in career to cyber or climb up to the next ladder. What are some things they could start doing today that would get them unstuck? Are there services on your portal or site for civilians or absolute beginners who might be involved in say government that want to kind of transition over to cyber?

Chad: Yeah, I would say look at organizations. I've mentioned it before and I'm probably beating the dead horse, but ISACA is a great one. They're out there and there's a bunch of, look for cybersecurity professional organizations that are in your local area. Get on Google Scholar and look up cyber research articles. Get on some of these blogs and just see if there's communities out there of security professionals and that would be the place to start. And then start networking. And if there's some events near you where it's talking about maybe the state of the cyber industry or a cyber defense area or issue. Find a conference and just go talk to people.

We actually I've gone to a cybersecurity law Institute up at Georgetown law school. I do that almost every May. And then when I go out there, there's tons of companies. There's law firms, there's DOJ and because the first thing you need to figure out as a person, if you're looking for a job, is what are you interested in? And what areas in cyber are going to be the best fit for you. Some people are very suited to auditing, some people are very suited to policy. Some people love to be the button pushers. What we're seeing in the cyber world is that depending on where you fall, there's very different skillsets that are identified and needed. And you can do, like me, I've got three degrees, so I just kept going to school.

So find something where there's a program and just get into it. And sometimes those people, people I've talked to that have gone and gotten the information security degrees, they had no idea what they were going to do, but when they got that degree and they networked and they got in the community, that helped them get that job. But I think a lot of it's just there's a lot of it that's not resource based. There's a lot of that that has to do with the people themselves out there. But there's tons of resources. We have a website called sccyber.org. I don't have the website to the portal that we have, but those things are out there. And so just look into those and start asking questions and start making phone calls and having conversations.

Chris: So it's been on the table for over a year now in terms of hot topics, what is your perspective on the cybersecurity skills gap? Do you feel this particular combination of academic study in public and private sector cooperation maybe could provide a possible blueprint for solving the issue or sort of what is your perspective on it right now?

Chad: I think that is the challenge that we are trying to solve today. And I think that we'll be doing that forever because cybersecurity is so quick, fast moving. But I will tell you that, that to me is the big challenge for universities not only in cyber but in all areas in that we have to find a way to be responsible. And number one, we have to find a way to listen. The most important thing that I do is listen to our outside partners and then really try to hear what they say. And so yeah, I think that is the real problem to be solved in the future for universities in these types of fields that are so fast paced and changing. Because we know that the minute we get some curriculum put in, it's probably a year or two for being obsolete, but I think you've hit the nail on the head and I don't think that's true.

I don't think that's just true for cyber, I think is true for a lot of disciplines. That's why we love having this industry engagement center, this Digital Transformation Lab, because it's built kind of into the fabric of the university, that industry feedback loop. But I do agree because if we don't, as the universities, if we don't do the job of educating people. The industries will start their own new universities and the vendors and the companies will just start their own universities and that's just, that's going to be... And sometimes it's necessary, but I think that that's the job where the universities could really add value that we're not doing the job we could right now.

Chris: So as we wrap up today, what are some big projects on the horizon for you and SC Cyber? What are some of the directions that you're looking forward to in 2020 and beyond?

Chad: So right now we're participating in an exercise with the military called a Jack Voltaic exercise. This is put on by West Point Cybersecurity Institute and it's funded by the army. And they're going to run a simulated cyber attack on our port for Savannah, Georgia, and for Charleston, South Carolina. I was there three days last week sitting in a law and policy, tabletop exercise. So for us, 2020 for me is the year of really building those solid relationships with DOD and our military partners at Fort Gordon and doing exactly what I've been talking about. Meeting with them, finding out where the gaps are, finding out what programs or classes we need to add or adapt that are going to do a better job of meeting their needs. Another one that's from the military side, another one that's pretty interesting is just making it easier for military personnel to get regular college degrees in other areas of study.

We're also seeing the cyber professionals as something that's a positive for them is just going and getting another discipline study, making them more well rounded, more informed. But for me I think mission one is really working hard with the military on this Jack Voltaic exercise and letting that drive not only awareness in our local government and industry about where their gaps are in terms of how they respond to cyber attacks. But also what are the gaps in the military and how can we do a better job of that?

Because something that hit me last week in the law and policy tabletop is if you have a cyber attack on a company or it affects a state government entity that's only triggered company law and state law. And DOD is federal. And so I learned last week there's a huge process of events just to get the DOD and federal side involved. You don't always need to get them involved, but that's a perfect example of a policy issue, not a technical issue, but a policy issue that delays responses and delays how we react to these cyber events that can create tremendous problems for us.

Chris: All right. Well, Chad Hardaway, thank you for taking time with us today. That was really interesting.

Chad: All right. Thank you Chris.

Chris: And thank you all today for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And for a free month of the Infosec Skills platform that you heard about at the top of today's show, just go to infosecinstitute.com/skills and sign up for an account. In the coupon line type cyberwork. All one word, all small letters, no spaces for your free month. Thank you once again to Chad Hardaway and thank you all for watching and listening. We'll speak to you next week.
