A (10:36)

name is Lara Ferri. As you said, I've been at Arizona State University since 2010. I got to know you Kim. You know, through my role when I was the school director that offered or you know, launched and offered a degree in cybersecurity and some related fields. And so initially got a crash course in that space, but now it is a space where I find myself often not just in sort of degree offerings, but now that I'm the vice president of research here at asu, I find myself being the one faced with cybersecurity concerns related to research, security and collaborating with a mutual friend of ours who's the CISO here at ASU to make sure that the research is secure and that we are leading the way in terms of meeting the requirements of our partners, contractors, federal government and so on. So cybersecurity has come to be a thing I know and love.

B (11:35)

I think you're amazing, but you know that anyway, it's worth, I think, the audience understanding just in terms of not only the diversity of background that you bring to the equation, but one of the things that I wanted to spend this podcast talking about, and if I were to break it down, there are probably two halves of this podcast. One half is talking about, for lack of a better term, the mechanics of academia. Because one of the things that I found, and it's not just because I went to a non traditional university, AKA West Point, but I didn't understand the mechanics as to how the courses worked, how courses were built, built, et cetera, and some of the challenges and hoops that you have to go through to put together new programs, even a new course within the environments. And then I want to talk about that controversial big air quotes topic here regarding the value of a four year education in general and some of the things that I do not believe our audience understands that universities in general and ASU in specific and have done to address that problem regarding the practicality and the utility of that four year degree. So. And you recall this 10 years ago? Believe it's been 10 years, 10 years ago when, you know, I came to ASU and said, you know, we said we're going to build the program, the mechanics associated with an accredited college or university creating courses and creating programs is something I don't think industry fully understands. Could you give us a 10,000 foot view of that for my audience?

A (13:22)

Absolutely. And you know, I'll speak to some issues that I know you and I ran into, but you know, interrupt me or, you know, ask me to elaborate or include things that I might be missing. But you know, the creation of even just a course in the university setting, it's not that it's overly complicated, it's that the course needs to be matrixed in with other courses. Right. So that we make sure whatever, whatever we're attempting to convey in the course, whatever course is supposed to become before that the students get what they need to flow in. And whatever learning objectives they're supposed to meet and take away from the course, once they complete it, flows into something else. Right. And so that there's value in it. And I know you might find this shocking, but everything that a particular academic might want to cover, we do have a certain degree of academic freedom granted to us to cover what we think is important in courses based upon our disciplinary knowledge. But that doesn't excuse us from making sure that the courses are matrixed in that way. Right. That there are clearly stated objectives so that the students understand how to succeed in the course and what success looks like. Right. And what they should be walking away with at the end of the course, they can point to it and say, I can do these things that should have some demonstrable advantage to them in the area that they're studying in their career field. Right.

B (14:53)

So let me dig down on that one a little bit in terms of what success looks like and what the learning objectives should be in general. And I know you do not speak for every academic institution out there, et cetera, but as a reference point, you're more knowledgeable and experienced than I am. And most of my audience is what is academia's willingness and or challenge with input from industry regarding this is what we need. So success should include this.

A (15:30)

Right? I would say very, very open. I think in my conversations with folks even at other universities, though I obviously don't know the ins and outs in the particulars. It is a strong desire of folks at universities to make sure that what we teach our students, we take responsibility for that and making sure that it is relevant and useful. It is what industry is looking for. But herein lies the rub. And you're gonna get a giggle out of this. Cause I know you've been on this journey with me. When we talk to our industry partners, each one wants something different.

B (16:07)

Shocked, I am.

A (16:09)

Each company would like us to teach these students to code the way they code and to use the software they use and to be prepared to step into a job at their particular industry so that that company does not have to do any on the job training at all. The graduate reproduces ready to take a job at Company X doing Company X.

B (16:33)

Pretty sure I know the answer to this one. So hopefully this is a softball. What is the challenge with that? Or what is the challenge with that? Expect us having that expectation from a university.

A (16:43)

Right. And I don't mean to paint everybody with a universal paintbrush. There's of course, folks who get it, but. But, you know, the problem with training a student to take a very specific role at a very specific company means that we have potentially trained them in a way that they cannot get a job at any other company. Right. Right out the door. And even with that specific company, if we've trained them to do what their company's doing right now, that person may not be able to pivot and grow with the company as the company changes the way they code the software they use, whatever tool it is we're talking about. Right. So as the company evolves and changes, the student we place at that company needs to be able to evolve and change too.

B (17:30)

Okay, so that begins the segue, and we'll probably end up bouncing back and forth. One of the things that academic institutions have been under fire for, and I'm not just talking political administration, et cetera, I'm talking the past decade have been under fire for, is too much theory, not enough reality, at a hugely expensive cost. Now, one go down a tree branch that I want our viewers to understand regarding the cost pieces, et cetera. I would love to begin to discuss what you would say to that for people who would criticize that or people who have the option to go to university and yet choose not to because they think it's meaningless. Talk to me.

A (18:23)

Yeah, I love this branch that we're on right now. And it is this balance of theory with the very practical hands on doing the skill, making sure, you know, you can lift up the hood, see how it works, if you know what I mean. That balance is something we think about a lot of. And I would say I do see this more and more across this degree area, at least in other universities as well. I see people listening. People understand that students need to not just theorize, but know how to turn a wrench, if you will. One of the things we have here, and you'll see this other places as well, is this category called experiential learning. Right. So in all ASU degrees, in fact, there is this experiential learning option, and in many degrees, to include our cybersecurity degree, the experiential learning part is a required element in the degree. And I would say that students who are looking at a university degree should look for a degree program that has that required experiential learning element.

B (19:34)

Are you seeing more universities, particularly within tech fields, requiring this? I know you're not speaking, but in

A (19:40)

general you're Seeing more in general, I see this quite a lot. And part of it is because the industry has demanded it, of course. Right. But part of it too is that we in many cases recognize the balance. We have actual practitioners like yourself teaching some of the courses, balanced with some of the more theoretical folks like myself, who've never been in the wild. Right. Balancing the more theoretical perspective so that, so it starts there, right. And translates all the way down to, you know, an internship, for example, where a student is working at a company doing the things. But that requires too, that the company meet us halfway and provide internships where the student is doing the things. Right. Not answering the phone and gathering coffee.

B (20:24)

Let's poke at that. And again, we're going all over, which is what we normally do. But let's poke at that a bit. What has been the responsiveness of this industry to providing internships and providing real internships? And let's talk a little bit because I know ASU does a lot of rigor for this.

A (20:43)

Right.

B (20:44)

You know, ASU has rigor behind internship requirements. So first let's talk about the rigor that you place regarding internship requirements and then let's talk about the responsiveness you've seen. And here's a heads up for gang or not seen regarding people willing to provide those. Talk to me.

A (21:02)

Right? Right. The rigor comes from the fact that we're actually awarding academic credit for this internship experience. Right. Like it will count towards their degree. That is our sign, or our signal, if you will, to the, to the folks engaged that we value this as a part of your degree. It is not do your courses and it is part of the degree now because it bears credit. Right. We're required by our board of Regents to ensure that this internship has a certain number of contact hours like a course does. It meets a certain set of learning objectives like a course does. And so we enter into a written agreement, called a student placement agreement with the internship host to ensure that there are stated learning objectives and that there are is a measurement of the students sort of acumen relative to those learning objectives by the time that is done. So there's a midterm meeting and an interim meeting. Right. Not an overly cumbersome, but an actual sort of analysis and project. The student has a paper, the student has to hand at the end stating, this is what I learned and this is what came of the time that I spent with this company. And so in those ways we make sure that they aren't fetching coffee and answering phones during this interview.

B (22:28)

Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs, and instead spend your time focusing on helping your business and customers thrive. Meet Meter the company building full stack, zero trust networks from the ground up, with security at the core, at the edge, and everywhere in between. Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens patching risks and reduce the inefficiencies of traditional infrastructure, from wired, wireless and cellular to routing, switching, firewalls, DNS security and vpn. Every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's M e t e r.com CISOP. What's been the responsiveness in terms of internships? Are you getting enough real internships to cover your cyber student base and are those companies stepping up? Talk to me.

A (24:24)

I would say there's never enough and as you know, it's a very popular degree and lots of students want to do cyber, which is a point I'll want to return to later. And so this internship piece is incredibly important. Not just so that they're prepared for you all out there listening, but so the student knows this is what they want to do. We do have many companies that have stepped up, but they can't. Their issue is that they're carrying too much of the internship burden, right? They're carrying so much of the load and we always need more companies who are willing to step up and to I guess maybe marketing piece to add to the companies. You do not have to pay the student. They're getting academic credit for this. So that is the carrot in all of this.

B (25:11)

You're aware, without getting into specifics, the story regarding me trying to get the attention for interns when I was a ciso of a global 1000 company of several universities and not being able to get response from that university to do what I needed to do, understand? So I guess the best question is how in general, if someone says I want to help, there are a lot of places Where I don't see the university outreach to the community. And there are a lot of places when the community goes to reach into the university. And I say this with all affection, the level of bureaucracy that exists within various universities. And if I'm not in the right school or not in the right place, you can get lost forever. And If I've got 156 things to do, that dog just ain't worth hunting for me. So how do you tell us, how do we go about saying I want to help? Where do I go? What do I do? Where should my starting point be?

A (26:21)

Yeah. A university the size of Arizona State University in particular. We call this the challenge. Finding our front door.

B (26:29)

Yeah.

A (26:31)

And finding our front door can be a little bit challenging for folks. I would say the improvements we've tried to make in our space on and our side is to create a very. Most people are using the web these days, right. To at least find a name of somebody. Then they might follow up with a phone call or an email or whatever. So we've created, and this is in response to several sectors I would lump together. Cybersecurity, anything related to semiconductors and microelectronics, various tech related degrees. Where we're using the term workforce development is a priority. Federally, locally, state level. Right. How are we preparing our youth and anybody for the jobs that are available now and into the future? And so this workforce development presence is now something you can find fairly easily. You can find a description of various ways to get engaged if you are a company. You can find a description of various things to take advantage of if you are seeking training. And it doesn't necessarily mean just college degrees through the workforce development pages that we've developed on the site. I'm not claiming we've nailed this perfectly, but I'm claiming we are trying to coalesce that together and make it easier to find our front door.

B (27:51)

So that's asu and that's great to hear. To be brutally honest with you. In general, I have listeners in many of the 50 states. I've got listeners in Australia. If someone says, I want to figure out how to. I know my university has a cyber program. I want to figure out how to get engaged to, you know, from an internship standpoint, from an advisory standpoint, what would you advise them to do?

A (28:17)

Right. I would say generally speaking, the best way to find a human being is to find the cybersecurity program. Like you said, find. Okay, this is the college or university or school that I would like to work with. Find their cybersecurity program. So the program will be housed. ASU will be housed in a college, the College of Engineering, for example. And at this point, you'll want to find that degree program, find out where it's housed, and then find the leadership of that college. Find the school director would be a title you're looking for, or department chair, or even the dean. Find that name and send that person a note and say, I'm trying to get involved. I have open positions where I would like to take interns from your program. Tell me who to talk to.

B (29:06)

Fantastic. A couple other things I want to hit, but I want to go back down that point you talked about, about wanting to enter the program. You said you wanted to come back to that. Talk to me.

A (29:17)

Yeah. I think we're at a particularly important moment in time where the value of a university is being challenged, not just in cybersecurity space, but everywhere. And I want to be really forthcoming in admitting this is a reputation we have unfortunately earned.

B (29:35)

We, meaning universities in general, meaning universities.

A (29:38)

Right. We have sat back on our laurels, in our ivory towers and said, just trust us. Right. We're doing great things. We're helping the young people think. And that is true. I mean, I do. I'm very much in favor of helping young people to learn how to think. But we haven't taken it upon ourselves to explain the value of a university degree and to. And to explain the ways in which we are trying to adapt and change and meet modern demands. But we're not communicating that well. We do recognize that the workforce is changing. We do recognize that students shouldn't be asked to spend 5, 6 years at university and graduate in mountains of debt and take a job there and where they may not be able to pay that debt off for 30 years. Those are things we're completely aware of. And we have taken really proactive measures to change, but we haven't communicated the change well. And therefore, we need adaptation.

B (30:39)

Yeah. Give me two examples from asu, or, you know, more if you have them, because I. And again, I have the advantage. We've had this conversation.

A (30:51)

Well, we've run into this one, right? Here's two examples from asu. I'm gonna compare myself as a college student to college students now. When I was in college at a university in Arizona, to remain unnamed, I. I'll never tell. Went to sign up for my freshman courses, and the freshman English class I needed was full and was told, that's just normal. You're not gonna be able to take freshman English until you're a SO and it'll probably take you five years to graduate from here, and that's just not acceptable any longer. You need to be able to graduate in four years, and we make sure that students are on track to do that by making sure there are enough sections of a course open and making sure we mark certain courses as what we call critical tracking courses. That means advising is going to check in with you at that point in your degree program, if they haven't heard from you regularly already, to say, are you on track to graduate on time? Because we have a burden to taxpayers and to the students and to their families. If our students are on Pell Grants and more than half of our students are, we need to make sure they graduate on time and that they graduate ready to enter the workforce. That's a responsibility we don't hold lightly. Now, the other example I want to point out, and you and I have run into this one because we talk, and we've talked about it in this podcast, too, is, you know, adding courses in so that students get experience. Well, that is great, except for the more courses we add, the longer it takes to graduate, right? So we are beholden to not put in more than 120 credit hours into. Agree that that is the number you can reasonably finish at 30 credit hours a year times four years. Right? And so whatever we put in, then we have to take something out. And that's the dance you and I have done to say, how do we add this element? We'll have to take out this other element. And there are elements in the degree we really want to keep in there because we also do want the student to learn how to think and communicate and talk. And one of the most painful experiences that I experienced when I was still a school director was having a CISO like yourself, one we know and love, reach out to me to let me know that they were accepting interns. But this particular student, as we advise them to do, had reached out, started a communication, you know, seeking possible internship opportunities. And the letter was unprofessional, filled with bad grammar, you know, typical. Not gonna label it, didn't use punctuation or capital letters, right? And this colleague of ours reached out and said this. I can't work with this, right? This is not friendly communication. This isn't a text. This needs to be professional communication.

B (33:38)

And let's add to that. And again, because of the communication, despite the fact that many professionals and many of my peers are saying these things are needed, these are the examples, the very things you talked about are the examples of things that are, quote, unquote, wasting students time because I need them to learn how to run Wireshark or I need them to learn how to do this or that or the other thing in the environment. And adding another point to what you said about that balance, because, yeah, the level of the puzzle is there are only 30. So if I put a course in and it's a three credit, credit hour course, I have to then find, you know, three credit hours to potentially take away.

A (34:21)

Right.

B (34:21)

And what are we going to drop from the program? And it also has to be dropped at usually a certain level within the program. So if I'm putting a 300 course in, I got to take a 300 course out, usually to try and balance that out within the environment.

A (34:34)

And that's on us. The burden of that is on us a little bit, too. To. To better explain this kind of conversation you and I are having. Right. Like, we have competing priorities here and none is superior to the other. Getting the student out on time is incredibly important. Making sure they come out with a useful degree where they have practical experience is incredibly important. All of these things must occur, and neither is higher than the other. So the burden is on us to explain. We hear your concern about students needing Skill X. It's here in this place. And the problem that we face is how to get the word out to the community around us. Is this meeting your degree, your needs, as the industry who might hire our graduates? Is this meeting your needs? And we've had, as you know, because you've been a part of them, roundtables and working groups and, you know, shared out with those community members. And we've gotten to the point where the people in the working group, they're like, yes, yes, this is what I want. This is exactly what I want. And then you've experienced this, too. Okay. Will you take my student as an intern? No.

B (35:45)

No. In fact, I used that example in an earlier podcast, and you know the one I'm talking about, Sam. So I'm going to shift gears slightly. It is your nature to be very kind. Doesn't mean you're less tough as nails. But still, to be very kind, you have been very kind to my profession. Today I'm going to ask you to stop for a second.

A (36:48)

Stop being kind.

B (36:50)

Stop being kind of. Because there is ownership that exists on this end of the table that bluntly, I would contend we are not taking that. Make your job harder. So lay it on me.

A (37:08)

Yeah, I would agree that it is profoundly frustrating When I've met with a group of 15 representatives from different industry to say, okay, now, now, have I built a degree you want? And now have I built a degree you want? And finally they all said, yes, you've built a degree you want. And then I can't place any in any interns at their industry. So, you know, that is profoundly frustrating and sorry, it's still in my nature to be kind.

B (37:40)

Please stop. No, seriously, part of what I want is, and part of why I asked you here is I believe, and you know this, I believe there's mutual ownership here. And I also believe that there are parts of my profession that are very good at pointing fingers at everybody else and not taking ownership for the problem. I want them to hear from people in the trenches like yourself that this is a problem and why. So please lay it on me.

A (38:09)

Yeah, the dilemma is we really, really need people to be willing companies to be willing individuals to be willing to host the interns or in other ways, apprenticeships. However, that looks to provide the students with the practical experience that then will be demanded when they go to apply for the job. And the dilemma the students face is that they go to apply for a job that requires a level of experience they probably couldn't even get in an internship. Right. So we are willing to meet you in the middle, but we need industry to take a chance on the students and place them in these internships so they can get the experience that the industry is looking for when they go to hire them.

B (39:00)

Is that getting any better or is it the same problem you and I were fighting in 2016?

A (39:05)

It is getting better, but it is not. We still have a gap to close. We still have students that are struggling to find the placement. We still have students that. And good students. I'm not necessarily. I don't claim that every student that graduates is ready to hit the ground running with an internship, which is a point I'll return to also in a minute. But we have many, many very good students that do have the communication skills, that do have the background in the training and took the courses that were requested and they just are getting crickets.

B (39:42)

So I want to shift gears a little bit and talk about two year community college versus four year community college. First part of this is an education for our users and it's something that I learned after being in the university system. ASU creates pathways for folks coming to community college to go into four year college. But there are certain degrees that exist at the community college level that do not create a decent pathway to the four year college. And there are two things I want to get to eventually as we talk about this and we've seen this, the ability for us to take that. I took Python my freshman year or my first year at the local community college. If that credit doesn't transfer to the state college in most states, it doesn't. And why? I want to make sure that our understands that. So talk to me, please.

A (40:46)

Yeah, let me address that on a couple of levels. So first of all, if the student knows that the community college is a stepping stone for them to a university degree, they should choose a program that they know maps the university. And at asu, being located in Maricopa county, we work with the Maricopa County Community College system and we make sure that if you graduate with a particular degree from one of those universities, it maps into one of our programs. And in fact, you can place yourself, it's literally called a pathway. You can place yourself on a pathway the day you start at the community college and it gives you a portal, if you will, within the ASU system so that each course you complete at the community college, you see how it articulates. At asu, you see that it will articulate, for starters, you see how it articulates. And you see how you're making simultaneous progress to your ASU degree while you're completing your community college degree. So that at the time you decide to move over, it should be seamless. You just come right over and all those courses are already in your degree program and count. You can see how they count. And that's not to say you shouldn't enjoy your school experience and take some fun electives. But what folks sometimes don't recognize is that they may spend two years at a community college, but if they don't choose the courses that are designed to articulate, then they won't.

B (42:32)

Laura, as always, it is a joy to talk to you. Thank you for sharing your experience and your knowledge and giving us some insight as to what it's like on your side of the street. And I really appreciate that.

A (42:43)

Hey, thank you for having me. It was my pleasure. Super fun.

B (42:47)

And that's a wrap for today's episode. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO perspectives. This episode was edited by Ethan Cook with content strategy provided by Mayan, Plot produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing sound design and original music by Elliott Pelsman. I'm Kim Jones and thank you for listening. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's M E T E R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode. For all Cyberwire listeners.