Campus Technology Insider Podcast March 2025 -- Campus Technology

Transcript

Campus Technology Insider Podcast March 2025

05/21/25

Listen: Student-Led Cybersecurity: Bridging Talent Gaps with AI at Auburn University

Rhea Kelly 00:00
Hello and welcome to the Campus Technology Insider podcast. I'm Rhea Kelly, editor in chief of Campus Technology, and your host. And I'm here with Jay James, Senior Cyber Security Operations Lead at Auburn University, and Corey Lee, CTO for Security at Microsoft, to talk about how students are taking a lead role in protecting their universities from cyber attacks — while gaining in-demand skills for future careers. Jay and Corey, welcome to the podcast.

Jay James 00:36
Very happy to be here.

Corey Lee 00:38
Glad to be here.

Rhea Kelly 00:40
So let's start big picture. I think by now, everybody knows there's a significant global talent shortage in cybersecurity. So what is the reality of that today in higher education, like, how is that impacting your team, Jay, and what does that impact look like at your university?

Jay James 00:59
Oh, most definitely. And I think that this is an issue that I see all across higher ed, and we discuss with each other about how do we solve this problem of the talent and talent shortage? For us, we cover a lot of ground with a very small team, but even within that small team, we need talented individuals to come to the university, and it's very hard to come across, sometimes, to get individuals to move all the way across the country, to come work where we are, and to be in this unique atmosphere, because cybersecurity in the private sector is a lot different than it is in higher education. So we have to find a good fit, but also have that technical expertise to it. So we have to find creative ways in order to make sure that we keep our team staff, but also that they have the skills that they need.

Rhea Kelly 01:49
What I hear a lot is that there's a lot of multitasking involved. Are you able to have people dedicated strictly to cybersecurity, or is it more like your IT team is doing cybersecurity on the side, even?

Jay James 02:02
Fortunately, we do have a team dedicated to cybersecurity. However, because of the size of the university and the type of cybersecurity roles that we need, we don't have a particular individual that just focuses in on one type or domain of cybersecurity. So we have individuals that may need to learn how to function in the cybersecurity operations center, but also be able to work in vulnerability management and also be able to do security awareness and training. So there's a lot of overlap in a lot of our roles, because we don't have enough individuals to just focus in on any particular cybersecurity area. So that's something that we find is very tough sometimes to fill those type of roles too, where you have all of these different types of cybersecurity skills, because we have many in the industry that is focusing on one particular area.

Rhea Kelly 02:54
Can you give me some background on the security operations center at Auburn, how it started its mission, and how you started getting students involved?

Jay James 03:04
Yeah, and it's probably one of the favorite things I love to talk about. So we started the security operations center in 2019. From there, it just started off as an analyst and an engineer working together, figuring out what technologies we needed, what processes we needed to have in place, and we quickly realized that we needed more staff to help us be able to run the SOC. From there, we decided that we can hire student workers. We have different groups within our technology department that has student workers, so we thought it would be a great idea, and that was probably one of the best decisions that we made for the SOC. Originally we didn't plan for it to be a student SOC, but it kind of grew into that. So we started off with two students; that eventually grew and fluctuates around 10 students at a time. And with that, we are able to not only take on the workload that we originally didn't think we could take on, but also be able to train the next generation of cybersecurity professionals. So it's definitely been a win win across the board.

Rhea Kelly 04:12
It sounds like, when, you know, when, like, when you're setting up a SOC, did it suddenly turn into a much bigger project? You know, if you started out with two people. Tell me about that and how you determined what kind of resources you were going to need.

Jay James 04:26
Yes, so I think a part of that comes from we didn't know what we didn't know. We never had a SOC before, and when we started to put the pieces together and see the full scope of our environment, it, we naturally grew into doing more over a longer period of time. But also our threats changed. Emergent threats changed. The environment changed. Since 2019, the rise of AI and its impact on social engineering, that has changed. So as attacks became more complex, we had to grow with that as well. So we needed additional tooling, implementing automated, orchestrated technologies. We had to add a lot of things as we first started, so that played a big role in our growth.

Rhea Kelly 05:11
And tell me about working with industry partners. So I know that there's a connection with Microsoft here, like, what's that all about? And how did that sort of help you develop this SOC?

Jay James 05:23
Absolutely, and I think that was vital to our success in those partnerships. We worked very closely together in having industry understand our environment, so understanding how higher ed works, to help us be able to achieve those goals. Definitely played a huge role in us being able to implement these technologies in a much more efficient and effective way, but also understanding that, hey, we are a smaller team that has student workers. How can we make this work in our environment, and how can we be successful in this environment? So I rely heavily on these partnerships to help us successfully implement it and see it as a partnership as well.

Rhea Kelly 06:02
Yeah, I want to dive into the student component. Does that, knowing that you're getting students involved, does that change the way you're approaching building your SOC? Is there different like procedures or technology infrastructure required with that sort of student involvement aspect?

Jay James 06:19
Yes. So we have to one, think about how we implement new tools that a typical analyst would use in comparison to a student analyst, because, you know, they're starting off very green. They're very new to this environment, so we have to have tools in place where they can pick up on them pretty quickly, or we have a good system for them to learn the tools while working on them as well. So we think about it from that aspect, as well as they are students — so we have a revolving door where they come in as freshmen or sophomore, but they eventually graduate. So that means we have to have a good system in place to where, you know, we're off boarding and onboarding students where it doesn't have too much disruption in our processes. So we consider that as well. When we build out our playbooks and when we build out a certain automated and orchestrated things in our SOC, we take all of that in consideration, knowing that we do have students on the forefront doing a lot of this work.

Rhea Kelly 07:21
I've heard a little bit about how AI can help turn security event logs into something that's more like a conversational understanding of what what you need to do. It just occurred to me that that that might be something helpful for students. So if they're green and don't know, you know, what do I do with this information?

Jay James 07:42
Yes, and I think that Corey might have something to chime in as well for Security Copilot, but that actually was a, somewhat of a byproduct of what we intended it to be. We primarily wanted to bring this in for, you know, if it's something that can help us speed up our triage of incidents and being able to speed up our processes and help us scale more. So being able to ask Security Copilot, for example, tell me about, more about this particular incident, right? That will take a lot more time for us to triage individually or as a collective. But what we found was that the students were using it as a training platform as well. You know, it would ask Security Copilot questions around, Hey, I know that this is happening. Why is it happening? Can you help me, as a junior analyst, be able to understand this better? So it was, in a way had training wheels for our students to be able to help them understand what was going on, while not having to call on me or one of the senior engineers to help them every single step of the way. So absolutely, and that came from using the tool more than us having that as an initial requirement when we were first looking at it.

Corey Lee 09:06
Absolutely, I think this is a huge area of focus. Can't understate, as Jay mentioned, Security Copilot, or security AI tools like Security Copilot, there is a real unintentional byproduct of those tools advancing and seeing innovation like AI really hit its stride. And this notion of a security AI tool like Security Copilot serving as a training platform is really that key nugget, because oftentimes in the cybersecurity industry, I think we talk a lot about the cybersecurity skilling shortage, in terms of people, number of people. We also talk about it in terms of talent gap, meaning, what skill sets do those people have? An interesting area that we don't talk about is the time it takes to skill people to those levels and, so that they can actually do the work that they're required to do. And here is where it's always awesome to see when you can marry up a student who maybe does not have a lot of experience in the cybersecurity space, but you can use their curiosity married up with experience coming from AI. Now you have an opportunity to accelerate the learning journey for that individual and turn them into somewhat of a senior analyst in a shorter period of time, right? And I think that's huge. And when we're thinking about the skilling gap and the talent shortage, you know, I think what in the latest stats say globally, we have about 3.5 million jobs that are, that need to be filled; in the US, I think somewhere around 450,000. But there are only about 25,000 or so students that are graduating into cyber when we think about things like the US. So when we put those numbers in perspective, we absolutely have to have a way to train folks faster. And the beautiful thing about what Jay and the team are doing is training folks while they're actually doing real work, I think, is the silver bullet there to make sure that we're advancing the cybersecurity workforce, but we're also helping in the now, right? You know, we're moving the needle now.

Jay James 11:21
Yeah. And Corey also brought up a great point in terms of the amount of students that are actually graduating, but an issue is that in many programs out there, they're not getting that hands-on experience that is needed for a lot of these jobs that are open. Because one reason why the gap is so big is that there's not enough skilled, hands-on skilled professionals to take those roles. There are many people interested in cyber, but we have to close that gap from them getting their education, to get that hands-on experience, to then applying for these other roles. So that is one reason why I have been an advocate for student SOCs to other higher ed institutions, is because one, it helps us stay more secure at the university, but it's another one of those unique ways where we're meeting the students where they are, where they're still on campus, they can come into this environment, and they can get this hands-on experience while they're learning, and by the time they graduate, they have a few years of cybersecurity experience to be able to go into these roles and make an immediate impact.

Rhea Kelly 12:32
It's so interesting that students can use AI to help learn as they're using these tools to explain what their next step should be, or…. I'm just curious, do you find that students have a comfort level or a sort of a literacy level in knowing to use the tools in that way? Like, does it occur to students to be like, Hey, I should ask Copilot to explain this security event to me? Is that something that comes naturally to today's students yet, or is it still part of the learning process of maximizing the use of these tools?

Jay James 13:10
You know, just from experience, I've noticed that students sometimes don't know what questions just to ask in general, even taking AI out of the equation. When they're working with a new security tool, sometimes they just don't know what types of questions to ask until they start getting more experience in the tool. But what I'm noticing now is that in the generative AI space, they're used to asking just any questions to see what they get back. So they're learning how the tool works just by using it more and more. There is a little learning curve there, but also with the information that the security AI tools provide, so when they, when the students prompt and get something back from there, they, it gives them something to run off of to ask more and better questions. So yes, I do see that there is a small learning curve there. But you know, when I point them a little bit in the right direction, they're off to the races. So actually, they learn more from exploring and talking to Security Copilot quicker than having to rely on me to take a pause on an incident, teach them something small, go back to my job, and then circling back with them to make sure that they're good to go.

Corey Lee 14:26
Yeah, and I'll call out something that we're learning really quickly is that the curiosity of students is really creating a interesting dynamic where, with generative AI, it's designed, in many cases, to be conversational, but a lot of students, or really individuals in general, have a challenge with having conversations in the technology world. But what we see when we can stop using technical jargon and just start using English language and having a conversation, that we can actually improve the learning curve. Which I think is super important because, you know, as was described earlier, in a world where we have to make a student effective and efficient quickly, we also have to make sure that there isn't a new barrier that's introduced, aka having to try to figure out what questions are asked, and how we handle that is by making recommendations. So generative AI in a conversational manner, knowing how you're asking questions, but making recommendations on the next best question to ask. Because, as Jay mentioned, you may not know what question, you don't have 20 years of experience to go off of to say I should ask this question next. So this is where tracking what the intent of the individual is, and then being able to understand the questions they're asking and make additional recommendations, is a huge area to continue making sure that they're diving deep in the right direction.

Rhea Kelly 15:55
And just like any other generative AI tool, I mean, you have to evaluate the answer you're getting, right? So how are you teaching students to take what they're, what the tool is telling them, and making good decisions on what to do with that?

Jay James 16:10
So for us, particularly in the security operations center, we do have playbooks built out that are still those step-by-step guides of how we proceed in an incident, depending on what they find during triaging more about this particular incident, and there are indicators that will show that, Hey, maybe I need a little bit more information, or maybe I need different information, or maybe something feels off like I need to move in a different direction or learn more. So we do spend some time with the students understanding the environment and then teaching them, not necessarily every little technical details, but how to go about investigating, how to build a hypothesis and go off of that hypothesis. So not necessarily all of the fine details of every little technical aspect that takes time to learn, but how to just approach an incident and ask the right questions to yourself when you don't know the answer. So that plays a huge role in them, and they just progress over time.

Corey Lee 17:12
And another key piece there is oftentimes there's this conversation of best practices or impact that comes to the table that comes with experience. If I do X, it's going to result in Y, or Z is possible. In many cases, that level of, once again, experience only exists when you've been working in that space for a long time. But with AI, the ability to now bring that experience around situational readiness or preparedness can now be married up with what Jay is referring to, playbooks. Here's our standard operating procedure. But oh, by the way, there may be some context here where that might change because of something that's being observed that now can be highlighted by AI and allow for us to make more dynamic decision-making. So in a way, students having an opportunity to kind of fine-tune their problem-solving skills, if you will, on the fly, while still using the template and the blueprint for how we should normally proceed in this situation.

Jay James 18:20
Yep, definitely those problem-solving skills have to be to the forefront in this environment, because half the battle is understanding the technologies, just understanding cybersecurity and understanding security operations, but the other part of that is just institutional knowledge. You know, an incident that's happening at Auburn is probably a lot different than incidents happening at another type of university that might be more centralized, or a private school, or different federal regulations they have to abide by. And that institutional knowledge — you can't necessarily teach that, and that just happens from experience over time to understand the nuances, what happens in certain departments over others, you know, a lot of that is something that you learned after experience in the area. But I feel that when you have a tool that can help you speed up the process and learn, understand the technologies and get past some of those technical barriers of understanding every tool and what comes in, if you have that understanding, it helps you get a little bit faster and understanding the environment. So you'll start to get that institutional knowledge a lot quicker, because we're doing a lot more than we used to because of the tools that we have and that learning curve is starting to be overcome.

Rhea Kelly 19:40
That's super interesting. It's like, you have to know what the procedures are, and then know when, when you need to break from the procedure, or when you need to, you know, kind of find your own, your own way. So I want to hear about student recruitment. Like, where are these students coming from? You know, are they already working for IT in sort of work-study, jobs, are they coming from cybersecurity courses, how's that process work?

Jay James 20:07
Right. They are coming from everywhere. So I am a firm believer that if you have the aptitude, the curiosity and the passion for the space, and you show in that interest, and you prove that you're willing to put in the work, we are opening up our roles to anyone. We do target very specific programs. So the computer science software engineer from the College of Engineering, also looking at information systems in the College of Business. But we have hired from all different colleges that aren't included from those as well. And it doesn't matter if you are a junior or if you're a freshman, because I've seen freshmen come in with many certifications, that worked on tons of projects, participated in several Capture the Flag competitions, that were rock stars when they came in, and, and I know some juniors that were very green and early, but they had a passion for it. So we recruit from everywhere. We have some interviews with the students to see if they have a, if they're a good fit, and then we grow from there. And like I said, we hire a lot because the students graduate somewhere between one and three years. So we do bring in a lot of students, and a lot of students get that exposure, but we do rotate through a lot, so we pull from all different types of sources.

Corey Lee 21:34
This is a fascinating space for two reasons. One is, I think for a long time it was believed that cybersecurity professionals would only come from a cyber degree program. But the interesting revelation is that cybersecurity professionals come from backgrounds that are interdisciplinary. So you see students coming from, as was mentioned, business schools, like a management information systems program. You see them coming from arts and architecture programs. You see them coming from engineering and science programs because of how their degree area relates to the, the horizontal of cybersecurity, right? We like to say everything in the digital world technically has to deal with an interface with some cybersecurity risk or concern. Therefore, this means we should really be championing one, the influx of talent and students that can come from degree programs that aren't just traditional technology and engineering background so that we can continue to advance addressing the cybersecurity skilling shortage and the overall talent gap. So, you know, I love seeing when a business student is saying, hey, you know, I can really look at the cybersecurity landscape from a business risk perspective, and I can use what I'm learning with my hands now to also make it real, right? It's just, that's an awesome kind of example of how we connect the dots and, once again, continue to drive the workforce forward.

Jay James 23:12
Corey just made me think about something else. We make sure that when we do hire, we look at our current students that we have and try to fill any gap, or try to keep it as, you know, a diverse of thought as much as possible, because of the different skill sets that they bring to the table. Because our SOC does primarily function from the detection and response perspective, but it's more like a cybersecurity student program. The students respond to incidents, but they also have the opportunity to find a focus area within our entire team, whether it's security awareness and training, or cloud security, or somewhere else where they can have independent projects to where they're not only helping our SOC, but they're helping our entire cybersecurity team, and it's also building their skills for whatever specific cybersecurity area they want to go into. So there's many times where we've hired that business student that helped us with governance and risk and compliance a lot more. There's those students that had other backgrounds that they contributed to social engineering and security awareness and training space, and it's just helped us overall, and not just within the SOC itself. So having these students from different backgrounds have also helped us out in ways that we originally didn't plan on.

Rhea Kelly 24:29
Yeah, I love that, getting the diversity of thought in the room. What's the most surprising place that a student, discipline, or whatever that a student has come from into your SOC?

Jay James 24:41
That is a great question. I would say, because I originally thought that I would say one of the students that came from outside of one of the two colleges. But what surprised me the most was when we first started and we hired a freshman. Because originally we did not think that the freshmen were quite ready yet to hop into the SOC because they're new to the university and new to cybersecurity in general. But hiring a freshman a few years ago was probably one of the best hires that I've ever made, because of just their, their drive, their curiosity towards the space, and they probably were one of the most impactful students that I've had since we've started it. And they were still trying to figure out what was going to be their minor that they were working on, and trying to figure out what route they were going to go, so they were still trying to figure out their path, and they found their path while working in the SOC. So that probably would have surprised me the most, because originally we were only going to hire juniors and seniors because we thought that they would have taken these classes and they would have had more experience to bring to the table. But our entire thought process shifted to try to be as wide as possible and how we went about our recruiting process.

Corey Lee 26:03
Yeah, I heard from one university, which I thought was interesting, there's a veterans enablement program within their university, and I think one of the, the things that was highlighted there was they were shocked just at the treasure trove that existed with their veterans enablement program that they had never considered could be a great opportunity to source talent to go support their student SOC, because oftentimes we don't think about the continuous learner scenarios as well. Like this isn't necessarily always just students that are just coming into a university setting for the first time, there's a huge opportunity with the continuous learners, who are also maybe career changers, looking to go and, and take a different approach to their career and to go join in on the fight, right, with respect to cybersecurity. So that's just one thing that I've heard that I thought was super interesting, but Jay hit the nail on the head that I think we are quickly learning that the assumptions we're making about early-in-career talent are no longer valid assumptions in 2025. And in many cases, a freshman can turn out to be just as awesome of a resource as a potential senior or graduate student, which I think is a strong signal in the right direction, that not only is the talent pool changing, but also the world around us that's changing is now enabling that talent pool in a different way.

Rhea Kelly 27:38
It sounds like there's a, particularly maybe in K-12, some good cybersecurity training going on that's preparing people for this path. It's pretty cool.

Corey Lee 27:49
Yeah, CTE programs, which we're seeing a lot of energy around, that are now starting to expand, we'll call it in, you know, in our wider demographic beyond just computer science education to cybersecurity education. And I think not only does that mean we get closer to the students in their learning journey, but we also, and I'll say this maybe on the record, in the next couple of years, it would be awesome to now be seeing students who are coming in as freshmen, going to work at a student SOC, but they've already been doing the work for three to four years. That now is an entirely different conversation around how do we now take the foundation that those students have, build upon it, but we can also now make them effective and efficient faster with areas that are of critical need, like cloud security, AI security, and more areas as we continue to see innovation.

Rhea Kelly 28:46
I want to hear about any particular success stories that you could share, maybe from alumni of your SOC, that sort of highlight the benefits for Auburn students.

Jay James 28:59
Absolutely. And I would say that in my role, the favorite, my favorite part of my job is working with the students and helping them through their journey to graduate and then be successful after graduation. I can happily say that 100% of our students do get a cybersecurity role, or have gotten a cybersecurity role within the first six months of them graduating, and they have ranged everywhere from consulting, to cybersecurity companies, to their involvement in the military, to working at banks, to all across the board, and I really proud of where they, how much they have grown in this process. You know, even at the university, where they were tackling some incidents that had very big consequential impacts, like they found things that really saved us in a lot of situations, and the administration has supported us in our SOC and what we've been doing. The students have really been recognized across campus in various ways. One of our students recently won Student Employee of the Year at the university, which was a really big deal for a new student worker program. So I would say that there's a lot of success stories that's come out of it, and that has easily become the favorite part of my job.

Rhea Kelly 30:25
That's great. Okay, so any advice for institutions embarking on a project like this? I mean, you just mentioned administrative support, support from the administration, which we didn't get to touch on. But how do you get that? And you know, what are some of those considerations when you're embarking on building a student SOC?

Jay James 30:47
Yeah, so I say start where you are, understand where you are and where you're trying to go. For us, we wanted to build a SOC, and we had to learn that, well, we learned really quickly that we one, need to figure out what we want to do, like truly want to do. Are there certain types of attacks that we wanted to focus on? Is there a certain scope? So doing a gap analysis, right, of where you are and where you want to go, and then from there, really building out that business case for why we need to do this. Maybe it might be from a regulatory compliance type situation where you need to build a SOC, or it might be the fact that you're getting all of these phishing attacks happening, and you really need to have a dedicated team to help work on something like that. So really building out this case. And then in terms of the students, one thing that the students really helped us with as well is, when you support the education of students, that looks really good at a higher education institution. So being able to put that as a selling point where, hey, we're also educating the students to go on and be successful. So that also helped us build that case out for expanding the SOC, where we were able to hire more students because they saw the success coming out of the student program itself, even beyond us just supporting the further secure at the university. So those are some things I would think about, and then when you eventually get to the point where you're recruiting, I would just say, keep an open mind and keep it open. So I know that it's easy to say that we should try to recruit those juniors and seniors, but keep it open to different types of majors, backgrounds, whether it's a freshman, and you'll be surprised what type of talent you bring in.

Corey Lee 32:35
Yeah, I think there are three things that jump out to me as we look across the higher education ecosystem that are common for administrations to focus on. One is being able to leverage a template, meaning not reinventing the wheel in regards to starting one of those programs. There are definitely considerations that exist, and many of the universities that are out there have, in some way, shape, or form, started on that journey. But you know, as Jay mentioned, knowing where you are, but then also continuing the journey, I think, is super important, and a lot of that comes by way of prioritizing this as a focus area. Secondly, I think collaboration has also become an interesting thing, and both collaboration inside of the university as well as outside of the university, both with industry partners, as well as with the various schools within the university who maybe have students, but also have a need and want to intersect their programs with this type of effort. And then thirdly, I believe it's super important, going back to the gap analysis piece, to focus on where the gaps are in terms of program improvement. Oftentimes, a lot of universities may not necessarily have, once again, a fully staffed security operation center with every type of person with every skill set known to man or that's required, but where we can start small and strategically fill gaps in the security operation team, potentially leveraging students, maybe in some of those areas that we can't get to, like cloud security, it becomes a foot in the door and then the ability to expand and scale from there.

Rhea Kelly 34:14
Thank you for joining us. I'm Rhea Kelly, and this was the Campus Technology Insider podcast. You can find us on the major podcast platforms or visit us online at campustechnology.com/podcast. Let us know what you think of this episode and what you'd like to hear in the future. Until next time.

E-Mail this page

Printable Format

Featured

Chinese Startup DeepSeek Disrupts AI Market

A new low-cost Chinese artificial intelligence model is wreaking havoc in the technology sector, with tech stocks plummeting globally as concerns grow over the potential disruption it could cause.
OpenAI Unveils 'Operator' AI for Performing Web Tasks

OpenAI has launched "Operator," an AI agent designed to perform web-based tasks autonomously using its own browser. Currently available as a research preview for Pro users in the United States, the tool aims to automate everyday activities such as filling out forms, ordering groceries, and even creating memes.
Why the Education Sector Needs to Get Better at Cyber Hygiene

Despite the wealth of publicly available information about cyber attacks and the tactics used by malicious actors, many institutions appear unprepared to protect their students, faculty, and endowments from cyber threats.
Western Governors University Joins Open edX as a Mission-Aligned Organization

Western Governors University is the first organization to join the Open edX project as a "mission-aligned organization" (MAO), a new category of institution-level partnership supporting development of the Open edX open source online learning platform.