Aside from managing Tripwire's security research team, Tyler Reguly also teaches a college course on cybersecurity. On this episode, Tyler shares his experience teaching the next generation of cybersecurity practitioners who are about to graduate and enter the workforce.
The following is an edited excerpt from a recent episode of Tripwire’s Cybersecurity Podcast.
Tim Erlin: Today, I am joined by Tyler Reguly, manager of software development with Tripwire and we’re here to talk about cybersecurity education and Tyler’s engagement with it. Could you start by telling us about your teaching history?
Tyler Reguly: I first taught about a decade ago at Fanshawe College. I developed two courses for them: one like a generic “Intro to Security”-type course and one on malicious hacking tactics. Now, I'm teaching a malware analysis course that I developed over the summer.
TE: So, what's the makeup of the student body like in that class?
TR: I would say that the bulk of the students are between 20 and 30. There are definitely exceptions, as there always are.
TE: You said it was a malware analysis class. What's included in that syllabus?
TR: Rather than taking one aspect of malware analysis and diving really deep into it, I wanted to prepare students for anything they might encounter and give them a broad set of basic skills. So, we did things like the history of malware, the types of malware that you'll find. We did some programming using Python, and we applied it throughout the rest of the course. Then we did things like dynamic and static analysis, reverse engineering, and packet analysis. We used a lot of malware tests and reversing challenges, giving students sort of a core foundation.
What’s Changed in Cybersecurity Education Over the Years
TE: I think you're in a unique position having taught courses to students focused on cybersecurity some number of years ago and then having come back to that. What's changed since the last time you taught a cybersecurity course?
TR: Last time I taught, it was either general IT students who were just getting a taste of security or students who were coming back to add security onto a broad technical basis. This is the first time I've taught students who set out with a focus on cybersecurity.
TE: Is that because of the way the courses were designed, or is it because of a change in the student body?
TR: I think it's a changing curriculum. This is the first time that they've offered a three-year cybersecurity program at Fanshawe—as far as I'm aware, the first time that students have hit the third year of it. I can go way back nearly 20 years ago when I went to school at Fanshawe; it was all pure technical courses then. What we're seeing is the genesis of the courses as they've grown and changed over time with cybersecurity being much more at the forefront of everyone's mind.
TE: Yeah. Security was a discipline that you had to come to from some other place. Now, you can actually select it upfront and choose to head in that direction.
TR: Definitely. The big difference I'm noticing between a decade ago and now is that those students who were interested in the CIS admin-type careers were not interested in what I had to say. Whereas now, things are different. For example, this week, my student's lab was a packet analysis challenge where I created sort of a capture the flag. All the feedback I got was excitement. I've actually already had emails saying, “Do you know where we can get more of these?” This was tons of fun.
I see a lot of myself at that age in my students. They're all, you know, hungry to learn whatever they can and interested in whatever cool concepts I can teach them. And a lot of the classes end up becoming less of me teaching and more of a conversation, which is a preference for me, because I feel like it's a much better way for them to learn. And I get a lot more out of it, as well.
TE: Interesting. Did you say these were third-year students? So, after this year, they're off to enter the workforce. Do you have a perspective on what they're thinking about as they exit education and enter the information security industry?
TR: A couple of weeks ago, I did a poll. It asked whether they had a job lined up. I've got 20 students registered in my class. Four people had jobs lined up, so 16 of them, 80% of them, do not have a placement yet for when they graduate. If I could speak for them, I would say that I feel like they're feeling dread and terror. At least that's how it comes across when I talk to them. They were forced into online learning back in March, something that they weren't previously doing, and now they've done a semester and a half of it. Now, they have to find a job, and interviews are done over Zoom, and people are working from home. There's no workplace to go into and look over somebody's shoulder and learn in many of these cases. So, there's just a lot of fear of what the future holds.
Reflecting on the Cybersecurity Skills Gap
TE: We talk a lot about the skills shortage, or the “skills gap,” in cybersecurity. A lot of the conversations that I have with people who are cybersecurity practitioners are more around that difficulty in staffing, but on this side, we've got students who are out looking for jobs. Do you feel that they won’t find a job and that the industry feels like it doesn't have the staff to fulfill the jobs they need?
TR: I think that both of those statements are true. One of the things I don't think we consider beyond the two points that you made is that a lot of smaller companies have gone out of business over the pandemic, which means that not only are these students graduating with no real-world experience or limited real world experience, but they're also going to have to compete for positions against people who have recently lost their jobs and who have potentially years if not decades of experience on them. I think that is something that these students are very aware of.
TE: Yeah. So, what's the advice that you end up giving them in that scenario?
TR: I don't know if I give advice because I don't know. I don't know if there's anybody who's prepared to give advice. It's an unprecedented situation. It's also something that I really hope employers are aware of. If nothing else, provide feedback to those college graduates after an interview if you don't select them. At least let them know that they had everything they needed. There were just more experienced candidates available.
We don't provide nearly enough feedback to these new graduates. When they're out there looking for a job, we don't tell them why they didn't get the job. We don't tell them what happened a lot of the time. It's just a form letter that says this position has been filled. Thank you for applying. And I feel like we're doing them a real disservice, and I feel like that disservice is heightened during a pandemic.
TE: In some ways, aren't we doing ourselves a disservice, as well? Because we might very well want them to apply for a future position. And if they don't understand what they might've missed the first time around or why they didn't get it, then they might just not apply again.
TR: Yeah, definitely. I think that's something that a lot of employers could be proactive with. If you've had past candidates that were really good, reach out to them when you have a new opening and see if they're interested in a position.
Lessons from Teaching Cybersecurity
TE: You mentioned having learned some things from teaching this course. What are some of the things that you've learned?
TR: I don't know if it was reinforced or learned, but it's how much fun it is to share your knowledge and experience with other people. When you teach, it's a two-way street.
One problem that we have in the security community is that so many people hold on to knowledge. Some people look at it as job security. Teaching really reinforced for me the fact that putting knowledge out there is super important. It's something that we really have to do.
The other big one to me was the building of relationships and establishing new contacts. Even though they're just entering the workforce, they have a lot of interesting thoughts and ideas, and they've introduced me to new technologies that are up and coming that I hadn't seen yet. So, building relationships and networking is even more important, I think, in a pandemic than it normally is. It's a harder thing to do. So, you really have to put in some effort and make sure that it happens and keep up that contact and that sharing of ideas.
TE: Well, Tyler, thank you so much for taking the time with us. I know that you've got a couple of blog posts out there and one more coming up on similar topics. So, folks can certainly head over to Tripwire State of Security blog to look at those. I appreciate the time. I thought it was an interesting conversation.
TR: Thank you. It was fun to come on here and talk about it.