Episode 1: Cybersecurity in higher education | The Job Security Podcast

Introduction

The cybersecurity industry faces a critical challenge: a shortage of senior security professionals and limited pathways for juniors to advance. As threats evolve daily and organizations struggle to build talent pipelines, cybersecurity in higher education has emerged as a crucial bridge between aspiring professionals and industry needs.

But what does effective cybersecurity education look like? How do you teach a field that didn’t exist as a formal discipline just 20 years ago? And what’s the real difference between cybersecurity training vs. bootcamps and traditional academic programs?

In this episode of The Job Security Podcast, host Dave Johnson speaks with Matthew Gracie and Brandon Levene—two longtime security practitioners who became adjunct professors while maintaining their industry careers. The conversation explores their unconventional paths into teaching, what today’s cybersecurity students need to succeed, and why the industry desperately needs better training infrastructure.

From discussing the “Wild West” nature of cybersecurity in higher education curricula to debunking the myth that eight-week bootcamps can create job-ready security professionals, this episode offers rare insight into the challenges and opportunities shaping the next generation of cybersecurity talent.

The unconventional path: How security practitioners became professors

Brandon Levene: From crime research to classroom

Dave Johnson: Brandon, what was your cybersecurity education like when you first started?

Brandon Levene: I have no formal background in comp sci or security. In fact, my degree was obtained by going to the advising office, senior semester or first semester of what would be my senior year at FAU, and asking, what degree can I get the fastest? They said, psychology based on your previous coursework. And I said, cool, that’s my major now.

So I actually have no background in cyber, although psychology has been surprisingly useful, as you might imagine. I actually got started with cracking palm pilot programs when I was a kid. A lot of them used an XML registration protocol for licensing. Started reading PCAPs on hub networks when I was like 13 or 14, remember going to LAN parties when I was like 14 or 15, dropping Sub Seven on people’s machines when they went to the restroom.

My education really predates a lot of the cybersecurity stuff. There was not a whole lot out there. There was the SANS certifications, there was Security Plus, things like that. I ended up doing those after I got my first job in security. I did get a Security Plus pretty quickly early on, but then I did a lot of SANS courses because they were paid for.

How he became a professor:

The way I became a professor was much less formal. I was at the first Labs Con put on in Arizona, and at one of the after parties, I got to talking to Professor Thomas Rid who has multiple very interesting books. I knew that he had recently been named the managing director for the Alperovitch Institute at the Johns Hopkins School of Advanced International Studies.

A number of my peers were teaching as adjuncts under that program—nation state things, semiconductors and things like that. But I looked at the curriculum and said, you know, there’s nobody here that does cyber crime. So I went and talked to Thomas. We had a great conversation. I emailed a little bit back and forth. I said, hey, I’m willing to teach a cyber crime, cyber criminals course. I’ll develop it from soup to nuts.

I’m going into my third year now of teaching the course. I’m teaching at 8 or 8:30am on a Monday morning, by choice, because that is the time that works for me. I generally have to assume that using a computer is more of a challenge to some than others. And by the end, I have them using interactive labs to just find badness after I present them with threat actor manuals.

Why he teaches:

For me, I do it because I’m passionate about understanding and really communicating the threat. My goal is, if anybody, any student, or anybody that I lectured to is in a place to make even a 1% better or more informed decision having to do with cyber crime or just computer security in general, I am extremely happy. They don’t even need to necessarily make the right decision, but at least they thought about it.

Matthew Gracie: From B-sides organizer to educator

Matthew Gracie: I think Brandon and I came up at roughly the same time, so we had fairly similar experiences. When I was a teenager, back in the late 20th century, I was big in the local BBS scene and IRC. I saw a lot of the same software cracks and stuff like that that Brandon did.

When I went to college, I got there and was like, you know what? I am done being a computer nerd. I’m going to major in something else. So I ended up getting an English degree. But I paid my tuition all the way through by working IT help desk jobs. I graduated, and I was like, oh, so the only marketable skill I actually have as a holder of an English degree is IT.

I was working at my alma mater as a desktop support guy supporting the Macintosh users on campus. Our CIO said, you know what, we should probably have a dedicated security person. This was in about 2005 or 2006. He basically looked around the team and said, all right, Gracie, you’re our security guy. And he sent me to a SANS training. That was how it all started.

How he became a professor:

Years later, I wanted to start a B-sides conference here in Buffalo because we didn’t have one. I reached out to the school that I used to work at that I graduated from because they had just started this graduate program in cybersecurity. I said, listen, I think this would be a great opportunity. We’ll host it at the school, a good cross promotional thing for prospective students.

The director said to me, you know what? I love it. That’s a great idea. We could really use a B-sides conference here in Buffalo. Oh, by the way, I have a couple courses I need an instructor for. I was like, ah, okay, I see where this is going. I just got quid pro quo’d. That was kind of the deal that we struck.

So this is my fifth year. I started off teaching the network class, and then a couple years ago, in the fall, I switched to teaching what we call cybersecurity operations, which is the blue team class. I teach ethical hacking in the spring. So I teach the students how to defend stuff, and I teach them how to break all the stuff I taught them the previous semester.

Understanding cybersecurity in higher education today

The “Wild West” of curriculum development

Matthew Gracie: Cybersecurity as an academic field is obviously fairly new. None of us who are teaching in cybersecurity programs have cybersecurity degrees. We all learned it before this was a formal thing. I think we’re kind of in that same stage that computer science was back in the 60s and 70s when it was still mostly math professors who just happened to be teaching computer science stuff, and it hadn’t really coalesced.

Curricula at different institutions are not standardized. Brandon is obviously teaching a lot of policy focused stuff because he’s at a policy school. We have a cybersecurity program locally that grew organically out of the criminal justice program, and they have a very heavy emphasis on forensics and investigation. We have another program here that grew out of that university’s accounting school, so it’s very focused on audit and compliance and GRC.

Our particular program is overseen by the computer science department, so it’s very technically oriented—a lot less of that policy or compliance stuff and a lot more hands on, where do the packets actually go, hands-on-keyboard kind of stuff.

The challenge for employers:

If I see somebody on LinkedIn or I see a resume across my desk and it says, you know, I have a master’s degree in cybersecurity, and I’ve never heard of the school, I honestly have no idea what they might have learned during that master’s degree. It’s kind of an interesting Wild West time.

The value of practitioner-led education

Matthew Gracie: The way we’ve structured our program, I think the only tenure track faculty member we have is the program director, who’s actually got a PhD, and he’s doing the whole academic thing. All of the other instructors are like me. They’re all working professionals who are teaching on the side.

I will admit there are times that I’m very jealous of my colleagues in math who don’t have to update their calculus syllabus every time they teach it, because really not that much has changed. But like Brandon says, it’s very helpful to get that real world practitioner experience into the classroom, because this is a field of study that is constantly changing. The bad guys are constantly coming with new stuff. We’re constantly inventing new tools and defenses. That speed and that responsiveness kind of runs counter to a lot of traditional academic incentives.

Brandon Levene: There’s a lot to be said for practical expertise. The university, particularly within the Alperovitch Institute, has been very much leaning into the idea that just because you’re not career academia doesn’t mean you don’t have immense amounts of interesting things that we just don’t necessarily have the direct experience to think about.

Academia and private sector partnerships are equally as important, if not more so than public-private partnerships. If the people that are doing the jobs and the people that want to hire people to do the jobs don’t communicate what is necessary, what is actually practical, what we’re actually facing to academia, we’re going to end up with sort of paper tiger graduates.

I’ve got a master’s in cybersecurity, but I don’t know how to look at a packet capture. I don’t know how to differentiate arbitrary protocols using TCP for exfiltration versus legitimate traffic. I don’t know what this PowerShell actually does. Is this normal? Actually, surprisingly, PowerShell with base64 obfuscation is really common in legitimate use cases because it’s a kind of sketchy compression mechanism. You’d be surprised at how often the benign looks just like the malicious. It’s just intent.

Cybersecurity training vs. bootcamps: The harsh reality

The prerequisite knowledge gap

Dave Johnson: If a student was coming to you and asked, what should I have before joining your courses? What should they bring to the table?

Matthew Gracie: If I can nerd out for a minute—if you’ve played Dungeons and Dragons, you’re probably familiar with the concept of a dual class character. You’re one thing for a little while, and then you switch to being something else. You’re a fighter, and then you’re a wizard, or whatever.

I have always been of the opinion that security works best as a dual class in that sense. You come up as desktop support or help desk or network engineering, and then transfer into a more security focused role. The reason for that is that so much of security is thorough, competent, well documented operations. You need to understand operations and how it works and how people work and how operating systems work and how networking works before you can hope to secure it.

The bootcamp problem:

One of the really unfortunate things about our current moment in security is a lot of people look at it and they say, look, I have no technical expertise, but I just got a banner ad for an eight week boot camp that tells me they can teach me everything I need to know about security, and then I can go out and get a job making lots of money. I’m sick of working in service industry jobs or whatever, so I’m going to do that.

It’s possible that you can ramp up and learn a bunch of buzzwords and maybe even fake your way through an interview. You’re not going to understand any of the underlying principles. You’re not going to understand—you might know what an IDS is, but you’re not going to know how the rules work, and you’re certainly not going to know why a rule says something is bad after you go through one of these super quick boot camp experiences.

To get the most out of cybersecurity training, whether it’s formal academic training or something like a SANS course, you need to have a baseline of technical knowledge. Not anything super deep, but you need to know, like, what’s a TCP port. If I’m teaching you in the red teaming course, I can’t teach you about a buffer overflow attack if you don’t know anything about how memory works, or how networks work, or how that data gets injected, or why it’s bad.

Not gatekeeping, but reality:

I know that sometimes saying you need to have this knowledge before you start really getting serious about security—sometimes that’s interpreted as gatekeeping. Like I’m being mean and I’m trying to keep people out of the field. That is the absolute last thing I want. I’m teaching these courses, and you know, Brandon is probably in the same boat, not because of the fat adjunct paychecks, but I’m teaching them because I want future colleagues to be well trained and ready for this work.

Very few private enterprises are willing to put in the time and the money and the resources to build these talent pipelines and train people up themselves. I’m in Buffalo, New York, so I’m in a smaller city. We have a constant shortage of senior engineers and senior security people. What ends up happening is the big companies here are just poaching engineers from each other constantly because nobody wants to be the one to take that step forward and say, all right, I’m going to train up my juniors to be seniors, because they know as soon as it happens, their new seniors are all going to get poached.

We’re in this weird spot right now where we have a ton of people who are trying to get in. We have very few seniors, and we don’t have anyone building a bridge from one to the other.

Brandon’s perspective on aptitude vs. credentials

Brandon Levene: There’s this problem in the security workforce which presents itself: what if we train them and they don’t stay? And the counter is, what if we don’t train them and they do? I would much rather train them and have competence and they don’t stay, but incentivize them to actually grow and stay. That seems like a no brainer to me.

I empathize with graduates right now. I empathize with anybody trying to get into security, especially those who haven’t fallen into the trap of the eight week boot camp, because this job will burn you out. I didn’t use to look at ransomware or try to find victims or preempt ransomware stuff because I was getting paid a lot. I would have burned out if I was doing this for the paycheck.

That is a mindset that I think is missed in a lot of the dialog around, oh, you can make a lot of money with a cybersecurity career. Well, sure, that’s great, but you’re going to burn out in a year or two years, or you’re going to be really crap at it and never get a job. Not having the aptitude or at least the adaptive mindset is a recipe for failure.

My program differs quite a bit from Matt’s in that there’s zero expectation of technical background whatsoever. I’ve had a number of students that have pivoted their careers away from what might have been a lobbying or congressional staffer type of career to looking at intelligence analyst roles, to looking at analyst types of roles, which I think is a really particularly interesting pivot, given it’s an elective at eight in the morning.

Technical skills can be learned, but you have to be willing to actually put in the effort to learn them. There are countless resources out there to do that. I provide the class a definitions list of words that I will probably use and I just don’t have time to break down and explain to them—here’s your reference list.

How to get into cybersecurity: Advice from the front lines

What students should expect in graduate programs

Matthew Gracie: The biggest thing is that compared to my previous experience teaching undergrads, now I’m teaching graduate students, so they have to be handled a little bit differently. When you’re dealing with undergrads, there’s kind of a uniformity of experience. They’re for the most part 17, 18 years old. They’re all fresh out of high school. They’ve all got pretty similar educational backgrounds at this point.

But when you’re teaching graduate students, it’s a completely different deck of cards. Sometimes I’ll get a student who says, you know, I did my undergrad degree in computer science. I’ve been working an IT job for like five or six years, but I want to pivot into security. So I think that this graduate security program is really going to help me make that transition.

And I had a student a couple years ago who came up to me on the first day and said, look, I just got my undergraduate degree in accounting. Turns out accounting sucks. Hacking sounds really cool. Can you teach me how to do that?

I didn’t quite realize that difference the first year, and it really affects how you pitch the material. You have to come up with something that’s going to be interesting enough that those experienced veterans don’t get bored and stop paying attention, but it still has to be fundamental and introductory enough that those people who don’t really have a heavy technical background can still follow along and not get frustrated when you get to the hands on part.

Structuring effective cybersecurity education

Matthew Gracie: What I did was I ended up structuring my courses—I teach a night class. I teach once a week. It’s a three hour chunk. What I generally do is I’ll spend the first hour to hour and a half on lecture, introducing the subject, walking them through it, showing them examples, that kind of thing.

The last half of the period is all hands on lab stuff. I give them a set of challenges or problems that they can solve. I let them work on it for 45 minutes or so, and then I go through it with them on the big screen. So the idea is, if they’re new, they may struggle a little bit, but the documentation is there, and I’m there, and I’ll walk them through it at the end.

If the more experienced people blow right through it, I’ll usually have a couple of extra bonus challenges. Hey, you’re already done with that. Why don’t you see if you can figure out this piece? You’ve got the SQL injection to work. How about we crank the difficulty level up and you do it without using OR?

The diversity advantage in cybersecurity education

Brandon Levene: For the program that I’m a part of, it’s really interesting because I think I’ve had one student out of about 60 or 70 that has an actual comp sci background. I had one with a pseudo crypto background—I mean real crypto, not cryptocurrency, not magic internet money.

Otherwise, almost everybody that I’ve taught has been policy focused, which is par for the course for the School of Advanced International Studies in DC. I’ve also noticed the vast majority of my classes have been female in two out of four semesters. So that’s been very interesting to me. As I think most of us know, gender representation and diversity in our industry is not super high. I get a huge diversity of students in my class, which is fantastic to see, and that gives me some hope for the future.

We’ve seen kind of what the monolith of mono thought has given us in the last 10 or so years. Policy perspectives are really interesting as well. From my perspective, I’m not a policy person. In fact, I largely poo-poo on policy because it doesn’t actually put people—as an old mentor of mine once said, the best way to cluster threat actors is in a prison cell.

I don’t find policy always particularly effective at that from a timeliness or an efficacy perspective, but I’ve learned from my students. The usage of policy is an influence factor. Being able to communicate your desires for a policy cogently is 95% of the battle there. I learned a lot of that from my own students, which I found fascinating. The political perspective getting brought into my class from the get go is not something that I really have any professional experience with, and it’s been an interesting dichotomy to balance.

Building the cybersecurity workforce of tomorrow

What the industry needs to do

Dave Johnson: What is the practitioner of today going to look like once they graduate courses not unlike yours? What things do you think the industry needs to do to facilitate the students that you’re seeing come out?

Brandon Levene: I think from my perspective, a lot of it is identifying not just aptitude but supporting that as well. It’s great to have someone that is willing to learn. It’s great to have someone that is willing to put in the time, but you actually have to backstop that. Actually having support for that sort of apparatus is very important.

Communication skills are critical:

One of the things in which we struggle with as an industry—security in general—is actual communication. What is the SOC analyst’s absolute least favorite thing to do? Writing that short form narrative of what the hell happened. We have tools like AI and LLMs to help assist with that, but making sure that people understand how to communicate what they’re doing, why they’re doing it, is really important. I can’t overstate that enough.

You may understand exactly what you analyzed. You may be able to parallel reconstruct that malware compromise and everything that’s going on there, but if you can’t communicate that in any meaningful way, you’re going nowhere. Your budget is going to get slashed. Nothing’s going to be successful.

Supporting aptitude:

Those two things—facilitating the actual communications and understanding the mechanisms that we have available to us and the tools that are up and coming that help us communicate, and reinforcing the aptitude of those who are willing to take this risk and join an industry that is really stressful.

I’m 22 years old. I look like I’m 45. I’m a kid, but it can be a very stressful industry. There are times where I’ve worked 36 hours straight doing IR. I don’t do that anymore because I’m an old man, but I loved every second of it. I did the OSCP. It took—it was a 48 hour exam. I slept for like three hours.

That’s reality. It’s not a nine to five. You’re always on. There’s always bad stuff going on. There’s always bad things happening. That Friday four in the afternoon trope is real. Every goddamn Zero Day comes out on Friday at 4pm. Coordinated disclosures are terrible, but that’s reality.

It’s not an easy industry. It’s not beginner friendly. There’s really not a beginner friendly industry. You will get ground out and spit up. We really need to consider whether we want it to be. Do we have the appropriate support apparatus or understanding of what it would require for a real junior to be involved?

The adjunct professor model: Working as intended

Matthew Gracie: If I can soapbox for a minute—I think this is one of the scenarios where the concept of adjunct faculty is working exactly the way it’s supposed to. The idea is to bring in people from outside who have special experience and share it with the students, as opposed to the way adjuncts are used in a lot of institutions, which is we don’t want to hire a tenure track faculty member to teach freshman English, so instead we’ll hire three adjuncts and pay them starvation wages.

It would be very difficult for somebody who is a full time academic to also keep up with all this stuff.

Dave Johnson: Would you ever consider doing this full time?

Matthew Gracie: It sounds like the answer is no, because you’re concerned that your expertise might get stale, or you just might not have the freshest information to bring to the student body.

Brandon Levene: I’ve definitely thought about that. From my perspective, I don’t think—when I retire, when I’m at a place where I just don’t necessarily think I’m going to be able to keep up anymore, then I think it would be a little bit more attractive to me. But right now, where I am personally in my career, there’s just too much to learn every single day.

Just because you go through or you don’t go through a formal education program doesn’t mean you shouldn’t be learning. If you’re not learning every single day, especially in this industry, you are absolutely going to come out on the bottom or as just ineffectual.

Matthew Gracie: Personally, I enjoy the teaching part. I enjoy interacting with students. Everything else about being a real professor looks like a total drag, so I’m glad I don’t do it. The publish or die paradigm is still very, very real.

Key takeaways: Cybersecurity in higher education

The conversation reveals several critical insights for anyone considering how to get into cybersecurity or evaluating cybersecurity training programs:

For aspiring cybersecurity professionals:

1. Build foundational technical knowledge first. Understand basic IT operations, networking, and systems administration before diving into specialized security training.
2. Be wary of shortcuts. Eight-week bootcamps teaching cybersecurity from scratch cannot provide the depth needed for actual security work.
3. Expect to keep learning constantly. Security evolves daily. If you’re not prepared for continuous learning, this isn’t the field for you.
4. Communication matters as much as technical skills. Being able to explain what you found and why it matters is critical for career advancement.
5. Consider the human cost. Security work can involve irregular hours, high stress, and burnout. Make sure you’re joining for the right reasons, not just the salary.

For organizations hiring security talent:

1. Invest in training infrastructure. The industry cannot sustain itself through poaching alone. Companies must build pathways from junior to senior roles.
2. Support continuing education. Whether through conference attendance, certifications, or formal programs, keep your teams’ skills current.
3. Look beyond credentials. A cybersecurity degree from an unknown program may mean very different things depending on that program’s focus.
4. Value aptitude over credentials alone. The willingness to learn and adapt is often more important than specific technical knowledge at the junior level.
5. Partner with academic institutions. Provide real-world context, guest lectures, or internship opportunities to help shape more practical cybersecurity education.

For academic institutions:

1. Prioritize practitioner involvement. Adjunct professors who work in industry provide current, relevant expertise that full-time academics cannot match in this fast-moving field.
2. Standardization is coming. As the field matures, expect more alignment on core curricula across cybersecurity programs.
3. Hands-on labs are essential. Theory without practical application leaves students unprepared for actual security work.
4. Consider prerequisite requirements carefully. Programs should be clear about expected technical backgrounds and provide pathways for students without traditional IT experience.

Frequently asked questions about cybersecurity education

Q: Do I need a cybersecurity degree to work in security?

A: No. Both professors interviewed have non-technical degrees (English and Psychology) and built successful security careers. However, having structured education—whether formal degrees, certifications like SANS, or self-directed learning—provides important foundational knowledge. The key is demonstrating technical competence and willingness to learn continuously.

Q: What’s wrong with cybersecurity bootcamps?

A: Short bootcamps (8-12 weeks) cannot provide the foundational IT knowledge needed to understand security deeply. You might learn enough buzzwords to pass an interview, but you won’t understand underlying principles. Security works best as a “dual class”—first build IT operations experience, then transition to security. That said, intensive training programs can be valuable for people with existing IT backgrounds looking to specialize.

Q: What should I learn before studying cybersecurity?

A: At minimum, understand:

• Basic networking (TCP/IP, how data moves across networks)
• Operating systems (Windows, Linux basics)
• How applications work and communicate
• Basic scripting or programming concepts

This foundational knowledge allows you to understand not just what security tools do, but why they work and when they fail.

Q: How do I know if a cybersecurity program is good?

A: Look for:

• Instructors with current industry experience
• Hands-on labs and practical exercises, not just lectures
• Clear focus area (technical/blue team, policy/GRC, forensics, etc.)
• Strong industry partnerships or internship programs
• Regular curriculum updates reflecting current threats and tools

Ask graduates about their job placement success and whether the program prepared them for actual security work.

Q: Can someone without technical background succeed in cybersecurity?

A: Yes, but the path differs. Brandon teaches policy-focused students with minimal technical backgrounds who move into intelligence analyst or policy roles. These roles require understanding threats and impacts without necessarily doing hands-on technical work. For technical security roles (SOC analyst, penetration tester, security engineer), you’ll need to build IT fundamentals first.

Q: What’s the biggest gap in cybersecurity education today?

A: The lack of junior-to-senior talent pipelines. Many people want to enter the field, but few organizations invest in training them. This creates a shortage of senior talent while entry-level candidates struggle to gain experience. Academic programs can provide foundation, but industry must build career progression infrastructure.

Q: Should I get certifications or a degree?

A: Both have value. Degrees provide broad foundational knowledge and demonstrate commitment to learning. Certifications (SANS, OSCP, Security+) prove specific technical skills. Many successful security professionals have one or both—or neither, but extensive self-directed learning. Focus on building actual competence rather than collecting credentials.

Links from the pod

• KC7 Cyber
• The Rural Tech Fund
• B-Sides Buffalo (on X)

About the guests

Matthew Gracie is an adjunct professor in the cybersecurity program at Canisius University, where he teaches cybersecurity operations (blue team) and ethical hacking. He is also the founder and lead organizer for B-Sides Buffalo and organizes the monthly InfoSec 716 meetup. With nearly two decades of security experience, Matt advocates for better talent pipelines between academia and industry.

Brandon Levene is a product manager and adjunct professor at Johns Hopkins School of Advanced International Studies, where he teaches cyber crime and cyber criminals. Previously, he worked as a threat intelligence researcher at Microsoft Threat Intelligence Center, Palo Alto Networks, and Google. He specializes in cybercrime operations and threat actor behavior.

This transcript has been edited for clarity and readability. The insights and recommendations discussed reflect the personal experiences and opinions of the speakers and may not represent the views of their affiliated institutions. Individuals considering cybersecurity careers should evaluate their own circumstances, aptitudes, and career goals when making educational decisions.

For more cybersecurity career insights and industry perspectives, subscribe to The Job Security Podcast on Apple, Spotify, or your app of choice or visit expel.com/blog for the latest in security operations and threat intelligence.