867: LIVE From Ellucian Live 2024 - with ⁠⁠Josh Sosnin, SVP & Chief Information Security Officer, Ellucian, & Students, Christian Christovich, Alexis Obeng, & Natalie Rankin

Joe Sallustio: Welcome back, everybody. It's your time to up on the EdUp Experience podcast where we make education your business. We're here at Ellucian Live 2024 for a bunch of times. We've done a bunch of podcasts today with some amazing leaders in and around higher education. But I will tell you, and I mean this sincerely, this will be the most interesting episode of our time here. Why? Because we have real live warm-blooded students in front of us.

You know, typically it's a bunch of technology leaders which are super boring. No, they're not that boring. No, no, no. But we talk technology, we talk about what's happening to higher ed in its systems, and very rarely do we get a group of students in front of us to really give us your perspective on education, relevance, the cost of a degree, why you chose the major you chose. I'm probably taking all the questions away from my guest host, but I'm gonna bring him in here now.

Ladies and gentlemen, he's Josh Sosnin. He is the Chief Information Security Officer at Ellucian. Josh?

Josh Sosnin: Thanks for having us, Joe. You're back again for a second time. Couldn't get enough.

Joe Sallustio: Second time. And we're trying to go for the record. I don't know what the record is, but I'm going to try and beat it.

Josh Sosnin: I'm not sure what the record is either. Maybe you've already beaten it right now.

Joe Sallustio: Probably not. OK, well, we'll see what happens. So what we're going to do is go around to each of you guys. We have a crowd that's waiting to hear from you. So you're going to give us your name, your institution, and your major. And we'll start.

Alexis Obeng: All right, my name's Alexis Obeng. I go to UTSA, University of Texas at San Antonio, and I am a computer science major.

Christian Krstovich: Hello, everyone. My name is Christian Krstovich, also at UTSA, and I am a computer science major.

Natalie Rankin: I'm Natalie Rankin, currently at St. Mary's University, a graduate student studying cybersecurity.

Joe Sallustio: Cybersecurity, cybersecurity, computer science? Computer science. Computer science, cybersecurity. It's a lot of science and security and all of that. So first question, the most obvious one, and we'll start from right to left this time with you, Natalie. Why did you choose cybersecurity? Why did you choose the major that you're in? Of all majors, this is a very technical major. What brought you to it?

Natalie Rankin: I've always been fascinated with technology and I really got into cyber in high school when I had the opportunity to join my school's CyberPatriot team. Seeing how technology can be used maliciously inspired me to figure out how to stop that malicious behavior, and I pursued cybersecurity in my university studies for this passion to defend systems and mitigate security risks.

Joe Sallustio: Follow-up question, what is a CyberPatriot program?

Natalie Rankin: It's sponsored by the Air Force and it is a program that they offer to K through 12 students, specifically high school as well, where you're given different cyber challenges to solve that allow you to get some hands-on experience with cybersecurity.

Joe Sallustio: I had no idea that existed. That is super cool. All right, over to you, Christian.

Christian Krstovich: Personally, for computer science, my dad introduced it to me when I was really young and I always thought it was cool, you know, what he told me people could do with a computer. That inspired me to do cool stuff with a computer. And like Natalie, I joined my high school CyberPatriot team and that really just rocketed me to the next step of the journey.

Joe Sallustio: Interesting. I mean, so did you like attack systems or learn how to prevent attacks? I mean, is that what it was?

Christian Krstovich: The first thing was just sort of the impressive amount of control that a person can have on their computer system. And then it was a matter of like, well, I wonder if I can attack. And I was like, well, maybe that's not a good idea to do that so much. Maybe learning how to defend is a better choice for me legally.

Joe Sallustio: Smart move. Alexis, why computer science?

Alexis Obeng: So kind of like the same thing with them. I've always been interested in computers. And then my first year of high school, I joined CyberPatriot. And even though it ended in COVID, I ended up getting my Security+ certification during that same year. So that really sparked my interest and let me know I had a really good knack for cybersecurity.

Joe Sallustio: Josh, this must be like music to your ears as a chief information security officer to know there's a pipeline of talent out there interested in the nerdiness of, the awesome nerdiness of protection of data.

Josh Sosnin: Yeah, absolutely. Because I don't even know what to ask next, by the way, so I'm just gonna pass it to you. There's 600,000 open cybersecurity jobs in the US and we can't fill them.

As far as San Antonio goes, let's talk local a little bit. I was not aware of this. Do you want to guess? No, I'm just giving you the answer. Are you going to ask me a question live on my podcast?

Joe Sallustio: Live on the podcast, right?

Josh Sosnin: If you had to guess where San Antonio ranks as far as concentration of cybersecurity professionals in the US, one, two, three, 50, where would you guess?

Joe Sallustio: Two.

Josh Sosnin: It's two.

Joe Sallustio: I mean, that's really cool. I only know this because I think you told me that earlier today.

Josh Sosnin: I might have. So we started the poll on that thread to kind of understand. And there's, what do we got? We got nine local higher ed institutions that have cyber programs. And like we've already heard here from each of these folks, they've got some really cool K-12 stuff going on. So you mentioned CyberPatriot and there's this other overarching CyberTexas. I mean, they're just doing some really cool stuff. So I know you kind of touched on it, but does anybody want to go a little bit deeper on just the opportunities that you got prior to going into higher ed?

Christian Krstovich: I can definitely speak on that. So, CyberTexas here in San Antonio, they're a great organization that really connects with the different CyberPatriot teams here at all the schools. And they host a Cyber Cup, the Mayor's Cyber Cup, every single year. And it's a whole big event. And at this event, they give away scholarships, they give away internships to high-placing teams. They've given away even Microsoft Surface Pros to high-placing teams. So, it really does give the incentive to do well, not just nationally, but on a local level.

Joe Sallustio: So explain it like I'm five for me just a little bit. Explain it like you're explaining it to me. Yeah, right. So like we're two and three and I know all three of you have been in this and maybe we'll talk to Natalie on this. Like the competitions, just kind of walk me through a little bit. Like I know a little bit but I want to hear from you what you folks were doing there.

Natalie Rankin: Yeah, specifically one of the activities I had the opportunity to do was you were given a Windows system and they would ask you to go in and examine the different accounts on the system and maybe remove some user privileges, delete certain accounts, and also go in, check firewall settings, and ensure that the system is up to date, check for system updates, kind of essential things that need to be installed and ensured on the computer to make sure it's secure.

Joe Sallustio: How about you, Christian? Anything different?

Christian Krstovich: In the context of CyberPatriot? In competitions. I think once I, this is before higher education. I think similar to what Natalie said, I worked on the Ubuntu machine, so it wasn't exactly Windows, but there was a process of making sure that all of your systems are up to date. Users aren't administrators, they shouldn't be administrators. Removing unwanted software, closing off network ports, stuff like that.

Joe Sallustio: Have you continued any of this in higher ed? Any capture the flag type activity, anything like that anyone can talk about?

Christian Krstovich: I'll take it. Definitely since coming to UTSA, the competitions have skyrocketed. The first one I did was this one called Doctor Boom, which is very different than the normal ones where you were given the source code of a bomb detonation device and what you had to do is you have to look at the source code and you identified a command injection vulnerability. And then this is the coolest part: you get into a virtual machine, you get command injection on the person that's trying to detonate the bomb, and then you compromise their system. And just like, let's start the insanity. It was so cool, it was so fun. And just as like a little freshman coming to UTSA, it was everything I needed. It was so cool.

Joe Sallustio: I want to go back to school. I mean, we were programming compilers in VaxAssembly. It wasn't exactly as entertaining. So now I'm really jealous. Anything else on the opportunities before we kind of move on? We've got some other good topics, I think.

Alexis Obeng: I can definitely speak to some of the competition experience as well. So one of the competitions I did, the first one at UTSA was the Collegiate Penetration Testing competition. This one was like offensive security so that's hacking, actually getting into firewalls, breaking into systems and they also had a very good simulated business aspect to it so we had a signed NDA, we had to submit an RFP, had to communicate with the client in a professional manner of speaking, how to give a technical presentation. It really did help my soft skills building up all those.

Joe Sallustio: Penetration testing is one of the things I know institutions are working on now in higher ed is how, because we're porous, right? There's a lot of hacking in higher ed and penetration testing is one. I think it's more on the basic side of what you all do is just like, do you hack something?

Josh Sosnin: It is an interesting part of our industry these days. I mean, it depends. There's some stuff that goes way more in depth so I think the traditional pen test model, I think the return on value and return on investment has gone down. So at Ellucian, actually, it's going to sound like a sales pitch, we've got a hybrid model. So we do the traditional pen test stuff because our customers say we have to and their auditors say that we have to. But we have a hybrid model where we work with HackerOne. So we do pen tests that are basically paid if you find something. And then the amount of payment that a professional or an amateur hacker can earn grows depending on how serious the issue is. So it's crowd-sourced. If you don't find anything, you won't make any money. It's kind of cool.

Joe Sallustio: All right. The three of you, let's do a little self-promotion because this podcast is going to become part of your LinkedIn resume someday. Right? It should be. It should be. It should be. It should be. Right. So I know you've all worked on various projects. So we'll start with Alexis and we'll work across. Tell me about a project that you worked on and tell the crowd that at some point in time is going to listen to this as part of your interview for your next job. What have you worked on that you thought was cool?

Alexis Obeng: So in one of my research labs that I'm in, I am actually like a team lead for some of the undergraduates. And so we started on making a mock enterprise network. So it has like users, it has critical infrastructure as well, because those are always fun to mess with. So we can do different training on how to detect and defend against different attacks.

Joe Sallustio: Cool. All right, let's move on to Christian.

Christian Krstovich: I've moved on to, or I've started doing network administration and creating network infrastructure as a part of one of the labs on UTSA's campus. But personally, I started working on creating a Linux keylogger that reads keyboard events and pipes them to a file. And that's been pretty cool. It's been pretty fun.

Joe Sallustio: All right, let's go to Natalie.

Natalie Rankin: I'm actively working on a network intrusion detection system, and it's so exciting to me because it's made for a personal computer and there are already detection systems like Snort and Suricata out there but what's so exciting to me about the one I'm making is that it is specifically designed for someone's own personal computer activity so it's more tailored to that experience and can provide a better security option for them.

Joe Sallustio: Awesome. So you each told a story and when I talk to students earlier in the career and then you know as they move on I stress the importance of storytelling and what's interesting is that these three students here are literally cheating and jumping the line because tomorrow on the main stage at Ellucian Live, they're going to get to open for William Shatner in front of thousands of people.

Josh Sosnin: Nailed it. That's an extra story they're going to be able to tell.

Joe Sallustio: Kind of cool to be able to be a part of this. You guys are going to have exposure to thousands of leaders across education that are connected to business and industry leaders. Just take advantage of it. Make sure that you update your, if you guys don't have LinkedIn, you should get one. Make sure you attach anything that you do to your LinkedIn profile, because it becomes your digital footprint.

Josh Sosnin: Yeah, absolutely. You're right. Education obviously is the focus of this event. Robert Smith was on main stage yesterday and he mentioned the importance and impact of one person taking the time to educate. I know when we were talking earlier before this I said how you're all going to be educators by default and you know as we spoke I'd say I don't think you're going to be educators to your peers like I am because you and your peers got that level of security awareness as you were growing up. But you're going to have to educate us and you're going to have to educate me because I will start to not understand. In a couple years. In a couple. Yeah. Well, sooner than you think. And you're going to have to keep doing it. It's going to be your family. It's going to be all these folks that you're going to have to keep educating. So I think that's interesting.

It's not just that you're gonna be whatever you've chosen, maybe you'll go into defending, maybe you'll go into whatever aspect of security, there's so many of them, but you're just gonna have to be an educator as well, which is interesting. We're not gonna talk about AI because Christian doesn't want to talk about it.

We actually talked about it earlier and he said, I don't really want to talk about AI. But one thing, unless we get too much extra time, we'll circle back to it. But I mentioned earlier there's 600,000 open jobs in cyber, right?

What can we do to get students interested? I think that you all were lucky enough to have these opportunities that you took advantage of, but there's just all these other jobs that are not gonna be filled. And I would love for all of us to literally not have a job tomorrow. It is not going to happen. You're all gonna be employed for as long as you want, and literally I'm gonna be working for one of you three at some point in time. But what do you think we can do to get some people interested in this field? Let's start with Natalie, we'll walk the other way.

Natalie Rankin: I think that incorporating more cybersecurity education into the K through 12 classes that are already there for technology in general, kind of as you're showing someone how to use a computer, you might also want to mention don't do these things or avoid these things, kind of just putting it in there so that it's already a part of them and it's kind of instilled in them while they're already using that technology.

Joe Sallustio: Sounds good. Christian?

Christian Krstovich: I think that it can be important to incentivize it just in pop culture because there's a lot of that done for other fields. I mean, especially like sports, right, for example. And that's something that's very understandable and something that's easy for kids to attach to. But it's not as easy for kids to attach to being a nerd sitting in front of a computer.

Joe Sallustio: Is it cool or is it uncool?

Christian Krstovich: No, I think it's awesome.

Joe Sallustio: Well, of course we do. But do your peers think it's cool or not? What's it like?

Christian Krstovich: So that's the point. We have to help them understand that it's super cool. They may just view us as a kind of a bunch of nerds but if you can provide some sort of way to, I don't know, gamify it, then they would instantly come on board and they would instantly think that wow, this is something that I could really do.

Joe Sallustio: Alexis, for you, before you answer, do your peers think that you're doing cool stuff?

Alexis Obeng: Absolutely not. They just think I'm a nerd and they call me when they need tech help. I would definitely say just awareness of the different types of jobs because people don't really understand what cybersecurity is as a career field. So they don't understand the different domains and fields, the sub-fields within cybersecurity. So I think just the awareness that it is a thing, and that you have a lot of area to move around in.

Josh Sosnin: Yeah, it's not easy for sure and it's stressful but if you want a job in this field the barrier to entry isn't that hard to get started and it's a good career that will literally last as long as you want to work so you know the more we can do the better.

Joe Sallustio: One quick question for me. I'm the party pooper. My questions aren't really that good but gamify - if you said gamify, if you know, I think you said how to get people interested in cybersecurity and computer science. You tell them you're gonna hack into their PS5 and turn off their PS5 and then they're gonna learn cybersecurity to keep you out of the PS5. But I mean, as funny as that is, everything that we do, and I say we as humans now is gamified in some way. All the social media is gamified, right? You can swipe three seconds, right? So my attention span is longer than your attention span, right? The older generations and Josh, the much older generation.

Josh Sosnin: Much older.

Joe Sallustio: But our attention span is a lot longer than people your age. You're used to, right, skipping the intro on Netflix. If you want, right, like if you even watch, I don't know, you go to YouTube now, but if you, we can't even watch, we can't even watch intros anymore to our favorite shows. My nine-year-old has a meltdown when there's a commercial on Hulu. I used to watch commercials because they were commercial.

So if you think about gamification, it's embedded in everything we do. How do you gamify cybersecurity? I mean, how do you gamify computer science other than the fact that it builds those games?

Since you said gamification, Christian, I'll go to you. How do you think you do that? How do you gamify it?

Christian Krstovich: I think you gamify it by maybe postponing for a short amount of time the fact that there is a very technical corporate aspect. People like Alexis, like myself, like Natalie, we understand that there is a very technical and rigorous and C-suite involved process to cybersecurity. But if you can get people in front of a keyboard, you can get people, I mean, you know, cracking hashes, collecting flags, really making them feel like they're accomplishing something in the same way that they can often feel like they're accomplishing something on a sports team or in a video game, they'll be much more incentivized to see whatever they're doing through to the end.

Joe Sallustio: That's really good advice.

Josh Sosnin: Somebody listening, I tell you what, no it really is. And there are already platforms that are doing it very well. People, if anybody is out there and wondering, where do I get started, platforms like Try Hack Me, platforms like Hack the Box, and they're not just about hacking, they're not just going to train you to become, you know, an adversary and a bad guy. They also have blue teams and they're very specific about making this ethical, but they get you in front of the keyboard and then you're getting system flags and you can go through their academy and you learn all these things that you didn't know about before and it's a very rewarding process and I think if we give that reward to people that maybe beforehand thought that they'd just be sitting in front of a console and just sort of smashing their head into a keyboard, they'll be more incentivized to do it.

Joe Sallustio: Yeah, great advice. You know, there was this movement to make work play years ago, and I don't know if that's still in vogue or not. It might be. But that's what we do behind the scenes. We don't really advertise it to the whole company, but behind the scenes, we're making it fun. And we're a bunch of geeks and nerds behind the scenes and having fun and working through these problems. And not to say that it's not stressful at times, and we're up all weekend 24 by 7 when things happen sometimes, but you do that.

Josh Sosnin: Yeah, the work-life balance is decent in this field. And I think the more that we can kind of communicate that, the better. I do worry about the mental health aspect a little bit because, you know, the quote is the adversaries have to be right once and we can never be wrong ever. And that's not exactly true. People shouldn't be afraid. I mean, we have defense in depth. So if one thing fails, another picks up on it, there's alerting. We want to find out about it not in a month, a week, or a day, we want to find out in hours, seconds. So it's not as bad as it sounds, but there's definitely some stress involved. Have you guys seen The Matrix? How about War Games?

Students: No.

Joe Sallustio: See, and I think about cybersecurity and computer science and artificial intelligence and back in the old days, our old days, there were these movies and you just went, whoa, I could never believe something like that happening. Now it's happening. With Matthew Broderick?

Josh Sosnin: Yes. I love that movie.

Joe Sallustio: Yeah, I should have given you homework to watch War Games if you haven't. I mean, when around this conversation it is that you got to go watch that movie, you guys.

Josh Sosnin: Another plug for one movie is a movie called Sneakers that Christian watched. It's a little bit of an oldie right now, but it's there.

Joe Sallustio: It's amazing. There you go. Any other questions for the team here? I've got no more questions on my preparation cards here, but anything anybody else wants to talk about? I mean, I think we're having a great conversation here. I think we kind of shine the light on San Antonio a bit. I mean, you got opportunity that I think is just amazing. I don't know what percentage of students out there around the country are getting that. I hope it continues to build and build because it's just fantastic.

Well, there you have it, everyone. Another episode of the EdUp Experience. My favorite by far. No offense to you and the team, although that was a good one too. But when we get to talk to students, it just brings in a different element. One of the things that we all have to watch out for is what we're teaching you is what the business world wants. And you have to know that too. Like you have to go to the business world and say, am I learning what you expect me to learn so that I can get a job with you when I get out of here? And that's been something typically in some areas that higher education hasn't done a good job of staying up to date with curriculum. But in cybersecurity, I guess there's no choice, right? It just has to be new. You have to elevate and innovate.

So here you have it, ladies and gentlemen. I'm not supposed to say that anymore, but ladies and gentlemen, it's stuck in my brain. Alexis, Christian, Natalie, and Josh from Ellucian. Students, did you guys have a good time on the podcast today?

Students: Yeah, it was great. Thank you.

Joe Sallustio: All right. Not as scary as you thought it would be. You thought you'd sit down and it'd be like super intense.

Students: Yeah, this is so much better.

Joe Sallustio: Alright, tomorrow when you're on stage, just remember that. It was a little less, it was a little more disarming over here than it will be when you're up there on stage. Remember everybody. Be excellent to each other. You've just ed-uped.