Episode #70 Cyber studies from Certs to C-Level with Simon Jones


After what he describes as a chequered early career, Simon Jones settled into corporate technical and leadership roles in 2000. The problem space of financial services drove a shift in focus to Information Security, and he completed a Master's degree in 2017. This time served to fuel Simon’s passion for solving complex problems with effective communication, and he continues to work in banking as a cyber security consultant, as well as develop and deliver learning material for students in cybersecurity.

Simon shares why real world experiences assist in the cybersecurity curriculum; we discuss cyber qualifications; and how learning material and the way we educate has evolved.



Transcript

CP: Hello, and welcome to The Security Collective podcast. I'm your host Claire Pales and today's guest is Simon Jones. After a chequered early career, Simon settled into corporate technical and leadership roles in around 2000. The problem space of financial services drove his shift in focus to information security, and he completed a master's degree in 2017. This served to fuel his passion for solving complex problems with effective communication, and he continued to work in banking as a Cyber Security Consultant and to develop and deliver learning material for students in cyber security. Simon, I'm really pleased to have you on the podcast today.

SJ: Morning Claire, great to be here. Thanks for having me.

CP: So I've just mentioned in your bio, that you create and deliver learning material for students, what sort of courses and classes are you currently teaching and developing curriculum for?

SJ: There's been a couple of different sort of focus that I've had one is masters level courses, very much based around industry certifications, so quite specific scopes of subject matter. And in the undergrad space, the courses have been a mainly sort of introductory first and second level, cybersecurity courses, introduction to cyber security, some practical cybersecurity topics, which sort of follows on from the introductory stuff. So very much aimed at sort of first year students and second year students, and also some slightly more advanced stuff, a little bit of cryptography, which is sort of one area I'm quite interested in personally.

CP: So you've been working on these types of curriculum for a while as you mentioned, and you mentioned that they're sort of based on certs, but how do you bring the content together for curriculum in its totality?

SJ: It's a matter of sort of trying to tell a story about what the focus of the subject is about. So you know, we have sort of a generally a 12 to 14 week curriculum which we structure things around. And obviously, you know, cert courses especially can be quite focused over a single week ending in an exam. So to sort of, you know, structure that in a sort of a 10, or 12, or 14 part delivery cadence, it's about really sort of breaking it down into, you know, really a story about what's this subject about? What are we trying to get from the subject? How is it going to contribute to your professional development? What about the cybersecurity industry is it going to illuminate for you? And then just sort of, you know, depending on the level of the students, obviously, master's students have a different approach to the learning curriculum than undergrads do. Undergrads it's much more about a gentle lead in, starting to build up with some more complex topics, and then really bringing it all together towards the end of semester where it's, okay, so now we've done all the basics, we've learned five or six fundamental areas, let's bring them together in a practical assessment or some sort of assessment piece where you can draw on all of those previous topics we've done, and try and bring them together in a way that might emulate something in the workplace.

CP: When you do come out of a university degree, even with a masters, it doesn't necessarily make you job ready. And so how do you align your teaching, and the curriculum with real world challenges, real world opportunities, and so that the students walk out a little bit more worldly? If that's even possible. How do you do that alignment within the teaching space?

SJ: Yeah, look, it's, I mean, it's challenging in any sort of short timeframe to achieve that. I think one of the challenges we face when building a subject within a larger curriculum is you've got, especially undergrads and master students, you have them for a couple of years. So over that time you'd like to try and put together, you know, a cohesive whole that guides them through that process. It's a fairly long time in anyone's career. And it enables you to, if you have influence over that whole time, it enables you to really sort of shape the messages and the experiences and try and bring as much of the real world into the classroom as possible. To that end, I think the institutions, generally across the board, and certainly my experience, have spent a lot of time and energy over the last few years really bringing the professional and the academic worlds together. So they get professionals who have an interest in teaching to come on board, and act as teaching staff or mentors, or help create curriculum, as I do. But also from an actual day to day teaching perspective, I think one of the things that really resonates with the students is, you know, we cover topics that are quite academic in focus, a specific topic in cryptography, for example. Which looks great in a textbook, there's lots of texts out there, lots of sort of raw data and stuff that you can consume. But then adding to that sort of anecdotes from the real world, where might you see this topic? What are some challenges I've personally faced when trying to work with this topic in the real world? You know those sort of real world stories really, really help the students link what they're learning in the classroom to what they're likely to see, once they graduate.

CP: I think you make a really good point about the fact that you are a consultant and you are working as a security architect, and you're experiencing every day how our industry is evolving and the challenges that businesses are having. And so you're not simply coming at it from an academic perspective, you actually have your own, I don't know, war stories, if you want to call them that, to apply in the classroom as well.

SJ: Yeah, and look, I think that's something, look, in the couple of years when I first started the teaching process, I really was lost from an academic perspective. I had done the master's degree, and that sort of gave me exposure to the sort of processes and structure that a degree would follow, and so I tried to emulate that as best I could. But I wasn't a teaching professional, but I did have quite a few stories to tell from what I had experienced. And I found in the early days, when I'd get student feedback, which I think as a member of teaching staff is really valuable, I try to encourage students to be as brutally honest as they can possibly bring themselves to be. And the feedback was universally it's really great to hear how this relates to the real world. And I found that that was just one thing that really, really clicked with the students. They're really thirsty not just for knowledge, but to sort of plan their futures. Where is this going to take me? And what am I going to do with this stuff? So and that's not universal, not every student has that sort of mindset. But certainly the good ones do and quite a few do. It's heartening to see even in the undergrad cohorts, so many students coming through really keen to not just learn the material, but to hear the stories and to work out what the real world is like.

CP: The point around them planning, a lot of your students I would expect coming in to do a Masters would be coming back in from industry and, you know, having worked, and what's your opinion around the difference between these young graduates who, as you said, come out of a Bachelor and straight into a Master's, or those that are maybe of mature age and have worked out in the world and have sort of seen some of the challenges? Maybe not necessarily in cyber but in other vocations? I mean, how do you see the balance between those that don't have any industry experience, I suppose, and those that do? Do you sort of see that they work well together? And do they sort of prosper better within the studies?

SJ: Certainly have, my early experience was mostly with returning students and mature age, a lot of technology professionals or some completely from outside the technology realm who just took an interest in technology or security from some project or experience they had worked on. But look, I think universally students who are more mature and who are coming from a sort of working background, well generally, they're more structured, they're more dedicated to what they're doing, they're more focused. They can manage their time, and they're certainly more, you know, more attuned to what's required to achieve their milestones, their assignments, their study routine, etc. They definitely show a better aptitude for that sort of thing. I haven't had a lot of experience personally with direct to masters from undergrad. But my experience with even third year undergrads, even the really good ones is, you know, my advice to them would always be get out and live the experience first and then decide whether further study is what you need. I think the more effective master students I've experienced, I have worked with have absolutely been students returning to study after experiencing time in the workforce, and some of the really core skills are what makes a professional successful, as well as a student successful. Things like communication, your own ability to research problems, to make relationships, build relationships with people who can assist you. They're sort of second nature to someone who's been in the workforce for a period of time. So they just come with those soft skills to the study curriculum, and it serves them really quite well. So definitely, I think the advantage is definitely for students to come back to study after some time in the workforce.

CP: And when you're out in the workforce, and you're trying to decide the type of study that you want to do, and you might be biased, because you've got a master's and you teach masters. But obviously there's lots of industry certifications out there for most vocations, but particularly in cyber, it feels like there's plenty to choose from for professionals if they want to get a certification or if they want to get a masters. I mean, where are people better off spending their time? And is there sort of a process you go through that you could make that decision as to whether or not to do a masters or go out and get a particular certification?

SJ: I think first and foremost there is certainly certificates and there is certificates. There's definitely some very good thorough bodies of knowledge on it. The difference mainly is that a certificate is definitely a finite scope of material. There's a brute force acquisition of facts over a fairly short period of time. And if you're looking for that, if you're looking for a skill up in a specific area, then a cert isn't a bad way to do it. It's fairly economical from a time perspective. They're not cheap. Most certs especially if you do the training with them can be quite expensive, certainly the good ones. And there's also an ongoing investment. If you look at the CISSPs or the CISMs, or the more sort of professionally-oriented certs, you didn't have an investment in ongoing self education in order to keep your points up and keep yourself certified and in good standing with the various societies that run them. So it's not a bad option. I think it suits many professionals. In terms of a Master's or more in depth curriculum like that, it's a different experience. If you're talking about one, two or three years of, you know, wanting to, you know, hopefully immerse yourself not just in the academic side, the facts and figures from the texts. But also to connect with the academics and professionals you'll meet who are teaching. You're going to be doing multiple subjects, potentially on different campuses, and really availing yourself of all of that material and sort of exposure that you'll get during that time. It's probably a bigger commitment, I think, and certainly, I think not to be taken lightly. I started my Master's in 2010, and didn't finish till 2017, because I worked all the way through, had young children at the start, who weren't so young by the end. But it was a really big time commitment, and, you know, a lot of evenings, a lot of weekends, and I sort of did one subject per semester, so I could really, really, you know, get into the material.
And I was, you know, so definite about making that career change into cybersecurity, I really wanted to make sure I didn't miss anything, so I focused as much as I could. But a different experience, depending on what you're looking for. And I think it depends a lot too on the individual. Some people really thrive in a more sort of structured, multi year academic approach to learning. Others are very good at self study, they're very good at, you know, keeping their own skills and experience up and can just use those sort of stepping stones of the certifications to build or enhance that sort of finite scope of knowledge that the certification promises. I don't think there's a perfect answer. I think it depends on the individual. And there is also a thing I think, as you know, what we'd like to sort of call certification junkies. More certifications doesn't mean a better professional by any means. And that's something I haven't interviewed for some time, I've worked for myself now. But when I was interviewing in a previous life, there is certainly a type of budding professional who will certify themselves, you know, again, and again and again. And look, it's great to see from a prospective employer's point of view, a, you know, a potential candidate who is active in self education and enhancing the knowledge and keeping themselves fresh. But there is such a thing as trying to sort of push that too far. I think one should be judicious about what you do. Don't waste too much time head in the books, there's a lot to be gained just from getting out and living the experience, too.

CP: Yeah, I definitely agree with you that, you know, when I look at resumes if I'm doing hiring work, and I see lots and lots of different certifications, I mean, the certs these days too often are quite specific in the skills or the understanding that you'll take from them. And so if people are doing a lot of them, it concerns me that they may be not necessarily focused on a particular area of cyber, and therefore, maybe not right for the job that I'm hiring for as well. I could, it's one thing to have a certification. But if you're just going out and getting all of them, it's sort of, I guess, a jack of all trades, but a master of none, if that makes sense.

SJ: I totally agree. And certs are generally capped off by a multi choice exam, which again, is a great way to test in a certain pressure type situation. Which again, doesn't suit all people, some people love exams, some people absolutely hate them. And it's not a reflection of how they'll perform in a workplace sometimes. They're not a great indication of their aptitude. But yeah, that really isn't reflective of how one, you know, operates in a real environment, you don't spend your life filling out multi choice questions. You spend your life sending emails, and reading body language and talking to other professionals and trying to, you know, nut out complex problems. So having the time in an academic structure sometimes gives you that experience, similar to a workplace. But again, real world experience, I think there's nothing like it.

CP: Yeah, I actually have done some work as an industry advisor for some capstone years with one of the universities here in Melbourne. And the students came together in groups of five, and they were given a real world problem that had been sent in by a company to be solved. And so obviously, as IT students they had very specific skills that they had learnt through university. But this was forcing them to really think outside the box and think about marketing and think about people and think about the impact of this particular problem that they were given from industry. And I love this idea with capstone that it was free of textbooks, and it was free of format, really. It was just here's the problem, this is a real world problem. You have to solve it. Here's your client, you have to deal with that client. And it was such a rich experience for the students, because it took them totally out of their depth and showed them this is what it's going to be like when you step out and you become a consultant at a big four or you become an analyst at a bank or it really showed them what it was going to be like, which, you know, when I did uni 20 years ago, it wasn't like that when you stepped out the other side, you weren't necessarily job ready.

SJ: Absolutely. Yeah, the, you know, 20% paper, 10% paper 50% exam is all very regimented and structured and traditional. It's the way universities ran traditionally. And I think it suits some professions, but probably less so today, maybe once upon a time. But certainly technology and security is such a fast evolving field that you really just need to drop the students fairly quickly I think in their careers in their study careers, into a real world scenario, to say, Okay, this is how it's going to be, let's freeform this, it's not structured, it’s that there's a vague overview, a framework follow, and there's some milestone dates as you would have in any real world scenario. But yeah, let's work as a team, and with some guidance from one of the academics to solve a real world problem, I think it's really valuable.

CP: And, you know, to your point about the industry evolving, I'm interested to know, given what the students are going through now, the type of students, the number of them, you know, think these capstone subjects and the way that we're learning now, because, you know, there's always chatter about the skill shortage in cyber, and I've talked about on this podcast a lot over the last few years. Do you think that what we're teaching at universities and what the students are actually taking on board and taking back out to industry, are we getting the skilled workforce do you think?

SJ: The most important thing from what I've seen, especially the couple of years working with undergrads is the level of passion in the kids that are coming through, and I probably shouldn't call them all kids, because some are more mature age, but majority are sort of 18, 19 or even younger. There's some really keen and quite remarkably experienced, and I use that term, loosely as in they've wanted to go down this path throughout their teens. And they've actually spent time building machines at home or, you know, doing the research and following podcasts and all the sorts of things that you'd advise a professional to do. So, you know, absent education, you've definitely got a, I guess, a groundswell of people who are incredibly interested in the topic. And my first year teaching first years, a couple of years back, I was really blown away by I think I had a cohort of about 47 or 48 students, and at least half of them were mind-blowingly passionate about it. Which blew me away, I was sort of more expecting the 10-15% mark to be dedicated. So certainly, there's passion there. In terms of content, look I think there's certainly some catch ups going on. And I don't think, well, I don't think I've seen the perfect, I'm not sure what the perfect study pathway is at this point. If I did, I'd probably patent it and start my own university. Look, I think they're doing an admirable job in really trying to adapt to, you know, to what the industry needs. There is a lot of industry partnership going on. You'll have internships, and, you know, graduate pathways now are becoming the norm across many institutions. La Trobe has a fairly good one that I've actually had one of my students graduate recently and is working now at ANZ.
She went there as an intern and loved it, and they loved her and now she's kicking goals and I actually had her back recently to do a chat with my first year students again, to try and, you know, show them that there is not just light at the end of the study tunnel, but there are mechanisms within the system they can leverage to actually, you know, find themselves contacts within the industry using those mechanisms. And the unis have been very active in doing that, I think, which is great, you know, real feather in their cap. So, look, I'm confident, I think there's certainly the people, I think there's the desire both in the industry to partner with academia, within academia to partner with industry. Just, you know, the momentum needs to be maintained. And they need to keep changing. I mean, the last 18 months has shown us how volatile the world can be. There's quite a disparity, I think, between the institutions, and the curriculums of how ready they were for the transition to, what was for a while at least, fully online learning. So I think that's a big thing to be careful of too, is the learning format, the assessment formats. Again, you know, the examination at the end of the semester, is that really the best way to examine things? So there's work to be done, but I think most institutions that I've had experience with are actively doing that work to try and make sure that they're finding students, they're encouraging those students not just in their academic studies, but also in their career pathway connecting with industry and, you know, encouraging them to get out there and, you know, look at the next step beyond the study. So yeah, I think we're in a fairly good place. Time will tell but I'm happy to be a part of it. It's been great fun. I really do enjoy it.

CP: Oh, that's great news. And I think the evolution in this space will continue and you know, that knowing that we've got thinking like yours, and applying it to master's degrees and making sure that we are keeping our students up to date with what's going on in the world is incredibly important. And I really want to thank you for your time today Simon, I think it's a really great path we're going down in terms of educating people, encouraging people to go back to study and continuous learning. So thanks for your time. And I'd love to have you back on the podcast in the future to talk about how things have changed once again, we could do that tomorrow! But you know, in the future, see how curriculums are changing and shifting. So thanks very much.

SJ: No worries at all. Thanks for having me on. It's been great, good chatting.
