Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Cybersecurity Education, AI, and the Skills Gap

Fortra
07/16/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


was around today, I think he'd agree that this sentiment especially applies to the world of security. And like some more traditional disciplines, you won't find the secrets to cybersecurity in dusty textbooks or ancient scrolls. Security is far more dynamic with thousands of collaborators trying to make sense of the latest technological trends and attacker behaviors on a daily basis, and sharing their insights freely in blogs, posts, and admittedly, some frequently refreshed textbooks. But to be successful, you need to embrace continuous education or risk becoming redundant. This is one of the main things that I love about working in security. But that said, the shifting goalposts of an adequate security knowledge can intimidate the uninitiated. Knowing where to begin and how to become a successful security professional could be an art in itself. So in this episode of the art of security, we'll be exploring cybersecurity education and seek to answer questions like, do we lack enough qualified professionals to fill security roles? How do you effectively teach or evaluate students in the age of AI? How can educational syllabi keep up with the threat landscape when professionals are learning on the job daily? And what even qualifies as a good security professional? My name is Josh Davis. I'm joined by my co-host Tyler Regoli. And today, our expert guest, Dr. Mansoor Alkarni of Fanshawe College in Canada. Thank you, Josh. My name is Mansoor Alkarni. You pronounce that better than I did. I am, I will give kind background and why I switched to cybersecurity and etc. So when I was young, my dad used to teach computer science, and I go with him to university. And I see how he helps the students and said, you know, I want to do the same thing. So they want to do, become a teacher. But after high school, you see, I like when I was young, playing with computers and things, and I said, you know, let me expand more. Let me go network security. So I got my undergrads in computer networking. I got my master's in computer science from Saudi. I moved to Canada I got my master's in computer science from Saudi. I moved to Canada in 2011. I got my master in computer science. And then was Vennett. I don't know if you know what is Vennett, which is Vehicular Attack Networks. So smart cars communicate in 2014 was only me couldn't find any smart cars. Like Tesla, they were studies research, very private, confidential, was a struggle field to find any research data. After completing two years, I did my master's in cyber security and AI. And he said, you know, let's go in general, then just focusing in smart cars and networking. After a complete finish, I reached out, they would like me to help in building a cyber security program with two of my colleagues. And that during that time, I met Tyler. After a couple of times, again, in cyber security, we all know it's, it's not just to learn that's the end of the road, you have to continue. 20 years ago, we don't have smartphones, we have only computers to secure. Now IoT everywhere. So I did my PhD in cyber security and AI for embedded system where kind of how to use the AI to test securities, but also AI themselves, it's not secure, you could test, we could manipulate the decision influence for AI. So that's where my focus was in PhD. And I am with Fencia College for about 10 years now. What kind of subjects do you cover? And how is that going at the college? Essentially, I teach kind most, I'm the program coordinator. So teaching, it's less hours, not really less, I teach two, three, four courses in the program. I review the entire course, courses we have. Actually, currently, now I'm teaching AI for cyber security. In the past, taught penetration testing and programming. And again, the courses we teach, we have to adopt and learn basically, college and universities, we are, we cater for them. So students, our goal, how can we give these students the best knowledge when they graduate to get a job? How can we improve the curriculums to make the best skills for our students when they graduate? How long did that process typically take? Because I think to use the easiest example of things you mentioned there, AI for cyber security, that module you talked about, it feels like that's an arena that's changing quite often. And these different vendors will have different positions on it or sell AI SOC analysts, for example. How do you square that with such a fast paced field that you're then trying to get these approvals for? And universities, colleges are maybe unfairly so, but they are famous for levels of bureaucracy and red tape that you probably have to get through in order to get something approved. And then is that even still relevant by the end of the course? Absolutely. So we do degree audit every year. When we change, it will apply the next year. But again, curriculums, courses, we update the courses every term. So we try to keep it up to date. So there is no delay. We do have the freedom to change a couple of the slides to keep it up to date. If somebody taught last term was, you feel there's a new textbook, you want to include the new textbook topics, subject, change the hand, like activities, practical labs. We support them and we can't engage with the development as well. So and Tyler knows teaching, it's really, it's harder when it looks like. When you come to develop, even courses has been developed, you just come and do teaching. It's not coming and doing a lecture. There's a lot of behind scene than the three hour teaching. And that's why it's really, really difficult and hard to find and hire people in our cybersecurity field. Like in some people, they are very excited. And they looking forward to come and teach in the college and university level. They work some of them, I've had this in the past, they come, they are very excited, they reach out and you give them a position. And after a week, two weeks there, they can't do it, they just drop out. And then we have to find another faculty to continue. This is, it's very common. We obviously have analysts burn up in the industry, don't we? And people having to, you know, practitioners working on a daily basis and the pressure of keeping your company out of the news from being breached or trying to layer on security controls when developers and everyone else is trying to innovate at the speed of light. So Tyler, I don't know if you can talk to a bit of that, because that's an interesting angle I haven't heard before that we, do we cybersecurity professionals generally suck at teaching? Or is there a pressure that we are built for that isn't the same as standing in front of a classroom? I, so I think, and I've, you know, I guess I've been on both sides of this. It, the thing that nobody tells you when you start teaching, and I can't think of a better way to put this, so I apologize to all the students out there, students are needy. Very, very needy. And so like, when I was teaching, at one point I was teaching courses during the day, which was really hard with a full time work schedule. So the courses I ended up teaching later were much more accommodating, I taught in the evening. And so my classes were six to 9pm, which was nice. The problem I had is that I would say every class that I taught, or at least every second class that I taught, would go till nearly midnight with student questions. And then I'd have to get up and work the next day. And you have to remember, and this is a shortcoming of the college system here, the, you know, I will say all post-secondary here most likely, you're only paid for the hours you're teaching. And so when I did the math for one of the semesters I taught, I was making $5.50 an hour. That's, you know, that's significantly less than minimum wage even, when you take into account all of the hours that you put in. And so I think one of the hardest things to do is balance, because we all know security is not a nine to five job. I mean, my average week is 60 hours, sometimes more. And so now if you take another 40 hours, 50 hours for teaching, there's not a lot of time left for sleep, even. And so I think that something that happens is you go in and you don't realize just how demanding it is. Luckily, I taught 15 years ago, and then again, five years ago. So I had a, I had a bit of an expectation going in the second time, but that first time, if it hadn't been, to Munsir's point about people disappearing, if it hadn't been the level of respect I had for the two professors that asked me to come in at that point, because they had been my professors 10 years before that, I would not have stuck with it. It was only because they were some of my favorite people in the world that I was like, you know what, I'm going to do this because they asked me to. And because I always wanted, I love teaching. Teaching is one of the coolest things you can do. And I don't think a lot of people realize that aspect of it either. It's just, it's fun. Every, even, you know, even though I was sticking around until midnight some nights, it was fun. The conversations were awesome. I loved it. I absolutely adored it. So, but you have to be able to balance that time. If you've got, I'm lucky, it's just my wife and I, I couldn't imagine if I'd had kids in that equation as well, trying to juggle two jobs and kids. I don't think anybody could probably pull that off successfully. So I definitely understand it. So. There's, there's something you said earlier about duality, having that job and then being a teacher as well. And yeah, I think that also makes you, you know, a very, an excellent teacher to have somebody who's actually on the front lines on a daily basis. And you're actually experiencing and living this and working this. Monsieur, I know you did some of that stuff in the kind of car testing, security testing world. Now, am I right to assume that you're just mainly an academic and focused on the teaching? Yeah. Actually I do consulting, cybersecurity consulting and AI, because I do have my own company for, it's called Noble AI Security, which we, based on building, which is my software project I built for the PhD, the five years you spend doing your PhD, you take your project, which is about an AI to do monitoring. So to run your network, monitor your network. And I do have also an extension using an AI to monitor your emails as an extension, like software. When you open your emails, it pops up to your email based on the content of the email. It's just going to show, hey, this is a scam. Doesn't interact. It's fully light. You could, doesn't read any softwares, any data. But again, when you come back to the AI, it just is, again, it's when you, when you are in education, as Tyler mentioned, it's, it's really fun. I don't, I do, I prefer doing teaching and staying in academia than in the field, unless I work for myself. Because if you work with somebody else, most of us do know, it's just cybersecurity. It's not just eight to four or nine to two. It depends. Basically, you might, some weekends you have, you got, your company got compromised. There's other things you need to do, there are tasks, et cetera. So academia, it's fun when you finish, but you still want to go back and learn something. It's not just also, you say, hey, I have my PhD, I'm done or have a master or have a degree. Especially in cybersecurity, we need everything's evolved. So we need, how can we keep up and improve? So it's, sometimes you get struggles and that's the experience. You laugh, you cry before final exams and et cetera, you're in sleep for two, three days. And then after a year, two years, when you graduate, you look back and you say, that is fun. I want to go back to school to just live those memories again. Where I was kind of going with that, and you touched on it a bit though, is that kind of practical real world skills and then the theory. And of course you need both to be successful. But what I'm really interested in is where the balance of that is. And I think I looked at education, like the cybersecurity masters or probably about 10 years ago. So I'm probably a little bit dated, but it felt to me like it was more heavy on the theory side of things. And certainly as I worked in the SOC, in the collaboration center, some of these people, we were getting a master's student or a PhD student, and some of them would come in and be fantastic. Don't get me wrong, but some of them would be not almost as useless as somebody who had almost zero experience was kind of doing a complete career change. So I just, I never really saw the theory always translate into the real world. So where do both of you stand on practical experience, empirical experience and theoretical? Let me make a comment and hopefully set this up for Miser, which is to me, and I think it's a, I think, I don't know, because I've only ever experienced the Canadian education system, but I think it's somewhat unique to Canada, the way our college system works. Because when I talk to friends in other countries, colleagues in other countries, they don't quite get the experience that we get out of the college system here in Ontario. And when I went to college, and again, I could date myself even more than you can, Josh, so I won't. But when I went to college, I found a lot of my classmates were actually university graduates who had gotten all the theory, but had no practical and no hands-on experience. And they were coming back to the college level, because it provides that real mix of here's the theory, but here's the hands-on, and you get both sides of the experience all at once. And that was what I have long preached, and probably much to, I don't know, I've probably angered some people over the years, that I don't recommend the university path to people who want to go into computer science or tech or computer security specifically. I recommend the college path because of that. And I don't know if that's something, Windsor, that you can talk to a bit more, but I feel like college gives you that best of both worlds experience that you really can't get anywhere else. And we have so many paths now, right? We have university, we have college, we have certifications, we have boot camps. And I don't think any of them give you that interesting split that colleges here in Ontario at least give you. Absolutely, I do agree with you, Tyler. One thing from my experience as well, master's and PhD, they are condensed, they're 100% or 99% theory. And just because you only do your studies, and basically most of it is programming, because that's your theory, hypothesis, you apply it, you get the result, compare, etc. Someone works in the field and they master's, it depends what type of master's they get, but most are theory. Universities, they more in cybersecurity, as Tyler mentioned, in computer science, they focus more in programming. And I do actually, at Fanshawe, we do have more students, they come, like in the past couple of years, they do have at least three, four, five students that return, they come from Western University. It's not just because some universities, they have only, it's unique. In our colleges, we create programs, and it's been supported, and we have the funds to run the programs. Colleges, universities, they have one program, the entire, it's forever. Like Western University, they have only one or two computer science and electrical computer engineering. Well, they open cybersecurity or an AI, that's where the universities kind intend to do more, they will do a master in cybersecurity, a master in AI. But at that level, there's going to be more theory than practical. What we do at our college, we do have practical and theory, kind 50-50%. So colleges usually intend, you will have 70% is practical, 30% is theory. But when you come to graduate, you don't want somebody knows only theory, that's they lack some of practicals or vice versa. So in evaluations, like students must pass both, they have to pass the practical and the theory, so they could, both skills been applied, you understand an IP address, you do understand how buffer overflow, not just, you know, the knowledge, but not how to, the code works, or you do understand coding, but not the fact what caused the buffer overflow. So in our education in Canada, it gives the advanced students, especially in the college level, in Ontario, I'm not sure other province, but I will assume all colleges, they do have 70-30% and how you apply them. And students will learn more. Like most employers, when we come to our conferences, they prefer students because they know hands on, having an university students, you do understand the topic. Also, I recommend students most of the time and friends of them, they said, if you really wanted to get a university degree, because a name of a university, go to the colleges, get two, three years of the college, and then take a credit. And then you get another two years at the university, you don't have to start, you will get the credit from the college, and you get a degree. Or you could do also as a part time, if you wish to get your master's after. It just depends for each individual. But we try here to apply more again, when our students we give the co-op, they have to go for one year co-op. Like it has to be a paid internship. Employer, they do have to fill a survey, which we receive after when students to see is it meets our the program requirement, did the student perform well at their co-op. And the employer, they will commend students was like some skills in penetration testing or in governance evaluations or policies and etc. So we take this feedback to our committee members, and we reevaluate and we look at the courses, but we are and again, it could be we teach it just some students they prefer to. And I noticed a lot of students, they just like to do two things. They want to do bounty hunting, or do you want to be a pen tester? That's all they want it to be. Everyone wants to be a bug bounty and sit at home and get 10k per bug they find. I always have that conversation with people who try to get in. So I think there's something you mentioned on there that I want to jump over to. And you kind of talked about, you know, employability skills and going out and doing the co-ops and finding out where where things are lacking. And one of the things that Josh mentioned at the top of the episode was the, you know, is it a myth that there's a skills gap and missing people? And so maybe this is putting you on the spot. But do you happen to know what the placement rate is for graduates of your program? How many of them find a job? To be honest, Tyler, this is I will be honest with you. So again, we do if you're in cyber security students, they do not really come because they're passionate about cyber security. They want to learn cyber security. Only a small percentage are let's say 10%. They will get 100% co-op. They will get the job after they graduate because usually students when they get a co-op, that's their life job. So when they graduate, they stay part time with them. They want them to keep on and etc. So about 50 to 60% right now, students get co-op and the employment rate when they graduate, they get a job. So we do have in the program about 100 to 100 students who they graduate, about 50 to 60 out of 100 will get a job. The more you put efforts, the time you put absolutely some they focus only get a degree and get certs. Again, certificates, it teach you a tool or methods or a technique. It's a quick way into cyber security, but you might lack a lot of skills, which the degree in college, you understand all the foundations. You don't just do penetration testing, you do understand the network, how it works. You do understand coding, how it's connect the process, the frame, the package into the network, if it's intercepted or not. So you understand all methods and experience foundations. Then, for example, I will give you this analogy, if you want, you're hungry, you want a good food, you could just put something in the microwave, or which is a quick food, or you prepare your own lunch. It takes you longer. But you learned you could change different in the recipe of your food and it's delicious meal at the end, or just put something in a microwave and you understand what you're expecting from that meal. So in education degree, it's students just need to have it or they feel just want it because they need a degree. And certs is all what they need to care for. And some just they believe they will get rich if they, or becomes hackers, they are in the program. I can tell where that Josh is getting ready to wrap us up here, but I don't feel like this this has been a controversial enough discussion. So I want to ask one more question before Josh wraps this up. You see a lot on Reddit. I just had a conversation about this at a symposium a couple of weeks ago, that cybersecurity is not an entry level job, that it's not something that you just go get an education and then go into that it's for people who have spent some time in it as a sysadmin working in networking to migrate over into that field. Now you are teaching people who are most likely in most cases coming straight out of high school. I know that's not always the case. But a lot of people who are coming straight out of high school, and then looking at these entry level positions, where people are expecting them to have more experience. So how do you address that? What is your response to that? Well, to be honest, cybersecurity could be can't be an entry level based on that, the job itself. So if you are doing network monitoring, like it's a software, you're not you're just going to sit like as a sock analyst, what are you going to do, there's a software you're going to run, you're going to report, send it to your seniors, that's what they control. So they're an entry level for cybersecurity. But again, so we don't just teach, and you require an experience. And that's what you need in a degree to understand the entire networking, you understand the programming. So that's what we do teach in a degree so that you will become a junior in cybersecurity. But also, we don't want to think cybersecurity is an easy as an add zone. If it's not like if it's not an entry level, that means you need to be a network admin, or an engineer, software engineer, and you could later on become a cybersecurity expert, because you took only a couple of certs and a couple of training. And that's why a lot of companies get hacked. Because some people don't pay attention to cybersecurity, it's more than just a certification or training, it doesn't mean you have experience in network and operating system and admin, it's an easy to become a cybersecurity or you have a programming degree, you just cybersecurity, it's a one course, cybersecurity is a long field. And again, you're going to learn a lot of things in your education, then in the field, and you're going to learn from the field and you learned in the education. So both they support each other. Having a degree in cybersecurity, absolutely. It helps as an entry level to get the cybersecurity, but a general cybersecurity that has to look and we have to look at it, it's not just something we could add, it's not just a soul to put on your stake. And that's what most people will think cybersecurity, I do have the knowledge of everything. And I just need to take a course to improve my skills and become cybersecurity expert. It's not cybersecurity, it's more in depth, you look into the cybersecurity or computer science in a different angle, you try and in cybersecurity degree, we don't just be learning, you need to understand problem solving, how to interact with, you do have an experience in networking and operating, yes, and network or operating system and admin network. It takes you take that knowledge and experience. But when you become or taking a degree as to improve to cybersecurity, you will see say, I did understand this type of knowledge before. But with education, you will say yes, I see why, how cybersecurity not just I could add a course or do a conference or training or take a certification and become cybersecurity expert. That is my opinion. And also based on you can't become a pen tester. If you just graduated from the college, you still need experience and testers, it's not an entry level. So basically, based on the job is not an entry level. But the degree of cybersecurity is an entry level because you need different jobs. But they are, you can't be an advanced malware analyst, if from after unless you have multiple experience, and you study two, three years, just to focus in that field. I totally agree that I think some of the softer skills might be harder to teach in a cert or a degree or anything. And maybe there is a level of expectation or entitlement. And that's probably partly our fault as an industry and talking about the skills gap so much and look at all this money you can earn and kind of jumping in. But there's one point I want to make and then one question I want to throw back to you. I think we as an industry need to treat it more like an entry position, but realize that you're going to hire somebody and you're probably not going to get much value out of them for the first one, two, maybe even three years to really train security professionals that are going to be good, they're going to be effective, and that can learn that problem solving on the job because that their job will change in that one to two or three year period. Anyway, the tools they use might change. But I think this is the one area where we've skirted around a little bit, is we now are seeing loads of these entry level jobs being snapped up by AI. Level one analyst is now, some companies will tell you an entirely automated task and you just need a level two or three or you're some senior person as a human on the loop or in the loop to kind of validate it. I do some mentoring outside of my work. And I find that that's quite a conversation that comes up a lot and have to kind of coach people to work alongside the AI in a way that I didn't really have to do myself as a SOC analyst. So I'm sure somebody probably hears this a lot and is attuned to where the industry is going and where these entry level roles are going. Is AI going to snap up all these jobs and how can, can we reasonably expect the, is the part of this entitlement that they've just, AI is taking the job that they should be getting themselves, or are they not putting the working to adapt and be the kind of work in the modern day arena and get that security job? That's a really good question. So now I've seen a lot of people and I've asked, they say, oh, I lost my job because AI. And that's, it's something really, and they say, okay, really, what do you do? And they will say, I'm a cashier for instance. Well, AI can't do that. It's just now some people, they just like to say, and like to say, I lost my job because of AI. AI can't take your job. AI will enhance your skills. AI can't operate with us. So if you're not there, operate, AI can't think, can't perform tasks without human. So AI required us to run. But also I do understand a lot of companies, they are depending on AI and like stock analysts and et cetera. But the question is, how did you get your AI? Did you build your AI system? And this I was explaining to my students yesterday. AI, we take the model, we train based on knowledge. Where did you get this data sets? Data sets kind of basically what you train your model on. If your AI trained on a data set was out there, who created that data set? How do you trust that data set? That may be data sets, you're training in ideas on a data set where some of the information, it says, if you see this type of attack, just flag it as a normal attack. So person, I know the data sets and I know what's been used, these AIs, and it could attack these companies. So basically AI, it's not secure, it's operate, it's enhanced, which is like any, it's a programming, but it's an advanced algorithm to run and train on different behavior than human could see. But AI still, we could manipulate the AI prediction. I mentioned to students, we use multiple other AI models to attack the AI. For example, you show on a stop sign, you train the models trained only on a stop sign, and then you put a ticker on the stop sign. The smart car or the camera, the AI will say, I've never seen a stop sign with faded color or with instead the shape, a green sticker that is a green light. The car is not going to stop, it's going to continue or speed limit. The same thing with, if you've seen an attack, AI, they perform, they learn any machine sending to a machine, the IP, the traffic, the package over 1000, that means a DDoS attack drop an alert. As an attacker, you say, oh, this is, okay, I understand how they flagged me. I could use less than 1000 package for device, and I use 10, 20, 40 devices, which is like bots in the internet, and they send the traffic. Basically, the server will have a DDoS attack in a different way. As human, we understand, say, oh, the server having loads of traffic at the same time, but the AI will look and say, this traffic is normal, it's fine. I look at this, doesn't affect the server it's running. This IP is legit traffic, less than normal package I should alert, but basically, it caused. AI don't see this type of performance, and that's why we need to look, and I don't think AI is very secure at this point where we are right now. If we're just jumping to AI, to use them to say, hey, state of art, we have an AI, but we need to understand, I'm a person who knows cybersecurity, and I worked in AI, and I developed the AI softwares. How can we use them? Are they based on this data set? Josh, you are building your software, you will find a data set there. How do you know? How confident are you with this data set? How do you know somebody didn't put any malicious data on a backdoor could use to your AI? So, is it fair to interpret that as it's going to cause as many problems as it fixes? Absolutely. If the AI has not been probably the proper way to build, again, you need your own data sets. You need to harvest them using somebody else unless you trust, but how can you get this trust from someone just online? We go back to, as it was Linux Debian, a couple of years, 2023, where one of the commit users sent the backdoor, allowed backdoor to all companies, the server. I really forgot what the vulnerability was. It was 2023. Does that ring a bell to you guys? Josh, we've talked about this one and had the debate on, is it XZ or XV or XZ? Yes, yes, yes, yes. A few episodes back on that one. It's somewhere, there's an X, there's an X. So, it's exactly the same. So, this is the trust. Do you trust in cybersecurity? Do we trust people we work with? No. And basically, this is you building the entire software on a known data set. Even if that person is trusted and known in the field, how can you trust there is one small data the model learned to avoid, and it's been triggered in a different way. So, AI is good to use. We use it all the time. We need to be careful not just to give 100% AI, because we do still need skills to review them as well. Awesome. Josh got to steal my last question. So, I'm stealing one more last question from him, but this will be quick. We're coming up to the end of the school year for high school students. A lot of them will be going off in September to start their college careers. If they happen to stumble across this and they're preparing for college, what would you as a professor say is just a quick 20-sentence soundbite? What should they prepare for? What should they expect when they get to the program? Well, I would say to students, if you're preparing to go to cybersecurity or any other field, search if this is something you really want. It's not easy and it's not hard. It's just based on how much time do you put and learn. But if you're coming to cybersecurity at Fanshawe College or another college, go research. There's multiple free YouTube lessons, trainings. Expand your knowledge, because there's a lot of terms and acronyms in cybersecurity. If on your first day, if you don't know what they are, it's just going to be overwhelming knowledge. And that's where students, they kind of get scared. What is this? How can I? What is CAD? What is Linux? What is IP? What is router? If they just... And I mentioned which when they come to the open house, we do an open house before like in summer in April and October before the beginning of the start of their programs or year. We recommend multiple things. Go read. And we ask them, why do you want cybersecurity? Which based on some of them, they take high school computer science. Learn more. Spend your time. Try to... There's a lot of free courses. And students also who are finished the school and they're off in the summer or something, say, go to do conferences. Go learn something. Build a project, etc. Because some students, when they finish a school or finish something, they just say, I'm in school. I'm done. I don't need to do anything. This is... Yeah, absolutely. But it's wrong. If you're in cybersecurity, try to improve. Do something. Use your time to build a project. Use that project as an entry, an icebreaker for your interview. And kind of the motivation, they use this kind knowledge and skills. And again, it's an advice. Some students, they're very smart. They do understand how to handle a conversation and interview. Again, it's not just computer skills and cybersecurity skills, but also as a soft skill. Some, they're really good. You see them, you say, I like this personality. Some of them, even if you don't know anything about cybersecurity, I will hire you because there's personality. And some, they do have good skills, but that's why in college and university, we put students in groups so they could present information. It's really hard to teach them soft skills, but they need to improve. And we say to them, go learn about cybersecurity. Did you read things? So I would recommend to come when they're starting their first year at the college or university, read about the topic, go learn on YouTube. There's multiple courses, lessons for free. Just something you understand where you're going to. I think that though we've talked a lot about the college or university pathways, I strongly believe there are many ways into cybersecurity. And actually that's a necessity because I think the more, the diverse backgrounds make for better teams of analysts who all see things slightly differently and come to that better conclusion together. But I also had a little, maybe a small revelation in your last answer in that one, just there, we talked a lot about soft skills and I started to think of how you talk about how important trust is in the kind of AI content and how people are important for trust or evaluating trust. And so I did just do a quick search in my LLM and trust is considered a skill. So I would add that to the list of soft skills that build your trust, trusting that you're somebody who does that extra bit of work and dig in, does that bit of research, does your own project, looks at this from multiple angles, and doesn't just wait to be spoonfed the information, even if it's a fantastic syllabus, because really that's how you're going to be successful in the security world. So hopefully we've answered at least some of the questions that I've posed at the top of this episode. Thank you to the listener for joining us in the Art of Security podcast. Make sure you subscribe wherever it is that you're accessing these podcasts.

TL;DR

  • Ontario college programs offer a 70-30 practical-to-theory split that better prepares cybersecurity graduates for employment than university degrees or certifications alone, according to Dr. Alqarni.
  • Only 50 to 60 percent of cybersecurity graduates find employment, with co-op participation and self-directed learning being the strongest predictors of job placement success.
  • AI is automating Level 1 SOC analyst tasks, but Dr. Alqarni warns that AI systems are only as reliable as their training data — which can be manipulated or poisoned by adversaries.
  • Cybersecurity is not uniformly an entry-level field; roles like penetration testing and malware analysis require years of experience, while SOC monitoring positions can serve as genuine starting points.
  • Soft skills — particularly trust, communication, and intellectual curiosity — are increasingly decisive in hiring and are difficult to teach through certifications or short-form training programs.

Cybersecurity Education: College vs. University vs. Certifications

This episode of The Art of Security podcast brings together hosts Josh Davis and Tyler Reguly with Dr. Mansour Alqarni, program coordinator and professor at Fanshawe College in Ontario, Canada, to examine the state of cybersecurity education and workforce readiness. The conversation opens with a frank assessment of the different pathways into the field — university degrees, college diplomas, certifications, and boot camps — and where each falls short or excels. Dr. Alqarni argues that Ontario's college system offers a distinctive advantage: a roughly 70-30 split between practical, hands-on learning and theoretical instruction, compared to universities that skew heavily toward theory and programming fundamentals. Tyler Reguly reinforces this view from personal experience, noting that many university graduates return to college specifically to gain the applied skills their degrees didn't provide. Certifications, while useful for learning specific tools or techniques quickly, are characterized as a 'microwave meal' — fast but lacking the foundational depth that a full degree program delivers. The panel also addresses the very real challenge of recruiting and retaining qualified cybersecurity instructors, noting that practitioners who enter academia often underestimate the time demands and leave within weeks.

The Skills Gap, Entry-Level Roles, and AI's Disruption

A central debate in the episode is whether cybersecurity is genuinely an entry-level career path. Dr. Alqarni offers a nuanced position: while roles like SOC analyst can serve as entry points, more specialized functions such as penetration testing or advanced malware analysis require years of accumulated experience. He estimates that only about 50 to 60 percent of graduates from Fanshawe's cybersecurity program secure employment, with the most motivated students — those who pursue co-op placements and build independent projects — achieving near-certain placement. The conversation then pivots to AI's growing role in security operations, particularly the automation of Level 1 SOC analyst tasks. Josh Davis raises the concern that entry-level roles are being absorbed by AI tooling, leaving new graduates with fewer on-ramps into the profession. Dr. Alqarni pushes back on the idea that AI is a wholesale job replacement, arguing instead that AI systems are only as trustworthy as the data sets they are trained on — and that those data sets can be manipulated or poisoned. He illustrates this with examples of adversarial attacks on AI models, including traffic-based evasion of DDoS detection systems, concluding that human oversight and critical thinking remain indispensable. The XZ Utils backdoor incident is cited as a real-world analogy for the trust problem inherent in relying on externally sourced AI training data.

Soft Skills, Trust, and Advice for Aspiring Professionals

The episode closes with practical guidance for students preparing to enter cybersecurity programs. Dr. Alqarni encourages prospective students to begin self-directed learning before their first day — exploring free YouTube courses, familiarizing themselves with core terminology like IP addressing, Linux, and networking concepts, and attending open house events. He emphasizes that personality and soft skills can be as decisive as technical ability in hiring decisions, and that group presentations and collaborative projects within college programs are deliberate attempts to develop those interpersonal capabilities. Josh Davis adds a broader observation: diverse educational backgrounds strengthen security teams by bringing varied analytical perspectives. He also highlights trust as an underappreciated soft skill — the ability to demonstrate reliability, intellectual curiosity, and independent initiative rather than waiting to be guided. The panel agrees that continuous learning is not optional in cybersecurity; it is the defining characteristic of professionals who remain effective as the threat landscape, tooling, and AI capabilities evolve around them.

Chapters

0:00 - Introduction and Episode Overview
1:39 - Dr. Alqarni's Background and Career Path
4:23 - Keeping Curricula Current in a Fast-Moving Field
7:57 - Why Practitioners Struggle to Stay in Academia
14:37 - Theory vs. Practical: College vs. University Debate
22:19 - Skills Gap, Co-ops, and Graduate Employment Rates
25:44 - Is Cybersecurity an Entry-Level Career?
31:25 - AI's Impact on SOC Roles and Junior Analysts
33:00 - AI Security Risks and Training Data Trust
39:09 - Advice for Students Entering Cybersecurity
43:00 - Soft Skills, Trust, and Closing Thoughts

Key Quotes

9:27 "You're only paid for the hours you're teaching. And so when I did the math for one of the semesters I taught, I was making $5.50 an hour."
19:02 "What we do at our college, we do have practical and theory, kind 50-50%. So colleges usually intend, you will have 70% is practical, 30% is theory."
23:13 "Only a small percentage are let's say 10%. They will get 100% co-op. They will get the job after they graduate because usually students when they get a co-op, that's their life job."
32:51 "AI can't take your job. AI will enhance your skills. AI can't operate with us. So if you're not there, operate, AI can't think, can't perform tasks without human."
38:50 "AI is good to use. We use it all the time. We need to be careful not just to give 100% AI, because we do still need skills to review them as well."
43:36 "Build your trust, trusting that you're somebody who does that extra bit of work and dig in, does that bit of research, does your own project, looks at this from multiple angles, and doesn't just wait to be spoonfed the information."

FAQ

Is cybersecurity a good entry-level career for recent graduates?

It depends on the role. Dr. Alqarni explains that SOC monitoring positions can serve as genuine entry points for graduates with a solid foundational education, but specialized roles like penetration testing or malware analysis require years of accumulated experience. The panel recommends treating the first one to three years in any security role as a structured learning period rather than expecting immediate high-level contribution.

Will AI replace entry-level cybersecurity jobs?

AI is already automating many Level 1 SOC analyst tasks, and some companies now operate with fully automated first-tier triage. However, Dr. Alqarni cautions that AI systems are only as trustworthy as their training data, which can be manipulated by adversaries. Human oversight, critical thinking, and the ability to identify AI blind spots remain essential — meaning the role of junior analysts is shifting rather than disappearing entirely.

Are certifications enough to break into cybersecurity?

Certifications teach specific tools and techniques quickly but lack the foundational depth of a full degree program. Dr. Alqarni uses the analogy of a microwave meal versus a home-cooked dish — certifications get you somewhere fast, but a degree gives you the underlying knowledge to adapt and problem-solve across different scenarios. The panel recommends certifications as a complement to, not a replacement for, structured education.

Categories:
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Security Operations
  • AI & Machine Learning
  • Getting Started
  • Best Practices
  • Threat Intelligence
  • Technical Deep Dive
  • Cybersecurity education
  • Skills gap
  • AI in security operations
  • SOC analyst roles
  • College vs. university pathways
  • AI training data integrity
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Cybersecurity Education, AI, and the Skills Gap

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    22

                    Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                    07/22/202601:00 PM ET
                    • Aug
                      19

                      Becoming Agent Ready: Insights from Cyera's Expertise

                      08/19/202612:00 PM ET
                      More events

                      Upcoming Webinar Calendar

                      • 07/21/2026
                        04:00 AM
                        07/21/2026
                        Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                        https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                      • 07/22/2026
                        06:30 AM
                        07/22/2026
                        Insights and Strategies for Effective Data Privacy and Protection
                        https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-for-effective-data-privacy-and-protection/
                      • 07/22/2026
                        01:00 PM
                        07/22/2026
                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                        https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                      • 07/28/2026
                        01:00 PM
                        07/28/2026
                        Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                        https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                      • 07/29/2026
                        04:00 AM
                        07/29/2026
                        Real-Time Strategies for Safeguarding Against Prompt Injections
                        https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                      • 07/29/2026
                        01:00 PM
                        07/29/2026
                        Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                        https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                      • 08/19/2026
                        12:00 PM
                        08/19/2026
                        Becoming Agent Ready: Insights from Cyera's Expertise
                        https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                      • 09/02/2026
                        12:00 PM
                        09/02/2026
                        Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                        https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                      • 09/30/2026
                        04:00 AM
                        09/30/2026
                        AI Command Center: Optimizing Visibility and Control in Your Operations
                        https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                      Truth in IT
                      • Sponsor
                      • About Us
                      • Terms of Service
                      • Privacy Policy
                      • Contact Us
                      • Preference Management
                      Desktop version
                      Standard version