HomeCover StoryDigital defenders: meeting the need for talent, bridging the business-technology gap

Digital defenders: meeting the need for talent, bridging the business-technology gap

Nick Herman once led a global corporate campaign to trick people into clicking on a fictitious link. He created fake websites and phishing emails in different languages.

Herman is no cyber fraudster — quite the contrary. Interning at a high-technology manufacturer in Charlotte, N.C., during his freshman year at Virginia Tech, he was put in charge of the phishing project to promote cybersecurity mindfulness throughout the company.

“The biggest issue in cybersecurity is the lack of awareness,” said Herman, who was self-employed as an IT consultant in high school. And lack of cyber education and awareness, he said, can lead to phishing attacks, which “are the number one way cyber criminals infiltrate a system.”

A photo of Arpit Soni.

Arpit Soni is a junior majoring in business information technology. He is pursuing the new academic option in cybersecurity management and analytics this fall. (Photo credit: Shawn Sprouse)

Arpit Soni wants to launch his own business to help organizations better defend themselves against cyber intruders. Network security, he said, is where vulnerabilities are being relentlessly exploited.

Soni values the part-time positions he has held at Apple, Home Depot, and Virginia Tech Dining Services. The sales and customer-service jobs were exceptional learning experiences that let him improve his problem-solving and communication skills, said Soni, who is already well versed in computer languages, some of which he taught himself.

Cybersecurity management and analytics at Pamplin

Herman and Soni, both juniors majoring in business information technology in the Pamplin College of Business, leapt at the chance to pursue a new academic option this fall in cybersecurity management and analytics.

“When I saw that Pamplin will start offering cybersecurity, I immediately booked a one-on-one meeting with my advisor to make the switch from the decision support systems option,” said Soni, who has a second major in finance. The cyber option, he said, would equip him with the skills and knowledge “to protect systems from security threats and damages, as threats to systems will never go away.”

Herman has set his sights on a career in cybersecurity and business. “The cyber option will allow me to take classes that are focused on my goal,” he said. “I want to learn how cybersecurity is important and relevant to business as opposed to being a computer science major who focuses only on the technical aspects and not also the business aspects.

A photo of Nick Herman in front of ten computer screens with cybersecurity issues.

Nick Herman, a junior majoring in business information technology, promoted cybersecurity mindfulness during an internship with a high-technology manufacturer. (Photo credit: Shawn Sprouse)

Herman and Soni can expect that the knowledge and skills they gain will be in great demand when they graduate.

As data breaches and cyberattacks continue to grow, employers — businesses, government agencies, and others — are seeking employees with the right skills to help them.

The tremendous need for such expertise prompted Pamplin to develop the cybersecurity option as part of the college’s business information technology major. The option offers undergraduates a field study with a sponsoring organization in the greater Washington, D.C. metro area.

The option fills a huge gap in cybersecurity education, said Robin Russell, head of Pamplin’s Department of Business Information Technology.

Citing workforce analytics research, Russell notes that the vast majority of cybersecurity education programs are at the graduate level — even though 84% of job postings in cybersecurity require only a bachelor’s degree — and are technically focused, originating in engineering or computer science.

“Our industry partners tell us there is a great need for problem-solvers who have business as well as technical skills,” she said. “They need graduates who understand the technical issues of data, IT, and cyberattacks — and also know how to use data to support business functions and management decisions, including how to articulate the risk and ramifications of alternative cyber strategies.”

Business information technology — the second largest major at Virginia Tech, with 1,200-plus students — deals with data, people, and technology.

Through two long established options for specialization — decision support systems and operations and supply chain management — students learn to build IT systems that help managers run their organizations and make decisions, or learn to use data and technology to manage operations across a global supply chain.

Meeting the demand for talent

The new cyber option would help meet the tremendous need for talent in this field, Russell said. Given the dramatic increases in cyber threats and the continued shortfall of cyber-skilled professionals — 3.5 million cybersecurity jobs are estimated to be unfilled by 2021 — the need for more students educated in cybersecurity is a major priority for Virginia, as well as a matter of national security, she said.

“… there is a great need for problem-solvers who have business as well as technical skills.”
—Robin Russell

In the D.C. area, where Virginia Tech will build its new, technology-focused Innovation Campus, the demand for such professionals is especially intense — more than double the need of the New York metro area, more than five times the Boston area, and almost seven times that of Silicon Valley.

In developing the option, Russell and her faculty have been guided by experts in the industry who also serve on the department’s advisory board, including Deborah Golden of Deloitte & Touche and Baback Bazri of Ernst & Young.

Both Golden and Bazri have noted the need for more professionals who can bring valuable business and management skills and approaches to problem solving and decision making in cybersecurity.

Photo of Robin Russell gesticulating in front of a powerpoint presentation.

Robin Russell gave a joint Hokie Talk on campus, fall 2018, on cybersecurity. (Photo credit: Charles Whitescarver)

An article in the WashingtonExec newsletter noted Golden’s enthusiasm for bridging the gap between business and technology in her work. “It’s my ability to bring technology and innovation [together] with business and the ability to execute on a problem — while at the same time considering risk and its impact on multiple stakeholders — that makes it exciting for me,” she said.

Said Bazri: “Because there are so many bad actors out there, it is critical that businesses understand, assess, and manage third-party and supply-chain risks, and that includes a knowledge of mission-critical vendors and the risk they pose to their organizations.”

Besides contributing new recruits with cybersecurity and business skills to the workforce, the program will also help fuel the pipeline of graduate student talent for the Innovation Campus.

The curriculum for the option comprises four required courses on networks and telecommunications in business, information security, cybersecurity analytics in business, and internet law, as well as six credit-hours of fieldwork. Students can choose electives from six courses, including a new course on data governance, privacy, and ethics.

The option, which reflects one of Pamplin’s strategic focus areas, is among the ways the college seeks to contribute to Virginia’s Commonwealth Cybersecurity Initiative. Its faculty are also conducting research, teaching courses in the nation’s top-ranked online master’s program in cybersecurity, and offering executive education programs on this subject in the D.C. area.

For Herman and Soni, thoughts of jobs and their professional futures can wait a while. For now, they’re planning on making the most of all the learning experiences that the new cybersecurity option offers them, on campus and beyond, over the next two years.

– Sookhan Ho

By the numbers

A photo of Joseph Simpson presenting in front of a room of students.

Joseph Simpson, collegiate assistant professor in management and director of Virginia Tech’s Integrated Security Education and Research Center (ISERC), demoes ISERC to faculty and students. (Photo credit: Shawn Sprouse)


Percentage of U.S. companies experiencing serious cyberattacks annually

5,000 ransom attacks

Daily average number of ransom attacks on U.S. industry

195 days

Average number of days companies take to discover a data breach

100 billion dollars

Annual total economic cost of cyberattacks worldwide

3.5 million

Number of unfilled cybersecurity jobs estimated by 2021

People, business, technology

Discussing how Pamplin’s BIT-Cyber option is different from engineering and computer science programs offered at Virginia Tech, Robin Russell said that the other programs in general prepare students to design and create physical networks and software that are secure and to monitor and assess them for attacks.

BIT-Cyber emphasizes the use of business processes and data analytics in cybersecurity management. “Our students will gain proficiency in the business management of cybersecurity within an organization,” she said, “including setting policies, managing risk and incident response, using data to understand attacks on business assets, and managing the overall cybersecurity function within a business.”

Working with the best and the brightest

Nick Herman finds it fun to solve problems. It’s what drew him to the cybersecurity field.

“I would read about cybersecurity issues in the news,” the business information technology junior said. “A company’s computer systems would be taken down by a distributed denial-of-service attack, for example. It always piqued my curiosity why the company was unable to do anything to prevent it.”

Protecting an organization’s digital assets in an ever-changing technological landscape, he said, is full of challenges. “One of the hardest things about cybersecurity is keeping everything secure while maintaining business continuity.”

Herman, who is vice president of the Cyber Security Club at Virginia Tech, is hoping to add the OSCP, or Offensive Security Certified Professional, to the information security certifications he has earned. It is an arduous examination process, he said, noting that “you have to root 5 boxes in 24 hours, followed by a penetration test report.”

A photo of Nick Herman.

Herman recently interned with Barings’ security engineering team. (Photo credit: Shawn Sprouse)

Through internships, Herman has acquired plenty of experiential learning about the field that has helped shape his aspirations and preferences in terms of employer size, industry, location, and nature of work.

He spent this past summer at Barings as a member of the security engineering team in the firm’s Charlotte, North Carolina, office. The projects he has worked on have been very exciting, he said. “I have written PowerShell scripts to pull information from the domain controller to inform the team when an alert is triggered. I have written user/admin guides for an enterprise password manager solution, as well as administered it.”

He was also tasked with producing a bulletin every month discussing major security events, vulnerabilities, and metrics.

In an earlier internship at Polypore International, “the coolest thing was traveling with my team to perform site-wide migrations,” said Herman.

As a freshman, Herman was on a Virginia Tech team that won the Deloitte Foundation Cyber Threat Competition in 2018.

He and his team members had a “fantastic experience” at Deloitte University in Westlake, Texas, at “a wargame-like event where we competed against other top universities in a simulation of a security consultant incident response,” Herman recalls.

“I was able to work with the best and the brightest like-minded students and to test my knowledge and skills against a real-life scenario designed by professionals in the cybersecurity industry.”