In response, many colleges and universities across the U.S. are investing in security operations centers (SOCs) where students can do real cybersecurity work before they graduate, monitoring their own institution and sometimes outside partners, investigating suspicious activity and responding to incidents.
STRUCTURED VS. UNSTRUCTURED
“We saw in the security industry, at least, that all the entry-level jobs were asking for a bachelor’s and two years of experience,” he said.
UNF’s SOC follows a heavily structured training model in which students move through a six-semester program that first introduces the basics of ticketing systems, incident response and customer service. Next, they shadow help desk employees and experienced SOC analysts, and then become the first line of defense for cybersecurity incidents.
The school’s capacity is growing. They started out with two student employees and have worked up to nine, all working up to 20 hours per week.
As Louisiana State University (LSU), students go through a similarly formal process. New hires complete six weeks of training, then shadow experienced analysts from LSU’s staff or their partnering company, TekStream. Then, the students switch roles, completing investigations while supervisors observe.
LSU’s SOC also organizes incidents by complexity level. For example, a newer employee may be tasked with monitoring “impossible travel” alerts, which show login attempts from different locations in an impossible time frame.
The more time students spend in the program, the more complex problems they will face.
At Cal Poly Pomona, students describe the Student Data Center and SOC as less structured. Nich Rosen, a senior who now serves as one of the SOC managers, said his first experience was walking into the SOC and asking, “Hey, is this the SOC?”
Rosen remembers feeling overwhelmed by the wall of dashboards, logs and remote terminals, before other students involved explained what he was looking at.
Rosen’s introduction to the SOC was fairly typical. Students often enter through volunteer opportunities tied to a thriving cybersecurity club before moving into formal positions. Rosen said hundreds of volunteers assist with the SOC each semester.
INTERNAL VS. REGIONAL
University student-run SOCs also differ in who they protect. Some focus primarily on network activity for their own universities.
At UNF, students monitor campus systems, which Maddox described as similar to managing a small city.
“We have our own police department. We have educational requirements to protect data. We have payment card industry or PCI data that we protect. There are some health clinics on campus,” he said. “So they are seeing a wide breadth of different types of data that must be protected.”
Other SOCs extend beyond campus.
The University of South Carolina, Aiken (USCA), for example, launched its SOC in 2022 before expanding to a regional SOC (RSOC) in 2024. The university’s CISO Chris Clark said students now work with school districts, nonprofits and local governments throughout the region, providing low-cost monitoring and incident response.
“We need people helping out with our school districts, with our small municipalities, with small towns, our county sheriff’s offices and police departments. They need security, too,” Clark said. “In fact, they are often easy targets for these malicious actors, but they often don’t have the budgets to create their own security program.”
The university has forged partnerships with larger organizations as well, including the South Carolina National Guard, Fort Eisenhower and the Savannah River National Laboratory. The National Guard partnership will bring expansion to the SOC, with a new $30 million facility in the works to potentially train soldiers alongside USCA students.
LSU has also expanded their scope beyond education. Chief Information Officer Craig Woolley said TigerSOC supports businesses and government entities through their private partnership with TekStream, which uses student employees for assistance with seven of their commercial clients.
“TekStream, instead of going overseas, is giving more LSU students the opportunity,” he said.
Woolley and Clark agreed that outside partnerships help expose students to a broader set of software tools and incidents.
At Oregon State University (OSU), students have two pathways for hands-on experience. Internally, the school’s SOC employs 10 students for day-to-day defensive operations. Students monitor real-time activity and are tested through incident simulations created by full-time staff. OSU SOC leaders say the 10 students, supervised by four full-time staff, are able to handle 90 percent of the school’s cyber workload.
In exchange for credit, students can also participate in the ORTSOC, a statewide initiative providing cyber assistance to smaller higher-ed institutions, government organizations and nonprofits.
DESIRED SKILLS
Despite the difference in structure, administrators across the programs emphasized many of the same skills.
Technical abilities like log analysis, threat hunting and incident response are baseline for workforce preparation. Softer skills, like communication, critical thinking and documentation help set students apart.
As artificial intelligence tools grow more prominent for attacks and defense, SOC teams are also training their student employees on how to use AI to speed up log analysis and reporting. OSU’s CISO David McMorries said student interest in AI tools has helped the SOC stay up to date with these changes.
“There’s a very easy adoption curve with students with these new tools,” he said. “They’re learning something in their courses, we bring them over, and they can immediately implement or learn about how to do the work with those new tools.”
Prior to the development of these student-led SOCs, leaders recall few opportunities for hands-on learning in cybersecurity.
Emily Longman, OSU’s SOC manager, got her first experience in 2015 in the early days of the school’s internal SOC. She said her experience helped her starting in her career.
“I think it definitely made a big impact,” she said. “As we’ve matured, what we’re doing now makes even more impact.”
Some university SOCs are finding ways for their students to communicate their experiences to employers beyond listing years of experience. At LSU, for example, students receive a one-page summary including number of incidents they responded to, how complex those incidents were, average speed of response, and scores they received when audited by professionals.
At USCA, students are encouraged to complete industry-recognized certifications and can be reimbursed for the cost of the exam. At OSU, Longman said they are exploring a badging program.
While many of these programs are relatively new, they show promising career impacts. LSU reports a 100 percent job placement for SOC participants. McMorries said OSU SOC participants have gone on to work for major tech companies like Oracle, Google and Amazon Web Services.
“They’re using their experience to have a more positive work relationship with their peers, earn a little bit more money, and overall, maybe just get ahead a little bit faster in life than they would have without the program,” Clark said.
