Building the Next Generation of Defenders: My Mentorship Session with SJSU’s NETS
- Jonathan Chan
- 2 days ago
It is always an incredibly energizing experience to step away from the executive boardroom and spend time with the next generation of technologists. Recently, I had the privilege of sitting down with the students of the Network Engineering Technology Society (NETS) at San Jose State University to talk about the realities of building a career in cybersecurity.
Having spent years in the trenches as a healthcare technology and security executive—navigating the complexities of highly regulated environments, scaling infrastructure, and managing massive corporate integrations—I wanted to give these students a look behind the curtain. The cybersecurity landscape they are graduating into looks fundamentally different than it did even three years ago.
Here are the core themes we discussed, and the roadmap I laid out for the SJSU Spartans looking to break into the industry.
1. The AI Revolution and the Converged Security Role
The most pressing question on the minds of students right now is: “Will AI take my entry-level security job?” The candid answer is that the traditional, siloed roles are collapsing. The days of hiring an army of Tier 1 analysts simply to stare at a SIEM and triage low-level alerts are ending. We are moving rapidly toward the AI SOC. Agentic AI workflows and intelligent automation (which I heavily leverage in my own enterprise strategies) are now handling the noise.
For the next generation, this means a single professional will need to embody multiple disciplines. You won't just be a Security Analyst, a Security Engineer, or a Security Architect. You will need to be a hybrid who can architect the Zero Trust environment, engineer the automated workflows that monitor it, and analyze the highly complex, novel anomalies that the AI is unable to resolve. AI isn't replacing the practitioner; it is demanding a higher-level, multi-disciplinary practitioner.
2. To Defend the Castle, You Must Know How It Was Built
One of the biggest misconceptions among cybersecurity students is the idea that they can avoid learning how to code.
You cannot secure a modern enterprise if you do not understand how software vulnerabilities are introduced in the first place. I stressed to the NETS students that they must be well-rounded. Taking software development courses is non-negotiable.
If you don't understand how an API interacts with a database, or how memory is allocated in an application, you cannot effectively audit it. Understanding the Software Development Life Cycle (SDLC) is the only way to truly grasp and implement foundational concepts like:
- Security-by-Design: Baking security into the architecture before a single line of code is written, rather than bolting it on as an afterthought.
- Defense-in-Depth: Layering security controls (Identity and Access Management, network segmentation, application firewalls) so that if one layer fails, the attacker doesn't immediately gain the keys to the kingdom.
3. Strategy vs. Tactics: BCP vs. DRP
When transitioning from a textbook to an enterprise environment, it is critical to understand the difference between tactical IT operations and executive business strategy. We spent time breaking down the difference between a Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP).
- Disaster Recovery Plan (DRP): This is the tactical IT response. If a ransomware group encrypts the data center, the DRP dictates how we restore the backups, rebuild the servers, and get the network back online.
- Business Continuity Plan (BCP): This is the executive business response. If the network goes down, how does the business survive? In my world of healthcare technology, DRP is about restoring the database; BCP is about ensuring doctors can still safely treat patients using manual downtime procedures while the database is offline. DRP is a subset of BCP.
4. Navigating Certifications and Landing the Internship
The market is competitive, and standing out requires intentional effort. We closed the session with tactical advice on getting a foot in the door.
The Certification Roadmap: Certifications demonstrate a baseline of knowledge and a commitment to the craft.
- The Foundation: CompTIA Security+ or Network+ are excellent starting points for students to prove they understand the vocabulary.
- The Cloud: Vendor-specific cloud certifications (AWS, Azure, or Google Cloud) are mandatory, as the modern perimeter is entirely cloud-based.
- The Long Game: I highly recommend setting your sights on the CISSP and CISM. While these require years of verified experience to fully attain, you can take the exams early and become an associate. Holding these certifications has been foundational in my own executive career, as they prove you understand both the technical and managerial sides of risk.
Securing an Internship: Sending a resume into the void of an online portal is rarely enough. Hiring managers want to see passion and curiosity.
- Build a Homelab: Spin up a virtual environment, purposefully infect it with malware, and practice your incident response.
- Show Your Work: Write scripts to automate your homelab tasks and put them on GitHub.
- Network Aggressively: Reach out to practitioners on LinkedIn. Don’t ask for a job; ask for 15 minutes to discuss a recent vulnerability you researched.
The energy in the room at SJSU was incredible. If these students continue to embrace automation, understand the underlying code, and focus on the broader business impact of security, the future of our industry is in very capable hands.