I speak to young students graduating from college pretty often. With two sons who are recent grads, many of their friends, especially those who undertook cybersecurity programs, reach out for tech industry advice often. One of the most common stories I hear from graduates of cybersecurity programs has nothing to do with cybersecurity. It’s about jobs. Or rather the lack of them.

Over the years, I have spoken with countless students who did everything they were told to do. They earned the degree. They studied for the certifications. They attended the conferences. They participated in the clubs and competitions. Then they graduated and discovered that many employers were looking for something they did not have. Experience.

At the same time, I hear employers complain that they cannot find enough qualified talent. These two story lines don’t seem to add up, but yet here we are.

The cybersecurity industry has been having this conversation for so long that most people simply accept it as reality. There is a skills gap. There is a talent shortage. There are not enough qualified people. We hear some version of the same story every year.

I had the chance to sit down with Craig Woolley, CIO of Louisiana State University, at Cisco Live.  It was a revelation.

The interview was supposed to be about TigerSOC, LSU’s student-powered security operations center. Like many people who follow the cybersecurity industry, I was familiar with the broad outlines of the program. LSU had partnered with TekStream and Splunk to create opportunities for students to gain hands-on security experience while supporting operational environments. The program had expanded, received industry attention and produced impressive employment outcomes.

But as he told me how the whole thing started, I realized how brilliant this idea was and how it had grown into this franchise concept that Craig talked about, and then turning the student-run SOC into, in essence, an MSSP.

Listening to Woolley describe it, there was no grand strategy to reinvent workforce development. There was no elaborate plan to transform cybersecurity education. Instead, there was a fairly practical problem. LSU needed additional help monitoring security operations. Students needed experience. TekStream had managed security expertise. Splunk provided the technology platform.

Woolley saw an opportunity to solve them together as parts of the same solution.

The first version of the program was relatively simple. Students worked normal business hours, helping monitor LSU’s security operations center. TekStream remained behind the scenes, supervising the effort and stepping in whenever necessary. The students gained exposure to real security operations while experienced practitioners remained accountable for protecting the environment.

If the story ended there, it would still be a good one.

But it did not end there.

The students performed well. The model worked. LSU expanded the program beyond its own campus through the Louisiana Optical Network Infrastructure Security Operations Center, providing services to other higher education institutions throughout the state. Other schools became interested. The concept spread. What started as a workforce development experiment gradually evolved into something much larger.

Eventually, Woolley and his partners took the next step and launched TigerSOC.

Today, students employed through TekStream participate in the monitoring and protection of commercial customer environments as part of a managed security service. They investigate alerts, analyze logs, review telemetry and participate in security operations while experienced professionals provide oversight and support.

That may sound like a subtle distinction, but I think it matters.

Many universities offer cybersecurity labs. Many offer internships. Many offer simulated environments where students can practice their skills.

TigerSOC operates in a different category.

The students are not preparing for the work. They are doing the work.

That does not mean they are operating without supervision or that customers are somehow serving as a training exercise. TekStream stands behind the service, and experienced practitioners remain responsible for the outcomes. The point is that students are gaining exposure to the realities of security operations while they are still in school rather than waiting until after graduation.

The more Woolley talked, the less I found myself thinking about cybersecurity.

Instead, I kept thinking he solved the problem, why didn’t we think of this before?

For years, the technology industry has talked about the skills gap as though it were primarily an educational problem. The assumption is usually that universities need to produce more graduates, more certifications or more training programs. Yet employers rarely complain that applicants lack degrees. They complain that applicants lack experience applying the information they supposedly learned in operational environments. Those are really two different problems.

A student who understands incident response and a student who has participated in incident response may possess the same knowledge. They do not arrive at a job interview with the same resume.

That observation may sound obvious, but higher education and industry have traditionally treated learning and experience as separate stages. Students learn first. They gain experience later. Employers then wonder why entry-level candidates lack experience.

Other professions solved this problem long ago.

Medical schools have teaching hospitals. Law schools have legal clinics. Journalism schools have newspapers and broadcast operations. Students learn while participating in the profession they hope to enter. They do not spend years preparing for the work only to encounter it for the first time after graduation.

Technology has generally taken a different approach.

There are exceptions, of course, but many students graduate having spent far more time studying technology than operating it. Employers then invest months or years helping new hires bridge the gap between academic preparation and practical execution.

What impressed me about Woolley’s approach was not that he created a successful cybersecurity program. Plenty of universities have cybersecurity programs. What impressed me was that he found a way to align incentives that are often treated separately.

Students gain meaningful experience before graduation. Universities improve workforce readiness. Employers gain access to candidates who can contribute more quickly. TekStream develops a pipeline of talent already familiar with operational environments. Customers receive services backed by experienced professionals.

The technology industry spends billions of dollars discussing workforce development. Woolley built a program that appears to be doing it.

That may be why TigerSOC’s reported employment outcomes are so striking. Woolley says participating students are graduating into essentially full employment. Frankly, that should not surprise anyone. If you are hiring for a security operations role and one candidate spent several years studying cybersecurity while another spent several years studying cybersecurity and participating in security operations, the hiring decision becomes much easier..

As I left the interview, I found myself wondering why similar models are not more common across technology disciplines. Software engineering students could contribute to production applications under supervision. Platform engineering programs could expose students to real internal developer platforms. Site reliability engineering students could participate in reliability initiatives and operational reviews. Cloud operations teams could create structured opportunities for students to gain practical experience before entering the workforce.

None of that would be easy. Programs like TigerSOC require trust, oversight, process and commitment from both academic and industry partners. They require organizations willing to invest in developing talent rather than simply hoping someone else will do it.

Then again, solving the talent shortage was never going to be easy.

What Craig Woolley and LSU have demonstrated is that experience does not necessarily have to begin after graduation. It can become part of the educational process itself.

TigerSOC will likely be remembered as an innovative cybersecurity program, and deservedly so. I suspect its bigger contribution may be showing universities and employers a different way to think about workforce development.

For years, we have been asking how to produce more technology talent.

Perhaps the better question is how to ensure that talent graduates with experience already in hand.

Recent Articles By Author

• Let’s Coordinate Before We Raise Another Billion Dollars
• The AI Governance Gap Is Bigger Than We Think
• Inside the Agentic Red Team — Fighting AI with AI

More from Alan Shimel