In November 2025, the Consortium of Cybersecurity Clinics published its very first peer-reviewed publication on cybersecurity clinical education. The article, “Protecting Communities while Training Future Cybersecurity Professionals: Lessons from the Consortium of Cybersecurity Clinics,” was co-authored by Isak Nti Asare, Scott Shackelford, Jungwoo Chun, and Sarah Powazek and published in The Cyber Defense Review.

The article featured case studies from Consortium members Indiana University, MIT, and UC Berkeley that illustrate the role clinics have played in supporting critical infrastructure and advancing national cyber resilience efforts. The work across these three clinics and other members of the Consortium laid the foundation for expanding the cybersecurity clinic model worldwide, with the benefit of bolstering national security. The Consortium of Cybersecurity Clinics plans to build on this success by supporting and fostering additional collaborative research on cybersecurity clinics between Consortium members.

The Significance: Why Clinics Are Critical to National Security

National security vulnerabilities often originate at the local level, where under-resourced public-serving organizations are increasingly targeted by adversaries. 

By training students to provide professional-grade, pro-bono services to organizations at the municipal and nonprofit levels, the article claims that clinics address two longstanding gaps in public sector capacity: “They redistribute capacity into vulnerable nodes ignored by markets and underserved by states… [And] cultivate a workforce oriented toward civic protection.” This dual-purpose model, scaled nationally by the Consortium to create a federated infrastructure of community-based cybersecurity services, presents a governance innovation that bolsters national security. It accomplishes this by strengthening local resilience and addressing the workforce shortage by training the next generation of cybersecurity professionals with experience in public-interest cybersecurity.

The Consortium of Cybersecurity Clinics serves as a catalyst for this model, facilitating resource sharing, standardizing best practices, and enabling the rapid, scalable growth of clinics needed to meet national demand.

High-Impact Case Studies

The article features three case studies illustrating the diverse and high-impact interventions of member clinics:

• The MIT Cybersecurity Clinic supports city governments in New England, focusing on risk assessments and policy updates to increase local governance capacity. Students engage in rigorous experiential learning, negotiating with city managers and drafting actionable policy documents. The clinic distilled the industry-leading NIST Cybersecurity Framework from its 108 controls to 23 core controls most relevant to small organizations. The streamlined assessment framework has been shared across the Consortium network.

• The Indiana University (IU) Cybersecurity Clinic works extensively with small and rural municipalities, private utility providers, and nonprofits in the Midwest. IU’s interdisciplinary teams focus on governance audits, the development of formal incident response plans, and helping organizations secure cyber insurance. One notable case involved working with a Department of Housing and Urban Development (HUD)-funded community action agency serving 60,000 low-income residents, where IU teams identified vulnerabilities and recommended improvements.  Students also learn to translate technical findings into actionable policies within municipal codes and procurement rules. 

• The UC Berkeley Cybersecurity Clinic focuses on defending politically vulnerable nonprofits (such as human rights and election-integrity groups) that are often targeted in hybrid conflicts and disinformation campaigns. Through its work with organizations like reproductive health providers and election-integrity advocates, the UC Berkeley Cybersecurity Clinic demonstrates that civil society resilience is integral to national security. As of Fall 2025, the clinic at Berkeley had supported more than 230 nonprofits in strengthening their cybersecurity defenses. By defending civil society organizations, the clinic contributes to our nation’s democratic durability: strengthening our democratic institutions against interference from adversaries.

Cultivating the Future Workforce

Clinics also directly address the major national challenge of workforce shortages. As of early 2025, there were over 450,000 unfilled cybersecurity jobs. They provide a practical solution to the paradox of “entry-level” jobs demanding prior experience by providing students with hands-on learning via real-world client engagements. Students build technical, policy, and communication skills in live operational environments, ensuring their work is both high-quality and aligned with professional standards. This cultivates a next-generation workforce oriented toward public-interest cyber pathways.

A Scalable Model: The Consortium of Cybersecurity Clinics

The clinic model’s effectiveness and scalability are driven by the innovations developed in the Consortium of Cybersecurity Clinics’ member clinics.

With 56 total members, the Consortium includes large research universities, small liberal arts colleges, community colleges, women’s colleges, and minority-serving institutions. Member clinics co-develop curricula, define best practices, and refine standardized methodologies that are shared and adapted by peers. 

In conclusion, the Cyber Defense Review article argues that clinics are a field-tested model for strengthening national cyber resilience. The Consortium is transforming these efforts into a scalable cyber infrastructure that protects communities, supports critical services, and cultivates the cybersecurity workforce needed for tomorrow. 

This article is an exciting first example of collaborative research and peer-reviewed scholarship on cybersecurity clinical education from the Consortium. Congratulations to the authors, Isak Nti Asare, Scott Shackelford, Jungwoo Chun and Sarah Powazek, for trailblazing this field of work, and thank you for your time, expertise, and dedication to supporting cybersecurity clinics.

On November 13, 2025, 135 students from more than 30 colleges and universities met for the Fall 2025 “Clinic of Clinics.” This biannual event, held by the Consortium of Cybersecurity Clinics, gave these future cybersecurity professionals the opportunity to connect with their peers while hearing from a panel of current experts in the field. 

The Consortium of Cybersecurity Clinics is a collaborative network of cybersecurity clinics, which are higher education-based programs that train students to provide pro-bono, cybersecurity capacity-building services to real organizations in their communities. Since its inception, the Consortium’s member clinics have trained over 3,700 students in service of more than 900 combined clients. 

Cybersecurity Journeys   

Introducing a panel featuring clinic alumni, panel moderator Jonathan Edward, Co-Founder and CEO of New Harbor, a company specializing in automated security services for small organizations, stated, “there is no single way to build a career in this field.” The three panelists only further proved this point as they shared their journeys from students to the professionals they are today. 

A Day in the Life  

After sharing their stories, the panelists spoke on what a typical workday entails for a cybersecurity professional. 

For example, Huang works in incident response at CrowdStrike, where she is responsible for taking immediate action when an attack occurs. She is the first person on the scene to analyze the who, what, where, why, and how of the attack, and while she needs a host of technical skills to be able to analyze these attacks, she stressed the empathy her job requires, as she always shows up in the midst of a crisis. Huang also stressed the importance of focusing on social engineering, as it is the cause of a significant portion of cyberattacks. 

Brown, on the other hand, works to ensure her clients follow all necessary requirements to comply with various standards, such as International Organisation for Standardization (ISO) and System and Organization Controls (SOC), walking them through various steps of the certification process. In addition to technical skills, Brown’s work requires a vast knowledge of the cybersecurity standards and requirements different organizations must comply with to strengthen their cybersecurity posture and meet customer requirements. 

While his fellow panelists’ work focuses primarily on consulting, Gilmore explained that he spends his days developing code. He works with a small team to create fast, simple, and secure solutions for his clients, and he stressed the importance of collaboration and continued learning.  

Advice for Clinicians  

Wrapping up, the panelists took a moment to consider what they had learned since their time as clinicians, and they offered the following advice to the attendants:

1. “Find something you are passionate about and be confident in it.” Brown stressed the importance of finding specific areas or projects that are personally exciting. She has found this passion not only improves overall work performance but can help someone stand out to potential employers.
    
2. “Leverage the skills you already have.” Gilmore emphasized the importance of using one’s current skillset in unique ways to gain opportunities in a new field.
    
3. “There is always something more to learn.” Huang highlighted the importance of accepting that it is impossible to know everything in one’s field, which is why being a professional means continually learning and improving.  

Q&A Session  

After the panel, students were given the opportunity to ask the panelists questions directly. Questions focused on becoming more involved and eventually securing a job in the cybersecurity field, as many attendants either recently entered or will soon be entering the job market. Their advice can be summed up in three key takeaways.

1. Always seek out people and opportunities that can help you learn more.  
2. Find or create a project of your own to stand out.  
3. Get comfortable with admitting when you don’t know something. 

Breakout Sessions  

The session concluded with students being moved into breakout rooms, where they were able to connect with their peers and share their clinic experiences. Using the prompts provided, students engaged in meaningful discussions about their own cybersecurity journeys.  

Final Reflections  

Demonstrated by the panelists’ remarks, the Fall 2025 Clinic of Clinics highlighted some of the most important traits in a cybersecurity professional: a continuing desire to learn and a passion for this work. As the field of cybersecurity continues to evolve, events like this will serve as an opportunity for each new generation of professionals to engage in the never-ending quest to improve.  

Cybersecurity clinics — university-based programs that train students to provide pro bono cybersecurity assistance to organizations with limited resources — are expanding across the nation and around the world. Clinics equip students with real-world experience as they help local nonprofits, small businesses, and governments defend against cyber threats.

The clinic model gained momentum in 2021 with the launch of the Consortium of Cybersecurity Clinics, a collaborative effort launched by UC Berkeley, MIT, Indiana University, and the University of Alabama. What began as a small network for clinic leaders to share ideas and best practices has evolved into a growing international alliance bolstered by higher ed, philanthropists, and industry, signaling a global shift toward hands-on cybersecurity education in service to the public good.

The Consortium of Cybersecurity Clinics has experienced unprecedented growth over the past year. With many new clinics launching and existing programs expanding, the 2024-25 academic year has been the Consortium’s largest period of growth since our founding in 2021:

• 56 total member clinics have joined the Consortium, with 41 U.S. clinics in 27 states and the District of Columbia. 
• Global expansion in North America, Europe, Asia, and South America, with first-in-country clinics launched in Canada, Peru, Sri Lanka, and Pakistan — plus the Consortium’s first-ever high school-level clinics in Arizona.
• Member clinics trained more than 2,200 students and provided cybersecurity services to over 700 clients.

As our members kick off the Fall 2025 term, we are proud to reflect on their accomplishments and highlight just how significant a leap forward this past year has been. The metrics shared below are aggregated from data provided by 39 of our member clinics.

Multiplying our Alumni Base

Cybersecurity clinics serve a dual purpose: they provide pro bono cybersecurity services to under-resourced community organizations and train the next generation of cybersecurity professionals. By supporting real-world clients, clinic students gain hands-on experience and develop the depth of technical knowledge and breadth of professional skills needed to meet the unique and evolving cybersecurity challenges of community organizations. Students in these programs are being trained at a rate not yet seen before: in the 2024-25 academic year alone, 39 clinics reported training a total of 2238 students — more than double the cumulative total of clinic alumni between Fall 2018 and Spring 2024.

Impact Spotlight: Student Testimonial

“Participating in the Cyber Clinic at Old Dominion University wasn’t just an internship — it was a transformational experience that completely reshaped how I approach cybersecurity.

From day one, I realized this program was different. It blended technical knowledge with communication, professionalism, empathy, and real-world problem-solving. This internship sharpened so many of my skills: technical, analytical, writing, communication, and perhaps most importantly, my ability to empathize and consult like a professional.”

– Carla Belfiore, Student Intern, Old Dominion University,
Coastal Virginia Center for Center Innovation (COVA CCI) Cybersecurity Clinic

Global Growth

This year, the Consortium welcomed new clinics at universities in Southeast Asia, Central Asia, and South America. In Taiwan, our partners at the National Institute of Cyber Security (NICS) have used Consortium support and resources to launch cybersecurity clinics at 10 universities across the country — reaching urban centers as well as more rural communities in northern, central, southern, and eastern Taiwan.

In their first year of operation, the Sri Lanka Institute of Information Technology (SLIIT) trained 176 students and provided services to 44 micro, small, and medium enterprises (MSMEs) in Sri Lanka. Their Program Coordinator, Kavinga Yapa, shared, “The success of our first year demonstrates the real-world value of the cybersecurity clinics model. By engaging both students and MSMEs, we have been able to bridge academia with community needs. Students gained hands-on experience applying structured risk assessment frameworks, while MSMEs received practical guidance to strengthen their security posture. We are proud that SLIIT has emerged as the first university in South Asia to join the Consortium of Cybersecurity Clinics, and we look forward to expanding this impact further with continuous support and collaboration.”

Impact Spotlight: Securing Small Critical Infrastructure

The San Diego Cyber Clinic, a collaboration between San Diego Cyber Center of Excellence (CCOE), California State University San Marcos (CSUSM), National University and San Diego State University (SDSU)

Last year, a team of five students from the San Diego Cyber Clinic completed a cybersecurity assessment for a local Municipal Water District. The engagement encompassed a range of activities to strengthen the security of the district, including social engineering exercises, penetration testing, and a targeted phishing campaign to evaluate and build staff awareness. 

When asked about the project outcomes, Lisa Easterly, President & CEO of CCOE, shared, “In addition to identifying vulnerabilities, the students developed essential documentation to support the district’s cybersecurity posture, including an Incident Response Plan, Disaster Recovery Plan, and Business Continuity Plan. By integrating these components, the project not only uncovered risks, but also provided a roadmap for the district to enhance its resilience against cyber threats.”

Scaling Services for Community Organizations

In addition to providing students with skills-based, experiential learning, clinics serve as a vital local resource for strengthening community cybersecurity. The Consortium’s member clinics support community organizations with foundational cybersecurity services, including risk assessments, policy development, and training that they would otherwise struggle to access.

In our Growth and Impact blog post from March 2024, we proudly shared that our clinics had served a total of 83 resource-strapped client organizations. Remarkably, in the last year alone, the Consortium’s member clinics served 713 community organizations, dramatically growing the volume of clients benefiting from pro bono clinical services in the U.S. and around the world.

Clinics support a wide range of community organizations, with some focusing on specific types of clients. For example, the DePaul Cybersecurity Clinic works exclusively with community-based nonprofits in the Chicago area. Looking at data from 82% of last year’s clinic clients:

• Small critical infrastructure entities — such as utilities, state and local governments, healthcare providers, and K-12 schools — made up 47.5% of the total.
• Small businesses were the next largest group at 30.4%.
• Nonprofits followed at 17.3%.

Impact Spotlight: Client Testimonial

Louisiana State University Cyber Clinic directed by Professor Aisha Ali-Gombe

When Permanent Coatings, a family-owned industrial paint maker in Denham Springs, Louisiana, sought to strengthen its cybersecurity posture, it turned to the Louisiana State University (LSU) Cyber Clinic, which specializes in assisting local small businesses. After attending several LSU Cyber Clinic seminars hosted in partnership with the Louisiana Small Business Development Center, Operations Manager Luke Dwinell-Janopaul requested a personalized consultation from the clinic.

“I think the biggest part has just been the knowledge that the Cyber Clinic has given us, which is half the battle when it comes to cybersecurity,” he said. With guidance from the clinic, the company updated its backup practices, secured physical and digital ports, and built defenses against their biggest threat: social engineering attacks.”

“Anyone associated with a business should go to [the LSU Cyber Clinic],” Dwinell-Janopaul added. “They cover so many topics … Stuff that’s really low-cost but makes a huge difference.”

The Best is Yet to Come

The Consortium is proud of the growing impact achieved by the hard working, mission-driven clinics around the world. These metrics provide just a high-level snapshot of the vital work that clinics do every day on the ground to support organizations that are providing critical services to their communities, but rarely have the means to protect themselves in the digital era.

We would like to offer special thanks to the Consortium’s funders, without whom this early vision and growth would not have been possible, including: The William and Flora Hewlett Foundation Cyber Initiative, Craig Newmark Philanthropies, New America’s Public Interest Technology University Network (PIT-UN),  Fidelity Charitable’s Catalyst Fund, Okta, and, in particular, Google.org for their transformational investment in 25 cybersecurity clinics, which helped the Consortium surpass our goal of 25 clinics by 2025.

To sustain and grow this work, clinics rely on both institutional support and philanthropy. We invite you to learn more and support our work by visiting our website: cybersecurityclinics.org.

Together, we can fulfill our founding vision of a cybersecurity clinic in every U.S. state by 2030, and continue to grow the clinic model worldwide.

Thank you for being a part of our journey.

On April 24, 2025, the Consortium of Cybersecurity Clinics held the Spring 2025 “Clinic of Clinics” event, bringing together over 140 students from more than 40 Cybersecurity Clinics across the world. This is a biannual event held each semester and gives students who are working in their school’s  cybersecurity clinic a chance to connect with peers and learn from top experts in the field.

The Consortium of Cybersecurity Clinics is a collaborative network of higher education-based cybersecurity clinics focused on serving community organizations. The Consortium plays a key role in connecting these clinics, sharing resources, and assessing the impact of clinics on students and the communities they serve.

General (Ret.) Paul M. Nakasone

The highlight of the event was a keynote by General (Ret.) Paul M. Nakasone, who led as the former Director of the National Security Agency (NSA) and Commander at U.S. Cyber Command. He is now the founding director of Vanderbilt University’s Institute for National Security.

Inside the NSA and U.S. Cyber Command

General Nakasone started the keynote with a powerful and inspiring statement for the students in attendance, “The future is about talent, and you represent that talent.” He then shared his experiences in the former roles at the National Security Agency (NSA) and U.S. Cyber Command, two organizations that play a very crucial role in securing the nation’s digital infrastructure. He explained the simple yet powerful mission of the NSA: “We make code, and we break code.” The NSA develops cryptographic keys, codes, and encryption technologies in order to protect the country’s most sensitive communications and defense platforms. NSA also plays a critical role in national intelligence by monitoring adversarial activity.

As for U.S. Cyber Command, General Nakasone outlined three core missions:

1. Defending Department of Defense networks, data, and weapon systems: Supporting over 4.5 million users and maintaining constant mobility, this infrastructure serves as the foundation for global military operations.
2. Providing cyber support to U.S. forces deployed worldwide: From Korea to Iraq and Afghanistan, Cyber Command maintains cyber readiness and protection in active military environments.
3. Protecting the nation in cyberspace: Cyber Command works with the Department of Homeland Security (DHS), the FBI, and the private sector to protect US elections and other critical democratic functions from foreign interference.

Disruptive Technologies and the Importance of Adaptation

The keynote was structured with three core themes: disruptive technologies, the current state of cybersecurity, and the skill sets needed for tomorrow’s leaders. To demonstrate the impact of disruptive technologies, General Nakasone talked about Steve Jobs’ 2007 announcement of the iPhone, which he described as “the most disruptive technology of the 21st century.” He compared the companies that embraced the adoption of and adaptation to mobile innovation, like Amazon and Google, with those that ignored the shift, such as Blockbuster, Blackberry, and Nokia. Through this comparison, he explained how early action can shape long-term relevance and success for companies in a world with rapidly evolving technologies, “You can adopt, adapt, or avoid. Choose wisely.”

Artificial Intelligence: Promise and Risk

General Nakasone explained how today’s biggest disruptive technology, Artificial Intelligence, presents both huge opportunities and serious concerns. He then reflected on the launch of ChatGPT, noting its quick growth: over 1 million users in just five days, and 100 million within two months—a pace that significantly exceeded the internet’s initial expansion, which took seven years to reach 50 million users. He called the capabilities of current AI models as “truly outstanding,” citing their quick developments in areas like coding, reasoning, deep research, and even image generation. While he found the new technology to be exciting, he highlighted the need for responsible advancement and called for national investment in talent, energy, compute, chips, and data that would ensure the safe development and application of AI. With regard to cybersecurity, he mentioned several concerns, including the emergence of deepfakes. Fortunately, defense against malicious deepfakes outperformed offense in the 2024 U.S. presidential election.  Additionally, he expressed worries about the possibility of backdoors in open-source AI models, a recent example would be DeepSeek, and the danger of data poisoning during AI model training, vulnerabilities that may be used to infiltrate critical systems. Despite these risks, he maintained his optimism that AI would advance industries like national defense, education, and medicine, stating that the technology has him “riveted on the future.”

The Geopolitical Landscape: Three Arcs of Global Security

Shifting to a broader strategic view, General Nakasone defined today’s global security environment through what he described as three arcs of geopolitics. In the first arc, he explained the rise of China, showing how it went from a $114 billion economy in 1972 to a $17 trillion global power with expanding diplomatic, informational, and military influence today. The second arc focused on active conflicts, such as the Russia-Ukraine War, and ongoing instability in the Middle East. He explained how digital capabilities, like laptops connected through satellite internet, have made it possible for unprecedented disruption, pointing out that Ukraine has disabled more than half of Russia’s Black Sea Fleet despite having no navy. “This is the future of conflict,” he said, where non-kinetic cyber operations increasingly shape kinetic outcomes. The third arc addressed the threats that cross borders, such as pandemics, climate change, and cybersecurity itself, reminding us all that geographic boundaries no longer protect countries from cyberattacks. When combined, these three arcs show how intricately cyberspace has woven itself into both national security and international relations.

A Closer Look at Today’s Cybersecurity Threats

General Nakasone also talked about the current cybersecurity threats. Last year, there were over 5,000 recorded ransomware attacks in the United States, which is a 15% increase from the prior year. He shared that when companies like Microsoft release updates, the attackers are able to exploit vulnerabilities within just five days, putting intense pressure on organizations to patch systems quickly. What’s even more concerning is that it takes an average of 194 days to detect an intrusion and 58 days to remove it. These three elements present a very challenging picture as we think about cybersecurity today and into the future.

The Four Basics That Defeat 96% of Threats

To tackle these challenges, General Nakasone stressed the importance of renewed commitment to “defense in depth,” urging cybersecurity experts to actively look for threats, conduct penetration tests, and prioritize patching. He also shared the four simple practices that can provide protection against 96% of known adversaries. Those four practices are:

1. Keeping the systems updated.
2. Using strong passwords
3. Recognizing phishing attempts
4. Enabling multi-factor authentication (MFA)

What Makes a Great Cybersecurity Leader?

General Nakasone concluded his presentation by outlining the three traits a cybersecurity professional must have: 

1. Critical thinking
2. Communication skills
3. Character

He shared about this experience about how no one asked him what he majored in after college. Instead, they wanted to see if he could break down a complex problem, communicate clearly, and hold strong values. “Character,” he said, “is what you are in the dark. It’s what you stand for when no one’s watching.”

Q&A Session

After the keynote, students from clinics across the world got the chance to ask questions directly to General Nakasone. The Q&A session turned out to be one of the most captivating parts of the event, with questions ranging from privacy and national security to AI regulation, policy and career advice.

Key Takeaways from the Q&A Session:

1. Collaboration is key: Effective cybersecurity requires coordination between the government, the private sector, and academia. Each brings together strengths to solve complex challenges.
2. Technical leaders are in demand: “We need leaders who code, and coders who can lead.”
3. Strategic government investment in education, talent, and infrastructure can drive innovation, just as it did with the interstate highway system and GPS.

Breakout Sessions: Peer Connections and Takeaways

After the conclusion of the keynote and Q&A, the students were moved to breakout rooms, where they discussed engaging prompts. These sessions allowed everyone to make personal connections, share stories, and think about their clinic work from a new perspective.

Final Reflections

The Spring 2025 “Clinic of Clinics” was an insightful event where students connected with each other and learned how cybersecurity relies on people driven by shared values, teamwork, and a desire to learn. General Nakasone’s keynote shed light on today’s most critical challenges and sparked inspiration about the future we’re creating together. In his closing remarks, he quoted Steve Jobs, “Everyone here has a sense that right now is one of the moments that we are influencing the future.” 

Listening to his keynote certainly made us all feel we were in one.

The National Institute of Standards and Technology (NIST) recently hosted a webinar on university-based cybersecurity clinics and their role in strengthening small businesses’ cybersecurity resilience while training the future workforce. The event featured two Consortium members, Louisiana State University (LSU) Cybersecurity Clinic and University of Nevada, Las Vegas (UNLV) Cyber Clinic, highlighting not only how cybersecurity clinics operate but also the experiences of the small businesses and students who participate in them. While this webinar focused on clinics working with small businesses, cybersecurity clinics serve a wide range of clients, including nonprofits, municipalities, rural school districts, and other under-resourced organizations. 

The full video for this webinar can be found on NIST’s website here.

Why Cybersecurity Clinics Matter

Cybersecurity clinics help address two key challenges:

1. Providing cybersecurity support to under-resourced organizations that have limited access to cybersecurity services and expertise.
2. Training students through real-world client work, preparing them for careers in cybersecurity with on-demand skills and practical experience, while reinforcing commitment to public service.

Rodney Petersen, Director of NICE (National Initiative for Cybersecurity Education), emphasized how clinics bridge the cybersecurity skills gap while expanding access to security services for small businesses that often cannot afford them.

Clinic Spotlights: LSU and UNLV

LSU Cybersecurity Clinic: Leveraging Community Partnerships to Reach Local Businesses

Dr. Aisha Ali-Gombe, Director of the LSU Cybersecurity Clinic, shared how LSU’s model provides students with structured, hands-on experience while offering small businesses three core services:

• Training & Seminars – Broad educational sessions on cybersecurity best practices.
• One-on-One Counseling – Advisory sessions tailored to each business’s needs.
• Comprehensive Cybersecurity Assessments – Detailed evaluations of security posture, led by students under faculty supervision.

By partnering with the Louisiana Small Business Development Center (LSBDC), LSU ensures its clinic reaches businesses that need cybersecurity support but lack the resources to hire professionals. Many business owners are unaware of how vulnerable they are, an issue LSU’s clinic helps address.

One of LSU’s clients, Gary Anderson of Cardinal Capital, LLC, shared how his company was unsure of its cybersecurity risks until engaging with the LSU Cybersecurity Clinic. Anderson described how working with LSU students helped his company identify key security gaps, strengthen internal security policies, and implement real-world solutions that made a tangible impact. Anderson also provided a glowing recommendation for LSU’s clinic and its students, mentioning their professionalism, competence, and ability to deliver on their promises.

UNLV Cyber Clinic: A Student-Led Business Model

Mehdi Abid, Cyber Program Coordinator at UNLV, described their clinic’s student-driven approach, where students recruit their own clients, manage services, and conduct assessments. The clinic operates like a small cybersecurity consulting firm, giving students hands-on experience in client relations, project management, and technical security work.

UNLV emphasizes that cybersecurity isn’t just technical—it requires strong communication and problem-solving skills. Students learn to:

• Engage small business clients and tailor security solutions to their needs.
• Develop leadership and teamwork skills while managing client projects.
• Apply classroom knowledge in a real-world setting to better prepare for cybersecurity careers.

UNLV student Keith Daniel Tan spoke about his experience working with small businesses through the clinic, highlighting how real client interactions strengthened his cybersecurity skills. He emphasized that while technical knowledge is critical, learning to communicate cybersecurity risks effectively was one of the most valuable takeaways. His experience working directly with business owners provided him with a stronger professional skill set and helped solidify his career goals in cybersecurity consulting.

Key Takeaways

Small Businesses Need More Than Just Technical Support

• Many small businesses do not recognize their cybersecurity risks until they experience a breach or incident. Clinics play a key role in bridging this awareness gap.
• Effective outreach—through partnerships like LSU’s collaboration with LSBDC or UNLV’s student-led client engagement model—ensures that small businesses know help is available.

No Single Model for Assessments

• Clinics design their own assessment frameworks based on student skills, client types and needs, and available resources.
• Some clinics conduct penetration testing and in-depth risk assessments, while others focus more on security policy, governance, and fundamental cyber hygiene.

Hands-On Learning with Real-World Impact

• Students gain practical experience that strengthens their employability, while businesses receive security services they couldn’t otherwise afford.
• Hearing directly from students and clients in this webinar underscored the value clinics provide—not just as a training ground for students, but also as a meaningful cybersecurity resource for communities.

Legal and Ethical Considerations
Cybersecurity clinics work closely with their institutions and clients to align on expectations and to develop safe and ethical structures for students to work with real-world organizations. These relationships are often supported by:

• Legal and operational frameworks such as NDAs, MOUs, and Student Codes of Conduct to ensure confidentiality, shared expectations, and ethical practices.
• Creative engagement models such as:
  • Students being hired by clients as interns, ensuring proper oversight and structured learning.
  • Clinics partnering with local Small Business Development Centers (SBDCs), which manage the client relationship and legal liability while providing cybersecurity services via the clinic as part of their broader support offerings.

Conclusion

This webinar reinforced the critical role cybersecurity clinics play in both workforce development and providing cybersecurity services to local small businesses. As more universities launch clinics, LSU and UNLV’s models offer valuable lessons on structuring programs, engaging students, and delivering meaningful security support to small businesses.

For more information about cybersecurity clinics and how to connect with one, visit the Consortium’s website.

Watch a replay of the webinar below.

On November 11, 2024, the Consortium of Cybersecurity Clinics hosted 66 students representing 14 different universities for the Fall 2024 “Clinic of Clinics,” a semesterly event for students participating in clinics to network, learn from experts in the field, and partake in group activities. 

Matthew Nagamine, the Director of Membership of the Consortium, began the online meeting by emphasizing how the event served as a way for clinic students from all over the country to meet peers, including some who might end up as colleagues in the future. 

In a lighthearted icebreaker, students were asked to introduce themselves in the chat using only emojis. This engaging start set a collaborative and communicative tone for the event. 

A highlight of the event was a keynote by Dr. Jeff Tully, who leads the Healthcare Ransomware Resiliency and Response Program at the UC San Diego Center for Healthcare Cybersecurity. Tully provided a compelling overview of the intersection between healthcare and cybersecurity, and gave insights into the consequences of cyber threats on patient health care and hospital operations. 

In his presentation, Tully shared that cyber attacks on healthcare are growing, and it is affecting and degrading hospitals’ ability to perform operations. Not only is this a point of weakness of critical infrastructure from the perspective of national security, but it also worsens disparity in health care. At the granular level, it can also impact individuals and families in devastating ways. Tully shared an example of an incident at a hospital in Alabama, where a nine-month old baby passed away. The child’s mother claims this to be the result of diminished care due to a malfunctioning computer system during a cyber attack that was not disclosed. 

Ransomware attacks, in addition to impacting patient care and the ability to provide medical care, also impacts patient health information, as stolen data often ends up leaked. The financial impacts can also be very costly; for example, Tully cited a cyberattack that cost Scripps approximately $113 million dollars in lost revenue. 

With all these concerns, how do you study a problem like this? 

Dr. Tully highlighted how we can apply the scientific method to the field of cybersecurity by asking questions and performing experiments. He explained how early medicine relied on trial and error, but evolved into a data-driven discipline through scientific research and hypothesis testing. 

For example, one of the challenges of studying a ransomware attack to see if it disrupts patient care is that organizations are not eager to show everything that went wrong. However, rather than study the direct data, one of Tully’s suggestions was to study the ripple effects. When hospitals are attacked by ransomware, they attempt to stem the damage by shutting down the network and locking down services, and hospitals that cannot take patients may send them to nearby hospitals. Rather than focusing solely on IT systems, researchers could examine impacts such as patient health outcomes, emergency diversion rates, and operational disruptions, before, after, and during a cyberattack. 

“We could be doing more of these scientific studies with respect to these cybersecurity practices,” Tully said. Sharing an example of this, Tully shared the results of a phishing study, in which a test group that underwent phishing training did not have any significant impact on the group’s vulnerability to phishing attacks. 

Tully also shared innovative tools and solutions to mitigate the effects of cyberattacks on healthcare operations. For example, detecting when ransomware attacks are occurring may be possible by using publicly accessible information. Hospitals are usually very noisy on the internet, so if they shut down, they suddenly become very quiet. If signals of network activity go away, it can be an indicator that something may be occurring. 

Inspired by military technology, Tully also proposed using rapidly deployable 5G networks and point-to-point Wi-FI systems to ensure that hospitals can continue to function even when their primary networks are compromised. 

In closing, Dr. Tully shared advice for students. He encouraged them to think creatively and embrace diverse opportunities in cybersecurity, noting that the field is open to those with a variety of skill sets and backgrounds. He remarked, “[it is] important to understand what happens when we fail, and how to fail better, rather than how to avoid failure at all.”

Following the keynote, students came together in breakout rooms to share their unique journeys and aspirations in cybersecurity. Reinforcing the advice that Dr. Tully imparted, students met peers of all different backgrounds; the meetings brought together graduate and undergraduate students, as well as students from different universities. For example, in one breakout session, there were Computer Science, Management and Information Systems, and English majors, as well as students with military and animation backgrounds. Some were interested in how cybersecurity work is done for the government, while others were interested in malware analysis. Students also shared how their university runs the clinic program and imparted advice based on their experience. 

The Consortium’s Fall 2024 Clinic of Clinics demonstrated the spirit of collaboration and innovation. As cybersecurity challenges evolve, events like these are helping to empower the next generation of cyberdefenders.