Category: Consortium Blog
Growing UGA program motivates, prepares students for cybersecurity workforce
Spotlight on Cyber Clinics at the 2024 Cyber Civil Defense Summit
More than 30 individuals affiliated with the Consortium of Cybersecurity Clinics attended the June 2024 Cyber Civil Defense Summit in Washington, D.C., joining more than 150 additional cyber defenders, academics, and policymakers who share a mission of protecting under-resourced community organizations against cybersecurity threats. This was the second convening of the day-long annual conference — orchestrated by the UC Berkeley Center for Long-Term Cybersecurity (CLTC), which co-founded and co-chairs the Consortium, and made possible with a grant from Craig Newmark Philanthropies.
Consortium representatives engaged throughout the robust agenda, scoped under the theme “Data Driven Resilience.” The Summit’s panels and presentations surfaced a range of valuable insights, including how volunteer-based programs like cybersecurity clinics are essential — but more must be done to provide incentives and fill the talent pipeline.
Read more takeaways from the Summit on the CLTC website:
https://cltc.berkeley.edu/2024/07/18/eight-key-takeaways-from-the-cyber-civil-defense-summit/

Want to start a clinic? Check out our resources and learn more about our community of 33 (and counting!) members.
Consortium of Cybersecurity Clinics Welcomes Matthew Nagamine as Membership Director
The Consortium of Cybersecurity Clinics is pleased to announce that Matthew Nagamine will serve as Membership Director, responsible for developing and implementing strategic priorities for the Consortium, onboarding and stewarding member clinics, and working with Consortium leadership to achieve its mission of launching a university, college, or community-college based clinic in all 50 U.S. states by 2030.

We sat down with Matt to learn more about his background, what he’s most looking forward to in his new role, and his vision for the Consortium.
Matt Nagamine has been CLTC’s Manager of Strategic Partnerships since 2018, where he has cultivated impactful relationships with key partners and allies to support CLTC’s programs. During his tenure, Matt has managed multiple flagship projects, including Cybersecurity Futures 2030 and CLTC’s Research Grants Program. In early 2021, Matt played a key role in getting the Consortium of Cybersecurity Clinics up and running. He researched and built the first backend systems for the Consortium, set up monthly meetings, managed an RFP for Members, administered grants, and helped with the first Clinic of Clinics student networking event. Matt also co-led the creation and implementation of CLTC’s Diversity, Equity, Inclusion and Belonging strategic plan.
Matt earned his bachelor’s degree in Political Science with a minor in African American Studies from UC Berkeley, where he conducted research in Professor Nikki Jones’ Justice Interactions Lab, exploring the intersections of race, gender, and justice.
What attracted you to the Consortium’s mission?
What’s not to love? The Consortium’s purpose is to support a network of colleges and universities in building and growing cybersecurity clinics. These clinics educate and train students for the cybersecurity workforce while helping protect vulnerable organizations from cyber attacks. I was fortunate to contribute to the Consortium in 2018 by building the first back-end systems, setting up the first monthly meetings, and facilitating an RFP that administered the Consortium’s first grants to members. Since then, I’ve had a front row seat observing how the Consortium has made clinics more effective by facilitating information sharing among members—and how making this knowledge accessible to others has significantly lowered the barriers for more universities to establish clinics of their own.
What will you be doing as Membership Director? What do you hope to achieve in the role?
In recent months, the Consortium has experienced a tremendous amount of growth, with new members in many states, major investments from funders, and increased visibility at the NICE cybersecurity conference and Cyber Civil Defense Summit. The Consortium now needs full-time support from someone who can provide leadership, structure, and organization for its members. As the Membership Director, I aim to drive both short- and long-term strategies that will significantly enhance the membership experience and the Consortium’s ability to support clinics in delivering high-quality training for students and services for their clients.
What aspects of the role most excite you?
I am most excited to meet, support, and work alongside this incredible group of cyber civil defenders. The Consortium and its members—an impressive and diverse network of academic institutions, including community colleges, Minority Serving Institutions (MSIs), tribal colleges, and international universities—are already doing amazing work. I’m fired up about helping these members become better connected and more effective through their membership.
Clinics are often championed for helping defend “civil society” and to grow and diversify the cyber workforce – why is this important, broadly, and to you personally?
This model addresses two major gaps in the cybersecurity field: 1) helping low-resource or otherwise vulnerable organizations that are providing crucial services to their communities to improve their cybersecurity posture with no-cost, direct assistance; and 2) equipping students, including many traditionally under-represented in the field of cybersecurity, with practical skills and real-world experiences that are transferable to the cybersecurity job market. Filling these gaps is crucial to achieving more secure and more equitable cybersecurity outcomes for everyone. I believe in and am excited to contribute to the grassroots, community-based approaches that Consortium members take to expand who participates in and has access to cybersecurity.
What’s something you want the Consortium of Cybersecurity Clinics community to know about you?
Last year, I led CLTC’s Cybersecurity Futures 2030 initiative, in partnership with the World Economic Forum’s Centre for Cybersecurity, which gathered global perspectives on how cybersecurity will evolve by 2030, providing decision-makers with strategic foresight to improve the decisions they make today. Through this work, I truly understood the importance of incorporating diverse perspectives to understand and solve issues. This experience reinforced my commitment to inclusive practices and to cybersecurity on a global scale.
What have you learned from working in the cybersecurity field that you’ll take with you?
Relationships and collaboration have been at the core of my work managing strategic partnerships at the UC Berkeley Center for Long-Term Cybersecurity (CLTC). I’ve learned that the most complex challenges in cybersecurity often can only be addressed through strong, trustworthy partnerships. I think this is true for Consortium members and the student and client communities they serve. These lessons will guide me in my role as Membership Director, helping to support our members and advance our mission.
Google Fund to Help Colleges and Universities Launch 15 New Cybersecurity Clinics across the U.S.
Google.org’s $25M+ investment in 25 cybersecurity clinics by 2025 is helping expand the Consortium of Cybersecurity Clinics nationwide
BERKELEY, CA – Fifteen colleges, universities, and collaborative initiatives across the United States will receive $1 million grants and additional support from Google’s Cybersecurity Clinics Fund to launch new cybersecurity clinics. The funding from Google.org, the company’s philanthropic arm, is part of a $25-million+ investment to develop 25 U.S.-based clinics by 2025, in collaboration with the Consortium of Cybersecurity Clinics.

Similar to pro bono clinics in schools of law and medicine, cybersecurity clinics provide students with hands-on experience in digital security as they protect the networks of critical infrastructure like hospitals, schools, energy grids, as well as non-profits and other public interest organizations.
“Google’s transformative investment is catalyzing cybersecurity for the public good,” said Ann Cleaveland, Co-Founder and Co-chair of the Consortium of Cybersecurity Clinics and Executive Director of the UC Berkeley Center for Long-Term Cybersecurity, the Consortium’s administrative home.
“We congratulate the recipients and applaud these awards, which propel forward the vision of the Consortium of Cybersecurity Clinics to establish a cybersecurity clinic in every U.S. state by 2030.”
“After several years of working with public agencies in New England, it is now clear that college-based cybersecurity clinics can be the key to protecting critical urban infrastructure from cyber attack,” said Professor Larry Susskind, Co-Chair of the Consortium and Director of the MIT Cybersecurity Clinic. “The new clinics will expand the Consortium’s coverage to almost half the states in America. Clinics provide hands-on instruction while allowing their colleges and universities to meet their social responsibilities.”
According to the World Economic Forum’s 2024 Global Risks Report, cyber insecurity remains one of the top 10 global risks over the next 10 years. Americans filed 880,418 complaints with the FBI’s Internet Crime Complaint Center (IC3) in 2023, with potential losses exceeding $12.5 billion — a 22% increase compared to 2022. Meanwhile, there are nearly 450,000 open cybersecurity jobs available in the U.S., according to CyberSeek, and employment of information security analysts is projected to grow 32 percent from 2022 to 2032, according to the U.S. Bureau of Labor Statistics.
Cybersecurity clinics are a “win-win,” as they provide a diverse pool of students with hands-on cybersecurity training while protecting under-resourced community organizations from cyber threats. Clinics were included as part of the Biden-Harris Administration’s National Cyber Workforce and Education Strategy (NCWES), which encourages colleges, universities, and state, local, tribal, and territorial governments “to increase the use of hands-on learning opportunities, such as cyber clinics and cyber ranges, to enable students to work directly with organizations in their communities and develop cyber skills in simulated environments.” The Cybersecurity and Infrastructure Security Agency (CISA) also recently published a resource guide for university cybersecurity clinics, noting that “clinics act as force-multipliers for our mission to strengthen target-rich, resource-poor organizations.”
“The world is in a moment where emerging technologies, like AI, are creating both new opportunities and threats in the world of cybersecurity,” said Heather Adkins, VP of Security Engineering at Google. “It’s essential that we invest in growing a strong, diverse, and widespread cybersecurity workforce to help protect everyone — from critical infrastructure to small businesses and schools. The 15 clinics that we’re helping to establish serve a wide variety of students across all corners of the U.S. and we’re excited to see the impact they’ll have in their local communities.”
“Google’s continued investment in expanding the reach and impact of university-based cybersecurity clinics will have a major impact for decades to come. We’re thrilled to be at the forefront of this movement that is training a diverse new generation of cybersecurity professionals and developing digital defenses for critical community organizations.”
Carol Christ, Chancellor, UC Berkeley
In addition to grant funding, Google will provide the new clinics with volunteer mentorship from Google employees, as well as Titan Security Keys and scholarships for the new Google Career Certificate in Cybersecurity. As part of the investment in cybersecurity clinics, Google also made a $2.2M grant in 2023 to support the Consortium’s efforts to build the capacity of clinics nationwide, including mentoring new clinics, sharing teaching resources, and conducting research across the network of clinics to better serve the public interest.
Chosen from over 200 applications, the 15 colleges, universities, and collaborations selected to receive the $1 million grants are:
- Benjamin Franklin Cummings Institute of Technology
- The Cyber Center of Excellence (CCOE), a non-profit collaborative that includes California State University San Marcos, National University, and San Diego State University
- Dakota State University
- Eastern Washington University
- The National Security Institute at George Mason University’s Antonin Scalia Law School, in collaboration with Howard University
- Northeastern State University
- Spelman College
- The University of Texas at El Paso
- Tougaloo College
- Trident Technical College
- Turtle Mountain Community College
- The University of Arizona
- The University of Hawaii – Maui College
- The University of North Carolina Greensboro
- West Virginia State University
The grantees serve diverse student populations, including rural communities and students attending two-year institutions, and span a variety of Minority-Serving Institution designations, including Asian American and Native American Pacific Islander-Serving Institutions (AANAPISI), Hispanic-Serving Institutions (HSI), Historically Black Colleges and Universities (HBCU), Native Hawaiian Pacific Islander Serving Institutions, Tribal Colleges, and Native American-Serving Nontribal Institutions. The new clinics will bring the Consortium of Cybersecurity Clinics’ total presence to 32 cybersecurity clinics in 22 states plus the District of Columbia.
Craig Newmark Philanthropies’ Cyber Civil Defense Initiative helped launch and establish the Consortium as a national platform. Other early supporters of the Consortium include the William and Flora Hewlett Foundation, the Fidelity Charitable Trustees’ Initiative, and New America’s Public Interest Technology University Network (PIT-UN).
Consortium hosts Spring 2024 “Clinic of Clinics”
Students and faculty from 18 university-based cybersecurity clinics convened virtually to network and learn about the student-led Cyber Clinic at the University of Nevada Las Vegas
On April 18, the Consortium of Cybersecurity Clinics hosted its Spring 2024 “Clinic of Clinics”, a semesterly virtual event for students participating in cybersecurity clinics around the country to network, learn from experts in the field, and partake in group activities. This spring, 70 students from 18 different universities participated.
The event kicked off with a warm welcome from Ann Cleaveland, the Center for Long-Term Cybersecurity’s (CLTC) Executive Director, and Sarah Powazek, Director of CLTC’s Public Interest Cybersecurity Initiative. Both congratulated the Consortium on its recent growth.
Students then seized the opportunity to get better acquainted and network, grouping into breakout rooms to connect and learn more about the work being accomplished by their colleagues at other clinics. Attendees later regrouped to watch a presentation from the University of Nevada, Las Vegas’ (UNLV) Cyber Clinic, who showcased some internal tools and a training simulation students developed to teach new members.
Mathew Salcedo and Angel Garcia, two co-founders of UNLV’s Cyber Clinic, explained how their clinic specializes in providing free cybersecurity services to small local businesses in the Las Vegas valley.
The vast majority of clinics in the Consortium are faculty-led and taught as a semester-long course. UNLV’s Cyber Clinic is unique in that it operates as a student-led club, with support from faculty advisors, and operates year-round. This arrangement enables Cyber Clinic members to provide services to clients on an at-need basis, gives students more opportunities to gain experience working with different clients, and builds their skills over the course of their academic careers.
Salcedo and Garcia showcased the web portal application they created for their clinic. The portal is one of many internal tools their students have developed for Cyber Clinic, which serves to streamline clinic operations.
“Most of UNLV’s members have backgrounds in computer science, information systems, and cybersecurity. Many have an interest in software development,” said Salcedo. “This project allowed for some of our members to practice their programming and software development skills. Web applications are a very big portion of cybersecurity. In the past, members have been able to conduct penetration assessments or tests on our own website, too.”
Garcia explained to the audience how UNLV clinic students access the portal using an email and password, landing at a central dashboard that hosts a timesheet application for members to track their volunteering hours working on cases for clients. The dashboard also features a training library, where students can access and track completed cybersecurity certification training, including student-developed training and the CompTIA Security+ certification.
UNLV also shared their innovative approach to onboarding their clinic’s new members. Cyber Clinic’s leadership built a training simulation in Minecraft to prepare new members for conducting client site visits and train students how to identify cyber and operational risks in small businesses. At the “Clinic of Clinics” event, Salcedo and Garcia demoed a gameplay walkthrough of their Minecraft simulation, which was modeled after the Krusty Krab restaurant from the Spongebob Squarepants television show.



“We tried to incorporate every kind of cyber and operational security problem you may run into when working for a client,” said Salcedo. “We’ve tried to include, virtually, as many different problems and security risks that we’ve actually seen in restaurants or in small businesses in this simulation.”
The simulation recreates a business owner’s office, visualized as Mr. Krabs’ office, complete with computers, smartphones, and tablets functioning as the point-of-sale system. Users can interact with these devices to evaluate their cybersecurity practices and identify any potential vulnerabilities.



“Many [security] vulnerabilities have to do with the client’s computer, how they’re managing their passwords, what they’re doing with old devices, or where they’re storing important documents or financial documents on [business] premises.”
The co-founders also plugged the UNLV clinic’s cybersecurity podcast, “Cyber Clinic Central,” with episodes available on Spotify. The podcast welcomes industry speakers to talk about their career paths and brings on clinic members to discuss a range of cybersecurity concepts.
After the presentation, students engaged in further group discussions before CLTC concluded the session with the unveiling of this semester’s new “Clinic of Clinics” challenge coin design—colored a vibrant “cyber yellow”! Students can collect a new coin for each “Clinic of Clinics” they participate in.
CLTC thanks all those who participated in the session! For more information about UNLV’s Cyber Clinic, visit freecyberclinic.org or email info@cyberclinicoffical.org
Growth And Impact: Looking Back At Our 2022 to 2023 Academic Year
What a journey this past year has been for us at the Consortium of Cybersecurity Clinics! As we embark on 2024, we’re eager to reflect on last year’s accomplishments and share new data collected from the 2022-23 academic year on the growth of the cybersecurity clinics.
Training More Students Than Ever Before
University-based cybersecurity clinics provide hands-on training to students from diverse backgrounds and academic expertise. This training initiative aims to strengthen the digital defenses of community organizations that often fall through the cracks of cyber defense, as well as train the next generation of cyber civil defenders.
Our latest data shows that over 880 students nationwide have benefitted from this training initiative. Moreover, the 2022-23 academic year marked a significant milestone for the Consortium, with a record-breaking number of over 450 students trained – a 150 percent increase from the previous year. This cohort represents the largest group of students trained in the Consortium’s five-year history.
Expansion of the Clinics Model
Since its inception five years ago in 2018, our network of university-based cybersecurity clinics has grown to encompass 15 active clinic locations. Our clinics now spread across nine different states, bringing us closer to our ultimate goal of launching a university cybersecurity clinic in all 50 U.S. states by 2030.
The Consortium is committed to expanding the reach and impact of cybersecurity clinics in partnership with Google.org, which is committing more than $20 million to support the creation and expansion of cybersecurity clinics at 20 higher education institutions across the United States.
80+ Public Interest Organizations Served
Many public interest organizations that provide essential public services lack the resources for basic cybersecurity self-defense. Our university-based cybersecurity clinics provide pro bono assistance to these kinds of “target-rich, resource-poor” organizations to help them develop long-term cybersecurity defense, increase their resilience, and expand their cyber security capacity.
Over the past five years, our clinics have supported 83 local and regional resource-strapped organizations with cybersecurity assistance.
Clinics served a diverse range of public interest-aligned clients in the 2022-23 academic year. Non-profit organizations comprised over half of our clients (52%), with local governments following as the second-largest group served (18%). Additionally, small businesses (10%), K-12 education institutions (8%), and healthcare organizations (6%) made up a significant portion of our clientele, underscoring the breadth of our impact across various sectors.
The Work Ahead
The Consortium is proud of the expansion of the clinic model and the positive results this initiative has had for cybersecurity students and community organizations across the country.
Thank you for being a part of our journey. We look forward to continuing our mission to amplify the upside of the digital revolution and ensure that everyone can safely benefit from what technology has to offer. We cannot wait to see how the Consortium of Cybersecurity Clinics continues to grow and make an impact for public interest organizations in the coming year.
Stay tuned for more updates from the Consortium of Cybersecurity Clinics!
Job Announcement: Consortium Membership Director
The Consortium of Cybersecurity Clinics is seeking a qualified individual for a full-time, year-round Membership Director position to support the Consortium in assisting universities around the country and the world with cybersecurity workforce development and protecting vulnerable organizations from cyberattacks.
The Membership Director supports the Consortium of Cybersecurity Clinics in assisting universities around the country and the world with cybersecurity workforce development and protecting vulnerable organizations from cyberattacks. The Consortium will be growing its membership by 10-20 or more universities and colleges over the next several years. This position works in close alignment with the Executive Committee of the Consortium of Cybersecurity Clinics, currently co-chaired by clinic leadership at the UC Berkeley Center for Long-Term Cybersecurity and the Massachusetts Institute of Technology.
This is a full-time, 2-year contract position with the possibility of extension and/or conversion to career.
Application Review Date
The First Review Date for this job is: March 23, 2024 – Open Until Filled
Responsibilities
Provides leadership, structure, and organization for the long-term effectiveness of the Consortium of Cybersecurity Clinics, with responsibility for administrative and programmatic activities. Leads short- and long-term planning, assesses effectiveness, and recommends changes to content, policies and procedures accordingly.
- Conducts strategic planning and works with the Consortium’s faculty executive committee to develop and implement strategic priorities for the Consortium.
- Develops annual program plans, including milestones/deliverables, timelines, monitoring and evaluation frameworks, and ecosystem development strategies.
- Monitors progress toward Consortium-wide goals and objectives, through semi-annual review meetings to review milestones/outputs and plan/problem solve. Establishes and collects key data points from Consortium members and supports related research about the impact of cybersecurity clinics.
- Prepares critical program outputs including briefing documents, donor reports, requests for proposals (RFPs), peer review protocols and templates, surveys, event concept notes and agendas.
- Represents the Consortium in recurring partners meetings and regular management meetings to facilitate knowledge-sharing and collaboration, promote efficiency, and maintain clear channels for feedback and communication.
- Conducts outreach, onboards, and stewards new members of the Consortium. Assesses the Consortium’s organizational effectiveness, and recommends changes to program’s content, policies and procedures to support the success of existing and new members of the Consortium.
- Creates and implements improved processes to qualify, welcome, onboard and steward new members.
- Oversees improvements to the Consortium’s backend infrastructure for member communication and information sharing; selects and supervises vendors to deliver results.
- Ensures that lessons-learned are shared and elevated with Consortium membership, to continue raising the bar for clinic effectiveness.
Facilitates the efforts of Consortium leadership, clinic faculty at various institutions, allied organizations, volunteers, donors and state, local and federal officials to collaboratively strengthen cybersecurity clinics across the US and worldwide.
- Facilitates collaborative problem-solving to reach solutions that benefit all parties.
- Expands the Consortium of Cybersecurity Clinics clearinghouse of clinical resources with new collaborative content; hosts a community of practice around clinical education / technical assistance with peer clinics.
- Develops symposiums, workshops and other convening events.
- Engages the clinic alumni community and corporate partners as ambassadors and program volunteers.
- Supports Consortium-wide programming related to skill development for students.
- Participates in external initiatives such as the Public Interest Technology University Network.
Participates in workshops and publicity events, and provides public relations oversight and social media support.
- Directs and manages professional PR / communications consultants and student media interns to highlight the accomplishments of Consortium members.
- Authors blogs, op-eds and/or social media content that raise visibility for the cybersecurity clinic model and the Consortium and change the way policymakers, researchers, and practitioners think about digital security technical assistance.
- Liaises with Consortium members to ensure that key research findings are communicated with the public and the field. Prepares collateral and data visuals that communicate impact and success stories.
Identifies and pursues funding opportunities and revenue streams.
- In coordination with Consortium leadership and development staff, stewards relationships with a range of program sponsors (including corporate partners, foundations, and private donors), carefully tracking priorities and identifying overlapping interests.
- Identifies and elevates funding opportunities that emerge from Consortium outreach, and helps connect member clinics to prospective funders.
- Participates in budgeting and accounting processes to support a self-supporting financial outlook for the Consortium.
- Researches and plans for long-term governance and financial sustainability of the Consortium; presents options to the executive committee.
Required Qualifications
- Bachelor’s degree in cybersecurity, law, science & technology studies, public policy, information science, business, non-profit management or a related area, or equivalent years of related work experience.
- Academic background in cybersecurity, law, science & technology studies, public policy, information science, business, non-profit management or a related area.
- Demonstrated success building membership-based organizations, multi-institution collaborations and/or network organizations.
- Advanced ability to work with an executive committee and/or advisory board to develop and implement a strategic plan.
- Ability to oversee strategic communications and public relations, and establish a basic social media presence.
- Demonstrated success with program building within an academic or other institution. Advanced program management skills, including project management, tracking deliverables, managing budgets, selection and supervision of vendors, and report writing.
- Advanced interpersonal skills. Ability to lead collaborations with leaders in the field and to convene internal and external peers and experts to achieve results.
- Advanced oral and written communication skills.
- Demonstrated evidence of a commitment to advancing diversity, equity and inclusion.
- Ability to steward funders and other program supporters.
Preferred Qualifications
- 8+ years of management experience in membership-based organizations, coalitions or associations.
- Understanding of the unique digital security needs of under-resourced public interest organizations (such as public agencies, nonprofits, and small businesses).
Salary & Benefits
For information on the comprehensive benefits package offered by the University, please visit the University of California’s Compensation & Benefits website.
Under California law, the University of California, Berkeley is required to provide a reasonable estimate of the compensation range for this role and should not offer a salary outside of the range posted in this job announcement. This range takes into account the wide range of factors that are considered in making compensation decisions including but not limited to experience, skills, knowledge, abilities, education, licensure and certifications, analysis of internal equity, and other business and organizational needs. It is not typical for an individual to be offered a salary at or near the top of the range for a position. Salary offers are determined based on final candidate qualifications and experience.
The budgeted salary or hourly range that the University reasonably expects to pay for this position is $120,000 to $160,000 annually. This is a 100% FTE, 2-year contract position eligible for full benefits.
Other Information
This is a full-time, 2-year contract position with the possibility of extension and/or conversion to career.
Clinics in Review: 2023 Highlights and Impact
BY SHANNON PIERSON, PUBLIC-INTEREST CYBERSECURITY FELLOW, CENTER FOR LONG-TERM CYBERSECURITY
At the Consortium of Cybersecurity Clinics’ monthly meetings in November and December 2023, members reflected on the year’s accomplishments and shared anecdotes about the successes of their individual clinics.
Funding and Development Updates
- In an exciting update, clinic funding is coming to the EU! In partnership with Google.org, the European Cyber Conflict Research Incubator CIC (ECCRI CIC) will launch cyber clinics seminars at select European universities. The initiative aims to expand access and opportunities for students interested in learning about the field of cybersecurity. Clinics will open in Czechia, France, Germany, Greece, Poland, Romania, Spain, and Ukraine, offering tailored curriculums in the respective languages of these countries.
- University of North Carolina (UNC) Chapel Hill received a grant to establish a cybersecurity clinic that is set to launch in early 2024. UNC clinic coordinators are currently crafting the course curriculum and actively seeking clients for the clinic’s inaugural class.
- San Diego State University, California State University San Marcos, and National University are joining forces to create a regional cybersecurity clinic in Southern California. This collaboration is managed by the San Diego Cyber Center of Excellence and aims to foster cross-institutional collaboration amongst San Diego’s cyber defenders.
Cyber Civil Defense Research Updates
- Indiana University and Purdue University’s Cybertrack program, an initiative that connects Indiana’s local governments with cybersecurity experts for tailored advice, published its inaugural report in November 2023. The “Cybertrack Report” aggregates results and analysis from 23 cybersecurity assessments conducted on local government entities in Indiana. The report finds that most local governments in Indiana struggle to implement even the most fundamental cybersecurity controls, such as multi-factor authentication (MFA).
- The MIT Cybersecurity Clinic students recently conducted site visits for their clients in the New England area. These visits provided an opportunity for students to observe the physical assets of their clients, such as servers and building layouts. This hands-on experience helped enhance their understanding of employee access to IT assets, organizations’ operational security posture, and the overall company culture.
- The University of Georgia (UGA) CyberArch Clinic assisted seven different organizations this year, including city governments, water treatment facilities, and small businesses. Additionally, UGA opened a Women in Cybersecurity (WiCyS) chapter.
- Rochester Institute’s (RIT) clinic achieved success with a variety of client projects in 2023, including a first-of-its-kind collaboration with the Rochester Philharmonic Orchestra. As a token of appreciation, the orchestra graciously awarded students free tickets for their services. RIT observed a trend among non-profit clients: most prefer cybersecurity assessments over penetration testing. This preference stems from a desire by these organizations for practical advice on what specific cybersecurity program aspects they can implement to improve their cybersecurity posture.
CLTC congratulates all the members of the Consortium of Cybersecurity Clinics on yet another impactful year in training the next generation of cyber civil defenders and building cyber resilience for community organizations — we can’t wait to see how these initiatives expand in 2024!
Commonly Asked Questions About Cybersecurity Clinics
Since the Consortium published the Clinic Development Toolkit last July, we’ve had great conversations with people in the community about how to start a cybersecurity clinic.
In all our conversations, we continue to emphasize that there is no one “right way” to implement a clinic successfully. The model is adaptable to institutions of different sizes, resources, and degree programs.
Here are some answers to common questions we hear from folks interested in starting up new clinics:
The Consortium
Question: How does the Consortium support new clinics?
Answer: The Consortium is a forum for faculty, students, trainers, and advocates to network and share knowledge, expand the reach of cybersecurity clinics, and lower the barriers for other institutions of higher education to successfully establish their own clinics. We host a monthly conference call for peer learning and sharing among established and new clinics. Members have access to a growing library of collective resources, designed to help new clinics get up and running without recreating the wheel. Consortium lines of effort such as our fundraising and impact & learning committees are also aggregating best practices that will be available to new clinics.
New clinics can establish mentorship relationships with existing clinics, and we host events for clinic students and training workshops for clinic instructors (stay tuned for more information about a clinic-focused pre-conference workshop at the 2024 NICE Conference). [Note: The Consortium’s mission is to help build the capacity of all cybersecurity clinics, and Consortium members don’t advise new clinics on individual grant applications for opportunities like the Google Cybersecurity Clinics Fund.]
Where to House A Clinic
Q: Does an institution have to have a well-developed Cybersecurity or Computer Science program to launch a cybersecurity clinic program?
A: No. Clinics can be established as part of a degree program that is not directly related to technology, or outside of degree programs (for example, as a student club). Successful existing clinics are often interdisciplinary and may be housed in business schools, law schools, and other departments. Having a faculty champion and buy-in from departmental and institutional leadership and administration at launch is more important than having a cybersecurity or computer science degree program.
Curriculum
Q: Is there a set curriculum for a cybersecurity clinic?
A: No. Curricula vary across clinics, depending on the emphasis of the clinic and the course requirements in a given institution. However, many clinics have similar modules and learning outcomes. Several Consortium members have shared their syllabi and other course materials with the community. For more information, check out “Teaching Syllabi” on our Resources page, and/or get involved in the Consortium!
Student Recruitment
Q: Can students with no prior cybersecurity experience participate in a cybersecurity clinic?
A: Yes. Several existing clinics allow students from all majors and grade levels to join, regardless of prior experience. Most clinic programs provide initial training to students to make sure everyone has the shared baseline knowledge to participate (see examples from UC Berkeley and MIT). Students from non-technical majors bring complementary knowledge, and often have transferable skills they do not even realize they have. An interdisciplinary approach helps to create a well-rounded team able to effectively engage with the client and analyze requirements from multiple perspectives.
Q: How do clinics grow the number of students in their clinics?
A: In order to grow the clinic, students across your campus need to be aware of and inspired by the opportunity to participate in the clinic. There are many ways that clinics conduct outreach to students, like campus-wide postering, hosting info sessions for prospective clinic students, and developing partnerships with student affairs/student advising. The best ambassadors to recruit new students to the clinic are often alumni of the clinic who can speak to their experiences providing cybersecurity assistance to organizations in need.
Another common limiting factor is faculty and instructor capacity. Recruiting volunteer mentors is one way that clinic instructors have augmented their capacity to advise students in the clinic and accept more students into the program.
Student Registration
Q: Do clinics accept only currently-enrolled students?
A: Existing member clinics of the Consortium of Cybersecurity Clinics are higher education-based programs, and work with undergraduate (including community college) and graduate students. Some institutions can accept visiting students to the clinic on a case-by-case basis, without requiring formal admission. Check with your institution to find out about concurrent enrollment and visiting student policies.
The cybersecurity clinic model is adaptable to other types of cybersecurity workforce development programs (for example serving non-traditional students, folks returning to the workforce, career changers, or other community members). If you are interested in developing a cybersecurity clinic outside of a university or college, the Consortium welcomes your participation and membership. [Note: there are some opportunities, such as the Google Cybersecurity Clinics Fund, for which only institutions of higher education are eligible.]
Student Support
Q: Do clinics compensate students for work in the clinic? What kinds of student support do clinics offer?
A: It depends. Some clinics are able to support students financially for their work in the clinic, while others provide course credit, and still others function as an extracurricular activity. Each clinic will need to work within its host institution to decide if and how it wants to approach student support. Compensating students at the typical hourly rate of your institution, stipends, paid internships, course credit, and tuition relief (while in the clinic) are all options that have been used successfully. Schools should look internally at the different tax implications for students before selecting an approach.
Student Leadership
Q: Can students participate in creating and leading clinics?
A: Yes. Students bring great perspective and ideas to the design and implementation of a clinic. Some cybersecurity clinics are organized as student organizations, such as the successful Free Cyber Clinic at the University of Nevada, Las Vegas. [Note: there are some opportunities, such as the Google Cybersecurity Clinics Fund, which do not accept applications submitted independently by students and require a faculty or institution lead.]
Budget and Equipment
Q: What kind of equipment and supplies (e.g. hardware, software, or other equipment) should clinics budget for?
A: Clinics often provide laptops and security keys to students specifically for working in the clinic. At a minimum, clinics also need to purchase products and/or services that provide secure data storage and that allow for secure communication and collaboration between the clinic and its clients (for example, encrypted messaging and/or VPN services).
Q: What other guidance can I find on a start-up budget for a cybersecurity clinic?
A: The cost of clinic startup and operations depends on faculty teachers, paid student internships, materials, enrollment, and full-time support staff or TAs. Consortium clinics have found that $300k is a good funding target for the first year, and $100k each year thereafter. Page 11 of the Clinic Development Toolkit has more information on typical line items in a start-up budget. Note that marketing and outreach may be needed to start up a clinic and should be considered as you develop your clinic budget.
Clients
Q: How do clinics market their services to potential clients?
A: One successful approach to marketing clinic services is to partner with a community organization that can connect your clinic to organizations in need. Many clinics partner with local hubs that serve as trusted partners, vouching for the quality of the clinic program to potential clients, and finding clients that would most benefit from the free services. For example, clinics have partnered with the Small Business Development Centers in their communities who can help with outreach to small business owners. Other clinics have established partnerships with entities like the United Way. Once the clinic has an established track record, clients also come via word-of-mouth.
Q: Is a “clinic” seen as a time-limited event that happens annually, or an ongoing entity?
A: The university-based cybersecurity clinics in the Consortium are ongoing entities, where students and clients have the opportunity to develop a sustained engagement (i.e. over the course of a term or semester).
Instruction: Virtual vs. In Person
Q: Can clinics run virtually, or do they have to be in person?
A: Instruction and clinic participation can be in person, virtual (online), or hybrid, depending on which is considered most effective for the clinic and client. We have seen all of these options work successfully in existing clinics. If the clinic’s clients are local, many clinics make an effort to have students meet with clients in person.
Risk Management
Q: How do university-based cybersecurity clinics handle liability?
A: Typically, an MOU (sometimes called a Statement of Expectations) is executed between the clinic client and the clinic’s host institution. Clinic directors can work closely with their institution’s legal department or general counsel to work out the specifics of an MOU or other agreement. If you need help getting started, contact cybersecurityclinics@berkeley.edu for templates that have been shared by existing clinics and made available through the Consortium as a resource to the community. Many schools also require students to agree to a code of conduct for working in the clinic. See pages 13-14 of the Clinic Development Toolkit for more information.
Fundraising
Q: Do clinics fundraise?
A: Many clinics are supported at least partially by grants or other philanthropic support. Pages 11 and 12 of the Clinic Development Toolkit cover a range of fundraising strategies and tips including how to identify and approach prospective funders. The Consortium of Cybersecurity Clinics will expand clinic fundraising materials and suggestions on its Resources webpage in 2024 – stay tuned!
