Higher education institutions are among the most targeted and least defended organizations in the US. A single ransomware incident can take a university offline for weeks and cost tens of millions of dollars to remediate, yet most institutions lack the staffing and budget to run continuous security monitoring. The cybersecurity talent pipeline is equally broken: students graduate without hands-on experience, and employers cannot find analysts who are ready to work from day one.
In this interview on TFiR, Craig Woolley, Chief Information Officer at Louisiana State University, breaks down how LSU built a public-private partnership with TechStream and Splunk to operate real, 24/7 security operations centers staffed by trained students, now covering more than 40 higher education institutions across the country and generating direct revenue from private sector clients.
Guest: Craig Woolley, Chief Information Officer at Louisiana State University
Show: TFiR
Here is what every CISO, higher education IT leader, and cybersecurity workforce program director needs to know.
Technical Deep Dive
Q: What is the LSU student SOC model and why was it created?
Craig Woolley, Chief Information Officer at Louisiana State University, created a public-private partnership with managed detection and response provider TechStream to run security operations centers where university students work alongside professional analysts. The model exists to solve two problems simultaneously: higher education institutions need affordable, continuous security monitoring, and cybersecurity students need real-world experience that classroom training cannot provide. TechStream owns all the risk, all the SLAs, and covers nights, weekends, and holidays so students are never overextended.
“We want our students getting real world experience and we also want to try to reduce the cost for the universities.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: Who is TechStream and what role does it play in the partnership?
TechStream is a managed detection and response provider based in Atlanta, Georgia. In this model, TechStream owns all monitoring responsibilities, all contractual SLAs, and all operational risk. The arrangement allows students to work inside a live SOC environment without the university bearing the liability of service delivery. Woolley noted that the first MDR partner Splunk introduced declined the model and asked to be paid to handle everything without student involvement, missing the workforce development objective entirely. TechStream embraced the concept from the first conversation.
“They own all the risk, they own all the SLAs. But our contract allows for our cost to be reduced by the work that our students do working side by side with TechStream.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: How does Splunk fit into the SOC architecture and which deployment model does LSU use?
LSU’s CISO evaluated available SIEM platforms and selected Splunk as best in breed, deploying the cloud-based version. Each of the 35 higher education institutions covered in the State of Louisiana receives its own Splunk Enterprise Security instance. SOAR runs across all instances as an overarching orchestration layer, and students interact primarily with the SOAR platform that TechStream manages, with direct access to Splunk for searches when needed.
“Each school gets their own Splunk ES instance and we heavily utilize SOAR overarching all of that.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: How are students trained and how does the incident tiering system work?
Students complete a six-week training program that covers Splunk, SOAR, and foundational IT concepts. After training, students are qualified to handle Level 1 incidents. As their skills mature, they progress to Level 2 and Level 3 incidents. Level 4 incidents remain exclusively in TechStream’s hands. The tiering system provides a clear, risk-contained boundary so that no student is ever assigned work beyond their verified capability, and TechStream maintains full accountability for higher-severity events regardless of staffing.
“Those new students know they can only do level one incidents. But then their training continues, their maturation continues, and then they can get up and do category two or category three.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: How is AI changing what students do in the SOC and what does human-in-the-loop mean in practice here?
TechStream is already integrating AI to handle a portion of lower-level incident work, which Woolley expects will shift student entry points from Level 1 to Level 2 in the future. Rather than eliminating student roles, AI changes what those roles look like: students learn to interact with AI-generated outputs, verify them, and escalate when needed. Higher-level analytical work remains human. The public-private structure gives the program the agility to absorb these changes faster than a traditional university curriculum could respond.
“Students will learn how to interact with the AI and how to double check what AI is producing for them. We might have students starting in the future at level two and not level one because AI is going to do a lot of that for them.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: How many institutions is this model now protecting and how did it scale so quickly?
Launched three years ago, the model now covers higher education institutions numbering approximately 40 to the mid-40s across the country. Adopting institutions include NJIT, Georgetown University, the University of Alabama, the McCreary Institute at Auburn, and Kennesaw State, among others. Woolley attributes the speed of expansion to the franchise structure: training materials, onboarding processes, and the TechStream partnership are standardized so that any participating institution can replicate the model without building from scratch.
“We have built this as a franchise model and so all the training has been developed through our process.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: How does the state of Louisiana justify the funding and what is the financial case for proactive security?
The State of Louisiana funds the program at $7.5 million per year. Woolley made the case to the state by pointing to the cost of reactive incidents: before this model was in place, individual cyberattacks took universities offline for weeks and cost tens of millions of dollars each to resolve, with no workforce development benefit and significant reputational damage. The proactive model costs less, trains students, and protects the institutions simultaneously. That argument has persuaded the state to continue funding and has attracted interest from approximately 50 schools across the country.
“It’s a lot cheaper to be proactive than reactive. One incident was costing tens of millions of dollars for one incident to resolve.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: How does the Tiger SOC generate revenue and what kinds of private sector clients does it serve?
LSU opened a second SOC dedicated to commercial clients. TechStream contracts directly with private sector organizations and then subcontracts the monitoring work to LSU’s student analysts. Current clients include one of the largest casinos in the country, several healthcare organizations, and approximately seven private businesses in total. TechStream pays LSU for the student work, LSU reduces its costs, and TechStream lowers its own labor costs relative to hiring full-time staff. The revenue generation model is being made available to all participating universities in the franchise, so that schools like NJIT can offer monitoring services to local businesses or alumni-owned companies.
“LSU SOC generates revenue for me because TechStream pays me. TechStream can lower their costs some because they’re paying our students, which is cheaper than paying a full time person at a company.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: What is the talent pipeline benefit for private sector companies that use student SOC services?
Because students may spend years monitoring a specific company’s environment through TechStream, those companies develop a detailed picture of each analyst’s capabilities and familiarity with their infrastructure. This creates a direct hiring pipeline: when a student graduates, the company can recruit someone who already knows their environment and has a demonstrated track record. The arrangement benefits all three parties, reducing recruiting costs for the company, improving placement outcomes for students, and strengthening the financial case for the program.
“It’s a great pipeline for that company to say, can I hire these students getting ready to graduate. They already know our environment and we know that they are well trained.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: What was the biggest operational challenge and what would Woolley do differently?
The model has exceeded expectations overall. The primary challenge Woolley identified is that smaller institutions do not generate enough incidents to keep student analysts consistently engaged and progressing through the training tiers. The fix he would apply from day one is to assign smaller schools multiple institutions to monitor rather than only their own, ensuring adequate incident volume for training purposes. The revenue generation model, where TechStream brings commercial clients to schools with excess capacity, is the current solution addressing exactly this gap.
“Some of these smaller schools might not generate enough incidents to really keep the students busy and to get them fully trained. I would probably rethink some of that distribution.” — Craig Woolley, Chief Information Officer, Louisiana State University
Q: What is the recommended implementation path for a university that wants to adopt this model?
Woolley recommends a phased approach. In the first phase, TechStream onboards the institution into Splunk and begins providing full 24/7 professional monitoring within a few weeks. The institution runs that configuration for at least six to twelve months, working out operational issues before students are introduced. In the second phase, LSU’s Tiger SOC is incorporated so that student analysts begin handling incidents and lowering costs. Only after the foundation is stable should the institution consider opening its own student SOC. Starting with TechStream providing full coverage removes the pressure of going live with untrained students.
“Start slow. This is designed to be done in phases. Give yourself six months to a year to make sure you got all the kinks worked out, you got TechStream fully onboarded, and then you can start bringing on your students and training them.” — Craig Woolley, Chief Information Officer, Louisiana State University
Resources & Documentation
- Louisiana State University ITS, home of the Tiger SOC program and the franchise model for student-run security operations centers
- Splunk Enterprise Security, the SIEM platform deployed per institution in cloud-based configuration
- Splunk SOAR, the orchestration platform students primarily interact with for incident handling
***
Full Raw Transcript
Swapnil Bhartiya: Hi, this is Swapnil Bhartiya and we are here at Cisco Live. And today we have with us Craig Woolley, CIO at LSU. First of all, Craig, it’s great to have you on the show.
Craig Woolley: Thank you for having me.
Swapnil Bhartiya: It’s my pleasure to host you here. First of all, let’s talk about LSU for our audience member who may not be able talk about yourself and LSU. Then we’ll talk about your presence at the event.
Craig Woolley: So I am the Chief Information Officer at LSU. I’ve been there for about six years. The reason why I’m here at the event is we have created a unique, I think, arrangement with a public private partnership to do security operations centers, including students, but also including our partner, which is TechStream, in the process. So it gives us the best of both worlds in that our students are getting real world experience, but they don’t have to work 24 hours a day, seven days a week because TechStream is always there helping them and monitoring them. And then they take the nights and the weekends and the holidays so that our students don’t have to work through all that.
Swapnil Bhartiya: And what is TechStream?
Craig Woolley: So TechStream is a managed detection and response provider out of Atlanta, Georgia. They were one of the, when we knew we wanted to do this and we knew we wanted to use Splunk as our SIEM, but we had to find a partner to help us bring up the whole idea of onboarding students into a SOC. And so Splunk brought us different partners for us to talk through to see if they’d be interested in taking this risk where we’re asking them to help us train our students and to take some of the risk as far as our students doing the work on their behalf. The first partner that was brought to us, we met with for a while and they really didn’t want anything to do with students, right? They said, why don’t you just pay us a lot of money and we’ll do it all for you and you don’t have to worry about students. And they’re missing the point of what we’re trying to do. We want our students getting this real world experience and we also want to try to reduce the cost for the universities. So Splunk then brought us TechStream. We met with them and they right away loved the idea and were excited. And so we decided we’ll do a public private partnership where they do all the monitoring, they own all the risk, they own all the SLAs. But our contract allows for our cost to be reduced by the work that our students do working side by side with TechStream.
Swapnil Bhartiya: Excellent. Can you talk about how, especially let’s go a bit deep dive into the weeds. How are you specifically leveraging the Splunk and Cisco technologies to, as you rightly mentioned, to not only power this environment, also make it risk free for you so that students can focus on what they’re doing without worrying about consequences.
Craig Woolley: So my CISO a few years ago did an analysis of SIEMs and determined he wanted Splunk. He thought it was best in breed. He thought it was the easiest. And we can use the cloud based version which we do. We heavily utilize. So every school, so we’ve got in the State of Louisiana 35 or so higher ed institutions in this model being protected by the SOCs. Each school gets their own Splunk ES instance and we heavily utilize SOAR overarching all of that for our students interact a lot with the SOAR platform that TechStream manages for us. But they also go into Splunk if they need to do searches and all that.
Swapnil Bhartiya: When you talk about threat, can you talk about what kind of threats we are talking about and is the onus on students, do they not have to worry about that, is it totally up to Splunk and Cisco, or there are technology or AI machine learning that you’re using to mitigate some of those threats and what are those?
Craig Woolley: So our students, so we have a training program that we’ve developed that again this is being now utilized at three higher ed institutions in the state of Louisiana. It’s being utilized at NJIT, Georgetown University, Alabama and the McCreary Institute in Auburn and Kennesaw State. So all these, we built this as a franchise model and so all the training has been developed through our process. Students are trained in six weeks and after the six weeks they’re able to handle, interact with Splunk, SOAR and they do the low level incidents. They’re all marked as level one through four. Those new students know they can only do level one incidents. But then their training continues, their maturation continues and then they can get up and do category two or category three. We don’t have any students doing level four yet. So TechStream knows they handle all of that. But the students are heavily trained in Splunk. They’re heavily trained in basic IT concepts.
Swapnil Bhartiya: Also this could be a tricky question. The thing is that things are moving so fast in this space, for us media persons we are on our toes and sometimes it’s just too much. Now when we talk about education bodies, new students, universities, the curriculum moves slowly, technology moves fast. So how, and this is a big pain point for students also in a way, AI is also taking over a lot of low level jobs that students used to become interns and all those things. So how much are you looking at this?
Craig Woolley: Yes. And that’s the beauty of a public private partnership. Because we can be more nimble, because TechStream can be more nimble. So they are already working on AI and using AI to maybe do some of the lower level things, which is fine. The students still will do human in the loop, students will learn how to interact with the AI and how to double check what AI is producing for them. And you’re still going to need higher level thinkers for the other incidents. And so we might have students starting in the future at level two and not level one because AI is going to do a lot of that for them. But again we have so this whole concept we have built to where we are supporting and protecting probably 40, mid-40s higher ed institutions across the country with this, we just started three years ago. So I attribute that to one, a great partner in both Splunk and TechStream and that public private partnership that allows us to move much quicker than general higher ed moves. Like you mentioned, sometimes that can be very, very slow. This is unusual for higher ed for stuff to move that quickly.
Swapnil Bhartiya: No. First of all, thank you, because this is a serious pain point. Now you did touch upon what kind of attention nationwide or even globally, this model is attracting, where you’re also hearing from other states, federal level that this model can be replicated. And earlier you also mentioned you wanted to work with an organization and they just wanted a lot of money. So let’s also talk about sustainability, revenue plays a big role there. You know, not everything can be sponsored for a bit. So these are two or three questions bundled together, but I think they correlate with each other.
Craig Woolley: So we have probably met with 50 schools across the country so far. Some have adopted like the ones I mentioned, others are on the fence, others, this still is not cheap. Even the model we’re using, it’s still expensive. But what we have convinced our state of Louisiana, who is funding our model for our state, it’s a lot cheaper to be proactive than reactive. And one incident, which we had many schools brought down for weeks at a time just a few years ago before this was in place, and that’s costing tens of millions of dollars for one incident to resolve. Our state is funding our projects, 7.5 million a year and we’re training students. In those other attacks we had no students were trained. We just had to pay money to fix something and have the reputational damage for those higher institutions. So we do believe other schools do have an interest because of the workforce development aspect of it. Protecting that school and giving those students a great experience is I think what is also interesting.
Swapnil Bhartiya: Excellent. Thank you. The second part of the question was monetization or revenue generation. So it becomes self sustaining versus depending or relying on those specific funding sources.
Craig Woolley: Great point. And that is one thing that is our next iteration of the model. Right now the way it was designed is our schools monitor incidents for themselves. Their students monitor it for their school. It’s worked so well. And since TechStream provides services to lots of commercial customers, we decided, well, why don’t we also try to generate revenue by, again, everything goes through TechStream. So my risk is low. But TechStream could outsource to my SOC and we opened up a second SOC just for this purpose so that some of those other companies instead of going overseas to try to save money, they can outsource to one of the SOCs. So LSU SOC generates revenue for me because TechStream pays me. TechStream can lower their costs some because they’re paying our students which is cheaper than paying a full time person at a company. So we’ve got one of the largest casinos in the country is being monitored by our Tiger SOC. We’ve got some healthcare. We’ve got I think about seven different private businesses all through TechStream. TechStream does the contract with them and then they just pay me for the work my students are doing. And so I am generating extra revenue there. We’re going to open this ability up to any of the schools that participate in the program so that if NJIT wants to offer services to local businesses or maybe there’s some alumni that love NJIT and own a company and want NJIT students helping with their security, that would be an option and a revenue generator for NJIT. And then these businesses, since these students will be trained for many years, possibly monitoring that company’s incidents and protecting them, it’s a great pipeline for that company to say, hey, can I hire these students getting ready to graduate. We just want to hire them. They already know our environment and we know that they are well trained.
Swapnil Bhartiya: You’re also presenting here at the event. If you look back when you started this, how you made mistakes, learned from them, if you had to, like today is day zero, how would you do things differently? The reason I’m asking this question is because that would be an insight for a lot of other folks. So what would that be?
Craig Woolley: It has actually worked better than my wildest dreams as far as how well the model worked. Probably the one thing, and I mentioned this earlier, that I would maybe rethink is that in the state of Louisiana we’ve got 35 higher eds being covered by the SOC. There are three locations where we have students: LSU, LSU Shreveport and LA Tech. So they all have their own SOCs, all trained and brought up and worked the same way, all under TechStream. Probably the hardest thing is that some of these smaller schools where I say their students are going to monitor their incidents, their schools might not generate enough incidents to really keep the students busy and to get them fully trained. So I would probably rethink some of that distribution and maybe make sure some of these smaller schools had multiple schools they cover instead of just themselves. But that’s also where this idea of the revenue generation comes in. If a school has extra capacity and their students working in their SOC, why not get paid for that extra capacity they’ve got and get them more experience by letting TechStream bring them customers.
Swapnil Bhartiya: And if there are schools, universities who have either not considered it or need a push, what would be your advice to them?
Craig Woolley: One would be start slow. This is designed to be done in phases which is the same way we did it. And by that, TechStream, since we’ve got this process down and we’ve done it for many, many schools, TechStream can come in and get you set up and protected in just a few weeks. They can have you all onboarded in Splunk and have somebody monitoring 24 by 7 at TechStream your incidents. I would do that first. Then our SOC, Tiger SOC, would get incorporated into that so that our students would be monitoring some of that and that will then lower that school’s costs. I would do that for six months at least so that you give, if you are planning on onboarding students and opening up your own SOC, give yourself six months to a year to make sure you got all the kinks worked out, you got TechStream fully onboarded and then you can start bringing on your students and training them.
Swapnil Bhartiya: Great. Thank you so much for joining me. And this is actually really important for the next generation because people don’t realize companies are looking at cost cutting. But when it comes to the current breed of employees, where will you get to the next level? So what you also mentioned is that organizations are also realizing that. So like Cisco and Splunk, they also know that they will need that talent in the future. So they support the public private partnership that you mentioned. That is the critical piece here. So thank you for not only sharing those insights, but also these initiatives. And I look forward to sharing this with our audience.
Craig Woolley: Thank you. Appreciate it. Thanks.





