Skip to body

Information Technology and Administrative Management

College of Education and Professional Studies

Dr. Ray Spencer, Lecturer

Office: Everett
Phone: 425.405.1614

As much as I enjoy learning, I think I had too much of a good thing when I was working on my Ph. D.  I got tired of school and went looking for a job, leading to an interview with a computer security firm. I knew nothing at all about the field, but when the interviewer described the job as “devious contemplation”, I was hooked! Luckily, no one else at the time knew anything about computer security either, so my lack of knowledge didn't keep me from getting the job.

And besides, it was all so much simpler then. The World Wide Web was a new thing, the first popular browser (Mosaic) came out a few months after I started. Our company had primarily worked on Department of Defense contracts but was transitioning to commercial products, including one of the first firewalls. “Devious contemplation” told us that a simple firewall couldn't possibly stop all attacks, but it did a very respectable job against the attacks of the time.

But how things have changed! Attacks we used to recognize were possible but seemed far beyond reach are now commonplace. Firewalls have gotten incredibly more complicated but are even less capable of stopping attacks today than they were 20 years ago.

I ended up working at Secure Computing Corporation (later part of McAfee, which is now part of Intel) for 7 years, the last few working primarily on operating system security, including leading projects that evolved into Security Enhanced Linux (SELinux).

I returned to the field a few years ago to teach after watching the changes from a distance. It was fun to dive back in, and after teaching the technical side of attack and defense for a couple of years, I joined ITAM winter quarter 2015.

What I love about ITAM is the opportunity to teach the big picture. Cybersecurity is too often viewed and taught as purely a technical problem. This is compounded by media stories that invariably end up blaming the victim of a cyber attack for not having sufficient defenses. But in reality, if the bad guys are sufficiently motivated to break into a computer system, they will succeed – even the best defenses simply slow them down. We need cybersecurity professionals that understand this, and even more, we need their bosses to understand. Hopefully that will be you someday!

If you do take a cybersecurity class from me, expect to see a lot of recent events covered in the class. It's a rapidly changing field – by the time any book is published, it's out of date. Often the lesson of the recent events isn't even clear so be prepared to feel in the dark at times, we all do. But my goal is to try to put it all together in a way that you can take what you learn in class and apply it to whatever comes your way later.

I live in the northern suburbs of Seattle, and have an office in the University Center at Everett. If I'm not there or in my home office, I hope it's because I'm outside, ideally kayaking on a nearby river, or biking, or otherwise enjoying the great Pacific Northwest!

Advice to Students

Participate in class, Participate in activities outside of class. Talk to your instructors. Let us know what is working for you, and let us know what isn't working. We're here because we love teaching, and our reward is watching you succeed!

"Life is what happens when you are making other plans."

(original source unknown, seems to get attributed to various people)


Ph.D. in Mathematics, University of Minnesota

B.S. in Computer Science and Mathematics, Purdue University


Secure Computing Corporation (1993-2000)

Software Engineer/Research and Development. Projects included operating system security, network security, cryptography, protocol analysis, formal methods

Whatcom Community College (2012-2014)

Taught networking, network security, digital forensics and virtualization

Central Washington University (2015-present)

Teach cybersecurity, networking and digital forensics


  • TheFlask Security Architecture: System Support for Diverse Security Policies. Proceedings of the Eighth USENIX Security Symposium, August 1999 (co-author).
  • Deriving Security Requirements for Applications on Trusted Systems. Proceedings of the 19th National Information Systems Security Conference, October 1996.
  • Developing and Using a “Policy Neutral” Access Control Policy. Proceedings of the New Security Paradigms Workshop, September 1996 (co-author).


Take the Next Step to Becoming a Wildcat.