Podcast featuring Dr. Bjorn Mercer, Program Director, Communication, Philosophy, Religion, World Languages and the Arts and Dr. Kevin Harris, Program Director, Cybersecurity, Information Systems Security and Information Technology
Cybersecurity is an extremely broad field that is integrated into so many aspects of an organization. In this episode, Dr. Bjorn Mercer talks to APU Cybersecurity Program Director Dr. Kevin Harris about what individuals should know about career opportunities in cyber and IT professions. Learn why IT and cyber professionals must have the skills to collaborate with all levels of management and why it’s so important to increase diversity in tech fields in order to fill many of the open IT and cyber positions.
Read the Transcript:
Dr. Bjorn Mercer: My name is Dr. Bjorn Mercer. And today we are talking to Dr. Kevin Harris, Program Director in the School of STEM. And our conversation today is about cybersecurity. Welcome Kevin.
Dr. Kevin Harris: Thank you. Thank you for having me, looking forward to it.
Dr. Bjorn Mercer: Excellent. I know I’m excited about this conversation. I know very little about cybersecurity. So I’m really, very interested in the topic and really about the depth of what cybersecurity is. So to jump into the first question, can you provide a brief overview of cybersecurity and also how is it different from other IT fields?
Dr. Kevin Harris: Yeah, that’s a great question. And I think it’s one that’s changed over time. So my background is infrastructure. So worked in the IT space in networking and then in security kind of before it became labeled as cyber as what we think of today.
And we’ve gone through and, you know, several different changes. So what does cyber look like? And so we’re really thinking about cybersecurity, protecting data, protecting digital assets that individuals have, that companies have. And so how to protect it? And so that’s the wide range of fields that go with that.
It’s a technical work that’s done to protect it, but also the policy and legal implications behind it. And so we’re just broadly talking about protecting assets, digital information or data that an organization has. That’s broadly what we’re talking about with cyber. And I think a lot of times individuals focus on the really highly technical portion of it.
And so you talk about how is it different from other IT fields? And I think really it’s a part of other IT fields. So a lot of times when people think about, are they gonna look at the IT field as a potential degree path or career opportunity, they immediately think of coding. A lot of times that might’ve been the first exposure they had to tech, whether it was in elementary or middle school, high school. And so that’s the initial thoughts of coding.
And then from there maybe networking, but security and cybersecurity is kind of integrated into all those fields. So if you’re developing code, it should be done in a secure manner. If you’re implementing a network architecture, there’s ways that you can develop it with more of a focus on security versus prioritizing certain traffic.
So cybersecurity is a broad field and really I’d say it’s part of all the other IT fields. So I guess that was my long answer to say that cyber is just a portion of the kind of subset of all the other IT fields.
Dr. Bjorn Mercer: And that’s great. My follow up question is, I’m glad you brought up coding, is cybersecurity, both, it includes software and does it also include hardware? Now, I asked that question because obviously nothing can exist without hardware, but obviously coding is part of software and different things like that.
Dr. Kevin Harris: Some of this is, kind of came up in the news lately about restrictions from certain telecom companies, the equipment that they are allowed to ship in. And for the longest time, the assumption was made that if a piece of hardware, whether it was a switch, a router or a computer, if you purchase it and you unwrap the shrink wrap then it was safe, because it was brand new and that meant it was safe.
But because of the really nature of where a lot of hardware is built the question comes into, could it be a possibility that a piece of hardware could be compromised before it was even shipped to a user? And so those questions come up.
That’s one way that hardware comes into the cybersecurity question. And a lot of times the other issue when it comes into hardware is: Is the individual using the hardware or piece of equipment that’s been purchased in a manner that it was actually intended?
Sometimes maybe organizations might try to save money on purchasing a router that was spec’d out for bandwidth at a certain level of traffic and their organization uses more bandwidth than that device was spec’d. And so, yes, possibly can it work, but what are some of the security implications of the bandwidth exceeding the amount of resources that was allocated to that device? So hardware is definitely a part of that, I guess, formula, if you will.
Dr. Bjorn Mercer: Now to continue with, I guess I can say the hardware question, are Alexas a cybersecurity threat? Or are they mainly just a privacy threat?
Dr. Kevin Harris: Yeah. And it depends on how you look at that. You know, uh, is that the same, you know our data is a huge part of what we’re trying to save. And so when you talk about a privacy threat and it’s the potential that someone is giving up access to their data. So to me that is definitely a cyber threat.
And another thing is just a number of devices. Every device that you have on your network, whether it’s your corporate network or at home on your home network is a potential for that device to be compromised. And then someone use that device to jump to another device on your network.
So it’s opening an additional kind of hole into your network. And so we have to make that decision that, you know, is it something that you really want to do, add these extra devices, as well as making sure that each of those extra devices that you add, you stay on top of the updates.
So when they’re updated, are they patched? If that device then becomes obsolete to the point to where it may still work, but maybe the vendor that’s supporting that no longer supports that particular device. And so they’re not issuing security patches, are not issuing any type of software updates to that device.
And so you staying on top of that as the user saying, “Okay, well, I need to purchase a new device. Not because my current device isn’t working, but because I’m no longer receiving updates.” And so there are vulnerabilities. And so it’s kind of risk versus reward situation of how many devices and in what manner you implement them on a home network.
Dr. Bjorn Mercer: That totally makes sense. And especially with home networks, just to think, how many devices now, and very soon we’ll be on home network besides an Alexa, besides a garage door opener besides, your air conditioner can all be on a network, including your refrigerator. It seems a little silly why you’d want a smart refrigerator, but I guess people want it?
Dr. Kevin Harris: I was at the store recently and I saw a Wifi enabled Crockpot. So I thought immediately, I’ve never, you know, used a crockpot and said, you know, if I could only have controlled moving that temperature from the other room, or before I got home, it would change my total experience with the crockpot. I asked myself the same question: What is the purpose other than you can? And so it’s definitely a lot of devices that can be on a network.
I talked with a colleague recently, and he’s in the security space. And he says he was scanning his network just to do a periodic check and he found about 40 devices connected to his network. And so he was concerned about, has somebody compromised his network? And after he got to doing a little digging, he realized that no, he actually did have about 40 devices connected, such as the devices that you named.
And so yeah, each one of those is a potential vulnerability open a hole into the network. And so, you know, it’s all these kind of different devices and one, it makes it just more difficult for the average user to make sure these devices are secure when they connect.
A lot of the vendors of these various IoT devices make it extremely easy to connect to the network because they want the consumer to have that convenience. They don’t want them to have to go through a lot of security protocols when they connect it. And so I think that’s one of the things just as a collaborative effort, that some of these IoT manufacturers might look at possibly turning on more features than leaving everything turned off just to kind of help out with the process.
Dr. Bjorn Mercer: And that totally makes sense. We recently got a new printer and it was really easy to connect to the network, versus our last printer was, like, impossible. But at the same time, it’s like, I can also see how that also makes it more vulnerable to outsiders. And then one comment, you know, if the crockpot was a smart crockpot, I would totally buy it if it could then cook for me.
Dr. Kevin Harris: Right. I’m, I’m, I’m with you there.
Dr. Bjorn Mercer: Yeah. And I don’t think that’s what it’s, uh, I don’t think it was created for that reason.
Dr. Kevin Harris: Unfortunately. I don’t think so.
Dr. Bjorn Mercer: Yeah. So this takes me to, the next question is why has cybersecurity become so important for individuals, corporations and for governments?
Dr. Kevin Harris: Well, I think because, when we talk about organizations now, regardless of what the company does, the data that’s there is so important. And it’s the vast amount of data that gets stored. And we’ve moved from, you know, a lot of what organizations do now.
And we’ve seen this this year with the pandemic and work from home, that it’s so prevalent, that information data systems can be accessed away from the office, away from where we traditionally might have thought, okay, it’s safe because the person has to be located here physically on our premises. But now one individual might be able to monitor equipment across several different locations.
You know, we’re away from our house, you mentioned the garage door opener. We can check in to see if we actually did lower the garage door, which is a thought that I always have, you know, as I’m almost about to get on the interstate away from the house, I’m like, “Did I actually close it?” So we can see those types of things, you know, remotely, which is great for convenience.
Employers are able to kind of maximize in their workforce, but because it’s data so dispersed over different locations, it’s imperative that information is secured, because if not, everything falls apart. You know, if we aren’t confident that our banking that we do online is secure, then we’re not gonna have trust in the financial sector.
And so it’s one of the things we’ve embraced this innovation, this convenience of technology. And now, a lot of times it’s after the fact that we’ve realized, okay, now we’ve gotta make sure that it’s secure. So I think that’s why, it’s just, we’re so dependent on data and technology now.
Dr. Bjorn Mercer: And that totally makes sense. And if people didn’t have confidence in banking, they wouldn’t bank. And nor would they probably even deposit their money anymore because everything is so connected. And I’m assuming the sheer amount of money that just banks alone have to spend on security is just, just mind boggling.
Dr. Kevin Harris: We think of the financial sector, health sector with there being so much focus now with telehealth, also being an area that’s heavily invested in now because of the same, you know, as a medical patient, they want to have confidence that this information that they’re sharing remotely is secure.
Dr. Bjorn Mercer: And that brings me up to a follow-up question. At the time of this recording, it’s late November of 2020. So the election just happened. And so one of the news stories is, election security. And so here’s a question is how easy is it to get a computer to change a vote? And I say that in jest because the US government spends a lot of money on making elections secure. And so one of the things that some people are saying is like, “Oh, well this happened and then millions of votes were changed.” And my only response is like, “Really?”
Dr. Kevin Harris: Yeah. I think, you know, there’s a lot of conversation and there were a lot of conversations before the election and coming up into it. And you know the great thing about it is the vast majority of our voting machines have two things that are in place for security.
One is they’re air-gapped, meaning those machines are not connected to an external network. So even if you know, some of these scenarios that you could see somebody showed that they’ve been able to, in a lab compromise one machine or, you know, a minimum amount of machines, well, the first thing they would have to, you know, physically be sitting there with no one recognizing them in the physical room next to the machine. So if that was possible. So that’s the first thing that would happen.
And the next thing that also the vast majority of our voting machines also print out a paper audit or ballot of some type so the voter is able to see what actually was saved to the system. And so there’s the, that’s an immediate audit trail that has a paper ballot that the user can either see, or there’s a paper ballot that’s saved as audit trail.
So those two things make our voting system, you know, very secure with just those two things in addition to all the other options that are there, that you talked about, the resources that are spent on making sure that the technology, the vendors, the software.
And that’s, that’s another thing there’s not just one type of software, one type of hardware voting machine that’s used across the country. There’s various different softwares, different machines that the different state, local election boards use for elections. And so to say, is somebody compromising the integrity of the voting system on a wide scale, we’ve done a great job in this country of making sure that’s something that’s really taken seriously with security.
Dr. Bjorn Mercer: I’m really glad you brought that up because each individual state operates their elections differently. So in my mind, I’m totally imagining like an early two thousands hacker movie where there’s a montage of these people hacking, quote hacking, you know, typing away at a computer and then they do something and then the entire election apparatus has changed somehow.
But the reality is that each state operates their elections separately from other states. Some states might share certain software, different things like that, but a decentralized way of holding elections is actually a really good way of ensuring fair and equitable elections.
Now, again, as a follow-up, because we just had the elections, should there be federal guidelines or a federal system for elections? And would that put our elections in more jeopardy?
Dr. Kevin Harris: You know, I think those are conversations that do come about. And, and, you know, every so many years the conversation comes up is what about internet voting? You know, on a wide-scale to increase the number of percentage of the population that votes and participates in the process.
You know, I think they’re great conversations. I just think we would have a long way to go to effectively be able to implement a system on a national scale in a secure manner and not introduce more risks than where we’re at now.
But one of the other gray areas, I think now that with our election systems, even inside of a state, the local election, sometimes county to county, they’re using different systems. And of course, you know, that does introduce some frustrations. We’re wanting to see immediate results across the state. This election ends at 7:00, we wanna know at 7:15, what the results were. That would be great if that was an instant update.
But, you know, I think having to wait a couple of days, you know, a few days for results is worth it to make sure that the security is there and we aren’t risking the integrity of the voting system.
I think one of the things that also came up when we are talking about election, and this is something that will continue to be a question, even a post-election of where we’re at, and not just concerned with election security, but our social media.
Right now, it used to be that the majority of the news that we captured, we turned on one of our local stations and we got our news from a trusted news source whether it’s, you know, the two or three major news networks. And we were sure that information had been vetted and we could trust that information. Now, so many individuals, they’ve opted to cut the cord, may not have traditional cable. And so they get their news from social media. They get their news from the internet.
Truly we live in a world to where you can’t believe what you see and hear with some of the deep fake technology that’s out there that can manipulate videos or audio or both.
And so I think that’s big concern that, you know, if someone’s able to manipulate social media and kind of change the perception of what has happened or what is gonna happen. And that’s a huge concern.
I think that, you know, we see some of the tech companies are trying to address and label certain things that they’ve identified as deep fake or altered videos. But yeah, I think that’s something that will continue to be a concern.
Dr. Bjorn Mercer: And I completely agree. I think the 2020 elections have brought up many issues, many issues that need to be investigated and studied. And a lot of issues for policy makers to address. And, we just hope that our elected leaders are able to address them.
Dr. Kevin Harris: Definitely.
Dr. Bjorn Mercer: And so my next question is what do students learn when they get a degree in cybersecurity? Um, and then a bachelor’s versus a master’s?
Dr. Kevin Harris: And, and I’ll talk kind of in general, then talk about some of our students. And, you know, when we talk about cybersecurity when students are wanting to enter the field, well, and even if someone has been in the field for years, the question comes up: Do you want to be highly technical or do you want to go into more of a management role?
So I think a lot of time that’s something that individuals looking to go into that field, you know, they may question their self, which field is best for them. And so in particular, our, bachelor’s degrees, we try to give our students kind of a broad set to look at both, you know, to have technical skills, but also that if they are someone that might have had a career in tech or in cyber that they’re able to kind of couple some of those skills and go in and work as team lead or into management to have both those project management skills as well with technical skills and the ability to interact with a teamwork and group work.
And, and I think on the master’s levels, a lot of time we see individuals there that have worked in the field and they’re looking really to take their next step up. You know, they’re looking really there to go into management.
And so I think there are a lot of times, and, you know, we introduce in our programs heavily focused on policies, some of the policy implications that are there, so that in addition to having an understanding of tech, but how does this work within the role of our organization? You know, what are some of the organizational struggles and structures it will have to overcome?
And what about some policy or legal implications of some of the things that we do. So it’s really that focus that kind of double edged, you know, highly technical versus is someone looking to manage a team of individuals that are going to implement these new innovations.
Dr. Bjorn Mercer: And all those make complete sense. And it really makes me think, I really like what you said about somebody who already has a degree, or is coming back to get more experience with management. And it really helps me think about, communication in, in any role and especially important in cybersecurity, because if, like, the frontline person is, is working away and making cybersecurity better, leadership has to also understand those improvements and the threats to then implement those.
And then how, how do you feel like the role of education helps people really prepare for that leadership experience and working with, you know, different leaders within organizations and work with different stakeholders?
Dr. Kevin Harris: Well, I think the first step of that is realizing that a lot of industries, especially cybersecurity is really interdisciplinary. We all have this kind of thought, you’ve talked about old movies. And we all kinda remember those old movies, somebody sitting in a basement somewhere and the lights on, they’re programming on a computer. And so that’s our kind of initial reaction when we think about someone that’s a cybersecurity analyst or cybersecurity warrior, if we call them, but that’s the furthest thing from the truth.
Individuals have to be able to work with the other areas outside of IT. You know, they learn to work with the business units and they’ve gotta understand what the organization is because even a best, you know, applied cybersecurity strategy, if it’s too strict it stops the organization from doing what they’re there to do, it’s not correct.
A technique that you use in one organization or decision that’s made in one organization, just doesn’t work well with another organization. So that’s why it’s important for, you talked about the leaders, and these are leaders outside of IT, other C-level executives to have some type of cybersecurity awareness so that they can understand the risks. And when they’re making decisions and when they’re allocating resources that they keep this in mind. And, you know, so that they understand that when they’re looking at resources, the fact that they haven’t had a breach, or in a lot of times, I say that it’s because they don’t know that they’ve had a breach, that some, you know, that’s one of the staggering things that we see about a lot of the breaches as they’ve occurred, months, years, before the organization discovers that their organization has been breached.
So not to cut funding, but, you know, a leadership team that’s not aware of the potential risks might choose to cut some of the technology funding that’s there. So, even someone in a business degree or any other type of degree, will benefit from having a cybersecurity background. Retail, there’s a lot of data in cybersecurity, and we talk about privacy associated with retail. So I think it’s probably the biggest thing is just realizing that IT or cyber doesn’t sit in a silo anymore. It’s woven in throughout the organization.
Dr. Bjorn Mercer: And that totally makes sense. It makes me think of, like, if anybody ever dreams of becoming, like, a C-suite executive, you know, if they wanna work hard, get the promotions, you know, make the big money.
One of the realities of that is that they will have to think about cybersecurity because if they are at any organization that has any presence on the internet, they will have to figure out how to deal with cybersecurity. And will have to listen to their cybersecurity experts to make informed decisions on how to protect themselves and their customers. And that really leads me to our final question is what are the job prospects in the field of cybersecurity? And what type of person typically goes into cybersecurity?
Dr. Kevin Harris: When we talk about job prospects, that’s one of the things is it depends on if you look at the cup half full or half empty. I’ll start with the half full, and then we get to the half empty part.
The great thing about the field is there are a lot of job openings in the cybersecurity field. You know, depending on the study that you look at, there’s close to a little over 500,000 jobs in the US alone, particularly in the cybersecurity field, that are vacant right now. Worldwide numbers are over 3 million cybersecurity job openings.
So if you’re looking to get into the field, it’s a great field to get into, lots of job openings. So that’s the glass is half full way of looking at it. The glass half empty way of looking at it is because there are these large number of vacant cybersecurity openings, organizations and governments are at risk of having these positions unfilled.
And so it’s one of the things that, you know, to make sure that we continue to be able to support the innovation, secure the new technology or hardware that’s being developed and implemented is we have to make sure that there’s a strong pipeline of workers. And that’s a collaborative effort, you know.
Higher education, we have to do our part, making sure that we continue to have and develop new programs and have degree programs so that if someone’s interested in going into the field, they have options. And again, that’s one option. There’s also other options to address this workforce need.
And one, one of the other options is to look at is diversity in the field. So when we talk about the diversity in the tech field in general, and cybersecurity is not any different. You know, women and minorities are segments of the cyber field or tech field that lag a lot of times behind the overall population.
So making the field in higher ed and the degrees that we have more attractive to women, minority candidates is gonna increase the number of individuals that go into the cybersecurity field. And then really helping out the challenge of filling all these unopened positions. So it’s something that’s, you know, not only the right thing to do, but it’s, it’s a thing that’s gonna protect everyone in the whole global scale of things, of having more individuals in the field.
Dr. Bjorn Mercer: And that’s completely true. I’m quite amazed at how many open jobs there are in cybersecurity. And, it is an absolutely wonderful field. And it’s one of those things when you’re looking at job prospects for the future, say 2025, 2030, 2040, 2050. And really into the long-term future, cybersecurity will not go away.
Certain aspects might be taken by automation versus AI, but people will always be needed to help with cybersecurity. And that’s one of the really unique things about cybersecurity is that for a long-term career there’s plenty of growth and there’s plenty of stability, which is absolutely wonderful.
And so at this point, Kevin, and any final words? I’ve had a great conversation about cybersecurity and anything final to say?
Dr. Kevin Harris: I’ve really enjoyed it. I think the other thing is to remember is that there is not just one type of cyber job. You know, we talk about, you know, the programmer or the highly technical job, you know, we’ve got all different types of jobs, whether it’s social media, whether it’s management.
So if you’re interested in securing data, working with data, look into it and see if there’s an area that you’re interested in. It’s a broad field. And so I just encourage everybody to take a look at the cyber field, whether it’s for career or just for your own interest.
We all have data that is important to us, everything from our banking information that we talked about to our phones, pictures of our loved ones that we have on our phones, all that is important information that we need to secure. So I just appreciate getting a chance to chat for a few minutes.
Dr. Bjorn Mercer: Excellent. Thank you. And I know I’ve learned that cybersecurity is a lot more than the 1995 film “Hackers.”
Dr. Kevin Harris: But that’s a good film.
Dr. Bjorn Mercer: It’s a good film. No, it is. It’s funny watching it ’cause you’re like, “Oh my gosh, it’s totally in the ’90s.” But cybersecurity is a field that goes a lot deeper, a lot more complex and a lot more interesting than, you know, like we talked about people in basements hacking away at stuff.
And that cybersecurity as far as one of the cornerstones of the contemporary world, is here and is here to stay. So, so thank you, Kevin for a great conversation.
Dr. Kevin Harris: Thank you.
Dr. Bjorn Mercer: Great, my name is Dr. Bjorn Mercer and everybody have a good day.