An interview with Stan Mierzwa

Stan Mierzwa
My career has taken me on a path of many major functions within the Information Technology (IT) realm. Back in the 1990s, I started off doing something called technical support. For many students who are considering IT fields or security, they may end up doing some sort of technical support as they embark on their careers. I did this with a small software company that provided solutions to the pharmaceutical industry, and that involved a lot of telephone tech support work, which included walking end-users through setups and problem solving corrective steps.

What became evident to me at the time, because it was drilled into me by my superiors, is that we were dealing with medication pharmaceuticals, and as such, a premium was given to security and insurances of who did what and what took place using technology. Given this initial experience in my twenties, I got an early inkling into security and privacy.

Stan Mierzwa
After that, I became a network engineer, a software developer, a systems engineer, a director of IT, and then focusing solely on lead application security in a large metropolitan police department. In each of these roles, I needed to put forward energy towards security and privacy. You got to remember, when I started in my career, cybersecurity wasn’t even a term in the field. It was simply security. So I think that’s where I got my initial interest in the field.

Stan Mierzwa
At a higher level, I have to say that I got really, really interested when I was in charge of an IT team for a large international NGO that was founded by John D. Rockefeller III. In that role, I was part of the leadership enterprise risk-management team. What that entails is a team of varied department and subject experts put together to help organizations, businesses, big or small, assess their risks.

Part of risks to organizations, which could be anything from somebody falling down a faulty step to something higher level such as cyber issues, it really opens up conversations about real-life risks, cybersecurity being one of them. This activity got me even more interested, because in these situations you have presidents of organizations, leaders, the board — which oversees an organization — really getting more and more engulfed in cybersecurity. So this experience with having greater responsibility, made it more personal to me.

Stan Mierzwa
One facet of my work involves teaching several cybersecurity courses to undergraduate students. That’s one part of my role and one that I genuinely enjoy – especially when enlightening students to what cybersecurity is all about. We also have a cybersecurity curriculum that aligns with the National Security Agency (NSA) and Department of Homeland Security (DHS) Center for Academic Excellence in the cyber defense program. That’s otherwise known as the CAE-CD.

Stan Mierzwa
That means that we are following and pursuing the standards and criteria set forth by the NSA and the DHS around cybersecurity education. Kean University is in the middle of preparing our submission for this designation. So we’re working on that. That’s a substantive part of what I’m doing right now.

Stan Mierzwa
Our effort includes pursuing a three-prong approach. One: We’re maintaining the center, which is the Kean University Center for Cybersecurity, and that’s the operational piece. This includes being a resource to the university community, collaborating with our IT team on security-related topics, maintaining a website with cybersecurity resources, for both the university community but also the outside community. Two: We’re also — this is a big deal — doing quite a bit of awareness and outreach in our community on varied cybersecurity topics to add value to unmet needs.

Three: Pursuing strategic items such as industry collaborations, grant funding, internships for students.  For example, we recently started the first New Jersey chapter of the Cloud Security Alliance, which allows us to partner industry professionals and students to focus on security topics surrounding the cloud. 

Stan Mierzwa
We genuinely hope we can get back together in person in the not too distant future to host onsite events. So for example, the New Jersey Department of Homeland Security has hosted an Alice in Cyberspace event at our university a few years ago. This event is geared towards women who are pursuing, plan to pursue, or are currently in careers and leadership roles in cybersecurity. We were scheduled to host another such event in April 2020, but it was obviously postponed because of the COVID-19 epidemic.

In addition, our center has developed a program for providing training and cybersecurity awareness residents in senior centers. Because of the pandemic, we have not been able to get out to senior centers in New Jersey to provide this community outreach, but once things settle down, we plan to move that effort forward. 

Stan Mierzwa
With regard to senior citizens, we have done some studying and research on this population and found they are often targeted for cyber threats and cyber attacks. This outreach will include providing hands-on and on site education and assistance to seniors through student volunteers, in collaboration with our cybersecurity staff and faculty, and the senior community. So it’s a really great opportunity to give back to this community. This is an effort we are working on in the center.

Stan Mierzwa
On the research side, there are two areas where we have a current focus. The first surrounds cybersecurity in the global public health research sector, and this is specifically around NGOs and nonprofits. And it’s very relevant today because of the COVID-19 pandemic.

We have a paper currently in  peer review that proposes a cybersecurity framework that these sorts of organizations can follow to make sure that they’re doing cybersecurity risk assessments if they are involved in global public health research. So that’s one area of research we’re doing.

Stan Mierzwa
A second [area of research] is around the National Institutes of Standards and Technology as a special publication called 800-181. It’s a framework for cybersecurity specialty areas and work roles. We are bringing attention to awareness and knowledge around the need for greater notice of the cybersecurity Investigate role. We think greater attention needs to be given to investigative roles, especially in law enforcement cyber investigations and digital forensics.

Stan Mierzwa
Yes. That’s a great question…It doesn’t really necessarily matter about the technology used and the environment, those will often change. But, there’s a couple of things I’ve always remained curious about, and that focuses on how systems actually work.

But more importantly, how they don’t work. I’ve always been that type of thought tinkerer, trying to understand, looking at a system of technology and creating the blocks of operation in my mind, so that I can understand all the pieces of a system and then understand, “Okay, where can something go wrong in there and where is there a vulnerability?”

I think anyone who is curious about something probably looks at systems that way. So I think that’s sort of a thread. Another one is, I like to look at tools we’re using, systems we’re using, for example, the car I’m driving, anything — and see what’s a challenge that’s not being met.

Stan Mierzwa
For example, I drive an older 2005 Toyota Camry car. At some time or point somebody realized that it would be helpful, in a car, to have a backup camera available. And so, somebody had that initial thought. They looked at it and said, “Why don’t we do that?” And so, that was an unmet challenge. My 2005 car doesn’t have a backup camera, but now the newer cars do.

Thinking critically about what problem is not being met is important. I also think that regardless of technology and for any student today, look at the world that way and you will be amazed at what you find and realize that, “Wow, maybe I came up with something that is unique and I could change the world.”

Stan Mierzwa
So let me first start by saying, our Center for Cybersecurity is, I think, quite unique. It’s a collaboration between our School of Computer Science and Technology and our School of Criminal Justice and Public Administration. 

So think technology but then also think criminal justice. It’s a very cool, interesting and important mix. Our current programs are for undergraduate students. We have a bachelor of arts in criminal justice with a cybersecurity concentration. We have a bachelor of science and computer science with a cybersecurity option and a bachelor of science and information technology with a cybersecurity option. So those are the programs in general, and our center pursues a genuine collaborative methodology.

Stan Mierzwa
We emphasize this multidisciplinary approach to education and we think that is good because for those students that may not be in the computer science program but want to pursue becoming a law enforcement officer, or they want to pursue working for the Department of Homeland Security, within cybersecurity, this program can make that possible. And so, they’re pursuing criminal justice but they want the technology aspect of it too. Our education blends  both the technical and nontechnical aspects of cybersecurity very well. 

On the technical side, from our computer science department, we often get students taking courses in our criminal justice program. And, there could be this blend the opposite way, as well —  making for an excellent multi-perspective classroom.

Stan Mierzwa
We have many student posters on cybersecurity that were created by students, in partnership with academic staff hosted on our Center for Cybersecurity website. There exist several student-run challenges that we host, as well.

The Computer Science Department at Kean has hosted five student-driven hackathons. We’ve established one of the first Women in Cybersecurity (WiCyS) chapters and we think this is incredibly important. We created a small business cybersecurity guidance training module and as I said earlier, we’re publishing research. So in general, I would say we are a blended mix between tech and non-tech and we have the unique nuance of the criminal justice aspect.

Stan Mierzwa
It is. We have that available on our Kean Center for Cybersecurity website. It’s a PDF and I can certainly make that link available to you. It’s quite useful. It’s a couple of years old but quite honestly, it’s still very relevant. And, if I’m a small business and I don’t know how to get started, this resource provides you the step by step to get started.

Stan Mierzwa
Yes, you are absolutely right. I tell my students this because there are those who are pursuing, as I said earlier, law enforcement. That’s their passion but they recognize that law enforcement is now using more and more technology tools. And, I tell them, “Look, you don’t need to know how to build these tools but you need to understand what these tools do and how to use them.”

Stan Mierzwa
Such tools could be relevant to doing digital forensics. I often put up an interactive slide of a house with all different types of technology devices inside.  In this case, these are students that may be interested in law enforcement and may ask, “Well, tell me why is it important that I understand the technology?” And, what I’ll say is, “Well, one day you might be called upon to do an investigation of a house and you’re going to look for digital evidence. So understanding where such evidence can be gained is valuable.”

So if you see an iPhone, obviously that’s one piece of evidence but think about the smart TV, think about the cameras in the house, the garage door opener, those are all IoT. And so, you need to know that there are devices that you’re going to need to be aware of. Not how they’re built by the engineers, but for your own sort of investigation.

So by default, you’re doing cybersecurity work and I think they gain an advantage if they know, as they’re going into the field of law enforcement, knowing something about how to approach these issues and investigations with technology.

Stan Mierzwa
Yes.

Cybersecurity Guide
And, I’m wondering if you could just walk us through, what is that course like? Maybe at a very high level, some of the things that you cover just because it sounds like a great stepping off point for people that are interested in the field and just coming into the field. 

Stan Mierzwa
I’m glad you asked this question. It is an introductory course covering the full and vast range of topics around cybersecurity. One can expect content on the historical perspective of the internet and cyber, as well as introductions to the connection to criminological theories. This involves discussing hackers and why a hacker or a bad actor acts the way they do.

This is an important aspect of the class, not even getting heavy into the technology, but taking a step back to understand the action causes.  We do however also bring up technical aspects of cybersecurity, and this genuinely peaks the students’ interest, because the class tries to relate their daily activities of interactions with technology to cybersecurity. 

Stan Mierzwa
I think one of the key things that I really try to instill in the students is that I really want them to look at the world a bit more critically and differently with regard to cybersecurity. Given they are heavy users of technology, but may not necessarily know whether they’re using it properly with regard to security or not. So I bring about examples of hacks and how they occur, where possible.

However, I will explain to the students how past hacks may have occurred, with the caveat being this is for information and knowledge awareness and not to be practiced, right?  The purpose of explaining a hacking eent is for situational awareness but you should not be doing this.

It’s against the law. I’ve spent time in a state police IT security department and I really tried to bring to the students knowledge on how cyber integrates with law enforcement positions. I think that’s always interesting to them, as well.

Cybersecurity Guide 
So, real-world applications. 

Stan Mierzwa
One of the things that I’ve done in the class too, just thinking about the world differently is, I’ll say, “Next time you’re at a traffic light look up, what do you see there?” One student will raise their hand and say, “Well, there are security cameras there.” And, I’ll say, “All right, let’s pick that apart. How does that work? How do you think it works? And, what are some of the vulnerabilities there? Why would someone want to hack into that or could it be hacked into?”

So that awareness around the technology, all around them, I think is what this course is also about. I just want them to look at the world differently or more critically with regard to cybersecurity.

Stan Mierzwa
I really enjoyed—and you probably heard this from other experts, as well —I think it just came out in 2019, about Cyber Smart by Bart R. McDonough from Wiley Publishing. That is an excellent book for the home user or anyone curious about how hacking and breaches can be prevented.  The book provides many simple explanations and basic steps for preventing cyber issues and how to be more secure. For example, guidance on how best to secure your Galaxy smartphone. 

This book gives you many step-by-step guides on a variety of cybersecurity topics – it is very approachable for anyone, even if you are not a cyber expert. Another book I like and I used in an undergraduate course is The Cyber Risk Handbook. This is also from Wiley Publishing, it’s a good overview book covering cyber risk analysis and frameworks.

This may not be for the home user, but this will be for the professional who is interested in cyber, maybe doing risk assessments and getting involved in audits but not necessarily being the technical guru. And, I think that’s great for leadership in organizations because they want to understand the cyber risk environments to their organization. 

Stan Mierzwa
The third one, and this is going to be a catchall, I think for students, includes any of the technical certification study guides. So things such as the CISSP Official Study Guide by SYBEX or the CCSK from McGraw Hill, The All In One Exam Guide. These are books that cover specific cybersecurity topics. The CCSK’s are on cloud, the CISSP is a real broad cyber and security content.

But, if I’m a student and I’m learning about cybersecurity, it’s not a bad idea to utilize these books for references are available and if by chance they do pursue a certification, they’ll have a little bit of a leg up already in the run, where they have been studying from these guides. These certifications can help distinguish a student from another student, when they’re interviewing for positions. So those are the three kinds of general things that I would focus on.

I want to also throw out something about programming. I think you should have one scripting or programming language in your arsenal.  Currently, I would recommend Python. If you can learn a little bit about Python, it is valuable…because of the extensive number of libraries and the ease of use of reading the code. But, that gets more into the weeds, I think.

Stan Mierzwa
Great question. I tell them to really stay curious and if they’re unsure about which way they want to follow, they can continue to stay curious and continuously learn and you may find your way that makes you happy. I’m telling my own kids this all the time too because they say, “I’m not sure what I want to do in my life.” Well, I say, “Keep learning different things, trying different things and you will find it.”

I had a student, this past term, who said, “I rarely didn’t think about cyber as a career possibility but now I’m thinking about it more and more, I’m interested and I’m going to pursue and take another class or two.” And so, I think that was the case because they were curious and open-minded. “Look, the world will continue to morph and change and it will be hard to predict.”

But, if you learned good basics about working hard, being forthright and putting in your best effort, I think then you will succeed because then you’ll be able to use those qualities in whatever field you choose or whatever job you choose.

Stan Mierzwa
The field of security, cybersecurity, privacy will only continue to grow. And, until the day when we reinvent the way we’re using technology via the internet, this will remain in place. So think of a world that maybe isn’t so open and aware and have all this vast amounts of information and ability to provide the information digitally.

Then I could see the world, maybe becoming a bit more, I don’t want to say locked down, but constrained or protected. But until that time, as long as we have the internet, we will continue this way.  Until then, there will always be threats. 

Stan Mierzwa
Gosh, in cybersecurity it can be difficult to predict one year out these days. I’m glad you raised this question. Off the bat, I think I can say, “Goodness, how about all of those predictions made for this year around cybersecurity?”  I bet half of any top 10 list of cybersecurity predictions for 2020 can be thrown out the window because of COVID-19. Who knew that this health pandemic  would have turned into a cybersecurity and cybercrime issue?

It has because motives came about – threat actors found that with COVID-19 found new potential motives available. Threat actors are using this as an opportunity for cybercrime activity. I think that predicting one year at a time is probably the best way to do this…I would say, if I’m an organization with a cyber team, stay on top of the landscape and industry, right? What’s going on? What are the trends? What are the frameworks we’re supposed to be following, perhaps legally?

It depends on your industry. If you’re in banking or finance, there’s legal reasons why you have to follow certain cybersecurity practices. But, you’ll have to stay on top of that, so I think that may change over time too. I think there’ll be greater attention now to public health and cyber than there was in the past.