Dr. Stephen Kirkman is an assistant professor and program director for the Bachelor of Science in Cybersecurity degree in the Anderson College of Business and Computing at Regis University in Denver, Colorado.
Dr. Kirkman has over 25 years of professional experience, including 6 years of active duty in the Air Force and 20 years of experience in industry. Dr. Kirkman held various roles in industry, but mostly as a computer security engineer supporting various agencies within the Department of Defense and the Intelligence Community.
He has proficiency in the certification and accreditation of systems, system administration, and a specialization in cyber and computer security. He has been CISSP-certified since 2003. Prior to joining Regis, Dr. Kirkman completed his PhD in computer engineering at the University of Florida. His research focused on modeling trust in cloud companies and using blockchains to store cross-domain consumer policies.
Listen to the full episode
Key takeaways from the interview
- Journey into cybersecurity: Dr. Kirkman’s interest in cybersecurity developed while working at a Colorado Air Force base. He transitioned into the field around the time of 9/11, attracted by the variety of roles and opportunities in security testing, vulnerability reporting, and risk management.
- Cybersecurity education at Regis University: The cybersecurity programs at Regis University are designed for online, asynchronous learning in eight-week formats, catering to working adults. These programs include bachelor’s and master’s degrees in cybersecurity and related certificates.
- Unique aspects of Regis’s program: The program utilizes the Scholar Practitioner Model, employing affiliate faculty who are current industry professionals. This approach ensures that the curriculum is relevant and up-to-date with industry trends and demands.
- Extracurricular opportunities: Regis University offers a cybersecurity club open to all students, providing real-world experience through competitions like the Rocky Mountain Collegiate Cyber Defense Competition.
- Curriculum development: Dr. Kirkman focuses on aligning the curriculum with current job market demands and industry needs. He emphasizes the importance of hands-on experience, utilizing tools like Oracle VirtualBox for simulations and practical exercises.
- Future of cybersecurity education: Dr. Kirkman discusses the importance of adapting to future disruptors in cybersecurity, particularly the role of AI. He suggests that students should embrace emerging technologies like ChatGPT to stay ahead in the field.
Here is a full transcript of the episode
Steve Bowcut: Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today our guest on the show is Dr. Stephen Kirkman. Dr. Kirkman is an assistant professor at Regis University. The topic for today is going to be cybersecurity educational opportunities at Regis University. Before I bring him in, let me tell you a little bit about Dr. Kirkman. Dr. Stephen Kirkman is an assistant professor and program director for the Bachelor of Science and Cybersecurity degree in the Anderson College of Business and Computing at Regis University in Denver, Colorado.
Dr. Kirkman has over 25 years of professional experience, including six years of active duty in the Air Force and 20 years of experience in industry. Dr. Kirkman held various roles in industry, but mostly as a computer security engineer supporting various agencies within the Department of Defense and the intelligence community.
He has proficiency in the certification and accreditation of systems, system administration and a specialization in cyber and computer security. He has been CISSP certified since 2003. Prior to joining Regis, Dr. Kirkman completed his PhD in Computer Engineering at the University of Florida. His research focused on modeling trust in cloud companies and using blockchain to store across domain consumer policies. And with that welcome Dr. Kirkman. Thank you for joining me today.
Stephen Kirkman: Thank you for having me, Steve.
All right. This is going to be fun and interesting. I’m looking forward to this, but let’s start with learning a little bit more about you specifically, how did you become interested in cybersecurity? Is that something that’s always been that interest you or is it something that’s been relatively recent?
Stephen Kirkman:
That’s a very valid question. I wouldn’t say it’s been recent, but I wouldn’t say it’s been always because they’ve only had the cybersecurity career path for the last maybe 10 to 15 years.
Steve Bowcut:
Sure.
Stephen Kirkman:
And I would say I fell into this career path. I was working on a Colorado Air Force base, and I was looking for another job, and this job popped up for a computer security professional. And because I happened to know people on this contract, so I applied and I got in and they said, “You need a CISSP for this. You should study for the CISSP.” And this was right around 9/11. It was just after the attacks in New York, and it has no bearing on it, but that’s why I remember the career switch is because there was a big event that happened around that time.
And then I realized that even though I have my undergraduate in computer science, the security field, which was called computer security at the time, really attracted me because of the variety of things you could do. Security testing, I had opportunities for travel. I had opportunities to present vulnerability findings and risk reports to management.
And it seemed very, very exciting to me. I had done a little bit of programming early in my career, but just felt that I needed to do something else. So I fell into it. And then after several years of doing it, I actually was thinking about transitioning out, and I had one of my bosses tell me, “Steve, you can’t leave. You’re so good at this.” And he stroked my ego a little bit. So I said, “Okay, I’ll stay.” So I fell into it, and then it just mothballed into a-
Steve Bowcut:
I find that interesting because I have the opportunity to talk to lots and lots of people in the cybersecurity field, and I think your path is probably the most common. And maybe as you pointed out, maybe it’s because it’s a relatively new vertical if you think of it in those terms, that very few people grow up thinking, “Oh, I want to be a cybersecurity expert when I go to college.” They may be a doctor or a lawyer or some of those other professions, but more commonly it’s computer science or people with some kind of a technical interest who kind of fall into it and realize, “Wow, I really like this and I’m really good at it, and the need is there.”
Now, that may change decades down the road when a whole generation grows up watching CSI on television or something, and, “Oh, that’s what I want to do when I grow up.” But that thing is interesting that that’s a fairly common path into cybersecurity, at least right now.
Stephen Kirkman:
Yeah. It’s very hard to predict the future. I know that’s one of your upcoming questions. It’s very hard to know. I mean, you can have, when you’re designing your career, people mostly, even my son is concerned about designing a life too specifically, in too much detail, big picture. I know I want a degree. I didn’t even know I wanted a PhD until five years before I started the PhD, and then that opportunity fell in my lap. Of course, it requires a lot of hard work, but I don’t regret a second of it.
Yeah. Well, and I’m glad that you did, and that’s the advice I always give when my kids or people in my sphere of influence or asking about college advice. I always say, “Well, think about cybersecurity because there’s a huge need, which of course, if you’re good at it makes you very employable. So it certainly is worthwhile to consider that.” So let’s turn our attention then to Regis. So let’s talk about what are the different cybersecurity programs, degrees, certificates, those kinds of things that a student would find available to them should they choose to attend Regis?
Stephen Kirkman:
Definitely. Well, for right now, I would say that one of the biggest attractions of Regis is that they’re all online.
Steve Bowcut:
Okay.
Stephen Kirkman:
The cybersecurity degrees per se, they have a lot of ground-based students. Presently, they’re all online and they’re all asynchronous, and they’re all in eight week formats, which means they do tend to be compressed.
Steve Bowcut:
Right.
Stephen Kirkman:
But they’re ideal for the working adult who doesn’t have a bachelors, or maybe they want a second bachelors, who doesn’t have the time to attend a physical class. When I went to University of Florida, I was a very late career, and we were well established. So it was a conscious decision to attend in person. That’s very difficult for most people if not impossible.
So Regis gives you the flexibility through the online. Asynchronous, meaning you don’t have to attend class every day. You have assignments that are due weekly, and you have interactions weekly. And you do have deadlines that we do have to give grades for performance, but asynchronous is basically get to it when you can within your week of working life.
Steve Bowcut:
So the whole bachelor’s degree program then, sounds like the vision when it was created was working adults, right?
Stephen Kirkman:
Oh, totally.
Steve Bowcut:
Non-traditional students that are not walking around campus with a backpack?
Stephen Kirkman:
We actually are in discussions right now. We hope to go in that direction. I would like to go in that direction. We’re not there yet. I’m not sure if we will be there, if we’ll get there. But it’s definitely all, even the master’s degree I mentioned, the master’s degree, we have one main master’s degree in information in cyber systems. And the two certificates, they’re all designed for online, asynchronous, all three of them.
Steve Bowcut:
Which I think works great for that particular degree program because we’re talking about computer people, right? They get their education in the same environment which they will be working when they graduate. You could look at it that way, I guess.
Stephen Kirkman:
And under that hat, the CS program, the Pure Computer Science Program is also online as well.
Steve Bowcut:
Is it? Okay.
Stephen Kirkman:
Yeah. So Anderson College of Business and Computing has, that’s its the feather in its cap. And I wanted to say, I may skip ahead a little bit, but it’s natural with the discussion that when Covid hit, we were, how shall I say? Placed perfectly to react to the home isolation.
Steve Bowcut:
Okay.
Stephen Kirkman:
Ground-based students, traditional students had to adjust quite a bit. Online programs, I didn’t feel any adjustment whatsoever. And that was so unique, so unique to Regis. Not unique to Regis in that, there’s a lot of online programs out there, but we have a low student count, 15 to 20 max per class. We divide it up in sections. And we also use, I’m not sure if I’m jumping ahead again, but we also use adjunct faculty. We call them affiliates from the local area mostly. Sometimes they don’t have to be local area, but currently working in industry.
Steve Bowcut:
Right. Excellent. And you’re right, we’re going to get to that in just a second. But what you said, I just want to touch on that a little bit because I think that’s what I perceived, when Covid came, is that there were some programs, most programs I think were kind of moving toward offering an online option, but many of them weren’t there yet, and they found themselves really having to scramble because now everything needed to be online. Programs like Regis, who had already gone that direction barely noticed, right? I mean, because that’s what you were doing.
Stephen Kirkman:
Barely noticed. They’ve been doing it for decades.
Yeah. Interesting. All right, so that paints kind of a picture for the programs that are available. Let’s turn our attention towards the extracurricular stuff. So how about events, clubs, organizations, competitions, that kind of stuff? Can the students be involved in that?
Stephen Kirkman:
Yeah. Actually right after I started, nearly after I started it, Regis has a cybersecurity club and it’s open to all students. It’s open to all students online or traditional because we hold Zoom meetings as well. Now with the Advent, everybody’s used to Zoom from Covid, so we’re always trying to get new members. Graduate, undergraduate. Of course, it’s voluntary, it’s student led. They compete in the Rocky Mountain Collegiate Cyber Defense Competition.
Steve Bowcut:
Okay.
Stephen Kirkman:
And we are just one region that we compete in, but it’s actually a national competition.
Steve Bowcut:
Right. Okay.
Stephen Kirkman:
Yeah. So they get real world experience competing in that competition. And we have a small lab at the university that the students can set up and do some practicing as well.
Yeah. All right. So we’ve talked about some things that I think set your program apart, but is there anything else that you can think of that makes Regis’s Cybersecurity program unique?
Stephen Kirkman:
The unique part I did touch upon that, I’ll touch upon it again because so important is that we use affiliate faculty and it’s called the Scholar Practitioner Model. That’s what we use. My thrust, since I’m a full-time professor, I’m generally a scholar. So they’ve got me to design the curriculum and make sure it follows all the regulations and all the higher learning regulations. And we use predominantly practitioners to teach, and it’s just as convenient for the practitioners, for our affiliate faculty as it is the students because-
Steve Bowcut:
That’s a good point actually. So what you’ve designed to make… So working adults can attend class. You’ve also got industry practitioners as affiliate teachers, that makes it convenient for them as well. And I really like that model.
Stephen Kirkman:
They’re busy on the cutting edge, on the bleeding edge during the day, and then they come home and interact with the students at night. They’re really busy people. Kudos, hats off to them. And it’s a little bit challenging to find adjunct affiliate faculty that are willing to do that. They get paid of course to do that. But that’s one of the big unique parts of Regis.
And I think that does add some credibility. If you know that your professor, his day job is doing exactly what it is he’s trying to teach you then you know that that’s current, it’s relevant, that’s the way it really is in the industry. Not that the professional educators can’t do that, but I think it’s more a question of… Well, I think back when I was in college and sometimes I would find myself thinking, “Really? Are you sure that’s the way it really is? How long has it been since you actually worked? Or have you ever actually worked in the field?”
Stephen Kirkman:
You can’t make that argument anymore.
Steve Bowcut:
You can’t make that argument anymore.
Stephen Kirkman:
You can’t say, “All you do is teach.”
Steve Bowcut:
Exactly.
Stephen Kirkman:
“You’re teaching because you can’t do.” And that argument is blown out of the water.
Yeah. Yeah, that’s true. I want to bring our focus back around a little bit, and you did mention it before, but I think it’s so important that a program like yours offers real world cybersecurity challenges so that the students are prepared when they graduate to actually go right into the workplace. So what are some of the ways that Regis does that? How do you ensure that you’re getting current, relevant, real world things?
Stephen Kirkman:
One of the things I try to do is, number one, I try to look, I’ve actually been looking recently, I try to look at least at Denver job openings and see.
Steve Bowcut:
Oh, interesting.
Stephen Kirkman:
It’s not hard. It’s just a matter of finding the time to do it. Looking at the job openings, seeing what skills, since I’m actually designing the curriculum with, and there’s oversight there. I don’t design it and we’re off and running. If I make changes, we have a whole advisory process involved and boards to go through so that they check my work too.
But if I can look at what jobs are open and what skills they’re looking for, then I can also tailor my courses for that. The one thing I’ve been thinking about recently, one thing that’s a little bit challenging is the hands-on experience. How do you do hands-on experience?
And there are a lot of cloud companies that are offering hands-on experience. The challenge is that usually they come with a fee, and that adds a layer of a complexity on top of it. If there’s a fee, a number of students, a login ID. So I’ve been trying to use virtual machines as much as I can. And Oracle VirtualBox, and you can add that link at the bottom, is really good for doing labs on the individual’s laptop. A laptop for an online asynchronous program, it’s almost goes without saying that the student needs a computer and a high speed internet connection.
Steve Bowcut:
True.
Stephen Kirkman:
You would think it’s ubiquitous. There’s people that come through that they try to work on a tablet, and there’s just, even for cybersecurity, there’s not enough computing power. So have a laptop, have, even with a podcast like this, there are still some laptops that don’t come with audio and video.
Steve Bowcut:
Yeah. That’s true.
Stephen Kirkman:
So they can do presentations.
Steve Bowcut:
Right.
Stephen Kirkman:
So I push them towards for virtual machines so that they can actually try some simulations at home without having to deal with a cloud environment.
Steve Bowcut:
I love the idea that you build your curriculum around what you see in industry, what industry is asking for, because it doesn’t do any good. If industry says, “We’re really short, we need people to sit in a SOC and monitor for threats,” that kind of thing. It doesn’t do you any good if you’re teaching people to do threat intelligence for nation state stuff if that’s not what the industry is looking for. If they need somebody to work in a SOC, at least your students should know that this is where the jobs are at.
Stephen Kirkman:
System administration is not necessarily a security course, but it is one of the courses in the curriculum. I did want to add that I also do a fair amount of reviewing of other cybersecurity programs.
Steve Bowcut:
Oh, okay.
Stephen Kirkman:
And most of those are public. Regis is public. And what I’ve tried to shoot for and what I’ve kind of liked about the Regis curriculum is that it’s kind of like the Goldilocks. I consider it the Goldilocks curriculum. It’s not too technical, it’s not extremely technical like an engineering, and it’s not extremely management like something a little bit more soft skill oriented. And I have seen some cybersecurity degrees that are either more geared toward management or more geared toward highly, highly technical. So I try to hit the middle.
Okay. All right. And that makes me think in terms of research, so some students, they really look forward to getting their teeth into some serious research. What are the opportunities for research like at Regis in cybersecurity?
Stephen Kirkman:
For the most part, all they have to do is ask. When I start teaching a class, I let them know that I have research I’m currently working on. For the most part, what I’m finding is that the Denver metropolitan area is so busy that a lot of people, a lot of students…
The undergrads, the ones that happen to be fresh out of high school are more interested in getting their first job. And my post-traditional students already have, most of the time, already have a job and they’re wanting to get a raise or a promotion. I haven’t seen as many people ask about getting into my research or getting into research.
I know there are other professors and other departments that invite students and design curriculums or design courses to take advantage of that. So it happens, all they have to do is really ask and I put it out there, “If you’re interested, come talk to me.”
And one thing that I find fascinating about Regis students is they’re really involved. They’re really involved. Regis encourages community involvement since it’s a Jesuit institution, everybody’s so busy. So the research ends up falling a little bit down on the list of their priorities, because they want to get jobs and they want to help the world and help the community. I remind them they got opportunities and I’m willing to help in any way I can.
Perfect. All right. So for those students who really want to get in some serious research, at least the opportunity’s there, all they have to do is ask. All right, so we’re winding down here. I’ve got a couple of more questions and these are kind of fun questions. The first one is, if you were to build a cybersecurity reading list, and I don’t just mean reading, but books, papers, lectures, YouTube channels, conferences, anything that you think would direct students to resources that they could use, what would that look like?
Stephen Kirkman:
I thought long and hard about this, Steve. And at first it was a little bit difficult. When I started thinking about it. I gravitated toward my textbooks that I use in courses, but I have to admit, they can be dry.
Steve Bowcut:
They’re like textbooks.
Stephen Kirkman:
They can be dry like textbooks. However, rudimentary programming like Python, Java, and Unix, any books on that. I particularly like the computer networking book by Kurose and Ross. It is another college textbook, but lots of information in that. I wouldn’t consider it a great read, but if they’re wanting to beef up their skills, for sure.
I ran across a book called The 24 Deadly Sins of Software Security, and I started using it. It’s more of a handbook per se. What the odd thing is is that the vulnerabilities, this book was published much more than a decade ago. And the vulnerabilities that are out there that this book mentions people aren’t patching their systems.
Steve Bowcut:
Yeah.
Stephen Kirkman:
Yeah. You still got to know about them. You still got to know how to, because there’s still old window systems out there. So it’ll be a couple more decades before this book becomes obsolete. It’s called 24 Deadly Sins. I think there’s a couple editions and they stopped.
I haven’t found a more recent edition, but it gives you the basic vulnerabilities. I was thinking about, you had mentioned conferences and videos, Crash Course, Computer Science is a YouTube channel, and they’ve got what’s nice about them is that they’re very… It’s easy to follow along, but they do talk quickly because they call it crash course.
Steve Bowcut:
Right, okay.
Stephen Kirkman:
And they’re only 15 minutes. So the average attention span. If you can generate 15 minutes of attention, very interesting. And they have got some cybersecurity and cryptography ones in there.
Steve Bowcut:
Okay.
Stephen Kirkman:
You mentioned conferences, as far as books go, it’s so challenging in the cybersecurity field because I’ve got books on my shelf that are already kind of out of date on blockchain and cybersecurity, they go out of date real quick. So I have a tendency to, I probably direct them more toward actually the research conferences. I know USENIX is a huge conference.
And I wouldn’t say it’s predominantly the East coast, but all you have to do is Google USENIX, U-S-E-N-I-X, and they have a family of conferences. And some of the top researchers and some of the top research gets presented there. DefCon, if you haven’t heard of it, I’m sure you’ve heard of it.
One of my favorite security textbooks, it isn’t really a textbook, but it’s the all-in-one CISSP, and it’s by Sean Harrison. There are a lot of certification help guides out there. That is, I considered my Bible. If I need to refresh anything, any of the fundamentals. On the lighter side, I would say any book by William Shatner, if you want an enjoyable read, it’s not necessarily cybersecurity. I’ve got more probably non cybersecurity textbooks, but I do a lot of both fiction and nonfiction reading. So William Shatner is very entertaining. Very entertaining.
Steve Bowcut:
Oh, for sure. Yeah. Okay. Anything else?
Stephen Kirkman:
No. Mostly college, I keep all my college textbooks. Yeah.
Well, I’ve been trying to capture these as you’ve mentioned them, so we’ll put links in the show notes so that people can just go and click on those links and get right to those resources. We appreciate you offering those. So we’re going to wrap up here with what I always find is probably the most fun question. This is where we ask you to dust off your crystal ball and look into the future. Obviously none of us know what the future is going to look like, but I think it would be instructive for our readers and listeners to see what you think the cybersecurity landscape may look like in five years or ten years. And maybe the essence of the question is, what should students be doing today to be prepared for what you think is going to come in the future?
Stephen Kirkman:
Wow. Yeah. That’s a hard and fun question. I was thinking about those disruptors, and my answer is, Steve, the future is here, and it’s called AAI. And that was the big one that popped up on my list. You only need to turn the TV. We’ve been discussing ChatGPT quite a bit, and the general consensus around ChatGPT has been one of, “If you can’t beat them, join them.”
Steve Bowcut:
Right.
Stephen Kirkman:
I know some instructors are already saying, “Go ahead and use it. Go ahead and use it. Tell me the prompt you used and we’ll work from there. And maybe we can analyze what ChatGPT is.” ChatGPT is disrupting the education world for sure. But on the positive side, it happens to do research pretty well too.
The AI with respect to deep fakes and deep learning is extremely concerning, which is why I don’t pick up my phone anymore because I don’t want my… This is a little different. You can’t hide from everything but the deep fakes and somebody taking one of your kids or stealing your kid’s voice and making you think something happened. You got to open your front door and go explore the world. So you can’t live in a bubble. But the AI is a huge disruptor. One thing that I mentioned that’s coming still, it’s here, it is blockchain.
Steve Bowcut:
That’s a good one.
Stephen Kirkman:
Applications are all over the place. Mine is not so much, mine’s on a research focus. I look at blockchain for the underlying cryptographic primitives that used to build it. One of the other big disruptors to look in the crystal ball, you haven’t heard much about it lately. Quantum computing is a big disruptor that’s coming.
People always say it’s coming, and I still think it’s coming. It’s coming so much that the researchers are looking for ways to already get around it. And it isn’t really even practical yet, but there are already researchers looking at what to do if it does get here. Those are some of the big three and-
Okay. Well, that sounds like sound advice to me. I like what you said about AI and ChatGPT, it’s coming. So you need to understand it, you need to be able to work with it, you can’t ignore it, and it is disrupting all kinds of industries. And so it’s something we need to understand. And it feels to me like we’re riding that wave right now. In fact, we’re just as if you’ve done any surfing, the swell is just happening for AI and ChatGPT, so it’s going to grow exponentially over the next few years. And I think right on the heels of that will be a quantum computing because they’re getting closer and closer as our technology advances.
So those are things that I agree with you that students need to understand, learn to work with them and not ignore them because they’re not going to go away and don’t be afraid of them. As a journalist, just as quick aside, as a journalist, of course ChatGPT is just disrupting the whole journalism industry because anybody can write pretty high quality stuff now. So the trick now is to understand that it’s not in competition with you. As a journalist now it’s, “What kind of prompts can you write?” You need to use the tool, not fight against the tool. So we need to become prompt writers and editors and fact-checkers as journalists now. So it’s doing similar-
Stephen Kirkman:
I would say that the quality of what ChatGPT produces is still highly debatable. There are a lot of professors would say it produces not good writing at all, and it’s easy to detect, so depends on your circles. And the other problem with ChatGPT is the references.
Steve Bowcut:
Right. And that’s why you’re an editor and a proofreader because it’s going to get stuff wrong. That’s what I always tell people, “Look, it’s great, but it’s not going to do the job for you. You still have to go through and check, make sure all the facts are right.”
Stephen Kirkman:
It may be wrong, it may pull some… Everything on the internet is true of course, not. So it may actually pull some wrong data.
Steve Bowcut:
Right. Yeah. All right. Well, this has been fascinating. I appreciate you spending some time with us today. It’s been fun.
Stephen Kirkman:
Oh, it’s fun. My pleasure.
Steve Bowcut:
All right. And I want to thank our listeners for being with us, and please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of The Cybersecurity Guide Podcast.