Dr. Erald Troja, assistant professor with the Mathematics, Computer Science and Science Division of St. John’s University’s Collins College of Professional Studies.
Here are the key takeaways
- Cybersecurity education at St. John’s University: The university offers a comprehensive cybersecurity education with programs like Associate of Science, Bachelor of Science in Cybersecurity Systems, and Master of Science in Cyber Information Security. These programs are accredited and recognized for their excellence.
- Unique aspects of St. John’s cybersecurity program: The program is noted for its dual accreditation (ABET and NSA validation), hands-on approach, and opportunities for students to engage in real-world cybersecurity challenges. It also offers flexibility for students to pursue minors or graduate-level courses.
- Industry engagement and real-world preparation: The program maintains strong industry connections, providing students with internship opportunities and insights into current industry needs and trends.
- Experiential learning opportunities: St. John’s University offers unique experiences like study abroad programs focusing on cybersecurity, allowing students to gain international perspectives and practical skills.
- Advice for aspiring cybersecurity students: Dr. Troja recommends exploring personal interests in cybersecurity, suggesting resources like Kevin Mitnick’s book “Ghost in the Wires” to gauge interest in the field.
- Dynamic and evolving field: Cybersecurity is portrayed as a constantly evolving field, offering diverse and exciting challenges for professionals.
The following is a full transcript of the podcast episode:
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. On today’s show, our guest is Erald Troja. Erald is an assistant professor with the Mathematics, Computer Science, and Science Division of St. John’s University’s Collins College of Professional Studies.
Our topic today is going to be cybersecurity education opportunities at St. John’s University. Let me tell you a little bit about Dr. Troja. Dr. Troja is the acting program director for the Cybersecurity Systems program and the main point of contact for St. John’s University’s Cybersecurity Center of Academic Excellence. He received his Ph.D. in computer science from the graduate center at the City University of New York.
Prior to joining St. John’s, he served as an assistant professor of computer science at Iona College, teaching computer science and cybersecurity courses. He has over 20 years of experience working as a senior systems engineer for Time Warner Cable and Charter Communications. With that, welcome, Erald. Thank you for joining me today.
Erald Troja:
Thank you for having me, Steven.
Steve Bowcut:
All right, so this is going to be fun. I’m looking forward to this. And first I think I would like to learn a little bit more about you, and I think our audience would as well. So tell us how did you first become interested in cybersecurity? At what point in your academic career did that happen for you?
Erald Troja:
So I think the seed was planted very early in my growth. So at around age of six, believe it or not, I was a sort of mischievous kid, and I wanted to actually pass messages. We wanted to communicate with friends in the classroom, writing notes, and sending. And one day we got stuck. We basically got intercepted from the teacher, and we had to figure out how to do. Lucky for us, we had friends who were older than us that were hanging out, and they said, “There’s a magic way for you to do it.”
And basically, in a nutshell, they introduced us to this notion of sending messages through a substitution cipher method. And of course, we knew nothing of what that was except for the fact that we thought it was cool. So now, we had an encrypted method, sending messages, passing messages in the classroom, and basically, the teacher could intercept them, but the teacher could not understand what those messages were.
I found that very, very cool. I basically was hooked up on the idea, but I didn’t go any further than that. I want to fast-forward around 1994 when I was actually enrolled in the bachelor of science at Brooklyn College. There was a professor, his name was Dr. Dayton Clark, and he was teaching a security class, networking class where we basically had to, one of those hands-on activities we had to do, is actually send emails, literally send SMTP commands via the terminal, via Telnet, and basically spoof email addresses.
And I thought that was very cool. So we had the theory, basically, we had the theory of how it actually work as an SMTP protocol, and we actually got to see the insecurity live. So that really sort of restarted my whole, even though I was enrolled in a computer science course, which was very program-intensive, I really wanted to sort of divert and take on more of these courses.
So I followed Dr. Clark on a system administration course. So actually, what we did is we saw day-to-day, the security and insecurity of various operating systems such as FreeBSD, NetBSD, and variants of Linux, and I said, “I really want to do this.” I was great at programming, but I said, “I want to follow this.” This was actually piqued later on.
After 15 years of working, I decided to go back to school and complete my PhD. Everything came together when I actually started my Ph.D. journey. There, I worked with a great professor, and I was able to design, apply, and test novel cryptographic techniques that were really designed at offering efficient location privacy.
So at the day’s end, if I were to look back, I applied literally what was my first interaction with cybersecurity, you can say, which is this notion of cryptography, right? I really knew nothing, but the seed was dormant for a long time, and I guess after 30-something years I said, “I want to do this.” I was happy at doing research. I was getting pulled just from the idea of having to work on it. It just sounded fascinating. So this is how I came to be and actually get to work on the cybersecurity field.
Steve Bowcut:
What a fascinating story. Thank you for sharing that. I appreciate that.
Erald Troja:
You’re welcome.
Steve Bowcut:
All right, so let’s kind of focus on St. John’s University a little bit. Tell us about the different cybersecurity programs, so degree programs, certificates, that kind of thing. What can a student come away with if they attend St. John’s University relating to cybersecurity?
Erald Troja:
Well, we do have three programs that are related that do have the title of cybersecurity system on them. First, we have associate of science, which is really meant to be as a pathway, as a platform towards getting into the bachelor of science. It’s less intensive, obviously, the requirements are about one-third of what the bachelor of science requires.
We do have the main program where the majority of the students is enrolled is a bachelor of science in cybersecurity systems. And then we have a fairly nascent, I think it’s about two to three years that it’s been, rollout a master of science in cyber information security. While all the three programs are actually originally accredited, the bachelor of science has the one that has the most accolades. Basically, it is accredited by the middle states, which is original accreditation. It is also accredited by ABET in cybersecurity.
I just want to point out, ABET is a non-for-profit organization that accredits colleges and universities that have applied and natural science programs, such as computing, engineering, and engineering technology. And also on top of it, the actual program, the bachelor of science, is validated as a National Center of Academic Excellence in Cyber Defense education.
So the acronym for that is NCAE-CDE. So it’s literally been vetted by the NSA and has been blessed by the NSA to say, “Yes, we do agree with what you are basically teaching there to align with more or less our rigorous threshold.” The program itself is housed within, right, St. John’s University, which is now designated as a center of Academic Excellence since, I think, was spring 2022.
We do have a website where you can see pretty much everything related to cybersecurity. That is simply the URL of cybersecurity, just the way you hear it, cybersecurity, one word, dot stjohns dot edu.
However, we do have other closely related programs that I really think it’s worth mentioning that are very correlated with cybersecurity. For example, we have great Homeland Security, we have a legal studies and criminal justice programs, as well as we are working currently within our division with working on a bachelor of science in digital forensics.
And I think students might be interested into having this very closely correlated. For example, our lab, main cybersecurity lab, shares a partition with Homeland Security where they do a lot of simulation, a lot of intelligence simulation, et cetera, et cetera. These sort of closely-correlated programs I think offer a great multidisciplinary learning experience. And a lot of these students enrolled into these other programs do take cybersecurity as a minor. So I think it’s worth the mention that there’s very closely-coupled programs that exist, not necessarily under the cybersecurity title. So, yeah.
Steve Bowcut:
Excellent. Thank you. And what we’ll try and do is capture as much of that as we can in the show notes with links where students can go directly to your website and take a look at what the options are there. So I appreciate that.
Erald Troja:
Thank you.
Steve Bowcut:
Another interesting thing I think that our audience would find interesting is what kinds of cybersecurity-related events or clubs or organizations, capstone project, what would life be like for a cybersecurity student at St. John’s?
Erald Troja:
Well, students at St. John’s, cybersecurity students, are very much of the type that they have a passion on what they’re doing. So what we do outside the classroom with respect to the engagement, everything that we actually do runs through, is actually run, and it’s presented through this sister or baby chapter of the Association for Computing Machinery, ACM.
So we have a specific SJU ACM student chapter. One of our professors, the chair, Dr. DeBello runs this, and she does a wonderful job in creating recurrent engagement events in our cybersecurity clubs as well as bringing, right, bringing into the classroom external cybersecurity professionals that have, basically we have discussions with respect to technical or career-building talks. In other words, nothing related on the technical level, how do we do this? This is purely on how do we get you to match up with what is being asked from industry.
And you can find a lot more on this specific student chapter, SJU student chapter, if you were to… and again, this might be one of those show notes, their website is https://sju – just the way you hear it – sjuacm.com. You can literally find all sort of events that has been happening in the past.
For example, we do have, at least we try to fit in at least 13 events, which actually match closely with the way that the weeks are partitioned, the semesters are partitioned. We’ve done things in the past such as a capture the flag event. We had another previous event was Introduction to Active Directory. This is where we’re bringing in external speakers to have a discussion, and then we follow up with actual hands-on work on how to mimic, on actually how to bring theory to practice to understand what has happened behind the scenes.
So it’s a very active group. Just a little side note, when I was interviewing at St. John’s, this is in fall 2019, as I was walking from the dean’s office, right, to go outside, I heard a light music with very chill music upbeats. I said, “What is this?” I want to follow, and I asked the dean, “What exactly is this?” She says, “Well, they’re having a capture the flag.” And I walk into the lab, the whole entire lab, it’s partitioned such that we are sitting next door with Homeland Security.
There was about 70-something students, there was light chill music playing, everybody was happy, engaged discussion with each other, and I said, “Wow, I really want to teach in an environment where I as a faculty can do my job. I could do my 50%, I want the other 50% to have well-receiving audience in order to take on what I’m interested in to teaching and basically go farther together.”
So this was one of those accolades that I noticed and I said, “Wow, this is it.” I reached out back to the dean, I said, “I want to stay there.” I got a chance to stay for the capture the flag, and the rest is history. So very well-engaged students. There’s a gazillion ways that you can learn outside the classroom, and this is the opportunity for our students to learn and deepen their skills with respect to cybersecurity.
Steve Bowcut:
Perfect. Thank you. I appreciate that.
Erald Troja:
Welcome.
Steve Bowcut:
So talk to us about, well, first of all, anything else that you can think of that makes your program unique in regards to cybersecurity, but also how does St. John’s prepare students for real-world cybersecurity challenges?
Erald Troja:
Well, the uniqueness of the program, I think it comes in, I really want to highlight first and foremost the actual accreditation that are associated with our Bachelor of Science program. I am a program coordinator, slash, program director for that program, and that’s the one that I want to highlight first and foremost.
First and foremost, the simple notion that this is a purely-vetted, accredited program from ABET, as well as it being a validated program of study from NSA, should be something that students should keep in their checklist onto whenever they’re actually looking to other programs. There are not many programs that have this dual combination. There’s a handful, I would say about 10 programs or so within the entire United States. So attaining both accreditation from ABET and being validated from NSA, it’s a lot of hard work that we had to put in. So that in itself makes it a little bit unique.
There’s other things that I can mention such as the dedication and the passion that faculty teaching at cybersecurity here at St. John’s have. For example, almost all of us hold either a [inaudible 00:13:58] degree in cybersecurity or a closely related discipline and also brings into the table decades of learning and applying cybersecurity in the real world.
Something else that I can throw in, for example, is we do have a great, the latest state-of-the-art, cybersecurity, which has actually been funded by an alumni, the Sanford family, and what we do in this cybersecurity lab is that we actually try to meet at the cross-cutting of theory and practice. So basically, generally courses are most of the time scheduled to be twice a week for about an hour and 25 minutes. What we do is we usually spend 125 minutes in respect to theory, how it works, then we do meet at the lab and we do practice hands-on whatever theory we learned in the past.
So it’s very hands-on, technical type of program. And the idea would be to sort of simulate, and the simulation comes in with respect to a lot of feedback from industry board, et cetera, et cetera. What do we need to do so that once a student actually graduates, they have a capacity to withstand and enter, basically approach an entry-level position.
So this would be another thing. With respect to the program, what makes it unique on how the actual curriculum is scheduled is that it allows for what I call a lot of lateral movement, side-to-side movement. What does it mean? So I attend every open house that we have, and one of the things that piques students’ and their parents’ interest is, “Look, I want to put in the work, I want to spend four years within this program, but can I get something more?”
And the answer is, “Yes, within four years, you can get more than just a bachelor of science in cybersecurity.” The way that we have actually designed the program is that it allows you to seamlessly fit in a minor. I mentioned before, there’s a lot of closely-correlated minors that you can take, which are actually pulled from closely-correlated disciplines such as Homeland Security, legal status, criminal justice, and digital forensics, and the idea would be that you can literally fit in, within this four years, you can fit in a minor.
So now, you’re not only graduating with bachelor of cybersecurity, you also have a minor that would make you more valuable in the workplace. Another lateral movement, for example, would be to say, “Look, I want to pursue graduate work, graduate courses.” So what the program allows is that you can take what’s called a pathway program.
This is obviously done with proper planning at the early freshman center. You can take graduate level of courses during your undergraduate curriculum that basically leads to one graduating and then shortening the amount of time that he or she needs to pursue a master’s in cyber and information security from, let’s say, year and a half to just one semester. So basically, it’s a very fast and cost-efficient way to also earn a Master’s if that’s what the student wants to do.
There’s other things that I can mention that would make the program unique. This did not exist in my time, but it’s good to mention it because there’s a lot more to life than just the life with respect to the curriculum in some particular institution. What we have, what St. John’s offers, is this study abroad opportunities, and what we do for a duration of two weeks, we basically take a select amount of students that are interested in this and we implant into an external campus.
We have campuses in Rome, Paris, Limerick, we have a lot of partnership, educational partners, out there, mainly in Europe. And what we do is we implant for two weeks in some local place, and we practice cybersecurity. We actually do joint cybersecurity exercises while being abroad. So this is an experiential experience that I think all the students that do have the opportunity should take note because it basically opens you up to a lot of connections.
You make a lot of connections with your travel abroad friends, you get to see a different country. It is a thing that I wish I had for myself back in 1994 when I was in Brooklyn College. So this is, in a nutshell, the uniqueness that the program offers in general.
Steve Bowcut:
Excellent. It sounds like it is a very unique program, and there’s lots of ways that you’re giving your students real-world cybersecurity experiences, preparing them for the real world. You mentioned industry boards. I’d like to explore that a little bit. Can you tell us more about your industry partners and what information you get from them to prepare students to go to work when they graduate?
Erald Troja:
So there’s two types of feedback that we generally get. One would be we do have two meetings a year with our industry board. So this is visible, you can see who the industry board is. If you go to cybersecurity.stjohns.edu, you can scroll into the industry’s board and you can basically see who are the members.
The idea is that when we meet, we discuss what is the latest and greatest strengths that they actually do see in their workplaces. That is one feedback that we get in order to attempt and alter the curriculum. So it’s a never-ending cycle, and this actually comes in through this ABET accreditation that we have. There’s always improvements that we need to inject in order to stay credited within our curriculum.
Another great feedback that we get would be through this external internships that we provide to students, and there’s two types of them. There’s generally an academic internship where a student that is on their junior and senior year gets to enroll and basically take a course that’s called the internship supervision. So there’s three parties that come in place, this is the industry partners, this is the program director, program coordinator, and the internship director.
And what we’re doing in here is we try to… so basically, it’s run a course. You’re supposed to do a semester’s worth of work somewhere, and this somewhere comes in through the work of career services, or it’s internally homegrown through the connections that we have with the board. The idea would be to stay registered and to partake into some major project, major cybersecurity project in one of these industry partners. And they do provide feedback.
There’s a midpoint, you can think of that midpoint as a midterm, and there’s a ending point where we exchange. It’s a non-structured, but we basically get on the phone, we get on the Zoom meeting or sometime via email to get feedback on what and how the students perform. At the day’s end, they’re getting a letter grade for this academic internship.
The idea would be to get feedback. There’s a lot of times that the feedback would be, we need more, for example, terminal exposure or we need more scripting exposure. The idea would be to get all of this input and discuss it in our divisional meeting, and then try to find out what can we do to feed it back into the curriculum in order to mitigate this sort of feedback that we get.
Not long ago, I worked on designing a course I believe was CSS 1010, basically, which we wrote regarding scripting in [inaudible 00:21:52] shell and PowerShell with respect to automating cybersecurity tasks.
Again, this is an elective course, but the idea would be if you were to highlight it the proper way and sort of market the proper way to the students to say, “This is the reason why we’re designing this course. This is why it’s not becoming an elective.” It’s going to help them in the long run once they graduate. So these are the two types of feedback that we usually have.
Steve Bowcut:
Excellent. Thank you so much. I appreciate that. Now, I feel like you’ve already given us lots of resources that our audience can go to and get more information, but if you were to… I guess I’m greedy. I just want to pull a little more from you if I can, along that line. But if you were to put together a reading list, what would be your top picks? And it could be books, papers, lectures, YouTube channels, websites, conferences to attend. What kind of resources would you point students toward?
Erald Troja:
So generally, so I’m the point of contact for the cybersecurity program, and a lot of times I do get emails with respect to, “I’m interested into knowing what is it?” right? “What’s the curriculum, and how would it feel if I were to be enrolled into your program?”
And I generally try to tell students that the best way for them to make a decision… so this is light, this is very light with respect to the reading part, but I think it’s going to help students in the long run. I tell them the best thing you can do is to see can you somehow foresee yourself, I mean, are you a tinkerer? Are you the type of person that likes to play with puzzle and say, “Well, look what happens if I were to remove this,” right? “What is going to break? Can I fix it?”
And so one way to sort of highlight a student’s interest in cybersecurity, sort of say, “Is that the best decision for you to take as a program?” basically, invest four years of your life, would be to read some sort of book and say, “Do you align with what was happening in the book? Do you see that fascinating?”
And so there’s a great book that I would like to recommend. It’s called… and again, when I was going to Brooklyn College, 1994, this guy was in the news for the wrong things, but now it is in the news for the right things. So the name of the book is called Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker by Kevin Mitnick. This was plenty in the news, there’s plenty of time that we were hearing Kevin Mitnick was able to hack into the POTS, plain old telephone service, intercept phone calls, et cetera, et cetera.
And the idea would be, if you have time and you are an undecided student, take a spin at this book, maybe read the preamble, read a few, four chapters, and see you align with does that interest you? Does whatever Kevin Mitnick was doing back then, does it basically align with what you probably want to do in the future?
And if the answer is yes, most likely taking on cybersecurity would be a good career path for the reason that you actually do like it, and you are not making the decision based on the outcome of the program which is being employed or the salary, et cetera, et cetera, so.
Steve Bowcut:
That’s interesting to me because, just as a side note, that book was one of the reasons that I got into cybersecurity years and years ago as well. I found it fascinating. And it really does a good job of illustrating that cybersecurity or hacking or cyber threats aren’t always even done at a keyboard. There’s always a human element, and that was kind of Mitnick’s kind of expertise is getting around people. And so I would second your recommendation for that book. So go ahead.
Erald Troja:
So yeah, that’s the idea. If you were to align with the book, I think you’d do quite well in cybersecurity. There is not one day that you expect to be boring. There’s never one day that is the same. So I can tell you from being a security engineer with Time Warner, every day was something exciting.
There’s new tools that you can learn, new approaches, and basically, it keeps you on your toes. And if that’s what you want to do, I think this book will bring it about. You probably will get to learn more about your inner self by reading this book.
Steve Bowcut:
Excellent. Thank you for that recommendation. I appreciate that. We’ll put a link to that in our show notes. I think we’re about out of time, but I would like to ask you to dust off your crystal ball a little bit and look into the future and give us your perception of what the future of cybersecurity might look like. And I ask this question because I know sometimes undergraduate students experience some anxiety trying to make sure that they pick the right courses and get that all aligned to their advantage, as well they should spend a lot of time thinking about that.
And so maybe some advice from someone like yourself might help them make some wise choices in the beginning.
Erald Troja:
I appreciate the question, and I think as we go through time, as we traverse in time, I think AI, artificial intelligence, is going to play a more central role just in general in our humanity. The reason for it is that there’s a lot more data that’s being generated out there, and now we’ve went to this new models that are great at being able to analyze massive, massive, massive amounts of data.
That massive amounts of data happens to also be generated from a lot of these IOT devices, internet of things devices. I mean, we recently did a renovation in our apartment, and my microwave and fridge happens to have an optional thing to be connected online, and it’s going to generate some data. And so the idea would be to look forward and project this from, say, about a decade from now. I think AI-driven approaches in cybersecurity will be more central as we move in time.
So my advice to students will be to be able to approach a program that provides them the opportunity to learn as quickly as possible the foundations of artificial intelligence, right, to learn the principles, but don’t learn them in a vacuum, approach a program that has the capability to closely intersect them or sort of meet them at the cross-cutting of cybersecurity as well.
Basically, you don’t want to learn foundations of artificial intelligence, generally, the way that it’s learned in computer science where it’s in a vacuum, you learn the procedures and techniques, you need to look into and say, “I want to learn them, but how can I actually approach a program, right, that intersects them as closely as possible with cybersecurity?”
So this would be another good way to look into the future. So there’s an ongoing NSF base funding effort at St. John’s to basically revamp the program such that we have now an AI-intensive cybersecurity program, just because everybody from the industry, everybody from our industry partners and industry board, tells us that this is the future.
They’re seeing more and more demand on this. And so I think this would be a good way for the students to sort of get their feet wet, learn AI, different models, and how do they actually apply to cybersecurity approaches? What would be those critical areas, and what sort of tools do you need to meet them in the [inaudible 00:29:51]?
Steve Bowcut:
Excellent. Thank you so much. That’s sound advice. I appreciate that. Well, we are out of time, but thank you, Erald. I’ve enjoyed this. I’m sure that our audience will enjoy it. So thank you very much. And a big thanks to our listeners for being with us. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.