Dr. Faisal Kaleem is a professor in the Department of Computer Science and Cybersecurity at Metro State in Saint Paul, Minnesota. He is also and the director of cybersecurity programs at Metro State and the Executive Director of MN Cyber.
Summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Dr. Faisal Kaleem, a professor in the Department of Computer Science and Cybersecurity at Metro State and the director of cybersecurity programs there. They discuss cybersecurity education opportunities and strategies for career advancement in the field.
Dr. Kaleem shares his own journey into cybersecurity, emphasizing the importance of curiosity and passion for technology. He also highlights the core subjects and skills that students should focus on, including computer science fundamentals, programming languages, computer networking, operating systems, cybersecurity principles, cryptography, web vulnerabilities, and security tools and technologies. Dr. Kaleem emphasizes the importance of continuous learning and recommends professional certifications such as CompTIA Security+, Certified Ethical Hacker, Certified Information Security Manager, Certified Information Security Systems Auditor, CISSP, Offensive Security Certified Professional, and certifications offered by SANS.
He also discusses the impact of emerging technologies like AI and machine learning on cybersecurity, both from a threat perspective and a defender perspective. Dr. Kaleem advises early career professionals to pursue further education, stay updated with industry trends, join professional organizations, attend training workshops and conferences, seek mentorship and guidance, contribute to open source projects, and embrace continuous improvement and lifelong learning in their cybersecurity careers.
Listen to the episode
Full transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut, I am a writer and an editor for Cybersecurity Guide, and the podcast’s host. We appreciate your listening.
Today, our guest is Dr. Faisal Kaleem. He’s a professor in the Department of Computer Science and Cybersecurity at Metro State and the director of cybersecurity programs there. We’re going to be discussing cybersecurity education opportunities broadly, and also specifically at Metro State. So let me tell you a little about Dr. Kaleem. Faisal Kaleem is a renowned educator, trainer, and consultant with over 18 years in information technology and cybersecurity. Faisal’s expertise spans computer networking, databases, programming, and information security, which is highlighted by his CISSP certification. His research focuses on cutting edge areas like cybersecurity, smart grid security, computer and network security, forensics, and artificial intelligence applications. As the executive director at MN Cyber and his service on various boards, Faisal’s contributions to cybersecurity education and innovation are unparalleled. With that, welcome Dr. Kaleem, thank you for joining me today.
Faisal Kaleem:
Thank you very much Steve for inviting me to your podcast. I’m excited to be here.
Steve Bowcut:
I’m excited to have you. This is going to be fun and interesting for our audience and I appreciate your time.
Faisal Kaleem:
Thank you very much.
Steve Bowcut:
So let’s start with that. Let’s help the audience understand how the journey was for you. What was your path to where you’re at now? How did cybersecurity become a thing for you?
Faisal Kaleem:
Yeah, it’s a good question. So my journey in the cybersecurity field has been a unique one. My background is electrical engineering, but really what fueled is the innate curiosity and passion for understanding the inner workings of technology. I don’t have formal training in computer science on cybersecurity, but my journey has been characterized by a series of experiences that have led me to where I am today. So if you don’t mind, I can talk about those experiences quickly and mentioned that what kind of experience and what kind of education I have.
Steve Bowcut:
I would love to hear about that.
Faisal Kaleem:
Okay. So from a young age, I exhibited a national inclination towards engineering. So instead of simply playing with toys, I found myself dismantling them to uncover their internal mechanism. It was that early fascination with reverse engineering that laid the foundation for my future endeavors in the realm of technology and cybersecurity. So after completing my bachelor’s degree in electrical engineering from a prestigious university in Pakistan, I embarked on my professional career as a telecommunication engineer for a defense contractor. All right, now, it was during that time that I wrote my first TSR keylogger program in C programming language. TSR stands for terminate-and-stay-resident, and that basically was a big deal during that time and that was a pivotal moment that introduced me to the intricacies of cybersecurity. Around 1996, I started my master’s degree in electrical engineering at Florida International University. It was here that I chose to focus my thesis on a stagnography, further deepening my understanding of covert communication techniques with digital media. So again, kind of like you can see the progression of cybersecurity over here.
Embarking on my academic journey in 1999, I ventured into teaching as a lecturer. Concurrently, I pursued diverse industry certification, enhancing my proficiency in IT and security. During this period, I was asked to develop a security course for the National Science and Management Information System program, and this was basically a pivotal juncture in my career path. And this is where I decided that, hey, teaching is where I want to go. Teaching this particular course in security repeatedly and experimenting with different security tools not only reinforced my enthusiasm for cybersecurity, but also motivated me to deepen my expertise in the domain. Now during my tenure as assistant professor at NFIU, I played a pivotal role in designing and developing an online master’s degree program in cybersecurity, reflecting my commitment to advancing knowledge and nurturing the next generation of cyber professional.
And finally, upon joining Metro State in 2014, I found a landscape where only one course, Steve, just one course, focusing on computer security, existed. Think about it, there was nothing at Metro State in 2014. Since then, my mission has been to cultivate a culture of cybersecurity excellence, both within the academic realm and across broader society. Fast-forward to 2024 and Metro State stand as the foremost institution in Minnesota for cybersecurity boasting comprehensive academic programs and cutting edge technology. Throughout my academic and professional journey, my unwavering dedication has been to propel the field forward, advancing knowledge in cybersecurity and nurturing the next generation of cyber professionals. So in a nutshell, this is my story about cybersecurity.
Steve Bowcut:
Interesting. Well, thank you. I appreciate you sharing that. That is fascinating. So with that background, let’s focus in on students that may be interested in cybersecurity, maybe they really haven’t even decided that that’s exactly what they want do. Could you help them understand what core subjects or skills they should focus on? Do they need to be programmers? Or maybe they don’t even like programming, is there still a place for them in cybersecurity? Can you explore that a little bit?
Faisal Kaleem:
Yeah, very good question. So, again, cybersecurity is that area where you can… It’s for everybody. Whether you have a technical background or whether you have a non-technical background, you have a place in cybersecurity. But let’s talk about it from the technical perspective because most of the time people are interested in technical aspect of cybersecurity. With that, computer science fundamentals, start with a basic of computer science and computer architecture. And definitely don’t forget about, and I always tell my students, two programming languages. Just understand the working of C programming, and then Python. These are the two programming languages I always tell my students that, “Hey, if you really want to do good in cybersecurity, get these two programming language under your belt.”
Then, second thing, you cannot do anything good about cybersecurity if you don’t know computer networking. So a strong understanding of networking protocols, devices, and technologies, they are really, really very crucial because they will help you understand that how the data flows across the networks and how to secure that data effectively. Then, as you know, that everything requires an operating system, all devices require a framework or operating system. So knowledge of various operating systems such as Windows, Linux, or macOS, and so on, so some knowledge of operating system.
Then don’t forget about those cybersecurity principles. They should know about some sort of threat modeling, risk assessments, so here you go, whether you are technical or non-technical, you have to understand how to do some sort of risk assessment. Vulnerability scanning, access control mechanism, incident response, they’re all vital for developing security strategies. Then obviously doing the coursework, you also have to understand how to secure the information, so cryptography is something very, very important. Here we are talking about different type of encryption algorithms, digital signatures, other cryptographic protocols for securing data communication and system. Then definitely you have everything is done via web-based application, most of the web applications and services are web-based, so understanding common web vulnerabilities like cross scripting or SQL injection and how to mitigate them is also very important for cybersecurity professionals. Pen testing, what a wonderful, wonderful area over here, that they should learn about pen testing to provide valuable insights into how attacker exploits vulnerabilities and how to effectively defend against them.
And again, I should also mention that in all these things that are variety of security tools and technologies. They should play around different type of firewalls, intrusion detection or prevention systems, antivirus software, log aggregation analysis. And then don’t forget, we always say that, “Hey, learn Kali Linux.” Kali Linux is something that you should absolutely, absolutely learn if you really want to do good into cybersecurity.
For the non-tech, we should also, and again, even for the tech, don’t forget about those security standards and compliance like for example, those ISO standards, 27001, or the NIST cybersecurity framework, or having some understanding of regulatory compliance like HEPA or GDPR or other, there are a bunch of PCI compliance, so some basic understanding.
And finally, I would also say that, and again this is not just me, this is coming from my industry partners, that effective communication, problem solving, and teamwork skills are a must for cybersecurity professional. And actually, I would say we, instead of calling them soft skills, now we actually introduce a better word for that, we call them power skills.
Steve Bowcut:
Oh, okay, I like that.
Faisal Kaleem:
So learn those power skills. And then continuous learning, earning professional certifications, participation in cybersecurity communities and conferences, they’re all essential for keeping pace with evolving threats and technologies.
Steve Bowcut:
Okay, so lest we paint a picture here that might scare somebody just coming out of high school, that’s the stuff that you’re going to learn when you enter into cybersecurity, you go to Metro State and get involved in the classes and programs there. So if I’m just coming out of high school, how much of that is essential? Do I need to have strong math skills? Do I need to have any programming at all? Or can I come out of high school and make a decision to go to Metro State and get an education in cybersecurity? I guess I’m just trying to figure, what is the basic-
Faisal Kaleem:
No, I understand. I thought the question was basically-
Steve Bowcut:
No, it was, that was perfect. I just want to make sure that someone listening to this who’s still in high school thinking that cybersecurity might be a course for them, what do they need to have before they can be-
Faisal Kaleem:
Absolutely.
Steve Bowcut:
Successful in their education?
Faisal Kaleem:
No, I know that if some of the professors are listening to this thing, they might disagree with me on the math part, but long time ago I learned that if we are going to put high math requirements for the students to join the cybersecurity program, we will not have a good number of cybersecurity people in the workforce. So for the K-12 students, don’t be afraid. You just need simple college algebra, and obviously you’re going to come and learn about discrete math and statistics, those are something that you would learn, and those are the minimum requirements from my perspective. So if you are a K-12 students learning, the number one thing that I would like you to have is the passion about cybersecurity.
Steve Bowcut:
There we go.
Faisal Kaleem:
You should be passionate about the field. And again, this is for everybody. If you are not passionate about the field, honestly, regardless of whatever educational background you have, you cannot do much in cybersecurity feed. So the number one thing I would say is the passion. Some sort of technological background, so if you have been playing around or messing around with some of these tools, I think you have the capability to join the cybersecurity program. I would suggest, again, if you are in high school, if you can, which actually, I did a talk to one of the high school over here and I mentioned, because the students asked me question about a cybersecurity certification or some sort of certification, so I said, “You know what? If you really are interested and if you really want to find out that, hey, I can do good in cybersecurity, try to get that CompTIA A+ certification.” That is a certification that will tell you that whether you can do good in cybersecurity or not, and that would basically give you a baseline or a background in joining Metro State program.
Steve Bowcut:
Oh, that’s excellent. That’s good actionable advice right there. I like that. You could, right out of high school, or even while you’re still in high school, you could pursue that CompTIA A+ certification and see whether you’ve got an aptitude for that kind of thing. Interesting. Thank you.
So a minute ago you mentioned some of the tools and technologies. So cybersecurity is such a dynamic field, things are changing so quickly, the tools that people are using are changing. So what advice would you give a student who wants to get into cybersecurity? Just focus on the fundamentals and then learn the tools when you get in the field, or do some of each? How that look to you?
Faisal Kaleem:
Yeah, so as I always tell my student, and by the way, this is a number one question during interviews with the lawyers, that, hey, do you have a setup in your basement where you can practice or have some sort of hands-on skills in cybersecurity? So again, where I’m going with this is every student who is a current student in cybersecurity, or who’s interested in joining a cybersecurity program, the very first thing they should do, and nowadays, it’s so simple, you just connect a bunch of virtual machines, install a couple of softwares, and start playing with them. So my advice to those students would be, especially when it comes to the cybersecurity, just install a couple of virtual machines, and one of them should be Kali Linux, which is basically a Linux distribution with all the different type of tools and stuff regarding cyber, you should start playing with that particular distribution as soon as possible. Start playing with different type of operating system, start understanding the different security mechanism of the operating system.
And again, you know what? There are so much out there when it comes to internet or YouTube or LinkedIn, there are so much tutorial. You guys are living in an era where you just need to go out and you will find the knowledge. I just compared myself with my kids and I always tell them, “Hey, listen, when I was doing my education, there was no internet. We don’t have resources like you guys have. It’s so simple for you guys just to type-“
Steve Bowcut:
That’s true. We had to actually use textbooks and you only knew-
Faisal Kaleem:
Exactly.
Steve Bowcut:
What was in the textbook. You really couldn’t branch out beyond that too easily.
Faisal Kaleem:
Exactly. And with ChatGPT and with all the AI stuff, with all this Copilot from Microsoft, we just have to tell the system, “This is what I’m looking for,” and then comes out tons of information for you. It’s just, to you, that you just have to sit down and understand that information. You don’t have to really worry about reading a formal textbook or something like that, as you just said, Steve.
Steve Bowcut:
Yeah, interesting. All right, so let’s paint a picture then for this student, this hypothetical potential student of cybersecurity. What kinds of career opportunities are awaiting them when they get through, and we might look at a couple of different points along the way, when they get through with their undergraduate degree, and if they go onto a master’s or a PhD? What kind of career opportunities does the cybersecurity field offer?
Faisal Kaleem:
And Steve, I want to admit that, as an educator, we don’t do a good job when it comes to talking students about the career opportunities. I really hope that students who are listening to this podcast take this advice from me. So the very first thing that any student should do, and even starting the career, they should take a look at some of the job roles that are out there. Now when I say job roles, I suggest taking a look at NICE cybersecurity framework, so N-I-C-E, which is from NIST, and it’s called the NICE Cybersecurity Workforce Framework. And then the second framework is called the DCWF, that stands for DOD Cybersecurity Framework. Now, both of these frameworks basically are divided into multiple categories, like whether you want to go into security or provision, whether you want to go into investigation or defend or protect. I’m not going to go into those details, but the good thing about those framework is they will basically tell you the different type of job roles, and then they will spell out those job roles in terms of what we call the KSATs, KSATs.
K stands for knowledge, skills, abilities, and tasks. So basically it will tell you that, hey, if you want to become a cyber defender, or cyber defense analyst, which is by the way a particular role in those framework, then what kind of knowledge is needed? What kind of skills you should bring to the table, what kind of tasks the employers will be asking you to perform. So if you get an idea ahead of time that, hey, these are the kind of tasks employers are going to be asking me to perform, you will basically make a better decision in choosing your role even before joining any cybersecurity program. So again, I would urge you, I would recommend you, that before you start your cybersecurity career, take a look at those two frameworks and find out what is close to your passion. And again, when it comes to our job roles, it’s not just technical roles over there, as I mentioned, there are a bunch of different type of roles available, but again, you just need to take a look at those frameworks and decide yourself that what role basically you want to get into.
Now, again, having said that, I will mention few roles over here quickly just to give the students the idea. So obviously the first role is security analyst role. Now, this particular person is responsible for monitoring and analyzing security threats. They respond to security incidents. They are the one who implements security measures to protect the organization and obviously organization’s assets. Then another exciting role, which I know my students are very, very excited about it, is the pen testing role, or the ethical hacking role, or ethical hacker role. They are the one who actually assess the security of the systems by trying to simulate how the attackers break into those system and try to identify and then obviously exploit those vulnerabilities and weaknesses. So this is one of the most exciting, exciting roles for students.
Incident responder. They are the one who basically investigate those breaches. They are the one who coordinate responses to the breaches and then not only contain them, at the same time, try to mitigate the impact of those security incidents. Then another one is the SOC analyst, the security operations center analyst. They’re the one who sits down in the security operation center and then monitor the security alerts, analyze the security incidents. They take a look at the incidents and responds to these incidents in real time to protect the organizational assets.
And again, as I said, there are a bunch of them, and there is a forensic analyst as well, but I should also mention the SOC, or actually security compliance officer/auditor, because I want to make sure that the students who are listening, they have to understand that it’s not just the technical aspect, but there is a non-technical aspect of cybersecurity as well. So security compliance officers or auditor, they ensure that organizations comply with relevant laws, regulations, and industry standards, by conducting security audits, assessments, and compliance reviews and so on. So again, there’s a variety of roles. You can become also a security researcher, that you can start analyzing vulnerabilities and then you can try to develop exploits. And again, when I say developing exploits, not from the bad guy perspective, but from the good guy perspective, because you want to develop the exploit to help the pen tester to identify and uncover those weaknesses and vulnerabilities, and so on. So again, sky’s the limit over here, Steve.
Steve Bowcut:
Yeah, and not only, all those things that you’ve talked about, the beauty of it is all of those things are required in every vertical market. It’s not like it’s just financial, or it’s not just government. Every vertical market, healthcare, anything you can think of, needs those skills across the board, so there is a great opportunity. And so I want to focus a little bit on academia’s role in that. So how do you, specifically at Metro State, prepare the students for that? Do you go out and talk to people in industry and find out what they want, what they need, the skills that are needed to fill the roles that they have, and then design your curriculum to fit that? Or how does that work?
Faisal Kaleem:
Yeah, I’ll come to that in a bit, but I just want to say one quick thing to the student, and especially from the perspective of the job roles. As you said that cybersecurity is something that could be applied to any sector, any verticals, I always tell my student, and this is my favorite tagline, that cybersecurity is national security and cybersecurity is job security.
Steve Bowcut:
Yeah, very good.
Faisal Kaleem:
You can just go into any field with cybersecurity knowledge and you’ll be able to find a role there in that vertical. So cybersecurity is national security, cybersecurity is job security.
Now, role of academia. Absolutely. So MN Cyber, that I established a couple of years back, it’s basically a public-private partnership, and what I was able to do was I was able to convince the senior directors or the chief information security officers of the major organizations here in Minnesota, we are talking about Best Buy, Target, Medtronic, UnitedHealth Group, Fairview, which is a medical system, Preem, Cargill. We have national guards, we have some legislatures sit in the advisory board. So it’s basically a very, very powerful advisory board from different sectors. And by the way, our state IT CISO also sits in the advisory board. And this is the board which actually helps me not only with any sort of internship opportunities or full-time opportunities for my students, but at the same time, whenever I have question about like, “Hey, is our curriculum up to date? Is there something else that you guys want and we are not doing? Please advise me,” they are the one who actually advised me on that.
On the other hand, as you know, Steve, that Metro State is a NSA designated Center of Academic Excellence in Cybersecurity, and because of that, we actually have to align our curriculum with what we call the NSA Knowledge Units. And that basically makes sure that we are covering a wide range of topics, including computer networks, cryptography, vulnerability assessment, regulatory compliance, and so on. So obviously comprehensive curriculum based on industry advice, based on NSA Knowledge Units, that’s the number one thing for any good cybersecurity program.
Then definitely the role of expert faculty come in. I’m very, very proud to say that our faculty member of expertise in various areas of cybersecurity, but then we also have something called community faculty. So again, the term typically is adjunct faculty, but we call our faculty as community faculty because these are industry experts, but they are part of the community, and they are the one who come and teach us some special courses for us with the experience they bring to the classroom. Honestly, student love them. So we have tons of these community faculties as well.
Then our courses, some of our courses, they are also aligned with some of the industry certifications as well. So again, as you know that some of these certifications, they always try to update themselves, so automatically, which means that if we want to keep ourselves or our courses aligned to these certification, we also have to update our courses as well. So that’s basically the other thing we always try to do in order to provide the best possible education for our students.
Steve Bowcut:
Perfect. All right, and so you mentioned some of the internship opportunities that you learn about because of your connections in the community. Let’s explore that a little bit. How crucial are internships, and are they common, or is it more rare?
Faisal Kaleem:
So internships are incredibly crucial for a cybersecurity student because they provide valuable real world experience exposure to industry practices and networking opportunities, quite frankly. They are not common. It all depends upon obviously your connections with the industry, and it all depends upon if the industry has some sort of openings, but we try as much as possible to get internship opportunities to our students. So I should mention that our program, both at the undergraduate level and graduate level, basically has internships, courses. So the student basically take internship and then they also get credits toward their internship.
But I should mention here is that one of the latest internship that Metro State has created is what we call cybersecurity clinic. So this is one of the four grant that we received from NSA, so we were one of the four awardees nationwide. NSA entrusted us with this grant to establish what we call a cybersecurity clinic. Now, cybersecurity clinic is a wonderful, wonderful way of providing a student with hands-on skill. How? So what we do, we train the students, then these students basically going to go out, and then they’re going to provide free risk assessment to different type of clients. And the clients include small businesses, K-12 schools, underserved municipalities and communities, and nonprofits.
And then the good thing that happened with the clinic as far as Metro State is concerned, that Minnesota IT, we call them MNIT, so Minnesota IT, or MNIT, they joined hands with us because they had a similar needs. They wanted to do some sort of assessment for K-12 underserved municipalities and communities. They said, “Hey, why not we work together, and then why not we provide these services to these clients together?” So we are working with MNIT, we already started with 21 students this semester, and this is the first semester we are doing this internship. The students are going to go out in the groups and then they’re going to perform these assessments for these various type of clients. What are wonderful opportunities for students to learn not only by doing the real deal, but the same time they’re going to be also working with people from MNIT, who are going to be there to guide them as they perform these assessments.
So again, yes, internships are very, very important, and sometime you can find creative ways. Just like I said, the cybersecurity clinic is a wonderful idea to create or to provide opportunities for the students to get into these internships. There are various benefits. Obviously you would get industry exposure, you will definitely have a possibility of professional networking. You will enhance your portfolio even before you graduate. All those power skills development that I just mentioned before, that comes naturally as you work with different type of team members, your communication skills will improve big time, your problem solving abilities and teamwork skills in a professional environment is going to be improved, and so on.
Steve Bowcut:
Okay, so thank you for that. I appreciate that. So before some students can worry too much about their internship, they need to worry about scholarships, so they can get to that point. Is there anything you can offer in that regard, scholarships, that are relevant or applicable to cybersecurity students?
Faisal Kaleem:
Absolutely. And you know what? There are several scholarships, opportunities available. Metro State, we just finished one of the scholarship from NSF, but now we are going to be applying for other scholarship opportunities, but I should definitely mention some of these scholarship opportunities that the students should be looking for.
So one of the scholarship opportunity that is available to the NSA CAE Institution, the Center of Academic Excellence Institution, is from DOD, and that scholarship is called DOD CYSP, which stands for Department of Defense Cybersecurity Scholarship Program. This program provides funding for both undergraduate and graduate student who are pursuing their degrees in cybersecurity, or related fields, and what the recipient does that the recipient will receive full tuition coverage, stipends, summer internship opportunities with the DOD. And obviously the idea is that after you receive this money, for every single year of the money that you receive, or for every single year of the scholarship that you receive, you will be obligated to work into a government three-letter agency, whether it could be a DOD or FBI or or CIA. The good thing is that they will find an opportunity for you, so you just have to pay back by working for a governmental agency.
Now, similar to the same idea is something called Cybersecurity, or CyberCorps Scholarship for Service, or SFS. Now this is basically sponsored by the National Science Foundation. The idea is exactly the same. They will give you the full tuition, they will give you stipend, they will give you a laptop, they will give you tons of things. But then once again, upon graduation, you actually have to pay back by working for any governmental organization, does not have to be DOD or FBI or whatever. Even though I think last time they also allowed the student to work for state government as well. So again, the idea is the same. You can obtain the scholarship and then you can just pay back by working for the same number of years that you got the scholarship for. So for example, if you receive the scholarship for one year, your obligation is to work for one year. If you got the scholarship for two year, then you should be working for the government for two years.
Then on the private side, on the private sector side, ISC2, this is the provider for the famous CISSP certification, they provide both undergraduate and graduate scholarship. And by the way, the deadline is coming very, very soon, which is February 29th, so if any student who is listening to the podcast, and if you’re interested in the ISC2 undergraduate and graduate scholarship, you should hurry and apply for those. It’s not much, but it’s $5,000 per year to cover tuition, textbooks, and other educational expenses, but it’s still a good amount of scholarship. So February 29, don’t forget that, apply as soon as possible.
And finally, I should also mention that SANS, which is one of the popular provider of security courses and certification, they have something called SANS cybersecurity work study program. This is basically their way of offering scholarship in which they actually select some students, and then what they do is that they ask the student to attend their SANS cybersecurity training course for free, and then they give you certification exams for free. And then in return, all they want is that you assist them while somebody’s teaching the course and act like a teaching assistant or something like that. What a wonderful way that you are basically there to, not only observe, assist, but you are also learning, getting these courses for free, and then getting certification for free. So again, if you’re interested in getting into the SANS work study program, you should take a look at that and apply for it.
Steve Bowcut:
Excellent. Thank you. All right, earlier at the top of the show, we touched briefly on professional certifications, so let’s explore that a little bit more. What professional certifications would you recommend? How important are they? And how does that all fit together with a formal education?
Faisal Kaleem:
All right, so I’m going to repeat myself again, Steve, that this is one thing that I know that not every faculty is going to agree with me. I’m a big proponent of certification, but I know some faculty don’t like the word certifications. But let me start by saying this thing, that certifications are not a replacement of formal cybersecurity education. If somebody gave me a choice between certification and degree, I would opt for cybersecurity degree. Certifications are highly important in the field because they can provide validation for somebody’s skills, knowledge, and expertise in a specific area of cybersecurity, and then demonstrate their commitment to professional development. But once again, if you are listening to me, students, your number one priority should be going after the degree. And while you are doing the degree, or while you’re getting your degree, or even after you complete your degree, I would highly recommend you to go after some of these certifications.
Now, with that, I can mention a few certifications that I tell my students to go after, and if you get those certifications, definitely your chances of getting into the workforce is going to be much higher as compared to somebody who is just going there just with a degree. So numerous certifications available from various organizations covering a variety of topics and skill level. If you want to start as a base level certification, again, I already mentioned for the K-12, start with the CompTIA A+ because that covers also some aspect of security. But for undergrad students, or for a student in associate degree in colleges, your best starting point is CompTIA Security+ certification. This is an entry-level security certification that covers foundational cybersecurity concepts, principles, making it suitable for beginners, or those seeking to start a career in cybersecurity. And then the cool thing about this certification is that this is vendor neutral certification and widely recognized by the employer, so you are not working on a specific technology over here. So this is the reason why it’s widely recognized by the employers.
Then you can, again, follow the CompTIA route. I tell my students to follow the CompTIA route. CompTIA provides some high-level certifications like, for example, if you want to go into pen testing, you can do PenTest+. Or if you want to do some sort of analysis, you can get CompTIA CySA+. Or if you want to go at the highest level of CompTIA, you can go what we call CompTIA CASP+, or C-A-S-P+, which is basically one of the top-level certifications from CompTIA.
When it comes to the other providers, EC-Council has a series of certification. One of their popular certification is called a Certified Ethical Hacker Certification, which is almost the same as CompTIA PenTest+ certification, so that’s another good one to go after. For students who are interested in compliance or security management or security auditing, ISACA, I-S-A-C-A, they offer two certifications, the Certified Information Security Manager, or CISM, or Certified Information Security Systems Auditor, or CISA. These are two very, very popular, renowned certifications from ISACA. And especially if you really want to go into the non-technical aspect of cybersecurity like auditing or cybersecurity management, I would highly recommend you to go into this.
The top-level certification that I personally also have is the CISSP certification from ISC2. Now obviously this requires, not only knowledge, but this also requires some practical experience. Students who are interested in this certification, you can definitely get to the certification, you can take the certification exam, and if you pass the certification exam, they will give you what they call the associate of CISSP, or associate-level CISSP certification.
And then once you get, I don’t remember the exact number, but I think five years of practical experience, once you get that five years of practical experience, then they would convert your associate CISSP certification into a full CISSP certification. But ultimately, all students who wants to go into a cybersecurity role, whether it’s a technical role or a non-technical role, or who actually wants to climb that executive ladder, they should definitely try to get into the CISSP certification. And again, as I said, CISSP certification is not a replacement of a graduate degree. So if you have a choice between a graduate degree in cybersecurity or a CISSP certification, you should first try to complete your graduate degree and then you can try to complete the CISSP certification.
And I should mention one more certification, actually, I would say two more. OSCP, which is a very, very technical certification, stands for Offensive Security Certified Professional. This is a very, very challenging certification because, even to pass it, you actually have to pass a challenging 24-hour hands-on exam. So think about the power of the certification and think about how much valuable this certification is, because they will put you to a 24-hour exam, hands-on exam, which basically will assess your knowledge, not only the knowledge, but obviously your capability of performing certain tasks, which would be a testament to the employers that you know what you are doing and you know how to accomplish certain tasks. And finally, if you are doing some SANS training, SANS provide bunch of different types of certifications through their GIAC, or what they call the GIAC Security Essentials, Global Information Assurance Certification. They have a series of certifications. You can also try to look into those certifications and try to get into those certifications.
Steve Bowcut:
Excellent. And just a note to our listeners, we will try and put links to as many of these certifications as we can in the show notes. And additionally, if you’re listening to the podcast from our website, or if you go to our website, in the left-hand panel menu you’ll see articles and reviews of all of those different certifications that Dr. Kaleem has talked about. So we’re getting close to being out of time, but there are a couple of things that I do want to talk about and get your perspective on. And of course, one of those is emerging technologies. AI, machine learning, that’s all the buzz, right? So give us your perspective on the impact that has on cybersecurity, maybe both from the threat perspective as well as the defender perspective. How are these new technologies going to play into it?
Faisal Kaleem:
Oh yeah, of course, this AI and it’s machine learning, they are really, really, I would say, having a profound impact on the field of cybersecurity, both in terms of defending against the cyber threats and definitely from the malicious actors’ perspectives.
So AI and machine learning are influencing cybersecurity in many ways. So for example, when it comes to, let’s start with threat detection prevention. So both artificial intelligence and machine learning technologies nowadays are being used, not only to detect, but to prevent some prevalent cyber threats in real time. And how they do it, obviously, AI is all about analyzing vast amount of data and patterns. So all they do is they analyze the data, they try to identify the patterns, which are indicative of malicious activity. So these technologies definitely, definitely can help the security systems teams to recognize the threats and responds to these new and evolving threats more effectively than traditional signature based approaches. Now, keep in mind, signature based approaches is all about that, hey, we know what the threat is, we know how the attack work, and we develop the signature, and then obviously we put that signature as part of the tool or technology, and then the tool or technology compare the signature against a threat, but it will not guard against any new or any emerging threat, and this is where the AI and ML can come in. I really like the idea because this is basically more towards a proactive strategy as compared to our reactive strategy. Definitely AI and machine learning are helping big time in that.
Anomaly detection, that’s another area, that identify anomalous behavior within the network. It can take a look at the user activity and that could indicate a security breach or insider threat. We should not even forget about the insider threat. That’s something very, very important to keep in mind, whether it’s malicious intent, or whether it’s accidentally done, whatever. But AI and ML can also help in identifying that anomalous behavior and help organization detect and respond to these incidents very quickly.
Then, again, you can think in terms of predictive analytics, which already touched upon, that it can analyze historical data to predict the future cyber threats and vulnerabilities, allowing the organization to proactively mitigate the risk and improve their security posture, but that’s another area that AI and ML is breaking ground. AML, which stands for the adversarial machine learning, which is all about, so think about this thing, malicious actors, they are also leveraging big time AI and ML techniques to develop sophisticated cybersecurity attacks that can evade these traditional security defenses. So AML basically lets you manipulate or exploit the AI and ML algorithms to bypass these detection mechanisms and generate malicious contents and launch targeted attacks. So this is where obviously if somebody is good in the AI and ML, then definitely they can come up with some sort of mitigated strategies against the AML as well, like using the AI and machine learning. So there are so many different things the AI and ML is doing.
Steve Bowcut:
Yeah, I agree. Thank you. So before I let you go, I don’t want to forget our early career professionals, so somebody who’s already maybe got their undergraduate degree, or maybe they’ve got a job in cybersecurity, but they want to advance their career. We’ve already talked about professional certifications. Obviously that’s a great way to advance your career, pick the direction you want to go in, find the right professional certification, add that to your resume, that’s a great way to advance your career. Is there any other strategies or suggestions that you could offer this early career professional?
Faisal Kaleem:
Absolutely, and again, the key word here is continuous learning, which is going to be essential for anyone to stay abreast of industry developments, honing skills, and advancing their careers. But here are some strategies or some tips that I can provide to consider for continuous learning and career advancement in cybersecurity. I always tell my undergrad student that you should not stop at the undergraduate level. You should pursue further education. Whether it’s going after advanced degree, like a master’s degree, or getting certifications, all the specialized training in cybersecurity. You should definitely, definitely take a look at that. Okay. So again, if somebody is asking my choice, I would say, “Hey, go get your graduate degree, a master’s degree in cybersecurity or cyber operations.” And by the way, Metro State offers a MS degree in cybersecurity operation, which is basically an accelerated program that you may want to take a look into.
Steve Bowcut:
Very good.
Faisal Kaleem:
Stay updated with the industry trends. That’s something very, very important. You should subscribe to some podcasts, like this one, or other podcasts. Regularly follow industry news, take a look at the blogs, join some forums, all about… You need to stay informed about the latest trends. Steve, you mentioned about the AI, or ML, they need to be informed about the emerging technologies like AI and ML. They need to also take a look at what are the best practices the others are following and I’m not following. So again, subscribe to cybersecurity newsletters.
Join the professional organization. That’s also very important. If you have an ISACA chapter, or ISC2 chapter, or ISSA chapter, join those chapters and participate in online communities. Connect with your peers and learn from their experiences. Definitely attend training workshops and conferences. If your state or if your city or if your area offers these short training workshops or a one-day or a two-day conference, you should definitely, definitely try to attend those conferences. And by the way, conferences are a wonderful, wonderful way of not only learning about the emerging technologies, learning new contents, but as well, networking opportunities. This is where you’ll get to meet your future employer. So again, just make sure that if you have an opportunity via your school or via your employer, do not miss it. Attend those conferences.
Then also, I would say that I always tell my student, whether you already graduated or not, or if you already graduated, just start participating in some of these free online competitions, such as Capture the Flag competition. It will make sure that your technical skills are still sharpened. You still have the problem solving abilities and team working skills. So again, make a team and join some of these Capture the Flag competition, which then there are tons of them on the internet.
Do not be afraid to seek mentorship and guidance. I tell my student to join me or connect me on my LinkedIn profile, connect with me, connect the other professors, connect with the mentors within the cybersecurity field who can provide you guidance or advice or who can support you as you navigate your career in cybersecurity. Look for experienced professionals who can offer insights, share their experience, share their journey in cybersecurity. They can also provide feedback on your career goals as you develop them.
Again, also, if possible, try to contribute to open source projects, and there are so many out there, because then you’re going to be working with an army of industry professionals who are contributors to these open source project. And this is basically a best way to gain hands-on experience, share your knowledge, collaborate with other professionals, and at the same time, it’ll also help build your reputation, showcase your skills, and learn from others in the community. And don’t forget, I was already mentioned to you the key word is you should embrace in continuous improvement, just adopt a mindset of continuous improvement and lifelong learning in cybersecurity career.
Steve Bowcut:
Perfect. Thank you. Excellent advice. Faisal, I can’t thank you enough for the time that you spent with us today. The information is invaluable, and I’m sure our audience is going to learn a lot from that, and I appreciate that. So thank you for spending time with us.
Faisal Kaleem:
Thank you very much, Steve. It was really fun. And as I said early, that we don’t do enough for our students in terms of career advice, so I really am thankful to you to provide us this opportunity to talk directly to our students, so thank you for that.
Steve Bowcut:
Well, we appreciate what you do, and a big thanks to our listeners for being with us. And please remember to subscribe and review if you find this podcast interesting, and join us next time for another episode of the Cybersecurity Guide Podcast.