An interview with Gregory Laidlaw | University of Detroit Mercy

Last updated: March 18, 2026

Written by Steven Bowcut

With over 30 years of experience in the security industry, Steven Bowcut is a skilled editor, writer, and consultant.

Dr. Gregory Laidlaw, chair and lecturer of Cybersecurity and Information Systems at the University of Detroit Mercy.

Summary of the episode

Dr. Gregory Laidlaw emphasizes students need a broad IT foundation (networking, systems, databases) because most entry jobs aren’t purely cybersecurity.

He explains the program aligns with national frameworks (including CAE) and industry feedback while focusing on principles over specific tools. He keeps courses like ethical hacking and forensics intentionally challenging, grading documentation, process, and ability to pivot—not just outcomes—while stressing ethics: written permission, clear scope, and leaving no trace.

His advice: stay open, try areas you think you won’t like, and use certifications to signal readiness to employers.

Read a full transcript of the episode

Steve Bowcut:

Welcome to the Cybersecurity Guide Podcast, the show that helps students and early career professionals make smart decisions about cybersecurity education, build marketable skills, and navigate real world career pathways. I’m Steven Bowcut, and today I’m joined by Dr. Gregory Laidlaw.

Dr. Laidlaw is the department chair and lecturer in the Department of Cybersecurity and Information Systems at the University of Detroit Mercy. Dr. Laidlaw brings a practitioner’s lens to cybersecurity education. He spent about 25 years in IT consulting across small enterprises and local government with experience spanning software and database design, network infrastructure, systems security, and data integration.

He’s a certified ethical hacker, and he earned a doctorate of management in information technology from Lawrence Technological University, where his doctoral work exposed how agile methods can accelerate complex data integration efforts in a real law enforcement context. And we’ll be able to talk about that a little bit, I’m sure.

He’s also active in the professional community through organizations like ISACA, InfraGard, and (ISC)², and his current interests include secure systems, human factors in security, and design usability, which is a critical and often overlooked part of building defenses that people will actually follow. And I hope we’ll talk about that as well.

In this episode, we’re going to talk about what Detroit Mercy’s cybersecurity curriculum is designed to produce, how the program aligns with national academic and workforce frameworks, and what industry integration should look like in a way that genuinely improves graduate readiness.

We’ll also discuss Detroit Mercy’s distinctive work in vehicle cybersecurity, including innovative approaches like digital twin virtual labs that let students explore realistic attack and defense scenarios in a safe environment. If you are evaluating cybersecurity degree options or you are early in your career and trying to make your best next move, this conversation will give you a practical, experienced-based perspective.

With that, Dr. Laidlaw, Gregory Laidlaw, welcome to the Cybersecurity Podcast. Thank you for being with me today.

Dr. Gregory Laidlaw:

Glad to be here.

Steve Bowcut:

Okay. Well, this is going to be interesting and I really enjoyed the biographical information and the intro there. There’s some interesting things that I’m sure that we’ll be able to touch on as we go through some of these questions that I’d like to ask you.

We genuinely appreciate you giving us part of your day and helping students and early career professionals that are looking to decide whether cybersecurity is the right direction for them, and if it is where they think they might want to pursue that. So let’s start with some more background on you.

So if you could give our audience a flavor of what your journey, both professional and academic journey has been like. And I’m particularly interested in what experiences that you’ve had in the past most shaped your view of what students must be able to do on day one in a security role.

Dr. Gregory Laidlaw:

All right. So I don’t think I have … Well, maybe I do have a non-traditional background for IT, but 25 years. So 25 years ago, we didn’t have cybersecurity degrees. We didn’t have IT degrees. It was computer science or nothing. So, economics major, and learned to program.

But as far as my path, it was, I don’t know, a bit different in that you’re looking for what do they need to know first on the job? So one of the things I liked, I try not to tell too many stories in class, but I always end up doing that.

And most of it is, here’s what I did and here’s how you can learn from my mistakes. So one of the things that I will say as far as first day on the job, and this is going to be a non-traditional answer, soft skills. It took me a while to figure that out. I mean, it took me many years to figure that out.

It wasn’t necessarily how technically competent I was. And what I knew, it was how I related to people and how I understood their problems and how I could relate to their problems, and then how I could solve their problems.

Because there were all sorts of areas where users were doing things that didn’t make sense or that were not secure or could be done better. So you’ve got to go actually figure out what they’re doing before you can have that conversation.

And of course, you can’t come at that conversation as I’m an expert in this field, so whatever you’re doing is completely wrong. Well, of course it’s not completely wrong. It probably just needs some tweaks. So a lot of times I’d be dealing with different clients and they’d say, “Well, we can’t do that here because what we do is completely different.” But then when they describe it, it wasn’t completely different. It was slightly different.

They were using completely different language to describe their processes, but no, it was the same process with some other tweaks. So then you could go back and say, well, this is what … And of course you can’t name the clients because you can’t, but you can say, “This is what I’ve seen done elsewhere.

You’re doing something similar. It works very well over here. How about this? ” And that’s really where the value came in. And I think that’s where it took me a while to figure that out is it wasn’t how technically competent I was because most people didn’t understand that because I didn’t talk to them.

So my career path is programming is fantastic for me because I won’t have to talk to people. And that lasted about probably a couple years, But then I learned it better. So this is me telling you, you’ve got to talk to people no matter what you’re doing.

If you’re straight up programming, you still got to come out of the basement and talk to people and understand what they want and how they’re actually using the software. And that’s part of the usability that you talked about.

And we’ll probably talk about all throughout this is if you’re designing things, whether they’re systems or security or software, if they’re not designed for the people who are actually using it, it becomes useless either it’s counterproductive. And if it’s counterproductive, they will find ingenious ways around software and security-

Steve Bowcut:

To not use it correctly.

Dr. Gregory Laidlaw:

To not use it. It’s frightening, but also fascinating to watch that process. And again, this is the soft skill, this is the people where if you don’t understand that your systems are going to be bypassed or quite frankly not even used.

And that’s one of the things that we are trying to guard against. As an early career consultant, we’re being driven by billable hours, billable hours, billable hours. So if you’re not part of the solution, then, oh yeah, you’re a consultant. We can let you go at … We can tell you to go home at noon. Exactly.

Steve Bowcut:

That’s interesting.

Dr. Gregory Laidlaw:

So I would say focus on some of that and realize that you’ve got to look at the bigger picture, not just the technology. And obviously you need to know the technology, you need to stay up with the technology. That’s also going to be always part of your job.

And I think I knew that fairly early on. It was an interest. And I think most people in this program, most people in this field understand that and know that and enjoy that. This is not a study for four years, learn everything you can and then shut the books and turn off your brain and learn nothing ever after that.

Steve Bowcut:

Yeah, that’s a really good point. All right, so we’ve got hard technical skills, we’ve got the soft human skills, and I’m going to throw one more in the mix if I can. So as I looked through your biographical information prior to the show, one thing that kind of bubbled to the top for me is, okay, so you’re the department chair for cybersecurity and information systems.

While closely related, there is a difference between those two cybersecurity and information systems. So I thought from the employer’s perspective, what do you think the employers want students to know when they show up at that first day on the job?

How much weight are they going to put to those hard cybersecurity skills? And let’s go ahead and put in those human skills and then also architecture, data integration, governance, those information systems kinds of things.

Dr. Gregory Laidlaw:

That’s an ongoing question because we do talk to employers, we do seek their input, and that’s kind of a mixed bag. They say they want the soft skills, but then when you read their want ads, you’re like, oh no, I don’t see any soft skills in there at all, so how do we bridge that gap? But as far as the … I don’t see it as much of a dichotomy between IT and cybersecurity.

At the undergraduate level, it’s all one program. It’s only cybersecurity. We do split it up at the graduate where there’s more of a focus. But at an undergraduate level, your first job might not be pure cybersecurity. In fact, very unlikely. I would say very, very unlikely that you’re going to walk out of any program, ours or anybody else’s, and start an enterprise architecture position.

As much as we can train you here, you just really don’t have the big scope to do some of that stuff. The risk and the compliance and the enterprise architecture require those soft skills, but also require a bit of understanding of all the different domains that you’re going to have to deal with.

And I think that was part of my … Being a consultant, I got exposed to that and I think it was really good training for what I’m doing now. So at the undergrad level, we are talking about IT skills, database, software. We’re focusing on cybersecurity, but we’re doing networking. That’s what I’m teaching tonight.

You can’t really do cybersecurity or risk or any of that without understanding the underlying infrastructure. It’s just not … Maybe it’s possible. It just breaks my mind trying to think about how am I going to secure this if I don’t actually know how it works?

Steve Bowcut:

That makes sense. You can’t protect it if you don’t know what it is or how it works or where its vulnerabilities are. And so maybe the message for someone thinking about getting an education or someone in the process of getting an education in cybersecurity is to remember that you really need a holistic or a well-rounded view because when you show up to work, some of the things you’re going to be doing may not be directly related to cybersecurity, at least in the short term. So you need to understand the bigger picture. Is that a fair assessment?

Dr. Gregory Laidlaw:

Yeah, that’s probably a much better synopsis of what I just said than anything else.

Steve Bowcut:

Alright. Well, let’s move on here a little bit to national framework. So I assume that in your role, you’re very involved in curriculum design and what goes into the curriculum. So talk to us about national frameworks, which ones you focus on or use and what weight they bring to how … There’s obviously other things you got to talk to employers and there’s lots of things that come into how you design your curriculum, but these national frameworks, how do they play into it?

Dr. Gregory Laidlaw:

We are a CAE certified school, so they are …

Steve Bowcut:

So they’re going to dictate certain frameworks you’re going to use, right?

Dr. Gregory Laidlaw:

Yes. They’ve got lists and lists of knowledge units that we have to meet to re-certify the recertification processes every four years, but we report every year. So every year we’re saying how we’re meeting those particular KUs. And from experience, it’s not like those KUs are out from left field.

This is government, academia, and industry all collaborating on those KUs for the CAE certification. So yeah, it’s not like we don’t want to meet them. We find them as fantastic guidance. We also look at some of the certification exams, what they’re asking. We talk to industry through ISACA and through other organizations, we’ll talk to former students what they’re actually doing and what gap, what did they not know when

Steve Bowcut:

What do you wish you knew that- I like that.

Dr. Gregory Laidlaw:

Is that something we can fix? Sometimes the answer is yes, sometimes it’s no. We also have the same conversation with employers. Sometimes they come to us and say, well, we really need people trained up on this particular technology. And sometimes there’s a little bit of pushback because they’re very, very specific. We want experts in Oracle 23I.

No, we can’t do that. We have them pretty well trained up on SQL and we might be using MySQL, we might be using SQL Server, but part of what we’re doing is we’re matching the hands-on skills with the theory. So they’re using MySQL or they’re using SQL Server, but they understand what they’re doing in a larger context.

So moving to Oracle shouldn’t be a huge lift for them. And that’s part of what we’re trying to do both in the program and bring that out to industry as well. Because we do see that, and I see it in the LinkedIn ads and all of that stuff.

You can’t really expect somebody coming out of four-year institution to have that very specific knowledge, but they can have something close. They have something that can be adaptable to that. And part of where we started with day one is people skills, adaptability. You’re going to learn a ton of stuff.

And like I said, we stay pretty high on the theory. We like the hands-on to reinforce the theory. Because of course, the other thing that if we train very specifically, as you’ll see some program, really community colleges, some of the bootcamp type things going on, they’re training very specifically to this technology. But what do we all know? That technology has a three-year lifespan. Right,

Steve Bowcut:

Exactly.

Dr. Gregory Laidlaw:

In three years, I’m probably off on my Oracle numbers, but they’re going to go from 23 to 27. If you’re really tight into 23, that might break you to go to 24, 25, 26, 27. But again, we’re also looking at the theory. So what’s similar between MySQL, SQL Server, Oracle 23 leads you into what’s similar between 23 and 27? You see the same thing in Windows that is very specifically through your life span. Yeah.

Steve Bowcut:

Teaching the principles and maybe some of the terminology that’s not likely to change, it seems like it would be much more valuable than a specific version of a tool or software interesting-

Dr. Gregory Laidlaw:

And when I mentioned Windows, we’re using Active Directory quite heavily, but again, that, like I said, has a very specific three-year lifespan. You’re going to have another Windows server version every three years, but we want to even step it back from that. What if you didn’t have Active Directory? What are we actually trying to do with Active Directory?

We’re talking about permissions, we’re talking about compliance, we’re talking about audit, we’re talking about logging and all of this stuff. Active Directory is an implementation of that. Could we do this in another way?

And the answer, of course, is yes, it might be harder, it might be easier. You might have to do that on the job. You might walk in somewhere and they’re not a Microsoft shop, so they’ve got other appliances, they’ve got other mechanisms, they’ve got other software, but our students should be able to and will be able to say, “Oh, this isn’t Microsoft, but I understand the concept.

I can learn how to implement it rather than being completely destroyed because it’s not exactly what you were trained on.”

Steve Bowcut:

Yeah, excellent. All right. So here’s what I hope will be an interesting question, and I know it’s going to vary from student to student, but have you, in your experience, identified some parts of the curriculum that are deliberately, or maybe the better word is necessarily hard for students to grasp and understand, but they have to be that way because they’re going to teach them to do something that they’re going to be expected to do and they show up to work.

So are there some parts of the curriculum that are just generally harder for students? And I know, like I said, it’ll vary from student to student, but there may be some things that you say, yeah, students normally struggle with this particular thing.

Dr. Gregory Laidlaw:

Well, yes, there’s a couple of things that happen. I’m going to speak mostly to digital forensics and ethical hacking because those are the two that I’ve taught consistently over 10 years. There are some parts that are very, very difficult in there. So it brings up two things.

We’re not watering them down, but we’re also looking at the process and the procedure rather than the end results. So for ethical hacking, the last thing they have to do for their final, they’ve got to perform and write up a pen test.

So I know how it works. They have a vague idea of how it works, but that’s something where you can see the process and the procedure rather than the end outcome is more important because we’ll have some students that’ll, they’ll be excited about it. They’ll sit against all my warnings over 15 weeks, they’ll sit down and then they’ll just go at this particular box and they’ll break into it.

But guess what? They got to write that up and they can’t do it because they were so focused, they’re not really sure what worked and what didn’t work. Whereas other students will walk through it and they’ll have a nice procedure, they’ll have a nice writeup. It’ll be logical, it’ll be coherent.

Guess which one is better for your end users or for your industry? It’s the one that’s coherent, the one that they can understand. Because part of what happens when they’re just hacking away and, “Oh, I tried this and it didn’t work and it didn’t work and this didn’t work.” Guess what?

That’s really good information to have. If this is your system, if this is my system, I want to know what you tried and what didn’t work and why it didn’t work. And does that mean success for me as the person that owns this asset or was that because you didn’t try this other thing?

And this is the other reason why we don’t water it down is when they have a decent writeup, a lot of times, even though students who seem less technical, they get so close. They’re so very close and that’s a real learning experience for them is I can read the paper and say, “This was a great idea to go in this direction. It didn’t work, but fantastic idea.

You pivoted very nicely. Your plan was to do this and it didn’t work. So you pivoted based on what you knew, what you found out, and you got so close, but did you consider doing this other thing?” And you’ll see the light bulb go on or their brain explode, whichever one happened because they didn’t think of that.

They didn’t get there. And part of it is because they’ve got a time limit. Part of it is they’ve got other things going on, but again, that’s not going to be any different when they’re doing it in the real world.

Steve Bowcut:

In real world, yeah.

Dr. Gregory Laidlaw:

A lot of the stuff we do keep deliberately hard, but it’s not one of those, “Oh, you didn’t break into the box. Sorry, try again next year when you take this course again.” Yeah, it’s more of process and procedure and what did you learn and how did your plan and how did you pivot because that’s what they’re going to have to do.

Steve Bowcut:

Yeah. Okay. Thank you for that. I appreciate that. So one of the things that I always like to bring up when I’m talking to people like yourself is the importance of and how do you give hands-on learning experience.

And I guess I should have asked before I got to this point, maybe you could quickly just, are all the classes in person on campus or are some of them remote and how does all that work for your programs?

And maybe there’s a mix of all of those things, but where I’m driving with that is how do you make sure that they have actually touched some stuff and it’s not going to be that when they walk into their employer, it’s not the first time they’re actually touching some stuff that they need to work on.

Dr. Gregory Laidlaw:

So since I’ve been here, and this is pre-COVID, we’ve always had kind of a hybrid model. There’s certain things where it’s straight up lecture. And at the time, most of us are commuting, so it seemed really not very effective for everybody to drive 15, 20, half an hour to sit in front of computers and listen to me talk to them, but never actually touch the computers.

So a lot of times we do hybrid where I’m lecturing online about the theory and then the next class is hands-on. That’s what we’re doing tonight in network. We’re doing some hands-on in networking where I had an online lecture on Tuesday. The freshman class are typically on campus as much as possible just because as much as- They’re freshmen.

Online, there’s still a much better interaction face-to-face, person to person, and we’re a smaller university. So my big classes end up being 25 students. So by the time I meet them, first year, I know a bit about them, I know what their goals are, I know how they work, I know all sorts of things that sometimes seem not relevant at the time, but then are relevant later.

That’s hard to replicate in an online environment. Plus there’s all the standard freshmen stuff, show up to class and be ready and do all of that stuff.

Again, hard to do remotely, but we do get a lot of hands-on. We’ve got a lab here, we’ve built it, we rebuild it. Much like our curriculum, we modify it pretty much every single semester, every single … Sometimes mid-semester, part of that’s driven by what’s going on, part of that.

Sometimes it’s me. Sometimes we should de-emphasize this. This is not something we need, but it’s always got a hands-on component, whether it’s physical machines in our lab or competitions through ISOCAP, or we’ve got Hack the Box and TryHackMe.

And some of the online things we mix in there because they’re actually kind of a nice mix of … It’s simulated hands-on, but it’s nice because it’s got some instruction and then it’s got some detail, and then you’re doing an exercise and then you’re moving on to the next thing. So it’s a lot more integrated than really what we’re doing in person where I’m lecturing and then they’re applying on Thursday.

It’s kind of mixed that way. It also gives them access to things that we don’t have here at the university. We can’t afford them even if we could. There’s maintenance, there’s maintenance and ongoing-

Steve Bowcut:

Absolutely.

Dr. Gregory Laidlaw:

Of things that go on with that. So we use a lot of virtualization here because what we don’t want to do is burn a ton of time setting up an environment. We want them to be hands-on as quickly as possible.

Although we certainly do have them build some stuff just because they need the experience and the frustration of building something and doing everything right and still not having it work, but then being able to back up and say, well, this was working as of step 43, now I’m at step 77 and it doesn’t look like the picture, it’s not responding. So where did I go wrong between 43 and 77? Something they’re also going to have to do.

Steve Bowcut:

That’s a real world thing. Exactly. Yes. All right, so I want to move on to ethical hacking. So this is probably in most people’s minds, and particularly students who are just getting started. This is the sexy side of cybersecurity. And I would like to hear you, you’re certified in ethical hacking.

I’d like to hear you talk about that intersection, if you will, between having offensive competency so you know how to do this, and yet there’s the ethical part. So is there friction, I guess, is really the way I want to ask the question in trying to teach the students, look, these are the things you could do, but you can’t do some of them because it’s just not ethical and how do you know what to do and how do you teach that part?

Dr. Gregory Laidlaw:

Oh, that’s probably chapter one, first three pages of any text on ethical hacking, the answer’s permission. You need permission to be on ethics- To do everything. And in fact, you need very well-written, well-documented, scoped permission for what you’re doing.

Steve Bowcut:

Do you ever feel like you’re training the next generation of unethical hackers when you’re doing this though?

Dr. Gregory Laidlaw:

To some degree, because you mentioned sexy and a lot of the students first day, they’re like, oh, I’m going to break in, I’m going to do this and I’m going to do this and I’m going to … I’m like, hold on. You’re only going to do that if you get permission to do that and you get it well-written permission to do that and anything else is illegal and unethical and that can be a real big hazard in this career path.

We’re well beyond the days when you had famous hackers and they got busted and they spent time in jail and then they’re getting all these million dollar gigs because they’re wanted. No, you’re seeing people who cross boundaries not getting jobs because if you couldn’t trust them then, how do you trust them now? In IT, in cybersecurity, you have access to all sorts of stuff that could be compromised and ethics are key here.

So permission and part of doing an actual pen test is having that written permission, having somebody to talk to, have a point of contact inside. And then if something goes beyond your scope, get it clarified, get it in writing. And that’ll happen all the time in real life is when I talk to pen testers, I’ve only done internal pen testing. So by definition, they were my systems or ones I was responsible for.

But when I’m talking to people who aren’t pen testers, a lot of times something will come up that’s not covered by scope, but you sort of have to cover it. You see poor passwords, you see traffic that looks weird and concerning, but that’s not part of your scope. Point of contact, talk to the point of contact. This is what we saw. Make them aware of this.

This is what makes it ethical is that’s your guardrails, as you called them, is this is outside of what I’m allowed to do in writing, point of contact. Excellent. Either modify my scope in writing. And I say in writing all the time in class because this is contract. You don’t want it to be verbal.

Think of the scenario where something comes up and you say, “Oh, can I investigate this particular server? I know it’s not part of my scope, but I’m seeing some unusual activity. Can I get into it and check it out? ” Oh yeah, sure, sure, sure. No problem.

Steve Bowcut:

Interesting.

Dr. Gregory Laidlaw:

What happens when you drop that server and you’re talking about millions of dollars and losses? Is your point of contact going to say, “Oh, sure. Yeah, I told him to do that. No problem.” Or is that point of contact going to completely deny that he knows you? Yeah,

Steve Bowcut:

Exactly. Well, and I had another question rattling around in the back of my head. These guardrails, so get permission. Is another guardrail or does it even make sense to have a guardrail that says, so get permission, but also don’t break anything while you’re there. I mean, do you leave no trace like we used to do in Boy Scouts when you’re camping? Is that part of what you have to teach? Look, you’re there, you could break some stuff, so don’t.

Dr. Gregory Laidlaw:

Yes, that’s exactly what we’re after is you’ve got permission, you may inadvertently break something, but you also have to realize this is a functioning business. Document the fact that you could break something and then back off, and then leave no trace is exactly what we’re doing. So remember when I talked about pen tests before? The other problem with people with students that are like, “Oh, hack, hack, hack, hack, hack. Oh, I’ve got it to work now. I don’t remember what I did.”

Steve Bowcut:

Yeah, but it’s working.

Dr. Gregory Laidlaw:

But it’s working, so I get an A, right? Well, can you reverse that? Because that’s the last part of any real pen test is you’ve got to put all the systems that you touched back in their original condition. So if you get into a firewall and change the settings, you’ve got to be able to put that back.

If you didn’t document, if you don’t have a good write-up, can you do that? No, you absolutely cannot. If you changed five settings in a firewall, you did that a week ago and didn’t write it down.

Steve Bowcut:

You didn’t document it. Exactly. Yeah, that was a problem. Okay.

Dr. Gregory Laidlaw:

And if you told me you did that, I’d say don’t even attempt to go back and do that because you’re more likely to make things worse than to make them better. But yeah, leave no trace is nice to allowing me to circle back to that because that is also part of the pen test is you’ve got to put things back and not break things.

One of the things that comes up a lot in a pen test is how do you transmit, how do you disseminate your results? Those have to be highly secure. That’s got to be encrypted when you send it over the internet. Do you really want a bad actor to intercept your report that says, “Oh, here’s how I broke into the system.”

Steve Bowcut:

Yeah, here’s the vulnerabilities and the weak spots.

Dr. Gregory Laidlaw:

Thanks, good hacker. Thanks for the nice roadmap so I can get into all of the stuff with the step-by-step instructions.

Steve Bowcut:

Yeah. All right, so I want to move now. I’ve been anxiously waiting to get to this part. This is one of the parts that I really am looking forward to. So I want to get you to talk about the human factors, particularly usability.

So what are common ways that security fails because systems are hard to use? We talked about this briefly at the top of the show, but can you talk to us more about that and how you teach that?

Dr. Gregory Laidlaw:

We have an entire class on that, and it’s something that we started a while ago, even before it ended up being a bigger thing. We want systems. We’ve got a little bit of software design or system design in our curriculum to understand that users are … They’re not dumb. And I hate all of the stories that you see on the internet, like, oh, these dumb users did this.

Well, maybe there’s a reason why they did that. Maybe your software isn’t as usable or as user-friendly as you think it is. And they had to come up with a way to adapt so they could get their jobs done. And that’s the common thing that I saw over my 25 years, and you still sort of see it today, which is if you’re giving your users two competing objectives, security is normally the one that gets thrown out the window first.

Classic example … Actually, I saw this the other day in a doctor’s office, and I’m not going to name names, but they’ve got these highly secure systems that I’m sitting in the waiting room, and I’m watching this system, and the mouse is going back and forth across the screen. I’m like, “What the heck is going on? Is this an attack?” And it only took me about two seconds to realize, no, that’s not an attack. That is they don’t want to log in and out of their system 20, 30, 50 times a day. It’s got a sleep or it’s got a log on screen-

Steve Bowcut:

Reset that timer.

Dr. Gregory Laidlaw:

It’s way too stringent for what they actually need. So they’ve got the mouse going back and forth, so it shows activity, so it’s not going to time out. It’s not going to go back into the sign-on screen. And actually, I don’t need to mention that because I see that a lot in doctor’s offices.

And I’ve also seen the converse side of that, which is where they’re walking into an exam room and the doctor has to sign on and it takes them 10, 15 minutes. Well, that’s 10, 15 minutes he’s not talking to me or one of my kids about what’s going on, but that’s also 15 minutes that could…

Steve Bowcut:

Whatever he was doing, anything would be more productive for those 15 minutes-

Dr. Gregory Laidlaw:

Exactly… than him struggling to sign on or her struggling to sign on with the technology. So is there a reason why it needs to be that way? Is there a better way to implement that than the way that they’re doing?

Because in both cases, I suspect it’s almost like a complete reboot to get back up to a record rather than what about … We can do face, we can do thumb, we can do all sorts of things that would be fairly quick and easy to implement, and then the doctors or the optometrists or whoever wouldn’t bypass them because it really wouldn’t cost them any time, but it would still be secure. I mean, we do face recognition all the time. It’s not that hard of a technology.

Steve Bowcut:

Yeah, that’s good. And it does seem like as an industry, we’ve come quite a ways there because it wasn’t that many years ago that I would often have to cringe when I would hear employers grumbling about their employees that used weak passwords or wrote their passwords down, and yet they weren’t providing any tools like a password management system or anything.

You could literally have hundreds of passwords and they all have to be strong and unique. That’s almost undoable. You can’t remember them all. You have to have some kind of tool. So yeah, you either use a weak ones or you write them down. But I think we’ve come a long way with multifactor authentication and those things.

Dr. Gregory Laidlaw:

Oh, yeah. And even the understanding, because when I was first doing auditing, when I was first looking at systems and responding to auditors, they were pretty locked into, it’s got to be eight characters, it’s got to be upper and lower, it’s got to be this complex, you’ve got to change them every 30 days, on and on and on. I’m like, “You’ve got to consider what is it that we’re securing here? Does it need that kind of security?”

And my classic example was I had a set of clerks and the auditors wanted this. And I fought every single year, even sometimes the same auditor, I’m like, “This is overkill for these particular workstations.” There’s nothing on these machines that the general public can’t get if they walk into the lobby.

So there’s five machines in the lobby that are all signed on all the time, and the clerk’s machines don’t have any more access than those. So why go? It’d actually be quicker to sit down at the public terminals and get the information than talk to the clerks, especially when they’ve got to spend 15 minutes signing on and doing all this other nonsense.

And part of human factors is if you make things difficult and you make it difficult for somebody to do the job, and then you yell at those same people for not doing the job efficiently, security’s out the window.

And part of ethical hacking is if you’re doing something physically on site, if you’ve got a very complex system, where’s the password going to be stored? If they’re right-handed, it’s in their top right-hand desk drawer or it’s under the keyboard.

Sometimes we’ll run into a lefty and it’s in their left room, but almost guaranteed because they’ve got this tight security and then they’re also being yelled at for being inefficient or slow or whatever metric is driving that. You’d see that on the shop floor as well where they’re just signing onto the machine to update piece counts and eight characters and even worse.

So that was one of the things that it was interesting is they’re running these very … They’re all wearing gloves. They’ve got oil everywhere. It’s just everywhere. Oh, well, the machine timed out, you got to stop the machine and take off your gloves and wipe your hands and then type on the keyboard.

Again, 15, 20 minutes. How many pieces could you have run on that machine while you were messing with-

Steve Bowcut:

Doing that.

Dr. Gregory Laidlaw:

So a lot of that goes into it. We can do a lot of secure by design stuff. We also talk about just human nature of what they’re going to do. We talk about the spam and the spear phishing and just general social engineering because it’s more popular now because it’s way more effective. It’s way more effective.

Steve Bowcut:

Oh yeah. With AI it’s becoming-

Dr. Gregory Laidlaw:

Even worse. Even more scary because some of the business email scams that we would see before, AI puts that on steroids where I actually had some investigations where there were wire transfers requested via email when somebody was out and that the wire transfers made sense, but there was no procedure to verify it.

There was no way to get ahold of this person, so it just happened. So that was via email. Imagine now, and we’ve seen cases like this where the secretary gets an actual phone call from the boss saying, “Transfer this money and here are the accounts and this is what to do with it,” and it sounds like that, because I think I saw the other day, five, 10 seconds of voice and you can totally replicate that.

Steve Bowcut:

Absolutely. Yeah. All right, so let’s shift here a little bit. And this is something else that we’ve mentioned briefly, but I want to go a little deeper on it before we run out of time here. And that is this idea of input from industry or industry integration where maybe you have some advisory boards or … I mean, so we’re talking about your curriculum development again, how and how much input do you get from industry?

Dr. Gregory Laidlaw:

As much as we possibly can. And like I said before, we do filter it based on what we know and what we need and how we meet our KUs. But industry advisory board, we’re at ISACA, we’ve got alumni coming back and saying that I talked about this is what they needed to know, and if that’s something that fits into our program, we’ll certainly do it. I mean, the other thing that we do is we’ve got some very highly qualified adjuncts and they’re bringing that stuff in on a daily, hour-by-hour basis.

Oh, this is what I did today. This is the problem that I ran into. And we’re also talking to them to see, because at the end of the day, we want to match what employers need, but we also want to make sure that it’s not just what they need on day one or week one or year one, but that it’s something that will train the student to be able to be productive day one, week one, year one, and on in the future.

So we are taking that at all times. I guess we might be ramping up a little bit more on Python because I’m getting some feedback that employers, even in non-programming roles, are looking for those types of skills. And we’ve done that before just because from being out in the field, I know if you can script something, pretty much anything, digital forensics, ethical hacking, networking, anything you can script, you want to absolutely do because it’s consistent, it’s easy, you don’t have to remember anything.

You just remember to hit the button. Actually, if you can auto schedule it too, you’re miles ahead. So we’ve been teaching it in that manner. I didn’t realize until a couple of days ago when I started to get some feedback from employers and my students interviewing that employers are actually asking for that, even though it’s a non-programming position.

So we can ramp that up a little bit because I love doing that. Well, and I love technology and I love learning new things and I love bringing that into the classroom because that’s fun. That’s why I’m here.

Steve Bowcut:

That’s awesome.

Dr. Gregory Laidlaw:

This is all the stuff I didn’t get to play with when I had to be billable because there’s all sorts of fun things that I’m like, oh, I really want to get into this, but can I bill for that?

Steve Bowcut:

No. No. All right. So we’re about out of time and I do want to get to some actionable advice for the listeners, but before we get to our final question, I’m intrigued a little bit about your doctoral work and it has something to do with law enforcement. I believe there was a sheriff’s department.

So I guess what I want you to talk about briefly, if you could, is there some things that came from that that influenced what you teach students now about incident response or evidence handling or operational constraints, that kind of thing? Is some of that your doctoral work in these public sector environments, does that filter into what and how you teach?

Dr. Gregory Laidlaw:

Yeah, that actually goes back to where we started, which is talking to people and understanding that the programs and the processes and the limitations. And that came about because of the limitations of many of the people I was working with is none of this stuff was integrated.

It’s shocking to a modern audience, but 911 call was different than what happened in the police cruiser, which was different than what happened when they got booked, which was different than when they got released, which is different than … So think about entering somebody’s name 35 times from the time that there’s a 911 call to the time that they get sentenced. That’s an enormous amount of data entry and an enormous amount of wasted time and error and all sorts of-

Steve Bowcut:

Yeah, I was going to say room for error. How many ways can you spell that?

Dr. Gregory Laidlaw:

All sorts of chaos going on. And you’ve got mugshot systems, you got fingerprint systems, you got commissary systems, just the multiplication of systems that as somebody goes through the system was enormous. And at the time, there were all sorts of solutions out there, but all of those solutions were scrap everything that you own and buy our million dollar product, $2 million product.

Oh, and by the way, we’re the only ones that can implement it, so fire all your IT staff and hire us at the same time. Nobody had the budget for that. It wasn’t doable. Plus you had pieces where commissary system isn’t doing … That’s their system. They’re not going to deal with them. They don’t care that you paid a million dollars for that. State of Michigan said, “This is our system. You were using this system.” So how do you integrate that?

How do you make that move as smoothly as possible through the system based on your constraints of budget and to some degree users. You’ve got talking to some of the deputies, and this was a conversation we had several times is we could introduce technology, but we’re back to human factors. Typically, if you had an older deputy, they’re real, real good with writing things down on a yellow pad.

They probably, actually, some of them said point blank they were not going to use a tablet. So part of what was being proposed just wasn’t going to straight … Just absolutely was not going to work.

So we had to deal with all of that. And then as far as pivoting, lots of pivots there, but I know you mentioned somewhere in the notes and somewhere of the things that I have here, the work that I did as a reserve deputy.

And part of that was to understand the domain of who I was working for and what they were doing and how they were manipulating, how they had to work with the general public and the people that they had to deal with and how things flowed through the system. Fascinating stuff. But the training there, I think falls nicely into IT, which is know how to pivot, have a plan, but know what to do when that plan doesn’t

Steve Bowcut:

Work. Inevitably, it doesn’t work.

Dr. Gregory Laidlaw:

Yeah. I think von Moltke says something like, no plan survives first contact with the enemy. Completely true. The one I use for my students, because they don’t know who von Moltke is, is Mike Tyson said, “Everybody’s got a plan until they get punched in the face.” Yeah, that’s true.

So that’s something that I’m not sure that you can really teach. You can talk about it and you can observe it and you can see it, but I think that was a training that really helped me is doing some of the simulation training. Sometimes because I was a newbie that the deputies loved to mess with.

Steve Bowcut:

Oh, really?

Dr. Gregory Laidlaw:

And they have control over the simulation, so sometimes they would escalate and they would escalate really quickly.

Sometimes they deescalate and you’ve got to be able to do both and be able to pivot where sometimes another person would come in and we were doing live training where deputies were acting as suspects, so all sorts of things. But it really got me to think on my feet and to understand.

And I think that translated into some of the incident response that I did, and that’s where I very definitely saw plans go horribly, horribly wrong once something changes. And some of the people that you thought would be dependable and would be able to keep it together when things got really, really bad were just of no help whatsoever.

And yet some of the people that you didn’t expect much of really stepped up. And this is where you’ve got to pivot and say, well, Joe is completely useless here, even though he’s got seven years of training, but here’s Mary.

She seems to have a good focus on what we need to do right now and not spin out of control about what might happen and what happened. And that ends up being the big thing in incident response. Yeah, we need to understand what happened, but we can’t really spin out of control about all of it. We need to quickly understand it and move on rather than just getting horribly upset about it.

So I think a lot of that stuff translated well. Hopefully students and people in the field can at least experience some of that or at least be open to experiencing some of that because maybe where we started, which is where I started in programming because I didn’t want to talk to people. And now what do I do for a living? I just talk to people.

Steve Bowcut:

You talk to people.

Dr. Gregory Laidlaw:

Yeah. You said we’re almost done, but I’ll keep going if you want.

Steve Bowcut:

Well, we have time for one more question. This is kind of our actionable guidance for students question and it’s always amazing to me.

So you’ve got all these students coming to you. They all have different directions that they want to go where they’re likely to end up, security operations, government and risk, governance and risk, or any number of different areas that kind of fall under cybersecurity and information systems.

So are there, and if there are, what are the specific first steps that you would recommend to new students that they should accomplish within the first six to 12 months of their academic career?

And the reason I find that an interesting question, because they’re kind of scattering, they’re going in different directions, and yet there must be some advice that you can give them that’s going to help each one of them regardless of the direction that they’re going to go within cybersecurity.

Dr. Gregory Laidlaw:

And that’s the great thing about what we’re doing here. And the great part of my job is because I get to talk to individuals, I can give them individual-

Steve Bowcut:

Individuals.

Dr. Gregory Laidlaw:

But most of it is stay open to what you like. You’ve got four years, experiment, try stuff. I’ve got students come in and say, “Oh, well, I hate programming.” Well, how do you know? You did it in high school and maybe it’s not the programming, maybe it’s that particular class, so try it.

Find out whether you like it or not. There’s really no … This is the time to experiment. This is the time to find stuff out. Maybe try programming, maybe try something that’s outside of your box. The risk is really low here.

I mean, worst case scenario, you’re going to get a bad grade, but in the overall scheme of things, you’re here for 120 credits. So one bad grade, two bad grades, not really going to trash your grade point. You’ve really got to work pretty hard to trash your

Steve Bowcut:

Grade points. You know what? I really like that

Dr. Gregory Laidlaw:

Advice. Trash your grade point. So there are all sorts of things that you can do and there’s all sorts of things that you can … So first thing, stay open. Think about what your gaps are. Think about exploring those to see whether you like it, but also see what you like, see what you have an aptitude for, see what interests you and pursue that because cybersecurity is huge.

The risk and compliance is way different than digital forensics, ethical hacking. I mean, night and day difference. Almost two different sets of people who do well in each of them. That doesn’t mean to say you can’t start in one and then do the other. I suppose I did.

Everybody can sort of do that some … And that was also part of my journey. Try and compress that while you’re here. I originally, I thought compliance and audit was a bunch of busy paperwork and annoying people that were keeping me from doing my job.

Steve Bowcut:

Sounds like it.

Dr. Gregory Laidlaw:

But then-

Steve Bowcut:

Well, that’s really good.

Dr. Gregory Laidlaw:

Once I got better at my job and got more into the larger picture, I can see why this is an important … I can see why we can’t just trust my word for, oh yeah, your system’s secure. You need the auditor, you need the outside experience and welcome the outside experience.

Steve Bowcut:

So maybe we could take that part of your advice and we could distill that down to something that says, in the first six to 12 months of your cybersecurity education, try something that you think you’re not going to like.

Dr. Gregory Laidlaw:

Oh, I love that.

Steve Bowcut:

Yeah.

Dr. Gregory Laidlaw:

I’m stealing that.

Steve Bowcut:

There you go. It’s yours. All right. Was there anything else? I didn’t mean to cut you off if there was other advice that you wanted to add.

Dr. Gregory Laidlaw:

No, no, no. And I think there was a question in there somewhere about, well, we’re back to first day on the job. We’re talking about early career. One of the things that we talk about and we emphasize in the program is obviously do well in school, learn as much as you can, but also look at certification.

We look at certification as guidance for our curriculum. We’re not going to narrow cast to this particular one or that particular one or whatever. But I think it’s helpful after, either during the end of your academic career or right when you start, because it shows that you’re still interested, it shows that you’re still learning, and it gives some credibility to the education that you have. Unfortunately-

Steve Bowcut:

And I appreciate you bringing that one up. I normally ask some questions about how you would feel about certification, but more and more, we’re seeing that in almost every advertisement for employment, the employer is saying, “I want these certifications.” So regardless of how you feel about certifications, it sure does help you get a job.

Dr. Gregory Laidlaw:

Well, and I understand where the employers are coming from, which is if you ace through all of the courses here and you do well and you learn a ton of stuff, but you move to Indiana, anybody in Indiana, they’re not going to know what you learned here. Our reputation is not going to carry to …

We could be a diploma mill, we could be a bootcamp, we could be anything other than what we are. CAE helps us a little bit with that, but I’m not sure that employers are too tuned into that. But if they’re seeing some CompTIA or some entry-level certifications, what they can then say is, oh, this person has a four-year degree and they must have learned something because they’re both still interested and they can pass these exams, whether you find they’re a good fit for the field or they’re not a good fit.

It still shows that you’re learning and you’re capable of learning and you must have learned something in four years in whatever school that you’re at. And I’m pretty sure that applies to any other university that doesn’t have a world-famous football team.

Steve Bowcut:

Yeah, that’s true. All right. Well, we are out of time now, but Greg, thank you so much. This has been a lot of fun. Your enthusiasm is catching, and so this has been a lot of fun for me. I appreciate it. I’m sure that our audience is going to enjoy this as well, so thank you for your time today.

Dr. Gregory Laidlaw:

Oh, no problem. And I obviously enjoyed it. I love talking about the school. I love talking about cybersecurity.

Steve Bowcut:

Okay. All right. And to our listeners, if you enjoyed this, please like, rate and subscribe and all those things that help others find the program as well. And thanks for being here and we’ll see you next time on another episode of the Cybersecurity Guide Podcast.

Copyright © 2026 · Cybersecurity Guide · All Rights Reserved