Dr. Mark Heckman has worked in the field of information security for nearly 40 years as an engineer, researcher, practitioner, and educator. His wide-ranging career has spanned many areas of information security, including research and development of very high-assurance, multi-level secure systems for use in government and the military, research and development of intrusion detection and security event management systems, and general IT security and compliance for commercial organizations in the financial and health industries. Dr. Heckman earned his MS and PhD degrees in computer science at the University of California, Davis and is a Certified Information Systems Security Professional (CISSP). He is currently a professor of practice and teaches in the Cyber Security Engineering and Technology program at the University of San Diego.
A summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Dr. Mark Heckman, a professor of Computer Science and Cybersecurity at the University of San Diego (USD). They discuss the cybersecurity educational opportunities at USD, including the two master’s programs offered in cybersecurity engineering and cybersecurity operations and leadership.
Heckman emphasizes the importance of understanding fundamental concepts in cybersecurity and highlights the need for professionals who can balance security and usability in system design. He also mentions the increasing importance of legislation and regulations in the cybersecurity field. Heckman recommends reading books like Ross Anderson’s “Security Engineering” and Sami Saydjari’s “Engineering Trustworthy Systems” to gain a deeper understanding of cybersecurity fundamentals.
He cautions against relying too heavily on artificial intelligence (AI) as a solution to cybersecurity challenges, as the field is constantly evolving and requires human expertise. Heckman also mentions the industry advisory board at USD that helps shape the curriculum to meet the needs of the cybersecurity community.
Here is a full transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening.
Today our guest is Mark Heckman. Mark is a professor of Computer Science and Cybersecurity at the University of San Diego. We’re going to be discussing cybersecurity educational opportunities at USD.
Let me give you a little bit of Mark’s background. Mark Heckman has worked in the field of information security for nearly 40 years as an engineer, researcher, practitioner, and educator. His wide-ranging career has spanned many areas of information security, including research and development of very high assurance, multi-level secure systems for use in government and the military, research and development of intrusion detection and security event management systems and general IT security and compliance for commercial organizations in the financial and health industries.
Mark earned his MS and PhD degrees in computer science at the University of California-Davis, and is a certified information systems security professional. He is currently a professor of practice and teaches in the Cybersecurity Engineering and Technology Program at the University of San Diego.
With that, welcome, Mark. Thank you for joining me today.
Mark Heckman:
Oh, it’s a pleasure to be here.
Steve Bowcut:
Okay.
Mark Heckman:
Even though it is 6:00 AM.
Steve Bowcut:
I know. And thank you for that. I appreciate that. So, let’s start giving our audience kind of an inside view of what your journey into cybersecurity has looked like. How did you first become interested in cybersecurity?
Mark Heckman:
Well, I graduated from college with a computer engineering degree. And at the time I had no idea what I wanted to do with it, except that I knew even then I didn’t want to go to Silicon Valley. Then a friend of mine from school said that his father had a startup in his garage in Carmel, wonderful place. The startup was working on something called a multi-level secure operating system, and they were looking for engineers.
Now, I had no idea what a multilevel secure operating system was, but it sounded interesting, and I’ve been working in the field of cybersecurity in one way or another ever since, which is, as you said, nearly 40 years now, and almost never have I been bored.
Steve Bowcut:
Okay. So in one sense, maybe it was serendipitous. You just happened to get this job, which included cybersecurity, but that’s not necessarily what you were pursuing at the time.
Mark Heckman:
I didn’t know that cybersecurity existed as a field. This is the early 1980s, and at that time it wasn’t a widespread practice. Cybersecurity wasn’t well known then as a practice on its own. So, I had no experience, no exposure to it at all in school.
So yeah, it was a very heavy duty cybersecurity job. We were building what was then, I don’t know if you’re familiar with the old Orange Book, the national, the Department of Defense standard for secure systems? It’s expired now. They dropped it around the year 2000, but at the time, a lot of people were trying to build systems to satisfy that standard, and we were building a system at the highest level of that standard called the A1 level, which allowed me to meet some, I got to work with, I don’t know, some really great people in the field of cybersecurity.
If you know anything about the history of cybersecurity, my boss, my direct boss was Roger Schell, called the father of the Orange Book. I also got to work on a research project with Dorothy Denning, who wrote some of the original works on, for example, intrusion detection and…
Steve Bowcut:
Fascinating
Mark Heckman:
Through them, I learned to treat cybersecurity not just as a field of engineering, but as a field of study, almost as a science. That’s how I got interested, and that’s why I’ve stayed ever since.
Steve Bowcut:
Yeah, interesting. And it certainly is true that that field has evolved. You and I are both old enough to have seen it evolve from kind of a pastime, or maybe it’s a good idea to something that is central to any software development or system development and programming.
Mark Heckman:
Yes, at the same time, I’ve also seen, and you probably have noticed too, how little things have changed. We’re still doing some of the same things badly.
Steve Bowcut:
Yeah, that’s true. I know. You might note that we’re still trying to keep people, to get people to keep their passwords unique and safe and protected. I was just reading something this morning that reminded me of that. It’s been decades that we’ve been trying to teach people to protect their passwords and use a new password, and don’t fall for the phishing scams, which are trying to gather your passwords.
Mark Heckman:
I agree with you. On the other hand, I’ve always been under the impression that it’s a mistake to depend on unsophisticated technological users to be the line of defense in security.
Steve Bowcut:
No, and I agree, and I think we’ve made great headway in moving away from that. Wouldn’t you agree? I mean, we don’t rely on passwords like we used to. It’s not the only way of securing your systems anymore.
Mark Heckman:
We’re getting there. We’re finally getting there, and it’s only taken 40 years.
Steve Bowcut:
Right.
Mark Heckman:
But I mean, in other ways, for example, patch and pray. The idea is that we’ll ship the product, and we’ll let the users find the bugs and then we’ll fix them as they happen, is still the main way that, I think… It’s still the main paradigm that’s used in industry today. And that was identified as a problem in the early ’70s, and we still do it.
Steve Bowcut:
Yep, I agree. All right, so let’s turn our focus towards USD. So, tell us about the different cybersecurity programs, degree programs. What could a student anticipate should they look at USD as their choice of academia for cybersecurity?
Mark Heckman:
Well, the University of San Diego offers two different cybersecurity master’s programs. One is called cybersecurity engineering, and it focuses on all aspects of how you engineer secure systems. And the other one is called cybersecurity operations and leadership, and that has more of a focus on governance, risk, and compliance. The cybersecurity operations and leadership program is online only, but the cybersecurity engineering program has both online and in-person options.
So, if you’re the kind of person who prefers having lectures, then you could choose the in-person option. So, we have students in the San Diego area who are enrolled in that, and we have people from all over the world, really, enrolled in our online program.
And in addition, although we don’t have an undergraduate cybersecurity engineering degree, we do have what’s called a 4 + 1 program. And if a student enrolls in the computer science program at USD and wants to continue in cybersecurity, in their senior year, as an undergraduate, they can begin taking our graduate level programs. And in that way, after they receive their undergraduate degree, it takes them one additional year, and they’ll have their master’s degree in cybersecurity.
Steve Bowcut:
Oh, okay. Well, that’s a good way to do it. So, it’s not just an undergraduate degree with an emphasis in cybersecurity. You’re actually accomplishing the coursework for your master’s degree while you’re working on your undergraduate degree.
Mark Heckman:
Correct. The coursework, the first year, the first semester coursework for the cybersecurity engineering master’s program is then counted as electives toward the undergraduate major. And that’s really, I think, a fantastic program because it means you can get your undergraduate degree in computer science and your master’s degree in cybersecurity engineering in just five years.
Steve Bowcut:
Yeah, excellent. Okay, good. Yeah, that’s fascinating. And I assume that you have some students that follow that track. You probably have other students that have gotten their undergraduate degree elsewhere and then come to the University of San Diego for their master’s degree. It’s a fair assumption.
Mark Heckman:
Absolutely. Our program is aimed at working professionals primarily. So, most of our students are people who have families and jobs, and either they’re trying to advance in their career in cybersecurity or they’re trying to transition into a new career.
Steve Bowcut:
Right. Okay, perfect. And that’s exactly the audience that we cater to, so I’m glad that you pointed that out. And we will of course direct anyone who’s interested to go to your website. I’ve spent some time looking at your website and the degree programs under cybersecurity, and there’s a lot of them. And most of them, as you pointed out, are online and suited well for people who are also working. So, that’s excellent.
So, with that, and maybe that will have some influence on what we talk about next, but I would like to get a sense for extracurricular things. And so, this would probably most apply to in-person students, right? And maybe not, you can correct me there, but are there clubs and events, competitions, those kinds of extracurricular things that cybersecurity students can be involved in? Or computer science students with an interest in cybersecurity?
Mark Heckman:
Well, there are. There’s a student club called the Cyber Spartans, and they hold monthly meetings both in person and online, and they organize various activities. I think there was a Capture the Flag activity, maybe it was a training for a Capture the Flag and things like that. And they have guest speakers every month.
The San Diego chapter of (ISC)², the professional organization, meets monthly on campus. And students are encouraged to attend. We try to encourage our students to attend that either in person or online so that they can make professional connections. The networking is invaluable.
And each semester our program holds what we call a cybersecurity mixer, which is a panel of invited speakers from the San Diego cybersecurity community. And by this I mean CISOs, CTOs. We have FBI agents and other members of the security community. And they’ll talk about how they see the cybersecurity field evolving.
And afterwards there’s food and drink, and students can network with the speakers afterward and talk about job opportunities, including internships.
Steve Bowcut:
Excellent. And that is a big part of a successful education, I think, is to be kind of immersed in the culture of the industry to which you’re wanting to work, and making those connections could be invaluable. And we’ve talked about some things now that I think set your programs apart or your institution apart in cybersecurity, but is there anything else that USD does that you’d like to point out that makes their cybersecurity program unique or special?
Mark Heckman:
Well, there are so many cybersecurity programs now. I’d hesitate to say that anything is unique, but I will say that our cybersecurity engineering program may be somewhat unusual in that it incorporates systems engineering techniques or systems engineering concepts. Cyber systems, as everybody knows, are constructed from many different components, and they have many different… Well, they’re often conflicting objectives, right? The trade-off between security and usability, for example.
Steve Bowcut:
Exactly.
Mark Heckman:
So, that requires you to make a lot of trade-offs, and systems engineering considers how you design and integrate and manage a complex system like a cybersecurity system throughout its entire system lifecycle while you’re trying to balance the different goals.
And in fact, this idea of managing a secure system lifecycle is a foundational concept that runs all the way through our program. For example, the focus of the security test engineering course that I created is about creating what’s called an assurance case, which is a body of evidence that shows that a system satisfies specific security claims. The assurance case is made up of assurance arguments that you create at each stage of a system’s lifecycle so that you can demonstrate that you’re maintaining these properties, these security properties of the system, throughout its entire existence.
Let’s see. Another aspect of our program that’s a little unusual is that our student body has a large number of current military and recently separated military veterans. San Diego is a longtime Navy town, and USD has a special military and veterans program that helps active duty military and veterans enroll and use their educational benefits.
Many of those students come in with active clearances, and they are well-prepared when they graduate to go on to government jobs because they’re in very high demand.
Steve Bowcut:
Excellent. Very good.
Mark Heckman:
That may be 40% of our student body right there.
Steve Bowcut:
Wow. Okay. Interesting. Thank you for that. So, learning the fundamentals, learning how things work is one thing, but learning how the real world cybersecurity world operates is probably another thing. So, is there anything that you could think of that USD does to prepare students for real world cybersecurity challenges?
Mark Heckman:
Well, okay, the cybersecurity field, we were just talking about this, is constantly changing, right? So, any specific tools or technologies that someone might learn in school are going to be out of date in a short time. So, we really try to emphasize fundamental concepts that don’t change, but then as much as possible, we try to put those fundamental concepts into practice using current widely used tools.
And I’ll give you an example. In the intrusion detection and incident handling course, we give lectures about fundamental techniques for intrusion detection, but for the assignments, when students carry out their assignments, they use industry standard tools like Splunk, for example, as a security event manager.
So, our expectation is that even if our students go on to use different tools, there’s no guarantee that they’re going to use Splunk when they go into industry, for example. Whatever they use, they’ll be able to use them. It’ll be easy for them to adapt, to use the new tools because they’ll know the important features, the most fundamental features that are part of all these products that are all similar. So, that’ll help them carry out their work.
Steve Bowcut:
Yeah, I think that would help the learning curve. For an employee or a new employee coming out of college with a shiny new degree and going to work in the industry, that learning curve would be flattened a bit, I think, because they’ve already been exposed to some of the tools that either their prospective employer is using or something similar to it, because a lot of these tools are quite similar in the end. So, all right.
Mark Heckman:
Exactly. This idea, this whole point of teaching these fundamental concepts is, let’s say, animated by my own experience in industry, how I looked and I saw the people who are the real whizzes at cybersecurity, and they’re not the people who are necessarily experts at using a particular tool. They’re the people who really understand cybersecurity at a fundamental level. And then no matter what we throw at them, they’re able to take on that task and shoulder that task and accomplish it even if they’ve never done it before, because they understand what the purpose is and what they’re driving for. It’s the difference between engineering, an engineer and a technician, I would say.
Steve Bowcut:
Exactly. Yeah. And thank you for pointing that out. I think that is so important. Being able to operate the tool well is a good thing. But if you’re not going to be very versatile, if all you really do is operate that tool very well because if you don’t understand the fundamentals, your employer may change tools, and or you may look for another job with an employer that doesn’t use that tool. And if you don’t have the fundamentals, you’d be at a bit of a disadvantage, I think.
Mark Heckman:
Oh, a real disadvantage. And I remember I read some government document saying, “We need more pen testers,” and I thought, “No,” because that was the goal. That was how they were going to solve the problem with unsecured systems. I said, “No, you don’t need more pen testing. You need to train developers in fundamental techniques for developing security into their system.” It’s too late if you’re depending on pen testers.
Steve Bowcut:
Yeah, yeah, that’s true. You don’t want somebody to come find the problems. You want to build the product that doesn’t have problems to begin with.
Mark Heckman:
Well, at least as few as possible.
Steve Bowcut:
As few as possible, exactly. Now, earlier you mentioned research, and I don’t remember the context in which we were talking about that, but I’d like to explore that a little bit. Are there research or internship opportunities for students at San Diego, University of San Diego?
Mark Heckman:
Well, I think I mentioned earlier, our program is a professional master’s program aimed primarily at working professionals. And these are people who are either trying to advance in their careers or to start a new career, but they typically have responsibilities with families and jobs. And also the program is very full in the sense that the coursework is continuous for five semesters. So, working students just don’t have a lot of time for other activities. Also, many of our students already work in the cybersecurity field. They don’t need internships.
Steve Bowcut:
They don’t need an internship, particularly an unpaid internship.
Mark Heckman:
Right.
Steve Bowcut:
They need to continue to work to support their families. Got it.
Mark Heckman:
But for the rest of the people, we actually are working with an industry advisory board. We call it the Industry Advisory Council of Local Cybersecurity Leaders to create a better school-to-job pipeline to help our graduates who are new to the field find their first jobs. That first job is a tough one always. Everyone wants to hire you once you have any experience, but if you have no experience, it’s hard. So, we’re working on improving that school-to-job pipeline.