Dr. Thaier Hayajneh is the founder and director of the Fordham Center for Cybersecurity, University Professor of Computer Science, and director of cybersecurity programs at Fordham University.
Thaier is also a co-chair for the Center for Academic Excellence’s Cybersecurity Education Diversity Initiative. Dr. Hayajneh received his PhD and MS degrees in information sciences with specialization in cybersecurity and networking from the University of Pittsburgh.
He has over two decades of experience in cybersecurity research and education, and his research focuses on cybersecurity and networking, including system’s security, applied cryptography, blockchain and cryptocurrency, and IoT security, privacy, and forensics.
Over the past few years, he received over $10 million in federal funding from NSA, DoD, and NSF to support cybersecurity research, workforce development, advanced curriculum, capacity building, and scholarship for service programs.
He has published over 100 papers in reputable journals and conferences, and his publications were cited over 3,500 times. He also served on several NSF cybersecurity review panels and serves as a CAE reviewer and mentor for NSA. Faculty profile
Listen to the episode
Summary of the episode
- Cybersecurity education diversity initiative (CEDI): As a co-chair, Dr. Hayajneh elaborated on the goals of CEDI, which include improving cybersecurity programs at minority-serving institutions, building new programs where none exist, and enhancing the quality of education to bridge the gap between students from different backgrounds.
- Challenges in cybersecurity diversity: The podcast touched upon the challenges in achieving diversity, equity, and inclusion in cybersecurity. These include finding qualified workforce, lack of infrastructure and resources at minority-serving institutions, and the need for a more inclusive hiring process in the industry.
- Meritocracy and DEI: Dr. Hayajneh addressed the balance between meritocracy and DEI initiatives, emphasizing the importance of providing equal opportunities for diverse groups to participate and excel in cybersecurity.
- Advice for promoting diversity in cybersecurity: He suggested that companies should adopt mindful hiring processes, reach out to diverse educational institutions, and consider holistic admission criteria to promote diversity and inclusion.
- Intersectionality in cybersecurity: The concept of intersectionality was discussed, highlighting the importance of considering the multiple facets of an individual’s identity in understanding their experiences and contributions in cybersecurity.
The following is a full transcript of the interview:
Welcome to the Cybersecurity Guide Podcast, the podcast dedicated to helping students and professionals discover cybersecurity educational and career path opportunities. My name is Steve Bowcut. I’m a writer and editor for Cybersecurity Guide and I’ll host today’s special episode of the show. It’s special today because in April, we celebrate diversity month. And so, the topic for today is diversity, equity, and inclusion in cybersecurity. And we have the perfect guest for this.
Our guest for the show is Dr. Thaier Hayajneh, Founder and Director of the Fordham Center for Cybersecurity, university professor of Computer Science, and Director of Cybersecurity Programs at Fordham University.
Thaier is also a co-chair for the Center of Academic Excellence’s Cybersecurity Education Diversity Initiative, and that’s kind of what makes him an expert on today’s topic. Let me tell you a little bit about him before I welcome him in.
Dr. Thaier Hayajneh received his PhD and MS degrees in Information Sciences with specialization in cybersecurity and networking from the University of Pittsburgh in Pennsylvania. He has over two decades of experience in cybersecurity research and education and his research focuses on cybersecurity and networking, including systems security, applied cryptography, blockchain and cryptocurrency, and IoT security, privacy, and forensics.
Over the past few years, he has received over $10 million in federal funding from NSA, DOD, and NSF to support cybersecurity research, workforce development, advanced curriculum, capacity building, and scholarship for service programs.
He has published over 100 papers in reputable journals and conferences and his publication’s recited over 3,500 times. He also served on several NSF cybersecurity review panels and serves as a CAE reviewer and mentor for NSA. And with that, welcome Dr. Thaier Hayajneh. Thank you for joining me today.
Thank you, Steve. Thank you for the introduction and thank you for giving me this opportunity.
Well, we appreciate your time. This is going to be a fascinating episode and I’ve been looking forward to it for some time. So let’s start with a little bit more about you. I think our audience would like to understand what your path has looked like. So what interested you in cybersecurity? What drew you there? And what is your path to where you’re at now? What does that look like?
Oh boy. How much time we have today?
Yeah. Give us the cliff notes.
Okay. So I mean since I was a kid, I always liked to dig into things and see how they work, open the boards of my toys. And when my dad bought us the first computer, I remember I was at high school. I even used to rip it apart every week or so and put it back together. So obviously, when I decided to go to college, I tried to pick something that has to do with design, computers, math, I love all these three areas.
So I chose electrical and computer engineering, and I was always fascinated with how data is being processed. Back then, that’s in the mid, early nineties, people used to, I mean the science started to digitalize everything, and we started to see everything working as zeros and ones. I used even to walk around my house and tell my sister, “You know that everything around us is just a zero and one and a bunch of zeros, bunch of ones.
And then we take these zeros and process them. They they go into circle. We may squeeze them together, that’s a compression. We may cipher them, hide them and send them.” And I was always wanted to learn more about how do we send these data from one location to the other. And once I finished my undergraduate degree, because typical undergraduate degree in engineering is boring, lots of math and theory, I didn’t have enough of real world experience.
So I pursued a Master degree in engineering and I focused more on the networking aspect, the fiber optics. Fiber optics was new and big back then, wireless this communication and to have a better understanding on how to apply things that I have learned in my undergrad and used them in that Master degree. And in my first job I worked at a research and development center and controversial to all what I learned.
The first thing they asked me, I always learned how to have a clean signal that is transmit from A to B. We clean it up, we prevent the signal from any interference, just making sure it arrives from A to B, making sure higher performance. And the first thing they asked me was like, “How can you jam that signal? How can you hide the signal? How can you conceal that information?”
And I was like, “But why?” They said, “Okay, listen, for good people, honest people, we want that communication to be clear. We like to see the signal and everything transparent and everything, but how about the bad guys? We don’t want them to receive that signal. We want to hide.” And that was my first really exposure to cybersecurity. And I started to learn more about this kind of securing the signal at the physical layer, and hiding information.
And I wanted more, and the first thing I noted is that this is a very complicated field. Back then also everyone used to take one or two weeks off, sometimes a month, a course in web developing and they become a web developer. I couldn’t do the same thing with cybersecurity. And the only way to learn more is to actually go and pursue professional degree. So I decided to study more and I picked a program at the University of Pittsburgh where I did another Master degree and a PhD that fully focused on cybersecurity.
My PhD thesis focused on designing or preventing crypto resilient attacks for mobile wireless networks. It was a project or a grant that’s funded by the Department of Defense. And throughout the end of my PhD, I worked for about six to 10 months in a research center where I also worked and explored techniques to improve wireless communication coexistence and also tried to design security protocols for those teeny-tiny noise source devices. Now, ever since then, I have always been involved in cybersecurity research, academy programs, curriculum design and workforce development.
Excellent. Thank you so much. I appreciate that. So maybe you can help us understand a little bit more about the CAE’s Cybersecurity Education Diversity Initiative. What are the goals and the aims and what does that initiative aim to achieve?
Absolutely. So the CAE originally started by the Centers of Academic Excellence Program office, which under the National Security Agency. Lynne Clark, the chief there, she asked us to form some kind of a group for diversity and to help minority serving institutions back then. And we actually volunteered to do that myself and Dr. Amelia Estwick were the co-chairs of that working group and was totally volunteer.
We put ourself together, we announced that with the CAE community, and we were surprised that 50 or 60 institutions back then just jumped into help and work and it was all for free. So what happened after that is the program office at the Centers of Academy Excellence at NSA put together called for proposals, and it was a $3 million grant with, I mean other groups and institutions were able to apply. We applied and we were selected for that grant.
And the ultimate goal of that grant is to improve cybersecurity programs at minority serving institutions with all the group HBCUs, HSIs, PBIs and all the groups of minority serving institutions. There are about 800, 850 minority serving institution in the nation. And if they don’t have an existing cybersecurity program, our goal is to work with them, help them build a program for them. If they do have a program or they think they have a good program, we’re going to review that for them and give some recommendations, suggestion and ideas to improve that.
With the ultimate goal of all these kind of things is to actually bridge that gap between students coming from minority serving institutions as compared to other privileged students that are coming from well-established institutions and strong cybersecurity programs. Just a quick note, we have seen cybersecurity programs where the students don’t have even a single hands-on lab or exercise. And as we are all aware, cybersecurity is all about hands-on, it’s all about being able to do the job and to get it done.
And without hands-on and extensive lab exercises, it’s impossible to teach students, which of course, immediately once they graduate, they will have more challenges as compared to other students to find jobs. So our goal was really to improve the quality of the programs of those MSIs, help them in order to improve the education that their students are going to receive.
Excellent. All right. So in your opinion then, what are the key challenges facing the cybersecurity industry when it comes to diversity, equity, and inclusion?
Of course. Very good question. So I mean, overall, the main challenge right now for cybersecurity in general in any field, whether it’s in academia, industry, private, public sector, is to find qualified workforce. And in academia in particular, we are really struggling more and more to find qualified faculty for example. In private sector, it is the same thing. In the federal government, the same thing.
And the federal government did so, they came up with new initiatives and programs, just like the Scholarship For Service program, the CYSP, the SFS program, and those kind of programs, they actually sponsor students from their undergraduate degree all the way until they graduate for two to three years. They pay all their tuition, stipend and hire them while they are still students, just with the goal that once they graduate, they have to fulfill their commitment and work with the federal government, the same number of years where they were educated.
And this program has been around since the early 2000, I assume it’s a very well-funded project. The Congress approves that almost every year, and it really helps a lot. Now, how about really students coming from minority serving institutions and these underserved communities? If it’s challenging for the industries and regular industries and regular institutions, it’s even way more challenging for those MSIs.
So and CEDI which is the Cybersecurity Education Diversity Initiative, over just the past two and a half years, we have interacted with over 150, 200 minority serving institutions, and we learn a lot about their challenges that we face. Just to list at you here, compared to other institutions, they have a lack of infrastructure, things that we always assume that are available, a lab that’s equipped with up-to-date computers where students are able to install VMware on them or other tools that they need.
Those institutions, they don’t have even access to that up-to-date labs. Sometimes they have labs that they don’t even operate the latest operating system, latest material. They don’t have access to cloud, to hardware, to software and other material. Their students also lack resources. So even during COVID, everyone assumed that, okay, let’s move the students back home and work remotely, access through Zoom and do this on your laptop.
Those students, many of them don’t even have access to broadband internet or high computational power machines that always require cybersecurity to install VMware and other tools. I mean, when we’re talking to some of those MSIs, they get a special exception for some students just to come on campus, even during the middle of COVID where everyone was shutting down to allow them to continue their education and give them special permission, because they really don’t have any kind of high speed internet, high-powered laptop or any kind of desktop at their home.
And so, we usually just assume these things are available to our students. But with students coming from minority serving institutions and underrepresented community, they don’t have even these basic things. Lack of qualified faculty, if it’s a challenge for us as big institutions, rich institutions, to hire and pay hundreds of thousands plus dollars to a faculty. MSIs cannot do that. They don’t have that kind of resources. And also they don’t provide the same facilities, the same resources to faculty.
So it’s very hard for them to attract qualified faculty into their institutions. Add to all that now with all these black and black and black, those institutions will also be excluded automatically from most of the funding and grants, because by nature, the way we review grants is we look at the intellectual merit, the resources available to students, the faculty, what does the institution has there, what can they offer? And if they can’t offer any of these, then they are automatically excluded from most and or the majority of these institutions.
So these are the main challenges that are facing. We are working towards helping them, we’re working towards doing something. And I will save that for a later question. I’m sure you’re going to ask me how do we address this in a second.
Very good. I appreciate that. So anytime that there’s a discussion about diversity, inclusion and equity and inclusion initiatives, this idea of meritocracy will come up and that’s a valid viewpoint. We all know that people perform best when they’re hired and rewarded according to their merits. And so, that’s a valid viewpoint, but how do you address those kinds of questions when people make that juxtaposition between DEI initiatives and meritocracy?
Very good point. So honestly, Steve, that’s a challenging point and question. And I needed to do some good research before I-
Fully understand the situation. And from my understanding, this is not an issue that’s only inclusive in cybersecurity. And I actually read one of the articles I think from Washington Post or Washington Times where they discussed that case of the recent bank issues that happened and they focused on the Silicon Valley Bank and how companies and small banks, when they prioritized diversity and inclusivity, most of the time unfortunately, comes on the price of the quality of hiring in other fields.
Just they throw in an example in that article that SV Bank, the Silicon Valley had an opening for almost one year that they couldn’t fill to hire, I think a risk management director or chief. And instead they hired a chief diversity officer. I do know how [inaudible 00:16:53] with hiring. And people were saying the main reason that bank fell apart was of their bad risk management.
If they had a good risk management in place where something about the bond was going up or down and they didn’t have some kind of backup or plan or something, if they fixed that, then the disaster could have even maybe become less or not happened at all. And same thing applies with any critical sector. And cybersecurity is no different.
Cybersecurity is a very critical field. And one of the most challenging things that in cyber, and most of my students reach out to me when they graduate is that, “Professor, there’s no entry level job in cyber. Nobody wants to hire us as an… They require years of experience.” And that’s for a good reason of course, because you are hiring someone to protect your assets, your private information, your company could go bankrupt, your company could be exposed to cyber attacks, to the privacy of your customers and other challenges if you hired someone without any experience. So you want to hire people that have the quality to perform the job, but also have that expertise. So it is a challenge. And that doesn’t mean there is no hope to address that.
What you can do is you try to hire entry-level people, and in that case you could consider diversity. Let them shadow other experts in the company, let them climb the ladder until they develop all the needed skills before you actually put them in the right position. So there are some ways to walk around it, but it is challenging.
And if you just have the closed box hiring, and you look at the candidate just based on their qualifications without even having a face-to-face interview, not to know how they look like or what’s their background or anything, you will end up hiring students from high end colleges, privileged students, mostly White, non-diverse students just because of the type of education they were exposed to, the type of experience and hands-on. So again, it’s a challenge to go around it, but it’s not a hopeless case.
Excellent. No, I appreciate that. That’s a good way of explaining it. I think we all understand that meritocracy is a good thing, but it kind of assumes that we all have the same or similar opportunities to participate, right?
And if you don’t even have the opportunities to participate, something has to be done. And everyone I’m sure is all about helping people that are disadvantaged. So let’s get everybody on the same playing field and then meritocracy is a great way to promote people. So I wanted to ask you to give some advice.
What would you say to companies, what would you recommend that they do to ensure that their cybersecurity teams are diverse and inclusive? And maybe you’ve answered that already. I think what I heard you say was, let’s hire some people and give them an opportunity. Let’s get them on the playing field and give them the opportunities that everyone else has, and then let’s see how they perform. Is there more that you want to add to that?
Absolutely. So as you said, I touched on that. So the easy one is to have mindful hiring process in place. That’s very important. Making sure that we are all recruiting in diverse areas, advertising for positions and opportunities across everywhere. Reaching out to people that can connect us to applicants. Don’t just ask your employers if they know someone good to recommend them, because then you are hiring from the same culture that you have and they’re excluding too many.
You also need to spread out the world to different places, connect with HBCUs, HSIs and other minority serving institutions. That’s important, because that brings us to the pipeline. So definitely the pipeline to hiring comes from academic institutions and connecting with those minority institutions is going to definitely help recruiters recruit qualified candidates into those companies. For academic institutions also, they should also try their best to be more inclusive.
So they need to put more holistic admissions criteria in place. That’s very important. They should look at applicants as a whole and not only filter them based on their academic achievements, because if we just do that and we just look at how much their sector scores, how much they scored in general GREs and so on, then we will deny all those applicants that are coming from diverse backgrounds, Hispanic applicants, Black applicants, most likely these applicants do not have access to the same educational support throughout their career.
They didn’t really get exposed to the same opportunities and support system that others have. So unlike non-Black or non-Hispanic. So establishing really a holistic admission, which means considering the person, their lived experiences, their diverse experiences. And what they are really doing here is that to invite those diverse cultures with their diverse backgrounds into that university or that admission. And you have to give them a seat at the table to see what kind of living experiences they can bring to that table.
So hopefully with these things and fixing the admission part in academia and then the pipeline into industry, and industry, also reaching out to diverse groups, into institutions, and also to diverse institutions themselves like the MSI, and then changing their hiring criteria as well that hopefully may help institutions to be more inclusive and not exclude specific groups from our community.
Excellent. And I like what you said, let’s give them a seat at the table. So we have to somehow identify them and because I wanted to explore this idea of intersectionality a little bit. And as I understand the term, so we’ve got diverse groups of people, and some people fall into more than one of those groups.
And so, is that something that you have to consider or that institutions should consider when promoting diversity? And how would they do that? How would you determine if someone is, and what would you do about it if they were in more than one group?
Absolutely. So thank you for explaining intersectionality, the way you look at it. And really, I mean, the idea is that as a human, we are not just one characteristic and we are different interconnected or we are different layers of diversity. So there’s a mix of gender, ethnicity, race, your lived experience, your sexual orientation, your gender identity, all of these mixed together and their interactions of how that really affects your daily life and how that really affects how people see you.
For example, Black students who are taking, let’s say cybersecurity courses, their experiences in navigating the program is different than someone who is White student taking the same program. And then if you add other factors like let’s say Black student who identifies as queer or have a disability, then the interactions also may complicate or facilitate their living experiences in that program.
So intersectionality really matters, and it may complicate things for people. It may make achieving goals in their life a little bit harder. So if we do not consider intersectionality and let’s say I’m admitting a student or hiring people without looking at their intersectionality, then we’ll be missing out also in these lived experiences.
And what contributions again, can they bring into the table? To summarize, intersectionality is really important to be considered and we need to talk more about it in cybersecurity in particular in cybersecurity. And as I mentioned earlier, the expectation on the bar is set very high. People wants to hire the best, the experts, they try even to steal experts from one company to the other, from one institution or the other. So that makes it even more challenging.
Yeah. Okay. Very good. Thank you. I wanted to ask you to kind of walk us through how this initiative seeks to engage educational institutions and promote DEI within their cybersecurity programs. And I think you may have addressed this at the beginning, but is there anything else you wanted to add to that idea?
Of course. So as I mentioned earlier with CEDI, the first thing we try to do to help minority serving institutions build either new or improve their existing cybersecurity programs is to understand their needs and something we try to do and the shortages and the lack of things I mentioned, faculty, resources and infrastructure at their institutions. So something we try to do at CEDI is really to work one-on-one with these institutions. We try to avoid the approach of one-size-fits-all.
Something those MSIs like to see happening is to give them, to understand their need and to tailor something that’s really suitable for them. Just throw in an example here. Some institutions want to do, for example, I don’t know, an advanced homomorphic encryption for cloud security. And then they invite a bunch of minority serving institutions into that workshop just to justify in their grant, “Oh, we’ll work with minority serving institutions and help them, by doing the workshop.”
Did you check their background? Did you notice that the students, they didn’t even learn cryptography first before teaching them advanced homomorphic encryption that’s not suited for their background or their students? So in CEDI, we developed what we call the CEDI services by working with the institutions at the CAE. There are about Centers of Academy Excellence and now there are about 400 across our nation.
So what we do is we hire experts, experts from Centers of Academic Excellence Institution geographically located near one of, let’s say I have an HBCU in Alabama, I want to work with them, I want to help them, and they need some kind of faculty development or student development. So I’m going to hire an expert, preferably from the same state. We find, let’s say University of Alabama at Huntsville, they have a CA center. We connect with their director, they recommend someone from their institutions.
We hire that someone, we cover all the costs of that someone to pay him for their consultation services, travel, going to that HBCU or MSI and help them on their campus. So we develop a group of services, faculty development to improve the qualifications of the faculty at the MSIs, student development to improve also the qualifications of their students by engaging with them in cybersecurity boot-camps, capture the flags and other kind of hands-on activities that will boost their hands-on experience so their students will have a better chance to get good cybersecurity jobs in the future.
Curriculum development and program development, we hire a mentor or advisor for them. We cover all the costs to improve their programs. And unfortunately, as I mentioned earlier, some of these institutions, they think they have a good cybersecurity program in place and when you dig deeper into that program, it lacks the basic things that other students will learn at other institutions and hands-on labs and those exercises that are necessary and knowledge that’s necessary for students.
We also, in some cases help students, our MSI institutions do some kind of articulation agreements with other bigger institutions. So there is a pipeline of two-year small college to a four-year college or a student from a four-year college into an Master program into a bigger institution. So the students will have boost their career by another degree into their resume. So these are the things we try to work with them with the institutions.
And recently, when we adapt and improve our service, we noticed that when we recommend, for example, enhancement on their program, adding more hands-on labs, as I suggested, we don’t have the infrastructure to support that. So we started also to support establishing new labs and basic infrastructure. And we’re not looking at crazy cyber brain with a million dollar support. We’re looking at 20, $40,000 and this really helps a lot.
It could buy a rack of small servers connected with some Raspberry Pis, cloud access to bring on some lab activities and hands-on experience to their programs and their students. So this is how CEDI’s is doing it. Again, we are not alone in this. We rely heavily or fully actually on the institutions in the Centers of Academic Excellence by hiring them to support and help MSIs.
We’re kind of matching them. We meet with the MSI, understand their needs and how to improve their programs, and then we hire an expert to work with them one-on-one and improve their program or give them a workshop or build an app for them and so on.
Excellent, excellent. Thank you for that. That’s a very impressive list of things that you’re already doing to work with these institutions and to put all of these Centers of Excellence together, helping minority institutions. That’s marvelous. I’d like to end on kind of a what is yet to be done question.
So as our last questions, what steps do you think need to be taken in the future to increase diversity, equity, and inclusion within cybersecurity?
Very good point. So the first step I want to advise students coming from a diverse group or underrepresented group to be brave, to be brave and not to be intimidated by cybersecurity and how complicated. It is complicated, I have to admit. But also the field of cyber has changed over the past few years.
We used to think of cyber as a discipline under computer science, and it’s all about cryptography, complicated algorithms and math and operating system and heavy programming. But things change over the past, I would say five to seven years, cybersecurity became a discipline by itself. And under cybersecurity you could find business management, policy intelligence, and of course, computer science and engineering as part of that holistic approach of cybersecurity.
So there is a room now in cybersecurity for everyone regardless of their education background. And as for next steps, I think the first thing is, I mean, to invite people into a field, they have to feel that they belong to that field. That’s a very important thing.
And the way you make them feel that they belong is by representing their social groups in the field. For example, if a Black student, let’s say, sees that there are other prominent Black cybersecurity figures in the field, then they will feel that they can also have place in cybersecurity.
So representation is so powerful, it’s so important. So hiring people in the field that represent groups like Indigenous group Hispanic people, Black, people of disability, and LGBTQ team members, faith-based diversity, if we can include all these and then they would become the stockholders of the field.
And with that comes also representation. So you will feel that you belong when you see representation. So people will feel that they belong and they are represented in that. That’s the first part. As a second part, also, people like a place where they feel safe and not judged, that’s an important thing by their lived experience, by whatever they feel or wherever they go, whatever they experience.
And so again, giving safe spaces for people to be there to express their ideas, their thoughts about all things in cybersecurity, that will definitely help. And also creating some kind of advising groups being inclusive in our advisory board, that’s also going to help, because when you being inclusive in your advisory board, you are going to include people from diverse groups and ethnicities, and they will have better understanding in supporting the hiring process or the expansion and inclusivity of other groups. So also, it’s not enough to get people in.
And once you get these people in, you should also have in place in companies or universities, some kind of program, sustain and maintain those candidates that you have and making sure they have enough support to succeed. So you don’t want to hire Hispanic or African American student and immediately put them in work and after a month or so, see I have all these tasks for you, and you couldn’t complete half of them or one third of them. Of course, they couldn’t because they need some kind of support training, maybe more education or a certificate to help them.
They were not exposed to the same technologies and education and high level of training that other students have. So I would say we should give them more support, more time, be patient with them, and then allow them to climb that ladder from being a beginner in cybersecurity all the way to become a figure. So others will see them and then they will think about them as their role model and they’ll feel the belonging, which we started with.
Excellent. Thank you so much. I really appreciate this conversation. I think this is an important conversation to have, and I thank you for taking some time today to be with us. I just can’t tell you how much I appreciate that. And I want to thank our listeners as well. We appreciate you listening and tuning in today. Please find us online at cybersecurityguide.org and join us next time for another episode of the Cybersecurity Guide Podcast.