Mid-Career Students Earn Degrees in Cyber Security

BY DAVID HECHLER - CyberInsecurity News. Michael Fitzpatrick had never been a tech guy. In college he majored in finance. He had a couple of ideas about next steps. One was law school. Maybe something in corporate law, which could give him options with financial security. The other was a job in law enforcement. He had five relatives who had worked for the New York City Police Department. The bond ran deep.

He ended up with a law degree and a job with the police. He’s an agency attorney and advises the Intelligence Bureau. He also became the legal representative on the technology working group, where cybersecurity and privacy are increasingly important. And that’s how he found that, even if he wasn’t a tech guy, this was something he needed to know.

As he began to learn, “I started thinking that this stuff is really cool,” he said. Fitzpatrick found himself regretting that he hadn’t delved into technology in school. “If I had a time machine, I would go back and learn more,” he thought, wondering if the opportunity might come around again.

In 2017, it did. He got an email from New York University announcing a new academic program. He’d been searching for one for months, but those he’d found were full-time and would have required him to quit his job. This one was different. It was designed for midcareer executives with demanding jobs. And it wasn’t just a certification. It was a Master of Science in Cybersecurity Risk and Strategy, and it was designed to be completed in 12 months. While students continued working.

As he read about the program, he saw that it wasn’t just for lawyers. In fact, it was a joint effort by NYU’s School of Law and the Tandon School of Engineering. The courses would focus on tech, law and policy. They would be taught by professors from both schools. The students would come from a variety of backgrounds, but before classes started, they all had to complete an online “bridge” curriculum to ensure that they shared a grounding in the subject.

This seemed to be what Fitzpatrick had been looking for. But there were two big questions. What would the police department say? And what about the $85,500 price tag? The first proved no problem. His supervisors could not have been more supportive, he said. He had actually worked for the department twice as a student intern. School had been full-time and work part-time. Now it would be reversed. Nearly all the work would be done online and could be accomplished during evenings and weekends. There were also three weeklong “residencies” during which students had classes on campus.

As for the money, it was possible that he could secure funding from the police department, but it would be a long process. He would not be able to join the inaugural class in May 2018. So he took a deep breath and decided that he’d pay for the program himself. He hoped that it would be worth the cost.

A Program to ‘Mirror the Real World’

Randal Milch and Nasir Memon are co-directors of the program. Milch, who retired as general counsel of Verizon in 2015, is co-chair of the NYU Center for Cybersecurity and teaches at the law school. Memon is a professor in the Department of Computer Science and Engineering at Tandon and also directs the school’s Information Systems and Internet Security Laboratory. The dual leadership of the new master’s program is key; an interdisciplinary approach has been integral from the start.

The idea didn’t originate with them, Milch explained. Tandon’s then-dean Katepalli Sreenivasan and law school dean Trevor Morrison were the individuals who developed the idea and pushed to make it a master’s-level program. “They were the ones who had the vision and did the heavy lifting,” said Milch. But the proof of concept, Milch allowed, was a course in cybersecurity that he was asked to teach at the law school in 2015.

He agreed, but he insisted on an interdisciplinary approach. “I wanted it to mirror the real world,” Milch said. “And in the real world, cybersecurity issues are tackled by teams, and the teams have lawyers and technologists on them.” Both professions have a lot of “internal-speak,” he noted. “And both are characterized by an assumption that people in the other specialty don’t know anything about your specialty.”

He’d witnessed the phenomenon, and the harm it did, at Verizon, where the CEO had asked him to “fix it.” He’d brought in the business heads and tech leaders to begin the process of learning to work together. At NYU, he and Memon were partners with that same goal. They wanted to establish a way to help the lawyers and technologists become “conversant in the other subject—and get a level of literacy and fluency in the other area.” The seminar that the two first taught in 2015 produced the approach, and a lot of the material, that anchors the master’s program today.

A Different Kind of Teaching

Ed Amoroso has been teaching computer security courses since 1989. But the course he taught in the master’s program last year was different. “I enjoyed it as much as I’ve enjoyed any class in 31 years,” he said. The reason was the students. “They were challenging me,” he said. “I found it pretty refreshing.”

Amoroso is now the CEO of the global cybersecurity company TAG Cyber. Before that, he worked for more than 30 years at AT&T, the last dozen as its chief security officer. Most of the teaching he’s done has been at the Stevens Institute of Technology, where students rarely press him to defend what he says. He understands. They’re too busy taking notes, and they’re focused on getting jobs. But at NYU, he was teaching a different group.

“You get a bunch of practitioners—they are people who are used to letting you have it if they disagree with you.” Especially lawyers, he added. They question things. Like the need for firewalls, for example. Other students simply accept firewalls without giving them a second thought, Amoroso said. But these students asked why they were still necessary. And with the advent of the cloud, he said, it’s a really good question.

The computer science students need to understand that it’s not just about tech. They tend to think of the policy stuff as “nonsense,” he said. And the lawyers need to understand the basics. It’s not OK to say, “I’m not technical,” any more than it’s OK for an employee at a financial institution to say, “I’m not financial,” Amoroso said.

“You can’t be a Luddite,” he continued. “You don’t have to be a crazy geek, but we’re not selling coconuts here. You can’t ignore the fact that this is a technical discipline.”

Amoroso’s colleague from the other side, Judith Germano, was also energized by this new approach. “I love teaching a combination class of students with technical and legal and business expertise,” said Germano, who was formerly chief of economic crimes at the U.S. Attorney’s Office for the District of New Jersey and now runs GermanoLaw LLC, which advises public and privately held companies on cybersecurity and privacy.

Teaching a mixed group, she noted, is “much more akin to the way it works when we’re with clients.” You always need to get all the stakeholders together, she said, and let them hear the perspectives of their colleagues—and then find common ground. So this class “is an ideal way to address the subject matter.”

The unique design isn’t all that the students get. During the residencies, teachers enrich the program by bringing in a wide array of guest speakers, Germano said. She invites prosecutors, FBI and Secret Service agents, and chief information security officers to talk about their work. The students seem eager to embrace these opportunities.

“I think we are helping to build and enhance a generation of cybersecurity experts who have an appreciation for the legal and technical issues,” Germano said, summing up what the program offers. “We also work to recruit a diverse class of students—men and women, from government and industry, of different backgrounds—which helps to increase the diversity of the pool of cybersecurity practitioners.” That, in turn, “brings a broader perspective to one of the biggest problems facing our nation and the world.”

What the Students Say

From the first class, 29 students—including four lawyers—graduated in May 2019. The second class, which began their studies the same month, jumped to 35 students, seven of them lawyers. They enrolled for different reasons, but they all wanted to improve their skills in a challenging and fast-changing field. And they wanted to do so without interrupting their careers. The ability to achieve this by studying part-time over 12 months, while securing a master’s degree from a prestigious institution, was a big draw.

That certainly applied to Francesca Lulgjuraj, who enrolled in the first class. An assistant general counsel and compliance director at Starr Companies, Lulgjuraj had a J.D. and a privacy certification, and she’d been at the insurance, travel assistance and investment company for more than five years. But she felt that there was something missing. “I was butting up quite frequently with information security,” she said, “and I wanted to be sure that I was up to speed with the different concepts.”

She was comfortable with the legal issues, but the technical aspects were another matter. “I could understand them conceptually,” she said, “but the mental hurdle that I needed to get over was a fear of the unknown.” When she heard about NYU’s new program, “it immediately sparked an interest.” And she decided that she wanted to pursue it, even though her daughter was less than a year old at the time.

Her supervisors at work were immediately enthusiastic. So enthusiastic, in fact, that they agreed to cover the tuition. “They viewed it as an opportunity to better educate me, and a benefit to our program,” Lulgjuraj explained.

She expected that she would emerge with a stronger foundation in the technical concepts underpinning information security. “I didn’t expect that I would be writing code,” she said. But she actually did write code. “I’ve now got a stronger relationship with my chief information security officer,” she said. When he mentions programs, she knows what he’s talking about: “I’m better educated, and I can make suggestions.” Their relationship is “more robust,” she added.

Melanie Gersten is neither a lawyer nor a technologist. She’s a director at Mastercard. But her job involves investigations of merchant data breaches and compromised account data, and in 2017 she was designated to represent Mastercard when the National Cyber-Forensics & Training Alliance (NCFTA), based in Pittsburgh, opened a New York City office. The NCFTA brings together companies and government agencies to collaborate on cybersecurity, and with her background in compliance, Gersten fit in. She began regular visits to the new office shortly after it opened, in 2017. But over time she felt that she could benefit from additional training.

She was particularly impressed by NYU’s dual approach. “Having that holistic understanding of the cyber landscape was unique,” she noted. Mastercard saw clear benefits for her and the company, and its tuition reimbursement program helped make it possible.

The payoffs have been clear and welcome. She expanded her understanding of the subjects she cared about, and also learned a lot about “topics that weren’t on my radar, like privacy law,” which she was surprised to find “fascinated me.” Her colleagues at work were “supportive and impressed.” They saw how much extra work she’d taken on, and now they see her as a “subject matter expert in the field,” she said.

One of the biggest benefits was the networking, she added. She was inspired by her professors and her peers alike. They supported one another during their year together, and they’ve stayed in touch since the program ended. One particular source of inspiration, she noted, was Francesca Lulgjuraj, who not only had a young daughter at home, but was pregnant through most of her studies and gave birth to her son four months before graduation. And then brought them both up with her when she collected her diploma. “Francesca was an inspiration for all of us,” Gersten said. “If she can do it, we all can do it.”

Year Two

No sooner had the first group finished than the second began. Andrea Azzolina, part of the second wave, sees the program as a potential “differentiator” for her. Currently the director of technology and integration at JetBlue, where she’s worked for eight years, she hopes that the training will help prepare her for a job as a chief information officer or possibly a CISO. And the cost? She took out loans: “I see it as an investment,” she said.

So far, the instruction has more than met her expectations. But there’s been one big surprise she hadn’t anticipated: her classmates. Some of them have earned certifications she thinks she may need. Others hold jobs she’s been thinking about applying for: “Which has been great for me, because I’ve had the chance to learn from them.”

It’s been “a delightful surprise,” she continued, “to see how experienced and knowledgeable everybody in the program is.”

Program director Randy Milch recently remarked on the very same thing—and he confessed that he’d also been taken by surprise. Going in, he hadn’t anticipated how the students themselves would alter the education they received. These were not 25-year-olds.

The average age of the group was about 40. They had nearly 20 years of work experience. A quarter had served in the military, and more than half had earned advanced degrees. This wasn’t like a typical law school class.

Milch has taught some of the master’s classes himself, and he’d never taught students like these. “The level of discussion—these people have practical experience in all sorts of different areas,” he said. “I had to change it to bring out that experience in class.”

He realized that the best way to teach the need for trade-offs among the different teams when they’re struggling to improve their company’s cybersecurity was to ask the students to talk from their own knowledge and experience. “That is the great thing,” he said. “It’s almost think-tanky.”

A Work in Progress

As for Michael Fitzpatrick, who paid his own way and hoped that he’d find that it was worth the cost, he sounded like a satisfied customer after it was done. He’d hoped that the experience would “give me a foundation that I can rely on and build on throughout the rest of my career,” he said. And he feels that it has.

It’s given him “credibility when you’re discussing these issues with folks who have a technical background,” he said. Now “they assume a subject matter familiarity.” He no longer needs to ask basic questions. That doesn’t mean that he’s done learning. “I still ask questions,” he said. “And you have to.”

He also holds his classmates from the program in high regard. And, like every student interviewed, he said that they stay in close touch. NYU has tried to make that easy. It’s made a point of inviting them back. They’ve been reeled in for events, and to meet the current crop of students. More such activities are already on the books. This seems to be in keeping with the mantra of collaboration.

But the program is still new, and no one suggested that it can’t be improved. In fact, several students mentioned that the leaders sought feedback regularly during the first year, and made adjustments in response to the students’ complaints. Asked if there’s anything he’d change in the program, Fitzpatrick thought for a moment before he answered.

The collaboration between the two schools is not as smooth as it could be. The curriculum could be better coordinated, he said. He believes that the school is aware of this challenge and is trying to synthesize and integrate the two. But that’s something that will require more work, he said.

Overall, it sounds like an A. With room for improvement.

Comments? Questions?