CyberWire Daily

Encore: Sal Aurigemma: How things work. [Education] [Career Notes]

Associate Professor of Computer Information Systems at the University of Tulsa Sal Aurigemma shares how his interest in how things worked shaped his career path in nuclear power and computers. Being introduced to computers in high school and learning about the Chernobyl event led Sal to study nuclear engineering, followed by time in the Navy as a submarine officer. On the submarine, Sal had to understand how systems worked from soup to nuts, and that led him back to IT. As a computer engineer, Sal spent a lot of time on network troubleshooting and was eventually introduced to cybersecurity. Following 9/11, cybersecurity took on greater importance. Sal's research focuses on behavioral cybersecurity. To newcomers, he suggests heading into things with an open mind and doesn't recommend giving users 24-character passwords that have two upper, two lower, and two special characters that cannot be written down. We thank Sal for sharing his story with us.

Duration: 7m
Broadcast on: 23 Jun 2024
Audio Format: mp3

[Music] You're listening to the CyberWire Network, powered by N2K.

The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now, employees, apps, and networks are everywhere. This means poor visibility, security gaps, and added risk. That's why Cloudflare created the first-ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.

My name is Sal Aurigemma. I'm an Associate Professor of Computer Information Systems at the University of Tulsa.

I've always been interested in how things work, even when I was in high school. Computers came around, and I think I was a sophomore or a junior in high school when my high school got the first computer lab and they were teaching us BASIC, and I think the first thing I did was write one of those adventure-type text-based programs where you choose A or B if you want to run away, if you want to fight the dragon and die. That kind of thing. It was fun for the game, but then trying to figure out how the computer worked and how it did stuff has always interested me. When I went to college, I ended up getting a nuclear engineering degree, and it was one of those things kind of like with cybersecurity. I never planned on liking nuclear engineering or cybersecurity, but something piqued my interest, and Chernobyl actually piqued my interest before I went into college. I read about it and I was like, wow, I'd like to know more about how nuclear power works, and the next thing, I was silly enough to go get a degree in it.

Then once I got my degree in nuclear engineering from the University of Florida, I ended up going into the Navy as a submarine officer, and my job was to fight the ship. You are collecting information, being able to, if required, attack the enemy if there is one. But a lot of it is just understanding how systems work from soup to nuts.
I mean, when you qualify on a submarine today or even back in the old days, you have to be able to draw every system and every valve and understand what every component does, so that if the component fails, what is the impact on anything else in the ship? That's always interested me, and that's what kind of led me to go back to my interest in IT when I decided to get out of the Navy: the world is evolving. Everything is transitioning to information and data and, wow, it seems more and more complicated every day. I think I should learn more about how that works.

What I think of a computer engineer nowadays in college is very different than what I was doing. I think of a computer engineer as someone nowadays who designs components of the next generation's computers. What I was doing was everything from project management to Unix and Windows system administration, a lot of training, a lot of system implementation, and probably 50% of my time is on network troubleshooting because, wow, did we have lots of network problems. And that was actually probably still to this day my favorite thing, which is why one of the classes I teach is networks and troubleshooting, and it's just a lot of fun trying to figure out why the packet didn't get from point A to point B.

That's kind of what led me in my professional career to stick with IT, and then, over time, I found myself, I guess, fighting with cybersecurity more and more, because the government was slowly getting more interested and caring about security, because we've all heard about the big cybersecurity exercises in the late '90s that showed how you could take down the power grid or you could take down the communication system. The government doesn't always move so quick and the Department of Defense sometimes is even slower, but there came a point in my career, after 9/11, where we had all these operational requirements and cybersecurity requirements coming in from two different parties.
The people that needed to get things done and the people that were tasked, it was their job to keep systems secure. I see, even to this day, there is still a gap between the security purists and those folks that are just trying to do their jobs and get their tests done, and that's kind of really where I focus my research on behavioral cybersecurity, is trying to get people to be more secure, but also understanding why they don't do the things they know they should be doing, and there's probably a pretty good reason as opposed to just stupid users.

There are different perspectives on just about everything in cybersecurity, so there's that challenge of privacy versus security. They go hand-in-hand, but at times they conflict, and be open-minded to the fact that what you know about cybersecurity fits your biases and your experiences, and don't assume that everyone else knows as much as you or that you don't know as much as other people. So it's a very nebulous statement. I guess what I would say is I wish I was more open-minded earlier on about the technical and procedural challenges with cybersecurity, because I made so many mistakes by just reading the rule and saying that's the way it has to be, and then coming to find out that people can't accomplish their mission if I give them a 24-character password that has two upper, two lower, two special characters and they have to have it for 17 different systems and they can't use a password manager and they can't write it down.

So going forward, I think my main goal when I teach my students, and also with my research, is to try to find ways to elevate security while not necessarily throwing away the tasks and increasing the level of effort so much that it's just not worth doing.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at M-WISE, the unique conference built by practitioners for practitioners.
Brought to you by Mandiant, now part of Google Cloud, M-WISE features one-to-one access with industry experts and fresh insights into the topics that matter most right now to frontline practitioners. Register early and save at M-WISE.io/Cyberwire. That's M-WISE.io/Cyberwire. [Music]