Dr. Scott Miserendino leads BluVector’s engineering and research team as the company’s VP of Research and Development. BluVector is a network-based, advance threat and intrusion detection platform. He is responsible for building a cyber security solution that enhances the cyber analyst’s ability to identify, reason over and act on both known and previously unknown threats.
CyberMedia recently sat down to speak with Scott about his career path, advice he has for those interested in cybersecurity, and some of his tips for how to approach new topics and roles.
Note: This interview has been edited for length and format.
Tell us a little bit about your background and how you got started in the field?
At age 15, I got involved in a summer internship program. It was like an early STEM internship program geared toward high school students involved in science, technology, engineering, and mathematics as a career path. I ended up in this program for two summers back-to-back. I was placed at the U.S. Naval Research Lab (NRL) in their plasma physics division. That’s the first time I met an electrical engineer.
You were just a 15-year-old in high school?
Yes! My parents had to drive me there. Luckily my father was working at the time at the Navy Yard. He would drop me off and have to pick me up at the end of the day. This project was at an annex facility on Andrews Air Force Base that was in the basement in a most interesting place. It was straight out of a 1950s U.S. government lab like you would see in a movie for nuclear weapons research. If you were in high school, you had never seen anything like it.
On my first day, I blew something up. It was an AC to DC converter. I put together this circuit and I didn’t know the difference in AC and DC power and basically wired it backward. It exploded. Sounded like a shotgun going off, because it’s encased in a plastic casing that holds all the parts. And all these scientists come running out. So, that was my first day in the lab, scaring everybody at the Naval Research Lab. And that’s where I started in science.
Where did you go to college?
I did my undergraduate work at Johns Hopkins. I knew going in I was interested in electrical engineering, so that was my major on the first day. I graduated in about three and a half years, ultimately double majoring in electrical engineering and applied mathematics, which today is more akin to a data science curriculum.
When you talk about why you choose or don’t choose to go into engineering as a discipline, exposure at an early age just doesn’t happen for engineers. Often the first time anyone is exposed to an engineering course is their first, sometimes second year in college. Which is awfully late compared to when people first see science. My son is in first grade and he has a science curriculum. But he won’t see engineering until after high school. If it wasn’t for this program, I would never have seen engineering, much less electrical engineering, at that time.
I ended up working at the Naval Research Lab every summer from when I was a junior in high school until I graduated from undergraduate school. For the most part, all my research experience was at NRL.
How about graduate school?
I wasn’t totally sold on going to graduate school. My mentors from my internship at NRL were all PhDs. But my parents were not academics. My father was in the Navy, enlisted when he was 18. My mom was a bus driver throughout my childhood. They were not academics or engineers, so this was very different for them.
I was in a double major and trying to decide between grad school and work, so I decided to do both. I applied to grad school and I went and got a job. Since I graduated undergrad six months early, I started at a company called SRC and I worked on a classified project. It was my first introduction to the classified world. It was electrical engineering, particularly communications. At that point it was 2002, right after 9/11, and the project was somewhat in response to that. It was really intoxicating to see that national level of work with the client.
How did these job opportunities manifest themselves? Was it through a colleague, a teacher? Was it something you applied for?
I was in a fraternity as an undergraduate and one of my fraternity brothers, who was also an electrical engineering major, was the lead engineer on one of these projects at SRC. He knew I was graduating early and said why don’t you come and interview, we have some openings. Every job change I’ve had has been driven by some relationship. I never really went to job boards and applied. But I usually always knew somebody or was recruited.
After that job, I got accepted to graduate school at Caltech. Most graduate students don’t declare their focus in their first year, but I knew I wanted to work in micro electromechanical systems, or MEMS, which is mostly fabrication.
Why that field?
In the early 2000s there was a whole tech boom going on, but I never really learned code. I was interested in something very hands on and it was ultimately the thing I loved about working there. A lot of electrical engineering (EE) is quite mathematical. But MEMS is a cross between cooking, photography, and applied chemistry. It has the feel of hobby work. That ended up being my PhD work, multi-chip systems for microfluidics.
Were you always a tinkerer? As a kid, did you like building things?
I liked Legos and taking stuff apart. I always liked doing that. I’ve since drifted into much more of the computer science and software development side, so it’s more tinkering in a different sense. I still like the mechanical devices more than the software, but the software world pays better.
What came after graduate school?
Northrop Grumman was recruiting at Caltech. They had an experimental program called the Future Technical Leaders program. It was a three-year rotational offering within Northrop. I had known of Northrop since my dad was in the military, so I was always interested in defense work.
I didn’t know anyone in this program, but I went to the briefing with the recruiter. He was a Caltech alumnus and he flagged me as having a good technical background in engineering. But you also had to have demonstrated leadership skills and I was our graduate student body president for a year. I ended up accepting that right after graduate school and the first rotation was back in the Washington D.C. area doing missile-defense. I wrote a missile interceptor simulator, and it got pretty good reviews so the people at Northrop got to know me. After that, I did another year rotation doing micro machining. And then the third rotation was synthetic aperture radar image processing. One of the people I knew from my first rotation was working supporting the NSA in Fort Meade. So, I got my clearances reinstated and I went to work with my friend on that program, in support of the NSA, on what they would term digital network intelligence. That was my first introduction to cybersecurity.
I spent three years there in a couple of different roles. For a year, I ran a communications team. It had no technical need at all, they were just looking for a manager and wanted someone who could take the technical speak and translate it into presentations for the director. What I learned there was amazing, how influential it was to understand how to communicate these engineering concepts and make them consumable.
“You wanted to be involved in something that mattered, and that mattered nationally.”
Throughout this, you were moving between dramatically different projects and roles. Did you have a process for how you would enter and prepare for each of these roles?
While I feel like I have a natural capability to teach myself new material, my trick was to go to university websites, query the course curriculum, and look for the entry level graduate student course. Then I’d go buy one or two of the textbooks for that course. Usually you only have to read the first five chapters to get the basic knowledge of the field, the vocabulary, and the two or three major equations used in the field.
How did you come to your role at BluVector?
While I was at the NSA, they got several of the Northrup leadership program alumni together. Several of them were on this big program at Northrup and I became a principle investigator (PI) for an internal research and development program there related to cybersecurity. I also knew all the other PIs on various projects and at one point they ran into issues with a machine learning issue and asked for me to join the product team. To prepare for this, I read up on the basics of machine learning, and found that the team was doing some very backwards and overcomplicated things. I changed it, went back to the basics, and it solved the problem.
A year later, the two projects merged into BluVector. We spent two years as a startup which was my first experience in the startup world. At that point, I was the chief data scientist and I ran our analytics group and then I moved into heading up engineering and technology. Today I run our day-to-day engineering operations in research.
Did you have any sort of expectations about what cybersecurity, what it was going to be like at the NSA?
I didn’t have any specific expectations of what it was going to be like. I’d been in the world of cyber for several years before BluVector. But the NSA is impressive. The building is iconic with black windows and it just looks dark and menacing. As you walk in, you’re walking down this long hallway and you get to this wall, which is classified. On the wall are the names of the operators who have died while on mission, and it definitely hits you. You definitely get a sense of where you are, but it’s also cool and exciting.
What ultimately drew you to the world of cybersecurity?
I got started in 2009, and there was still a lot of involvement in the war on terror. It was definitely a very motivating factor. When I was on the communications team at the NSA, my cubicle was right outside the office of one of the technology chiefs. I always knew when his program was successful if we would watch the news and a terrorist was dead the next day. You would see that and know the program is doing the right thing for the nation. At the time it was an important driving factor. You wanted to be involved in something that mattered nationally.
This discipline of engineering is dissimilar from most others in that you’re not just trying to manipulate forces of nature to some greater good. Instead, you’re really fighting another human. There’s a human adversary at the end of this and it’s much more of a chess game. It is an incredibly nuanced game where it works because somebody made a mistake somewhere, and they found it, and they’re going to drive a truck through it. Vulnerability is almost always some developer’s mistake.
But I was interested in tool development at the time. How do you automate it? How do you do it at scale? I was more interested in how you build this capability with global reach and global speed.
“That offensive side is continually driving you to do things better. There’s no winning. You just survive to fight again. And you can fend them off for a little bit, but they’ll come back.”
What keeps you in this industry?
Oh, it’s still the mission. It’s still very cool. It is always moving, and it never gets stale. You don’t see that kind of innovation in other areas of engineering. For the most part, people are just repeating the same work others have done. In cyber, that is never true. Every year, it is something new and someone is coming up with some new thing that makes your life hard or easy.
It’s got a great dynamic between offense and defense, which are fundamentally two sides of the same coin. The difference is the defender has to be successful one hundred percent of the time. The offense only has to be right once. That offensive side is continually driving you to do things better. There’s no winning. You just survive to fight again. And you can fend them off for a little bit, but they’ll come back.
The amount of money that has come out of these cyber crimes is now orders of magnitude higher than before. In nation states, it’s a lot cheaper to do a cyber capability than it is to build a missile or aircraft carrier. And you could use it all the time! They are ramping up, and there are really well-funded, highly educated people driving the other side of that equation. So, this field just does not get stale. It is constantly evolving.
What advice would you give to anyone who is thinking of going into cyber security?
The value of internships is huge. I got such value out of being an intern, getting early exposure into the STEM fields. It wasn’t necessarily cyber, but it was still technical, and it’s something the school system does poorly for so many kids.
For anyone in the position to hire an intern, I would encourage them to do it. I know they often feel like more work than they’re worth, you’re teaching them everything and it is time consuming and expensive. But I always believe it is worth it. I hope we can encourage other people in my position to continue to believe that it’s worth it because it is so valuable.
The other thing I would encourage people to do is not give their interns terrible jobs. There are certain tasks I know that are sexier or more exciting and I’ll give that to my intern over my own people because I want them to walk away knowing they did something really cool with their internship. I didn’t just get people coffee and therefore never wanted to be an engineer again. Don’t just have an intern do the grunt work around testing. That’s not going to get them excited about the field.