Defining a new domain
by Jon Kuiperij – May 19, 2022
Today, most of us don’t think twice about using credit cards to make online purchases, storing important documents in the cloud or having private conversations on our smart phones.
But things weren’t nearly as secure in the early days of the internet, when logging onto a network was like speeding down a treacherous dirt road without wearing a seat belt, rife with danger at every turn. When companies and individuals began transitioning valuable data storage from paper to digital, criminals weren’t far behind. In 2008 alone, identity theft affected nearly 10 per cent of Canada’s population, costing consumers, banks, credit card firms and retail stores a whopping $7.2 billion.
Long before the explosion of identity theft and other cybercrimes, Dr. Victor Ralevich could see the storm clouds on the horizon. Though he was originally hired to teach in Sheridan’s computer science diploma program, Ralevich’s specialty was cryptography, the art of using algorithms and keys to convert plain text into undecipherable code (and vice versa) to ensure data is only readable by the sender and the intended recipients. Prior to arriving at Sheridan, Ralevich had spent six years working as a chief scientist, information systems security consultant, chief security officer and information technology (IT) manager for several large companies in Canada, the United States and Israel.
“Victor was aware of the security threats that were emerging in industry, and he also understood the skillset necessary to defend against those threats.”– Long-time Sheridan School of Applied Computing administrator Mark Orlando
Sheridan computer science coordinator Dr. Dragana Martinovic knew Ralevich’s background better than anyone — the married couple had co-written and presented numerous research papers advocating for increased security surrounding educational and medical data — but others within Sheridan’s School of Applied Computing recognized Ralevich’s expertise as well. “Victor was aware of the security threats that were emerging in industry,” recalls long-time School of Applied Computing administrator Mark Orlando, “and he also understood the skillset necessary to defend against those threats: cryptography, intrusion detection, penetration testing, security auditing, ethical hacking and more. He knew what it took to create a well-rounded cyber security professional.”
While Ralevich and Martinovic both felt security concepts should be taught in the computer science diploma program, they also realized three years was not enough time to instill all the advanced mathematics, networking and other competencies required of cyber security specialists. But when the Post-secondary Education Choice and Excellence Act was passed in 2000, making it possible for Ontario colleges to offer applied degrees, Ralevich was quick to propose that Sheridan become the first post-secondary institution in Canada to offer an undergraduate cyber security degree. “I knew it would be a challenge,” says Gary Closson, Sheridan’s Dean of Applied Computing and Engineering Services from 1996 to 2007, “but I loved the idea — especially because we already had such a strong computer science program.”
With full support from Sheridan’s leadership, Ralevich spent the next two years shaping a unique curriculum that embedded cyber security concepts into foundational computer science. The first program map consisted of courses in database security, network security, writing secure programs, ethics and ethical hacking, information systems security legislation, computer forensics, physical security, operations security and communications security. Ralevich also sought out information systems security managers and industry professionals to serve on the program’s Professional Advisory Council (PAC), which supported the program’s development by further informing curriculum, serving as guest speakers, donating hardware and software, funding grant opportunities for exceptional students and providing eight-month paid internship opportunities between the third and fourth years of the program.
"The PEQAB (Postsecondary Education Quality Assessment Board) requirements for college degrees were so rigorous,” Closson recalls. “They were insistent that we did not duplicate any degrees that were offered by any universities, which is a reason we called the program the ‘Bachelor of Applied Information Sciences - Information Systems Security.’ Even then, there were university professors reviewing the program to ensure that it truly was unique.” PEQAB also mandated that the program’s faculty either had extensive industry experience — difficult to find in a fledgling field — or advanced academic credentials such as PhDs or masters.
“Sheridan wasn’t far behind the police in realizing (digital forensics) was an important field to learn.”– Former digital forensics professor Joseph Coltson
Several professors in Sheridan’s computer science diploma program already had the latter, but they still upgraded their education by earning Certified Information Systems Security Professional (CISSP), Global Information Assurance Certification (GIAC) and Information Systems Audit and Control Association (ISACA) certifications to strengthen the new program’s proposal. To round out the faculty, Ralevich leveraged his industry connections and also searched for qualified security professionals who had experience in related fields.
Joseph Coltson was a long-time detective with the Peel Regional Police when Ralevich approached him at a 2002 High Technology Crime Investigation Association meeting and invited him to design and teach the program’s second-year digital forensics course. “I’d learned about digital forensics a couple of years earlier through training from the Ontario Police College and the Canadian Police College, so Sheridan wasn’t far behind the police in realizing this was an important field to learn,” says Coltson, who is now Partner, National Forensics Markets Lead for professional services firm PwC Canada. “I built the course around my personal experience and kept things very introductory, which would allow students to play around with some of the tools while building an understanding of the investigative process. I tried to make it very real-life for them.”
Despite all those efforts, Sheridan's first application for PEQAB approval of the new degree was denied because the program map proposed that the fourth year of studies be delivered entirely online — a novel approach that the Ontario Ministry of Education didn’t feel was feasible for degree-level studies. “The Ministry’s logic at that time doesn’t make sense nowadays,” says Lenore Edmunds, then an associate dean in Sheridan’s School of Applied Computing and Information Management. “Since our students would be going out into industry for an eight-month internship between their third and fourth years, we thought they could go to work, make some contacts and then be able to stay where they were while completing that final year. It was a great idea.”
“When this degree finally went forward, it was primarily because of Victor. He had such a passion for what he was doing and such a commitment to it. It was unbelievable.”– Former School of Applied Computing and Information Management Associate Dean Lenore Edmunds
Sheridan was undeterred, applying again the following year and this time securing PEQAB approval. “When the first proposal got turned down, Maureen Callahan (then Sheridan’s Vice-President, Academic) said, ‘Don’t worry, we’ll submit it again,” Edmunds says, “and our second proposal made sure to highlight all the quality assurance measures we had in place, such as our Local Academic Committee. But in all honesty, when this degree finally went forward, it was primarily because of Victor. He had such a passion for what he was doing and such a commitment to it. It was unbelievable.”
Members of BAISc’s first graduating class included (back row, left to right) Jeff Bates, Jesse Mukundi, Mike Williams-Yeagers, Joel Bowers, (front, left to right) Michael Perklin and Joshua MacDougall
Creating an unprecedented program was one thing, finding students to fill it was another. The first cohort consisted of just 35 students: 28 direct out of high school, three college graduates, two university graduates and two international students. “Enrolment was about two-thirds of what we originally anticipated, for several reasons,” Martinovic says. “A steady downturn in the IT sector had begun a few years earlier, and qualified students and parents were also uncertain about the potential for career and further educational opportunities for graduates of an Ontario college degree. The initial branding of the program as an ‘applied degree’ and the fact it was first approved for only five years created additional confusion and concerns.”
Ralevich and Martinovic helped generate excitement and awareness by informing their computer science diploma students of the new degree before it launched, but some of the program’s first students either discovered the Bachelor of Applied Information Sciences (BAISc) degree by accident or joined it after pursuing other interests first. “We were a bunch of miscreants who stumbled into this program and realized, ‘This is awesome,’” recalls Nick Johnston, who had just graduated from Sheridan’s computer programming diploma program and was picking up his transcript when he saw a pamphlet advertising the new degree. Classmate Joel Bowers transferred into BAISc after one year of Sheridan’s computer science technology diploma program, eager to learn new concepts and hoping the four-year credential would give him a better chance of becoming a systems administrator. Jesse Mukundi, an international student from Kenya who came to Sheridan with zero programming experience, attended one day of computer science classes before switching to the new degree because administrators felt it would provide him with better career opportunities. Joshua McDougall originally planned to study telecommunications at Sheridan before he went into the wrong room at an Open House event and learned BAISc accepted high school computer science credits as science credits.
No matter how they found the program, students were quickly hooked by its unique approach: general enough to allow them to find an area of cyber security that most appealed to them, yet more niche than university computer science degrees that offered specializations in cyber security. “Sheridan’s degree was absolutely ahead of its time,” says Bowers. “It was computer science with an emphasis on this new field that was being developed, structured in a way that gave us a really good sampling of the various options and fields we could go into.” Students also embraced the program’s cohort learning model that featured small classes and compulsory core courses, enabling instructors to closely monitor each student’s progress and address their needs.
“We were a bunch of miscreants who stumbled into this program and realized, ‘This is awesome.’”– Inaugural cohort member Nick Johnston
It was quickly apparent that the new program was on the right track. All 26 members of the first graduating cohort immediately found employment in their field — a harbinger of things to come — while Coltson left policing in 2007 to become Vice-President, Forensic Technology Services/Electronic Discovery for KPMG Advisory Services. In fact, it was Coltson who gave Johnston, Bowers and McDougall their first jobs, hiring them as interns and then as full-time employees at KPMG. “We always felt there would be demand for our graduates,” says Orlando, “but it might have even surprised Victor how much demand there was. And we were all surprised by the breadth of jobs and responsibilities that our graduates were qualified to perform.”
Students may have been qualified to perform a lot of those jobs before they even graduated. Though the program’s acronym was pronounced ‘basic’, most courses in the program were extremely demanding, and professors weren’t willing to compromise. Edmunds remembers walking through Sheridan’s Centre for Animation and Emerging Technologies (SCAET) building one evening and seeing Ralevich and Martinovic leading an after-hours tutoring session for a math course that the bulk of the class had failed. “In a normal academic setting, we might have curved the grades, but Victor and Dragana insisted that the students had to understand the subject matter — so they retaught everything at night, making sure the students truly understood everything that was important,” Edmunds says. “At first, we thought Victor was a taskmaster because of his advanced math and punishing exams,” admits 2013 graduate Andrew Turnsek, co-founder of the program’s robust student club that meets regularly outside of class to further discuss the latest cyber security trends and issues, learn from guest speakers and participate in skills competitions. “But we eventually realized his courses were like bootcamp for the military, making training (difficult) so that combat seems easy.”
Since students were literally being taught how to break into private networks, Ralevich was also a strong advocate of cyber ethics, ensuring students learned the industry’s moral and social implications. “One of the first things we had to teach students was the difference between knowing how to do something and being responsible about it. We had to convince them that they were not hackers, they were information security professionals,” Martinovic says. That mindset shone through when first-year students Richard Reinders and McDougall successfully hacked into Sheridan’s own IT network, then provided a detailed report of how they’d done it and how Sheridan could prevent it from happening again. “Our IT people had to tell the students that what they’d done was inappropriate,” notes Closson, “but the students had really done Sheridan a service by helping the IT department be more secure.” Shortly after the incident, Reinders — who would go on to work for Yahoo! and several other large companies — was hired by Sheridan as a part-time IT research consultant.
“(Completing my master’s) honestly was not that difficult after finishing my undergraduate at Sheridan. We’d just learned so much in those four years.”– Kroll Managing Director Joel Bowers
Many other students also worked in industry before they finished the program, with some even receiving full-time job offers at the conclusion of their eight-month internships. “Our students usually ended up filling really critical needs for the organizations where they were placed, so it was pretty hard for those companies to let them go back to school for another year,” Closson says. “Victor had to work hard to convince employers that if our students were employed after their internships, they were going to be deprived of their degree,” Martinovic adds. “The fact that all of our students came back for their fourth year was a huge testament to the program.”
Further validation came when articulation agreements were reached with Michigan’s Davenport University, Colorado’s University of Denver and Australia’s University of Western Sydney and Griffith University. Bowers was one of the first BAISc graduates to complete his Master of Science, Information Assurance at Davenport, receiving advanced standing into the program — including exemption from cryptography courses. “It honestly was not that difficult after finishing my undergraduate at Sheridan. We’d just learned so much in those four years,” says Bowers, who would go on to spend nearly a decade as a Global eDiscovery and Forensic Services executive at Duff & Phelps Canada before becoming Managing Director of Kroll’s Canadian cyber risk practices in 2018.
“Our students usually ended up filling really critical needs for the organizations where they were placed, so it was pretty hard for those companies to let them go back to school for another year.”– Former Sheridan Dean of Applied Computing and Engineering Services Gary Closson
Johnston also earned his master's at Davenport and worked in the field for six years at KPMG and Duff & Phelps, but he never completely left Sheridan. Immediately after graduation, he was one of several alumni Orlando hired to teach in the program, first as a part-time professor of applied computing specializing in information security and digital forensics, then as a full-time cyber security professor in 2011. “We were creating our own expertise and contributing to the capacity of the industry because our graduates would get jobs in the industry and get their master’s, then return to share what they’d learned,” Orlando says. “Because they were already so intimate with our curriculum, they became excellent teachers to the new students, and it became a self-sustaining model to recruit teaching talent.”
“It was a great mix of professors who were more academic-focused, like Victor, and people who had had boots on the ground in industry, like Nick or Joe,” agrees Turnsek. “That blend of academic and applied provided everything you needed to succeed in information security.” Sheridan students and administrators weren’t the only ones who felt that way. In 2014, BAISc celebrated its 10th anniversary in style by receiving the Association of Canadian Community Colleges’ Gold Program Excellence Award as the country’s most innovative and successful college program. “The BAISc degree program is a testament to the ability of colleges to identify and respond to emerging trends and industry needs,” said then-Sheridan President and CEO, Dr. Jeff Zabudsky. “Thanks to the leadership of Dr. Victor Ralevich, the BAISc has fostered a nucleus of information systems security professionals who are equipped to deal with the wide-ranging issues around security in the age of big data.”
BAISc founder Dr. Victor Ralevich accepts the Association of Canadian Community Colleges’ Gold Program Excellence Award from ACCC (now Colleges and Institutes Canada) President and CEO Denise Amyot in 2014
The accolade was a watershed moment, not only for Sheridan’s degree — still the only undergraduate program of its kind in Canada at the time — but for the field. “That award meant so much to Victor,” recalls Johnston, who would become the program’s co-ordinator two years later following Ralevich’s passing. “And we all saw it as recognition that cyber security is important. In the early days, it was a struggle at times to keep the program going. That award represented a turning point when the world and the industry seemed to realize that cyber security was a field that needed to be studied.”
Sheridan may have been the first in Canada to offer an undergraduate cyber security degree, but it certainly isn’t alone anymore. Nearly 75 post-secondary institutions across the country now feature some form of cyber security credential, and for good reason: the number of jobs for cyber security professionals in Canada is growing by seven per cent each year, according to a 2021 report by the Canadian Centre for Cyber Security. Sheridan has also expanded its suite of cyber security offerings through its Continuing & Professional Studies (CAPS), including three-course programs in Cybersecurity Foundations and Cybersecurity – Legal and Ethical Policies and Procedures; a variety of courses such as Cybersecurity Fundamentals, Principles of Information Security, Email Security for Small and Medium Sized Businesses, Web Security and Operating Systems Security – Windows; and new offensive and defensive cyber security micro-credentials that will launch this fall.
“It’s an eternal game of cat and mouse. Criminals keep finding ways around security measures, so we need to keep finding new ways to safeguard.”– Bachelor of Information Sciences (Cyber Security) coordinator Nick Johnston
“Cyber security professionals will always be in demand because it’s an eternal game of cat and mouse,” Johnston says. “Criminals keep finding ways around security measures, so we need to keep finding new ways to safeguard. You can never stand still.” Yet, despite that constant evolution — and the recent re-naming of the degree to Honours Bachelor of Information Sciences (Cyber Security) — BAISc’s core curriculum remains largely the same as when it was founded nearly 20 years ago, emphasizing foundational skills in database and network security, secure software development, forensics, ethics and legislation. “If you have a good background in science and mathematics, you can easily learn all other things” is how Martinovic sums up Ralevich’s generalist philosophy, and it still rings true today for graduates and employers alike.
“So much of the actual job is learned after the fact, once you’re in the field,” says Bowers, estimating that 85% of his team at Kroll is comprised by Sheridan graduates. “With all of the general skills that are taught at Sheridan, I know their graduates are going to be able to go into any situation with some ideas.” 2019 graduate Alana Staszczyszyn landed her first job in the industry after just one year of studies, working part-time as an information security analyst for Health Shared Services Ontario. “All of the different things we learned about quickly prepared us for a lot of different roles,” says Staszczyszyn, who is now conducting independent research into potential cyber security concerns of quantum computing. “The fact that I was equipped with enough knowledge to work in the field after one year is incredible, in my opinion.”
BAISc coordinator Nick Johnston (left) leads a workshop for local small business owners during a CyberSecurity Bootcamp organized by the Halton Industry Education Council.
There may be no Sheridan graduate who appreciates general problem-solving skills’ value in the industry more than James Arlen, who used the digital problem-solving abilities he honed as a Media Arts student in the mid-90s to launch his extremely successful cyber security career a decade before the BAISc program was founded. “Academia tends to try to produce specialists, but cyber security is an area in which de-specialization can actually work in your favour,” says Arlen, a lead author of the Cloud Security Alliance Guidance for Critical Areas of Focus in Cloud Computing and currently the Chief Information Security Officer at Aiven, a global cloud computing solutions provider. “When you can take a broad view, you often see things that may otherwise be invisible.”
Arlen believes those general problem-solving skills will be key to resolving new challenges emerging in the industry, such as manufacturing’s growing reliance on interconnectivity, automation, machine learning and real-time data. “How do we build systems that preclude bad behaviour while still maintaining flexibility? How do we create dynamically reconfigurable manufacturing lines while ensuring that safety doesn’t get configured out? If I can rewrite software to make it better, I can also rewrite it to make it worse,” he says. “A lot of plants have control systems from the 1980s, and security is snapped onto the sides of them in ever-increasing layers. The people building the next generation of manufacturing need to build this in a way that is intrinsically safe.”
Helping area manufacturing companies resolve those challenges is quickly becoming a larger goal of the program. Sheridan is an educational institution partner in the newly-formed Cyber Security Innovation Network (CSIN), an innovative and collaborative network that will enhance research and development, increase commercialization and develop skilled cybersecurity talent across Canada, and recently established the Lab for Innovation and Research in Industrial Cybersecurity (LIRIC) within its Centre for Advanced Manufacturing and Design Technologies (CAMDT). In one of LIRIC’s first research projects, Johnston and several students helped Brampton software-as-a-service (SaaS) company Simplified Automation identify and resolve security control gaps through the implementation of Multi-Factor Authentication (MFA) and other protocols.
“When Victor built this program, he wasn’t willing to compromise. It was university standard from the beginning, developing good work ethic and excellent background knowledge.”– Former Sheridan professor Dr. Dragana Martinovic
Dr. Dragana Martinovic (left) and Dr. Victor Ralevich
Prior to the COVID-19 pandemic, Sheridan students also shared their expertise with local small business owners at a CyberSecurity Bootcamp that was organized by the Halton Industry Education Council (HIEC), a not-for-profit social enterprise that promotes partnership, mentorship and workforce development. “Our community connections indicated there was a need for this type of support, especially small businesses who often lack the time, resources and expertise to be up to speed on all things cyber security,” says HIEC Director of Operations Michelle Murray. Some of the content Sheridan students developed for the workshop was later used by the HIEC as the foundation of another community offering that advised seniors about online banking security, targeted spam emails and other perils of the internet, as well as for career-awareness seminars with students in elementary and secondary schools. “We’re really hoping that through research projects and other initiatives, we’ll be able to help others improve their lives from a security perspective,” Johnston says.
That’s precisely what Ralevich set out to do at the turn of the century, long before the industry exploded into what it is now.
“It’s incredible. Just incredible,” Martinovic says of BAISc’s growth from a program that initially struggled to find students into an educational leader in cyber security that annually attracts 350 students and has a long waiting list. “When Victor built this program, he wasn’t willing to compromise. He wasn’t willing to accept the idea that since Sheridan was a college, the degree did not need to be university standard. It was university standard from the beginning, developing good work ethic and excellent background knowledge.
“The support we provided for our students helped create a community, and that created excitement.”