Defining a new domain
by Jon Kuiperij – May 19, 2022
The first time Joshua McDougall heard of cryptocurrency, he couldn’t have been more skeptical.
“I figured that if I could copy an mp3, I could copy whatever a bitcoin was,” says McDougall, who recalls Sheridan Bachelor of Applied Information Sciences degree founder Dr. Victor Ralevich discussing the potential for digital money during one of his cryptography classes — several years before bitcoin was created in 2009.
But it didn’t take long for McDougall to recognize that cryptocurrency was not only far more complex than audio files, it was also built using many of the same security concepts he’d already mastered at Sheridan. “Our schooling didn’t specifically prepare us for digital money, but it gave us the foundational knowledge of all the different pieces that suddenly came together to create digital money,” McDougall says. “That allowed us to try to break cryptocurrency, and also to understand why we couldn’t.”
“Our schooling... gave us the foundational knowledge of all the different pieces that suddenly came together to create digital money. That allowed us to try to break cryptocurrency, and also to understand why we couldn’t.” – Joshua McDougall
Though McDougall would spend the first decade of his career primarily focused on digital forensics and investigations, he also parlayed that fascination with digital currency into several significant side projects. In 2014, he and fellow Sheridan graduate Michael Perklin founded the CryptoCurrency Certification Consortium (C4), a non-profit organization that provides certifications to professionals who perform cryptocurrency-related services. “Prior to C4, there was no way for hiring managers and placement firms to validate Bitcoin knowledge in their candidates like they can with other knowledge such as networking, security and accounting,” explains McDougall, who also helped develop the CryptoCurrency Security Standard that has become a benchmark for security techniques and methodologies used by cryptocurrency systems around the globe.
Another of McDougall’s part-time cryptocurrency ventures eventually became his full-time focus. McDougall recently stepped down from his long-time cyber risk management position at Kroll in order to concentrate on Slow Ninja, a game studio working on skill-based games that leverage blockchain technology to reward players.
“We’ve built an environment in which the lore of the game and the operations of the game are combined into one entity. In other words, the community of players runs the game,” McDougall says. “Gaming can also be a great way to onboard new users, which has always been a challenge in the cryptocurrency space. People can get started by playing, building up their in-game assets and then bringing them to an exchange to acquire bitcoin. It’s a new light-hearted avenue into the new digital economy.”
Fourteen-year-old Richard Reinders was in the library of his Netherlands high school in 1997 when a friend asked him if he’d heard about hackers who had vandalized the home page of the National Aeronautics and Space Administration website.
“Alex said, ‘I wonder how they did it’, and I couldn’t let that question go. I had to figure out how the heck someone could break into NASA,” Reinders says. “So I started learning one thing after another about how to hack into things, and I eventually got to the point where I felt like I could find vulnerabilities in NASA’s public infrastructure too.”
Reinders never tested that theory. But a few years later, he did find his way into another major private network — Sheridan’s — after he and Bachelor of Applied Information Sciences first-year classmate Joshua McDougall discovered how to view all of the college’s wireless traffic in clear text and take control of any school-issued laptop.
“We could have deleted all the files on those laptops, looked at tests on teachers’ computers or shut down the school ransomware-style,” recalls Reinders, “but it was never about making money or doing damage.” Instead, Reinders and McDougall promptly reported the network’s vulnerabilities to their professors, leading to a meeting with Sheridan’s Information Technologies (IT) department, a part-time job for Reinders as an IT student research consultant, and a more secure network for everyone at Sheridan.
Win-win outcomes like that have been a goal for Reinders throughout his professional career, whether it’s been for global media and tech company Yahoo!, business intelligence software and big data analytics platforms Looker and Sisu, or credit card processing and financial services company Gravity Payments. As a Track, Search and Rescue team leader at Yahoo!, he spearheaded a cultural change in how the company — still reeling after suffering two of the largest data breaches in history a few years earlier — handled vulnerabilities, leading to a 90% decrease in overdue or unresolved issues in just one quarter. At Looker, he came up with a patent-pending idea to make investigations of big data breaches more efficient, and at Sisu, he helped the company retain more clients by having its security measures vetted by third-party organizations.
“Having professors who were academic-focused and professors who were active in industry doing what they were teaching... that was a really good mix.” – Richard Reinders
Since becoming head of security at Gravity Payments in 2021, Reinders has already implemented a tool that automates compliance — saving time for employees and money for the company through discounts from happy auditors.
“Businesses just want to be able to do business safely and not have a big breach, so you need to figure out what’s driving your company and make proposals that align with that,” Reinders says. “Too many people miss the fact that you can make others’ lives easier through security measures, rather than making them harder. If I could convince cyber security people of one thing, it’s to figure out what the business needs to be successful, then figure out how to support that while making security gains at the same time.”
During her four years as a penetration tester at Security Compass, Alana Staszczyszyn saw countless issues that might have been avoided if classical computer systems hadn’t been built with security flaws. Now, as quantum computers capable of quickly solving complex issues — including the potential to crack most types of encryption used today — inch closer and closer to the mainstream market, she’s determined to help ensure history doesn’t repeat itself.
Staszczyszyn recently set out on an independent research project to explore past vulnerabilities in networks and devices and how they may pertain to five emerging technologies that will support quantum computing: 5G, cloud computing, internet of things (IoT), artificial intelligence (AI) and blockchain. “If there are inherent flaws in the architecture, those flaws will just propagate into more issues as that architecture matures,” she says. “I want to help fix this now, so that our industry doesn’t burn out having to fix things in the future.”
Building a secure quantum computing infrastructure, Staszczyszyn says, will require an all-hands-on-deck approach. “It’s well-known in the cyber security industry that there’s a big gap between the private and public sectors, largely because the private sector isn’t as restricted when it comes to investing capital into research,” she says. “I want to merge everyone’s efforts and also pull in any academic initiatives that are already looking into these issues at more granular or technical levels.”
Less than five years into her career, Staszczyszyn has been featured by several leading media outlets, including The Globe and Mail and the CBC, as a leading cyber security expert and a woman working in a traditionally male-dominated bastion. “If I had to tell (women interested in cyber security) anything,” the Etobicoke School of the Arts high school graduate told the CBC in 2019, “it’s that there’s room for every single talent in this industry.”
“Sheridan’s degree gave us a high-level, theoretical view of cyber security, treating it like an art instead of just focusing on practical implementation.” – Alana Staszczyszyn
Especially if you’re able to quickly pivot the way Staszczyszyn did from penetration testing classical software to researching potential security issues in quantum computing, an ability she credits to Sheridan’s generalist approach. “Sheridan’s degree gave us a high-level, theoretical view of cyber security, treating it like an art instead of just focusing on practical implementation,” says Staszczyszyn, whose expertise in the emerging quantum computing technology largely consists of what she taught herself on Google and YouTube. “Quantum uses a different type of mathematics from classical — namely, linear algebra instead of binary logic — but it’s not far off from what we learned in Sheridan’s program. It’s actually very accessible if you have an acuity for physics and math.”
Jesse Mukundi worked as a programmer for Ontario Hydro Authority and BlackBerry while he was still in school, was hired full-time by BlackBerry immediately after graduation, and is now a senior network security engineer for an international investment firm.
That’s an impressive resume for anyone in the cyber security field. But it’s even more remarkable when you learn he’d barely worked with computers before arriving at Sheridan from Kenya in 2004.
Still, Mukundi spent just one day in Sheridan’s computer science diploma program before transferring into the new Bachelor of Applied Information Sciences (BAISc) degree on the advice of Maureen Callahan, then Sheridan’s Vice-President of Academic, and Lenore Edmunds, Associate Dean of the School of Applied Computing and Information Management — both of whom felt the degree would provide him with better career opportunities.
Having to catch up to peers who were already adept in BASIC and Linux may have been daunting to some, but not to someone who walked five kilometers to school when he was in kindergarten. Mukundi put in countless hours studying outside of class with networking professor Fadi Shalabi and a tutor, passed each of his first-year courses and even took the Java Programming course a second time — putting off a summer trip home to Kenya — in order to improve his grade from a D to an A. “He was an inspiration to the other students,” Edmunds recalls. “He struggled at times, but he never said ‘I quit.’ He just tried harder.”
“Having a strong security background from Sheridan has helped me work with many different teams. I have always known what people are talking about and the different methodologies involved.” – Jesse Mukundi
The following summer, Mukundi spent three months working as a Java software developer at Ontario Power Authority, an experience that would eventually help him secure an eight-month internship at BlackBerry after his third year of studies. “I was ready to do anything they asked me to do,” says Mukundi, who spent the bulk of his internship performing security tests on new technology. BlackBerry agreed, offering Mukundi part-time employment during his final year at Sheridan and then hiring him full-time as soon as he graduated.
Mukundi would go on to work 14 years at BlackBerry, most of them as a senior network security specialist, before accepting a senior network security engineer position with Connecticut-based financial services company Interactive Brokers earlier this year. “Having a strong security background from Sheridan has helped me work with many different teams,” he says. “Whether it was risk assessment, compliance, governance or cyber forensics, I have always known what people are talking about and the different methodologies involved.”
When Joel Bowers transferred into Sheridan’s new Bachelor of Applied Information Sciences degree in 2004, he never imagined he’d someday manage Canadian operations of a global cyber security firm.
“I wasn’t learning anything new in my computer science technology diploma program,” says Bowers, “and I thought getting a security-focused bachelor’s degree might help me keep servers more secure if I became a systems administrator.”
Those career plans quickly changed when Bowers discovered digital forensics, a then-emerging field that involved combing through computers to find evidence that could be used in civil and criminal investigations. “I’d never heard of computer forensics before I got to Sheridan,” Bowers says of the second-year course built and taught by former long-time Peel Regional Police investigator Joseph Coltson, “and now I’ve worked in it every day for 15 years.”
Bowers’ first jobs in the field were also under Coltson, first at KPMG — where he and classmates Nick Johnston and Joshua McDougall worked as interns before being hired full-time — and then at Oakville’s Harvester Forensics. When Duff & Phelps purchased Harvester in 2012, it put Bowers in charge of its national forensic technology practice, a role in which Bowers oversees a team of approximately 20 employees and 300 contractors who perform digital forensics and litigation support services. “Nearly all of my local team is Sheridan graduates,” says Bowers. “With all of the general skills they learn in Sheridan’s degree, I know that they’re going to be prepared to go into any situation with some ideas.”
“Sheridan’s program was absolutely ahead of its time. It was a group of people trying to figure out the industry, and the structure of the program gave us a really good sampling of the various fields we could go into.” – Joel Bowers
One of Bowers’ career highlights came in 2013, when his expert testimony helped a major Hollywood studio land a $10 million anti-piracy settlement from a website that was streaming episodes and selling bootlegged merchandise based on a popular television program. Bowers performed a search and seizure of the suspected operator’s residence, then performed forensic technology analysis that found key evidence proving the studio’s claims, resulting in one of the largest anti-piracy judgements in Canadian history.
“I’ve always loved the problem-solving part of the job. You never know what scenario you’ll walk into,” says Bowers, whose primary focus shifted to data breach review when the Personal Information Protection and Electronic Documents Act was passed in 2018, mandating that businesses report security breaches involving personal information to the federal government and to all affected individuals. “Ransomware is a huge issue these days, and before that was business email compromise. We don’t know what’ll come next, but there will always be another cyber threat that causes people problems.”
Long before she ever considered a career in cyber security, Preeti Dhawan recognized the perils of having too many personal details disclosed.
“In Grade 9, I was having a casual conversation with a classmate, and he became alarmed when I mentioned some things I knew about his personal life,” Dhawan recalls. “I told him, ‘I don’t know why you’re getting upset. You’ve shared various pieces of this information with me in previous conversations. I just put the puzzle together and now I’m presenting it back to you.’”
Dhawan has gone on to protect some very important puzzle pieces in her career as a cyber security and privacy professional. Prior to becoming a GRC (Governance, Risk and Compliance) Manager at Payments Canada in the spring of 2022, she spent two years safeguarding protected assets and information for the Government of Canada as a Security and Privacy Officer for Bell. Dhawan has also worked for Export Development Canada, a Crown corporation for which she defined and developed various cyber security standards, and eHealth Ontario, where she onboarded more than 400 health care organizations into the provincial electronic health record (EHR) system and ensured compliance with security regulations.
The gradual convergence of information privacy (the rights of individuals to have their personal data protected) and cyber security (how digital data is protected) has enabled Dhawan to work in a field that was traditionally reserved for lawyers. “We’re starting to see more privacy job postings that ask for a cyber security background, or at least an understanding of cyber security standards,” says Dhawan, who also chairs the Ottawa chapter and sits on the Training Advisory Board of the International Association of Privacy Professionals, the largest information privacy community in the world. “Having both a privacy background and cyber security background has helped me a lot in my career so far.”
“Once I started taking classes like risk assessment, auditing and forensics, I knew exactly what I wanted to do with my life. And I’m so grateful to have had (outstanding) professors... they were my support system and my mentors.” – Preeti Dhawan
It’s been a remarkable ascent for someone who had no computer programming experience when she joined Sheridan’s cyber security degree as an 18-year-old. “I always thought I’d become a doctor or a psychiatrist or a lawyer, but I felt a bit lost in my final year of high school and decided that I might want to become a hacker,” says Dhawan, who showed up to her first Sheridan class without a laptop because she didn’t know which kind she should buy. “Once I started taking classes like risk assessment, auditing and forensics, I knew exactly what I wanted to do with my life. And I’m so grateful to have had professors like the late Dr. Victor Ralevich and Nick Johnston — they were my support system and my mentors. There were a lot of challenges, but if I had the opportunity to do it again, I absolutely would.”
John Simpson spent much of his youth on the ice, training as a nationally-ranked figure skater. But when Simpson wasn’t working on his hold lifts, pull-throughs and drapes, you’d often find him sitting at a computer trying to make software act in ways developers didn’t anticipate.
“I basically grew up on the seedy underbelly of the internet,” Simpson says. “I was drawn to hacking culture, not because I wanted to do bad things to others, but because I was fascinated by how people could make a computer do something it wasn’t supposed to do.”
It took Simpson time to realize that he could parlay that fascination into a rewarding career. The demands of figure skating prevented him from pursuing postsecondary education when he graduated from high school, and after hanging up his competitive skates, he spent a decade unhappily working in retail until seeing an ad for Sheridan’s Bachelor of Applied Information Sciences degree.
Today, Simpson is a senior security researcher for Veracode, an application security company that serves more than 2,500 customers across the world. Rather than devising defenses against software vulnerabilities and flaws, he helps Veracode build tools that prevent developers from writing vulnerable code in the first place. “We’ve gone from having all of these firewalls and detection applications that stop hackers to thinking, ‘Well, if we wrote the software securely, a lot of that wouldn’t be necessary’,” Simpson says. “The root cause of many hacks is improperly-written code, which may sound like a simple fix but it’s a huge problem. At the end of the day, software is written by humans, and humans make mistakes.”
“I’m so genuinely thankful for the career that Sheridan’s program helped give me. It was literally transformational in my life.” – John Simpson
Ironically, it was a desire to find ways to exploit those mistakes — not prevent them — that attracted Simpson to cyber security in the first place. “From day one, I had it in my head that I wanted to be an ethical hacker, but penetration testing ultimately didn’t scratch my itch for technical puzzle-solving. I wanted a greater challenge,” he says, crediting the generalist approach of Sheridan’s degree for opening his eyes to the many other career opportunities in the field.
Remaining open-minded is advice that Simpson delivers to Sheridan students each year as a guest speaker for ISSessions, the program’s large student club. “Don’t be afraid to change things up frequently, especially early in your career,” says the club’s former co-host. “Working in different areas of cyber security will help you learn what you like and what you don’t like, and that’s how you’ll decide where you fit in the industry.”