Deep Ramanayke is a teaching professor of computer science and cybersecurity and the director of the cybersecurity program at Xavier University, where he teaches information security, networking, perimeter defense, ethical hacking, and pen testing.
His research is currently focused on education and cybersecurity, engaging students with real-world hands-on experience, practice, and exposure to working in teams.
Key takeaways from the interview
- Transition to cybersecurity: Around 2013, Ramanayke shifted his focus to cybersecurity, recognizing its growing importance. He was instrumental in developing a two-year cybersecurity degree at a community college and later joined Xavier University to lead their cybersecurity program.
- Cybersecurity education at Xavier University: The program at Xavier is relatively new and integrates cybersecurity as a concentration within the computer science degree. It emphasizes strong programming skills, ethical considerations (influenced by the Jesuit tradition of the university), and hands-on experience.
- Real-world application and engagement: Ramanayke stresses the importance of engaging students with real-world scenarios. This includes analyzing recent cyber breaches, participating in cyber defense competitions, and offering hands-on labs that mimic real-world cybersecurity challenges.
- Industry connection and curriculum relevance: The program maintains relevance through constant updates, industry advisory boards, and alumni involvement. Ramanayke highlights the challenge of keeping the curriculum current with the rapidly evolving field of cybersecurity.
- Student opportunities and research: Students are encouraged to participate in internships and research opportunities, particularly during the summer. The program also facilitates connections with industry professionals for practical insights and career guidance.
- Advice for aspiring cybersecurity professionals: Ramanayke recommends various resources for students interested in cybersecurity, including books like “The Art of Exploitation” and “Big Breaches,” as well as online platforms like TryHackMe and OverTheWire for practical exercises.
Here is a full transcript of the episode
Steve Bowcut: Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. On today’s show, our guest is Deep Ramanayke.
So Deep is a teaching professor of computer science and cybersecurity and the director of the cybersecurity program at Xavier University. We’re going to be discussing cybersecurity education opportunities at Xavier University in Cincinnati, Ohio. Let me tell you a little bit about Deep.
Deep teaches information security, networking, perimeter defense, ethical hacking, and pen testing. His research is currently focused on education and cybersecurity, engaging students with real-world hands-on experience, practice, and exposure to working in teams. With that, welcome, Deep. Thank you for joining me today.
Deep Ramanayke: Thank you for having me and it’s a pleasure to be here and I want to thank you for doing this as well. And this is what we need on the field. We need more awareness and I’m glad you’re doing this podcast and all the resources on your site. It’s going to help students to make decisions getting into cybersecurity, so thank you for doing that.
Steve Bowcut: Thank you for that. I appreciate that. And that is the whole point of this podcast is just to be a free resource for students who are trying to decide if they would like to go into cybersecurity.
We want to give them an idea of what the educational part of that might look like, and I’m really excited to have you on the show because I know that you’ll be able to shed some light on what it’s really like to work in cybersecurity and I think that’ll help students make a good sound decision in that regard.
So let’s go through and learn a little bit about you, to begin with. So how did you first become interested in cybersecurity? Is it that you’ve always been interested in it or did it happen later in your academic career?
Deep Ramanayke:
It happened maybe 10, 12 years ago. I was always into technology and even when I was growing up in Sri Lanka, I had a curious mind. I always want to see how things work. So even when I was a little kid, I used to take my toys apart and see how they work and I’d get in trouble with my parents. “I’m not buying you anything anymore. You’re breaking things down.” I think I always fixed them. I’m originally from Sri Lanka, so growing up in Sri Lanka, there’s not much technology around. I didn’t even have a computer when I was graduating from high school, so-
Steve Bowcut:
Oh wow.
Deep Ramanayke:
… I really wanted a computer, so I just researched and learned as much as I could and actually built my first computer in late ’90s so I could learn and get into the computing field. So that’s how actually everything started in Sri Lanka. So then I decided to go into higher education and I got a scholarship to come to the USA. That’s how my career started. So I did my bachelor’s in mathematics and information systems in computer science, and I got my first job as a network administrator.
So I got a really good network foundation working as a network administrator and then decided, “I want to go into graduate school.” So I went to graduate school. Still, cybersecurity at that time, it’s not even a topic. I don’t think there’s any schools offering any colleges or classes in cybersecurity or any degrees at that time. So once I went to graduate school, I got a TA. So TA was to teach students. So that’s how I got into the teaching field. So my first job is to teach at a community college network administration, programming, all different kinds of topics.
So around 2013, cybersecurity started to become college type of degrees and we, at the community college, we decided, “Okay. We need to get into the field. We need to jump in right now and we need to create a specialized degree, a two-year degree in cybersecurity.” So I was like, “Okay. I want to get into this. I want to get into this. I want to be leading this and designing this program.” So that’s how I actually got into cybersecurity, but if you think about it, we’ve been doing this all along, all this time.
When I was working as a network administrator, you just want to make sure everything works properly. You want to make sure everything’s secure as well. So it’s been there with me all the time, but by nature, I’m a problem solver. So when I come to cybersecurity, we are trying to now not only design these networks and applications programs. We need to make sure we protect them as well.
I was like, “Oh, this is the perfect field for me to get into.” So that’s how I got into the cybersecurity field, but then I had to learn a lot as well. I know the background and I know the foundation.
At this time, around 2013 and 2014, NSA was sponsoring a lot of schools to provide cybersecurity training for faculty. So one of the schools I want to actually give credit is Dakota State University. They’re one of the leading universities that provide a lot of free workshops for faculty that want to get into the cybersecurity field.
So from 2014 all the way up to 2019, I took a bunch of workshops that were provided by Dakota State University. I attended these workshops. So I got to learn a lot and build a real good passion and a lot of skills under my belt going through those workshops and training.
Steve Bowcut:
Awesome. All right. Thank you for that. I appreciate that. So let’s shift our focus a little bit and look at Xavier.
So give us maybe a high level overview of the different cybersecurity programs that are offered there. Are they all undergraduate or are they post-graduate degrees and programs? What does that look like?
Deep Ramanayke:
Yes. So the program’s fairly new. It’s only four years old. Actually, I was hired after I finished… I was 10 years at community college and I was hired at Xavier to actually build the cybersecurity program and actually get the NSA designation.
Having NSA designation puts us in a specific category because you need to go through their specific review to get our classes to meet their standards. They have their knowledge units and standards. So I was basically hired at Xavier to build the program. The program is four years old. So what Xavier decided to do is instead of creating a separate program under the computer science program, they decided to add a concentration.
So students going into computer science, bachelor of arts or bachelor of science, do a concentration on cybersecurity. So they take this specific set of classes, five to six classes, and they will have a concentration in cybersecurity on the bachelor of science or bachelor of arts degree.
Steve Bowcut:
Excellent. Very good. Thank you. So how about extracurricular stuff? So I know some universities, there’s events and clubs and organizations and competitions and are you involved in any of that at Xavier?
Deep Ramanayke:
Oh, yeah. That’s the best part of the program as well. That’s the best part of my job as well. We have a cyber defense club. So for the last four years, we were developing and training students for… I would say one of the highlights from last year is how many competitions we participated last year in my cyber defense club.
And we participated more than, I would say, 10 to 20 different cyber defense games during the last whole year. One of the highlights is the CyberForce Competition. It’s done by the U.S. Energy Department. So that’s one of the big games, the red team, blue team game. All my students have to practice and I helped them before the games, setting up a mock network and seeing how they could defend.
So basically, they’re the blue team and they got this sample U.S. Energy network with different types of energy like IOT devices, controls, power grid. Their basic job is to make sure everything’s secure.
Steve Bowcut:
Wow.
Deep Ramanayke:
Go through… It’s very tough because it’s within specific three to four hours. You need to do a lot of things to make sure you have the basic cybersecurity and the last part of the game is the red team comes and tries to exploit and see if they find the vulnerability. So getting back to it, we do have a cyber defense club. We have really passionate students getting in there and we meet every Friday and practice to participate in these different games.
Since we are one of the NSA-designated programs, we get a lot of competition to participate that’s sponsored by NSA as well. Just to reiterate, “What’s the advantage of having a club?” Students get to actually get the feeling of real world experience, and not only that, I get students saying, “Hey, I took this programming class. I really don’t know if I actually know the skills.”
I was like, “Join the cyber defense club and you get to actually apply what you learn and there are some of the problems that you’ll solve that you might have reading Python code and figure it out what it does. So then you can validate your skills,” and actually students come and say, “Oh, I know this. So this is a way of I apply what I learned from the class in a real world situation.” So we have a lot of competition we do throughout the years and that’s the best way they’ll learn a lot of skills outside the classroom.
Steve Bowcut:
That’s totally awesome. Thank you. So looking at all the educational opportunities or options that students have, what would you say sets your program apart? What makes it unique?
Deep Ramanayke:
So if you look at some of the schools around here, since I mentioned we have the concentration. So our students in the computer science department, they take a lot of computer science classes at the beginning, a lot of programming classes, logic.
They learn problem solving. So… They learn a lot of theory as well as some technology class. So they get that really good programming foundation and then when they come to cybersecurity, they get to learn how to secure those programs, how to secure coding, how to defend a network.
So what makes our program unique is our students will have a really good strong programming background. So that helps our students to fill the pipeline, especially reverse engineering, malware analysis, software exploitation. So because of their programming background, they go into those areas and most of our students getting the job are getting hired in reverse engineering, software exploitation, malware analysis area. Students graduating from our program get to fill those gaps.
So you ask about the unique. I completely blanked out. Another unique thing about our program is Xavier is a Jesuit institution. So being a Jesuit institution, there’s some core classes they had to take that help them to think ethically and work for the greater good. So learning cybersecurity is kind of like a double-edged sword.
So you could go be the good guy and the bad guy. So being this Jesuit institute, our students get that ethical moral classes that they take and that help them to think, “We are all working towards the greater good, and cybersecurity is one of the things that we can work through the greater goods and defending our nations and our personal data from not only just for the companies. For our own personal data as well as helping each other as well.”
Steve Bowcut:
Interesting. And we all know that understanding how these things work in theory is sometimes different from actual application when you’re working in the field.
And so I think I’d like to explore a little bit about how you provide real-world cybersecurity experience and how you help the students understand what it’s going to be like when they actually work.
Do you gather information from industry and incorporate that in the classes? I know you have experience, so obviously you can share your own experience, but how is that done? What prepares them to work in the field?
Deep Ramanayke:
So going back to the question about the real world challenges and that’s actually the challenge teaching cybersecurity. I actually have to change my books every semester or change my materials and update the class. So to keep in real world, one of the things I do, I’ll give you an example.
My introduction to cybersecurity class, the first thing I do is I cue students, “Hey, next week when you come to the class, this group is going to research some recent breaches in the industry. Do some research. Maybe within a month. If you can’t go for a month, go for two months.” I always say, “You can always find something being breached last week. So go and do some research and bring those topics to discuss in the class.” So when we come to the class, we find out, “Okay. What happened last week?”
Let’s say, for an example, maybe they found the Equifax breach. So we talk about that breach and we’ll talk about what happened, how the attackers got into the systems, what kind of a vulnerability that they exploited. So we discuss these recent attacks. So that actually brings up what’s going on in the industry and how people are exploiting this system. It might be a five-year vulnerability that nobody’s touched.
That’s how they got in. Or it might be a recent, really new vulnerability. So that keeps students… Not only are they engaged. Sometimes, actually, that’s all we do throughout this class. We discuss the breach and just get very engaged. We talk about why they haven’t done these things to protect your systems. “You are a big organization.” So we talked about those things. That’s one of the things that we do on my introductory classes, but when we go into a little bit more classes, we do a lot of hands-on labs related to recent breaches.
Maybe it’s because the virtual machines with the Linux operating system have a recent breach, and when I talk about hands-on, we actually do real hands-on. We actually set up our networks and we actually practice in a real world situation what would happen with one of these recent breaches.
So to do that, I always had to keep myself updated and I had to download a repository of all the different breaches and exploits. It’s pretty tricky. But one of the good things about our school is when I started the program, they set up our own lab and separated everything from the school network. We are an isolated network so we could do whatever we want without damaging our school network.
Steve Bowcut:
Very good.
Deep Ramanayke:
Those are some of the things we do. Hands-on activities, discussing these recent threats and not only discussing them. If you can actually find if it’s a malware sample, we actually download that and see how it actually exploits systems.
Steve Bowcut:
And thank you for that. And I wanted to touch on research opportunities and I think you’ve addressed some of that already with researching current cyber incidents.
Would you say that, and it’s an undergraduate degree, so I don’t suppose that there’s tons of opportunity for research or internships, but in addition to researching recent cyber incidents to contribute to the class discussion, are there other opportunities for research that the students have?
Deep Ramanayke:
There are some research opportunities for becoming a CA in accredited programs. There’s a lot of research opportunities that come from NSA and some of the NSA-participating schools’ software, especially the REUs for summer. So there are some opportunities. Students work on research opportunities during the summer and there are a lot of internships as well.
We don’t offer summer classes so we encourage students to work on cyber… If they’re in the cyber concentration, I always encourage them to find an internship to work during the summer. And almost all my students right now, they have some internship in cybersecurity working on… We also have our school.
The school cybersecurity department actually hires and gives internships for students every year. So that’s one of the ways they do internships during summer. Those are some of the opportunities available. Being, like you say, undergraduate, we don’t have our own research for students to work on, but we always encourage them to do an internship during summer.
Steve Bowcut:
And I love that you’re focused on getting the students engaged with industry, and that’s where I wanted to go next because I’d like to explore a little bit about how you… And I think we may have touched on this earlier, but input from industry is critical, right?
Because things are changing and lots of industries have different things that they’re focused on, because their threats and vulnerabilities are different. But do you have an industry advisory board or any other ways that you’re gathering information from industry and applying that to the curriculum?
Deep Ramanayke:
Yeah. We do have an advisory board for cybersecurity concentration. It’s one of the requirements from NSA when we get the designation. You need to have that industry feedback. That’s the problem being a faculty. You’re not working on the field and you don’t get to play with the latest tools or latest threats, so you need to bring this industry partner. So one of the inputs we got on the curriculum is the advisory board.
They review our curriculum and say, “Okay. These things are outdated. Maybe these things are not what we are currently doing in the industry. You might need to update it.” So that’s one part of having the advisory board.
Also, I have a lot of connections working on the field and being here in Cincinnati for almost 20 years, and I also work as a consultant on my previous job. So I have a lot of connections, a lot of my friends working on the field, so what I do is I bring them to the classroom.
So in some classes, they come and do hands-on experience. So they talk about day-to-day jobs, what they do, how to get into the field, how to be good at the field. “Do you need certifications? Should I get a certification?” “Yeah, go for this specific certification.” They talk about all these things now. Also, we have alumni come help with our cyber defense team. So they’re really passionate about having this team.
So I bring them and tell them, “Hey, I need your expertise in this specific area. Can you come and help these students struggling in this competition?” Maybe it’s a reverse engineering problem or they are learning some basic assembly language that they’re struggling with.
So these alumni students come and help during our cyber defense club on Friday evenings or sometimes even weekends. They take their time to come and help give feedback to not only keep updating. Also to help our teams as well.
Steve Bowcut:
Yeah. That’s excellent. Thank you. I’m always interested in how educators keep their curriculum current and up to date. Things in cybersecurity are changing so rapidly, it seems like.
Now I know some of the basics of defense and those kinds of things are probably not going to change that much, but do you find it a struggle to make sure… Curriculum takes some time to develop, right?
Deep Ramanayke:
Definitely.
Steve Bowcut:
Maybe annually, you’re changing the curriculum and things may be happening faster than that in cybersecurity. Do you find that to be a challenge to keep the information that you’re presenting completely up to date?
Deep Ramanayke:
It is a challenge, but it is also an opportunity, I would say. For me, it’s easier for me because I’m not a research faculty. I don’t have to publish papers. So what I do during summer is take a lot of workshops and right now, I’m taking a workshop. Actually it started yesterday. It’s in AI and cybersecurity. It’s a really new area. There’s not even a book you can find AI and cybersecurity.
We are trying to… So it’s really an interesting field to get in as well now. We can use the AI, again, a double-edged sword, so we can use AI in cybersecurity to automate a lot of things and help with some of the attacks and threats. So I’m taking a class. So actually, I’m taking three workshops during this summer to keep me updated so I can learn from the industry as well as in workshops and take it back to my students as well as updating the curriculum.
So I would say it is a challenge. But these challenges can be opportunities, so if you are willing to learn… If you’re going into cybersecurity, you cannot just use the same old information. You need to be reading and you need to be trying and practicing all these new technologies, new tools, new threats.
Otherwise, you’re going to fall behind. And I tell my students too, “If you’re getting into cybersecurity, you need to have a curious mind. You need to be willing to learn every day.” So somebody might say, “Ah, I don’t want to keep learning,” but I would say, “Do you want to do the same job every day or do you want to learn something new so you can keep… It’s exciting. You’re not going to be bored doing the same thing every day.
So that’s now the advantage of the cybersecurity field. You get to learn new technologies. You’re doing something new. That makes your job exciting. You get to wake up and go to a job that you enjoy. So if this is something you like, then you’re going to enjoy it.”
Steve Bowcut:
Very good. All right, so we’ve got a couple of questions left. We’re about out of time, and these are fun questions. This next one, I’d like to pick your brain a little bit.
So if you were to come up with your top picks for a cybersecurity reading list for students who were thinking about getting into cybersecurity and they could be books or papers or lectures or YouTube channels or whatever, websites, what would be on that list?
Deep Ramanayke:
Just a lot of reading. For example, if you want to get into reading The Art of Exploitation, the second edition is out there. It should be a really good book. There’s a book about breaches. It’s good to read about breaches, so you know what we are actually trying to do, so it’s called Big Breaches. It’s called Cybersecurity Lessons for Everyone.
That’s a really good book. And if you’re not a reader, I know a lot of younger students, you’ll see this generation, they’re not good readers. If you wanted somebody to actually get in and do something and play with it… So I always encourage my students, even in cyber defense, if somebody comes and says, “I’m cybersecurity, but I don’t know if this is what I want to do.” I’ll tell them, “Go into TryHackMe. Try some of the activities there.”
That’s one of the basic entry level. If you really don’t have too much knowledge of cybersecurity, TryHackMe is kind of step-by-step, walk you through what you need to do. There are multiple different modules starting from beginners to the experts. So that’s one of the things you should get into. If you want to practice some of the capture the flag type of challenges, you can go to OverTheWire: Wargames. That’s really nice.
So these are all free resources. It’s really good way to learn some basic Linux skills, because it’s very important for cybersecurity. You need to have really good Linux background or if you want to learn some basic networking, if these are the skills that you don’t have and if you want to get into cybersecurity, reading or doing something, that’s really good.
And the other thing is, none of these resources were there when I was a student in early 2000. I wish all these resources…
The YouTube, we have a lot of walk-throughs now. IppSec, I-P-P-Sec, is a really good YouTuber. Do a lot of Hack The Box walkthroughs. That’s a really good way to see. He’ll walk you through how to get access to Linux machine or Windows machine that are deployed on Hack The Box platform.
Really, really one of the top YouTubers for cybersecurity, I would say, if you want to see how the tools he used and how he explains things is very well done. And those are some of the things and our cybersecurity page, cybersecurity center page at Xavier has a lot of these resources I just mentioned.
Steve Bowcut:
Okay. So what we’ll do is we will put links to as many of these resources as we can in the show notes so that listeners to this podcast can just click on those and get right to those resources. So thank you very much for that. That will be very helpful.
So our last question is really a fun question and I know it’s a difficult question, but we ask you to dust off your crystal ball and look into the future and give us your perspective of what you think cybersecurity might look like in five years or 10 years. And I know it’s difficult because five years ago, I don’t think any of us would’ve anticipated the impact that AI is having, right?
Deep Ramanayke:
Yeah.
Steve Bowcut:
So what do you see coming down the pike in the future?
Deep Ramanayke:
Very interesting question. I might come back and see if I’m still here five or 10 years later and see if this is true.
Steve Bowcut:
See how you did.
Deep Ramanayke:
Yeah. Like you mentioned, AI is going to change the game. I think AI is going to be a double-edged sword, like I mentioned before. Also, it’s going to help in the cybersecurity. It will hopefully help us automate a lot of things to detect a lot of anomalies and threats on the current network.
So I believe the way we are doing, like you and I, we are all getting into helping students, hopefully, I’m hoping that cybersecurity is going to be not as… There’s going to be threats coming in. The breach is not going to go away.
There’s going to be software vulnerabilities because we are all human. We write code and there’s always going to make mistakes. But I think in the future with all these new technologies, I’m looking at the good side.
I’m thinking it’s going to be better to manage cybersecurity attacks, and if we keep educating students and the general population the way we are doing it, hopefully, we will be able to defend against attacks better than what we are doing today.
And hopefully, there’ll be less breaches, less exposure for personal data with the technologies with the way we monitor stuff. So if we all get together and do our jobs within the next five to 10 years, I’m hoping we are going to see a better side of cybersecurity than what we see today.
Steve Bowcut:
Yeah. No, I agree. And it occurred to me while you were speaking that we’re probably going to see much more regulation. It seems like there’s always talk of new regulation which is… The one side of that seems unfortunate to me because it would be nice as an industry if we would be able to provide solutions without lawmakers having to get involved.
But I’m not sure that there’s enough incentive there for people without some compliance issues to keep them motivated. But anyway. All right, so we’re out of time.
Thank you so much, Deep. This was fun. This was really fascinating. I appreciate that.
I appreciate you being with us today and a big thanks to our listeners for being with us. And please remember, subscribe and review if you find this podcast interesting, and join us next time for another episode of the Cybersecurity Guide Podcast.