Ralph Russo is the Tulane University School of Professional Advancement Information Technology Program Director. He is focused on keeping learning delivery and the Applied Computing curriculum on pace with cutting-edge technology, security, and industry advancement.
Russo also holds the title of Professor of Practice. He created and delivered the first graduate and undergraduate cybersecurity courses at Tulane in 2011 and has taught in both the Homeland Security and Information Technology programs.
Russo is a nationally recognized subject matter expert on technology in the homeland security and public safety domains. He has served in director-level leadership positions for technology/systems integration companies for over 15 years.
He has also consulted for multiple federal, state, and local jurisdictions to successfully guide the development, deployment, and adoption of IT systems for security and public safety. Faculty profile
Key takeaways from the interview
- Background and career path: Ralph Russo, Director of the Information Technology Program at Tulane University, has a diverse background, starting in law enforcement and transitioning to technology and cybersecurity. He emphasizes a holistic approach to cybersecurity, integrating both technical skills and big-picture strategic thinking.
- Diverse student interests: Russo notes an increase in students interested in leadership or coordination roles within cybersecurity, not just technical aspects. He emphasizes the importance of diverse skill sets in the field.
- Cybersecurity education approach: His programs at Tulane cater to both traditional and non-traditional students, offering hands-on labs and real-world scenarios to enhance learning, like the sandbox company ‘South Balance’ for practical exercises.
- Reading recommendations: Russo suggests resources for cybersecurity learning, including websites like the Center for Internet Security, DHS, CISA, NIST, Dark Reading, Wired, and works by Shira Ovide at the New York Times, as well as the Association for Computing Machinery’s monthly publication.
- Future of cybersecurity: He predicts that cybersecurity will become more regimented and structured, with a greater emphasis on governance, policy, and integration into overall IT operations. He advises students to focus on both technical learning and academic education, in addition to professional certifications.
How did you first become interested in cybersecurity, and how did that experience lead you to where you are now?
Mine has been an odd journey, but I think many people’s journeys are not linear, right? In my case, I learned about technology by building computers. I would buy parts, assemble them, and sell custom computers as a side gig. I would program and network computer systems as part of a small business I owned.
The first 20 years of my serious full-time working career was focused on physical security. In fact, I was in law enforcement.
I worked as an investigator, a counter-terrorism specialist, and intel specialist in my main job, then learned about technology as I built my hobby/side business.
For example, in the early 90’s I had a website up on the internet before most major companies did. The first NYPD-focused website was a hobby page that I put up – before there was an official NYPD site.
I had servers and networking cables running through my basement. I’d be doing side work for lawyers and doctors, keeping their systems going, providing them the ability to back up their data. Naturally, given my interest in physical security, I began to focus on systems and data security.
My experience in physical security and law enforcement allowed me to approach cybersecurity from a conceptual perspective. Security principles such as defense-in-depth, layered security, diversity, segmentation, deception, and resilience can apply to both physical and digital security.
The big-picture approach is still elusive. Some get so distracted by the latest security technology, product, or solution that they can’t see the forest for the trees. Implementation of a security product that is not fully designed to the whole, and not properly integrated may address some security needs but create other vulnerabilities.
Is there, or has there been, a predominant area of cybersecurity interest throughout your career?
Yes, my predominant area of interest has been the conceptual approach we have been discussing. It is great that some people are excited about setting up a firewall, pen-testing, auditing logs, encrypting data, or other technical aspects of cybersecurity — that is the bread and butter of cybersecurity. But for me, it has always been looking at security from the big picture, “holistic” security principles perspective informed by the real threat landscape — actors as well as malware.
When people in the cybersecurity industry are hyper-focused on a piece of the big picture, it reminds me of that cartoon about building a tire swing. They built something that seems to fill the need, but did they build it right in the big picture? Does it meet the real need?
Before turning to academia, I worked for various information technology companies, managing teams and overseeing extensive projects.
At one point in my career, I was a director for a company that built and sold CAD/RMS systems. Those are the computer-aided dispatch and records management systems that handle emergencies beginning with the 911 call through a detective’s investigation. The critical nature of those systems made that a fascinating job.
Your department offers a bachelor’s in science concentration in cybersecurity and a master’s in cybersecurity management. Can you describe the programs you offer at Tulane and the process you use to keep these programs relevant to an ever-changing cyber threatscape?
I’m Director of the Information Technology Programs at the School of Professional Advancement at Tulane, which is designed for career changers, adult learners and working folks. We have many traditional students, but we are uniquely constructed to service non-traditional students.
Serving the needs of non-traditional students is crucial at this time in our society. Many displaced workers need a skills refresh. Others need a complete career change, and others decide they want to level up. At the same time, there is a skills gap in cybersecurity and other technology fields. Given this, we can fill this gap and serve the community well through our academic/applied degree programs and certificates.
To me, serving these non-traditional students is exciting, and to me, it’s the future.
We offer an undergraduate bachelor of science degree and graduate degrees. We offer five undergraduate concentrations, app dev, cybersecurity, product and program support, enterprise systems and Cloud, and network and system administration for our undergrads. At the graduate level, we offer an IT management master’s degree and a cybersecurity management master’s degree.
Keeping our programs and courses relevant to an ever-changing industry was a big concern for me when I came into academia. My perception was that too often, course material was outdated, especially in technology fields.
The way we handle this is, we regularly offer special topics courses that cover emerging and new technologies and approaches. We engage a subject matter expert to teach these cutting-edge courses. If we decide the course meets an ongoing need, we send it through the University council, and our internal build process, and it becomes a part of our regular curriculum. This is one way we ensure our students are “industry-ready.”
The other thing we do is continuously update all our courses. We continuously review our existing curriculum and apply refreshes and rebuilds on an ongoing basis, ensuring every course is touched over time.
In doing so, we rely heavily on our Industry Advisory Board. Representatives from some of the biggest companies in the technology domain participate on this board. We also have smaller firms represented.
The Advisory Board meets once each semester. I update them on our strategy, and everything we are teaching or considering adding to our curriculum. They provide us with valuable input about what is needed to be aligned with real-world requirements. In this way, we can tailor our programs so that our students graduate ready to provide immediate value to an employer.
It’s expensive to do everything we do. Listen, the bottom line is that if I didn’t have the support of the Dean and the university, we couldn’t do this as thoroughly. It’s not an inconsequential spend. Whether you are sitting right in the middle of our New Orleans campus with some of the smartest students and instructors you will ever meet, or you’re online in Iowa taking one of our courses, you’re going to get the same Tulane quality education. Given that, Tulane SoPA courses are far less expensive than most people think, sometimes less than State school tuition.
Regarding your cybersecurity programs, are there options for students to learn on-campus, online, or a combination of offline and online?
Here’s where I think we may be a little different than others. Each of our courses are built so they can be offered in-person, online synchronous, or online asynchronous. A course is fully built out to be offered in any of these modalities. Online synchronous means it meets once a week; asynchronous means you log in when you can. Even our asynchronous courses have a once-a-month synchronous meeting to enable networking and allow the students to interact with each other and with their instructor in real-time.
We build our courses by teaming a subject matter expert from industry with a Ph.D. instructional designer and a graphics team. Over six months, they build the course to a high standard of quality to include specialized graphics, interactive experiences, specialized videos created for the course, and to be offered in any of the aforementioned modalities.
Each semester we offer a mix of these different formats. Our graduate degrees are all online, 100 percent either asynchronous or synchronous. Our undergraduate courses are a mixture. You can take them in person or online. Our online offerings allow us to be truly global. For example, we have students in South America and Afghanistan and an instructor in Australia.
To enable these turnkey offerings, each one of our IT students has their own Virtual Desktop on University servers, so students can log onto the virtual desktop, from any connected modern computer, from anywhere, and have access to all the software they need to complete our courses. Our web-based videoconferencing software and our Learning Management System further enable our ability to offer high-quality courses anywhere, anytime, via any modality.
What are your students interested in, or what kinds of cybersecurity projects are they working on?
We get many students with hardcore tech interests, the ones who want to learn how to bulletproof a DNS. But I see an uptick in students who may not have the same interest in the bits and bytes but are interested in leadership or coordination roles in the industry.
If you think of cybersecurity as a battle, which it is, not every soldier will be on the front lines. Some are needed to establish supply lines and support or lead the front-line troops. I think Napoleon learned about supply lines the hard way in Russia.
One of my concerns is about the students who are not coming to our programs because they believe that cybersecurity is all about turning “nerd knobs” and nothing else. When I run across prospective students that are hesitant because they assume that cybersecurity at a top-level school like Tulane will be super technical, I try to help them understand that while the technical is important, it takes all kinds to secure systems and that there is a place for everyone. For example, our IT Product and Program bachelor of science concentration focuses on the services, process, and leadership wrappers around the technical.
To be sure, we teach the nerd knob stuff. We have over 250 hands-on labs. We have created a sandbox company called South Balance. This virtual company ostensibly makes professional sports-themed yoga mats. It has an org chart, a mission statement, and a balance sheet. It has a fake headquarters but real infrastructure, email server, and so forth.
Our students are given assignments that include protection and threat mitigation for South Balance Inc. This includes technical activities as well as activities designed to support and govern a company’s approach to cybersecurity. Learning in context is powerful.
If you were to build a cybersecurity reading list, what would be your top picks? (this could be books, papers, or lectures)
I recommend students spend some time reviewing:
Center for Internet Security
If you are somebody that enjoys more topical and deeper cybersecurity thinking I suggest:
And my favorite is Shira Ovide at the New York Times. She covers technology current events in a way that is concise, educational, balanced, and engaging.
For those interested in research and algorithms, there is the Association for Computing Machinery, ACM. They have a monthly publication called Communications of the ACM which I read regularly.
What do you think the cybersecurity industry or landscape will look like in five years? Ten years? And what do you think students today can do to best prepare for that future?
I’d say cybersecurity is going to get more regimented, more structured, and more best practices are going to emerge. Governance, policy, and process will be adopted by more organizations, not only large firms. At the same time, cybersecurity is going to get a lot more integrated into the overall IT Department operations and development — for example DevSecOps. That’s where I see the industry headed. We are only at the beginning. It is an exciting time to be in cybersecurity. Of course, the threats, and the protections will be using far faster processing, so there will be the ongoing arms race.
To prepare for this future, I recommend that students should consider this convergence and standardization in addition to their technical learning and seek academic education in addition to professional certifications.
Thank you so much, Ralph. This has been a fascinating conversation. I have thoroughly enjoyed speaking with you.