Checklist 197: Staring at the Cloud with Dominique West
On this Checklist, we talk with cloud security expert Dominique West. The conversation covers career paths in infosec, today’s changing threat landscape, common misconceptions about cloud security, and the importance of community to the industry.
Into the cloud
More and more organizations are moving to cloud-based systems and services, especially in the wake of the COVID-19 pandemic. But this has created new security challenges — and a fair amount of apprehension about the cloud itself.
We sat down with Dominique West, a Senior Cloud Security Consultant at Ernst & Young in Atlanta, to discuss these and other issues. We started by asking West to say how she got into cybersecurity:
DW: My path was traditional (by today’s standards). I went to a four-year university, I got a degree, and all of my jobs have really revolved around some aspect of the tech industry, whether I was in security or whether I was just in technology in general.
Nowadays, many people who are entering the cybersecurity field aren’t coming from what I’d call “the traditional route”. They’re pivoting from different industries. They’re not going to university, maybe not because they don’t want to, but just because there are many different factors like time, money, etc. There are boot camps now. So there are different ways to get into the field.
When I was starting out in my career, it felt like I had to get a degree, I had to get certifications, and that was the only way I could break in. But that’s not the norm nowadays. So I really encourage people to look at the options.
You don’t have to do the “traditional route” or go to top-notch schools or do X, Y, and Z in order to be successful in this career. There’s definitely a whole bunch of different ways that you can be successful in cybersecurity, and in technology in general. It can be very, very overwhelming when people are getting started. So that’s why I say I took the “traditional route”. And I always kind of use that as a disclaimer as well — because when people ask me for advice, what kind of route they should take, how should they plan that blueprint for their career, I always tell them, “Hey, I didn’t pivot from another industry. So what I’m telling you is very general knowledge that I think would be beneficial for you and for anyone else. But you also have to understand that what my blueprint is won’t be yours, and it won’t be the next person’s”.
It’s hard to say, “Hey, this is what you should do to be successful”, because success depends on how you define it, and on what you decide your blueprint is going to be.
But although West’s infosec career has followed a fairly traditional trajectory, she wasn’t always interested in the field. In fact, when she first started college, she had a completely different goal in mind! But two pivotal experiences early on in her undergraduate studies set her on a path that would lead her to the world of cybersecurity:
DW: When I first started school, I was going to be a lawyer! I was convinced that I was going to be a top lawyer, like in “Law and Order” (because I love that show). I thought I was going to be this big shot international lawyer and that’s what I went to school for in my first year.
But after doing an internship, I realized that it wasn’t for me. I didn’t have the stomach for it. I knew that my other alternative was technology, because that was also something I was interested in. My father is an engineer and he taught me how to work with computers and take them apart ever since I was younger. So that had always been an interest just in case, you know, being a lawyer didn’t work out.
And then as I was studying, an incident happened with my mom and me where both of our credit cards were charged this absurd amount of money. We had two different cards, used at two different times, but for the same exact amount and at the same exact place. So we knew that someone had somehow been able to get our credit card information. And that baffled me! And it kind of introduced me into the world of hacking and credit card fraud, and also investigations and forensics. I would actually chat with the people working on my own investigation and ask things like “How did someone get our credit card information? Why was it for the same amount? What kind of stores did we go to at the same time?” l was really going down that rabbit hole!
So that introduced me to the world of security, and I’ve been…not “stuck”…but interested ever since, because there’s just so much happening in the industry. Things change so quickly, and so often, and I’m a person who really likes a challenge — and this industry definitely gives me a challenge.
West has now worked in the field of cybersecurity for 8 years, and says that in that time she has noticed several significant changes in the security landscape — both in terms of threats, but also in terms of the way businesses and individuals think about security:
DW: I can definitely say that the threat landscape is much larger.
When I was starting out, the norm was “traditional security”: everyone was on-premises; and (at least where I was working) we were very “old school” in terms of how we did security.
But fast-forward seven or eight years, and suddenly we’re so connected on the Internet, everyone’s information and business is everywhere, and that makes it a little bit more difficult to keep track of everything. So how we think about security, and how we’ve implemented security, has definitely changed over the years.
In terms of security awareness, I’d like to say, with hope and optimism, that people are being more careful. But reports and research continue to show that security awareness is…”still improving”, so to speak. So for example, people are definitely aware of data breaches, right? Breaches are in the headlines so often that they know our data is out there. They know hackers are trying to do what they’re trying to do. But I don’t think that they’re aware of just how prevalent these issues are, and of how easy it is for us to introduce risk into our lives.
We typically think, “Hey, organizations are the ones being attacked. Nobody wants to come after little old me. What do they want from me? All they’ll see is a bunch of student loan debt, and if that’s what they want, they can definitely come and get it!” But that’s not the case anymore. Your personally identifiable information (your name, your address, your phone number, your health information) is valuable. It’s a goldmine. And I don’t think people are really understanding that.
Every time we have to sign up for a new website, every time we’re entering our credit card information somewhere, every time we shop online — how many times are you actually doing that? Let’s just think about this pandemic, right? How many times have you gone to a website and entered your credit card information in the last six months?
And how often are you monitoring or keeping track of how many different websites you’ve entered that information on? You’ve probably done it, let’s just say, on the low end, maybe three to five times during this pandemic. And outside of that, if you’re doing that year after year, time after time, and you’re not keeping track of that — your information just kind of slips away from you. Your digital identity is just “out there”. It’s just lost. So I can definitely say that awareness has grown, but there’s still a lot more growing to go.
Thankfully, I think security is now coming to the forefront of everyone’s minds, whether or not it’s organizational and business leaders, or the everyday average person. That’s why I do what I do in terms of my platform, because I really want to make security accessible to everyone, not just people who happen to be in the industry or in tech in general. I think everyone should have access to this information so they can understand how to take back control over their digital identity and security at a time where it feels like we don’t have any control at all.
Cloudiness around the cloud
With so much changing so rapidly, it can be hard to keep up with it all — and it’s easy to get caught up in mistakes and misunderstandings about new technologies. West says that in her work, she sees certain misconceptions about cloud-based solutions and cloud security that seem to come up again and again. Here, then, is her own “checklist” of misconceptions about the cloud:
The cloud is unsafe
My cloud provider will keep me secure
You need a new team to tackle the cloud
You can’t innovate security
My on-premise strategy works in the cloud
Security today…and tomorrow
Like everyone else, companies and cloud security teams have been facing new challenges created by COVID-19. As West explains, the current pandemic has brought about a number of changes — and has resulted in something of a boom for the tech sector in general:
DW: COVID-19 has definitely increased the work for cloud teams, because companies are now having to quickly evaluate how they do business, and their shift to the cloud is quicker than they probably anticipated it would be. Last year, everyone was coming up with their 2020 budget and their 2020 plans of how they were going to migrate to the cloud, or if they were going to migrate to the cloud. But now, that has become “it needs to happen now, and not later”. And for many companies, whereas before they might have had a little bit more time to work out the kinks and really prepare that cloud strategy that I was talking about, now they don’t have that time anymore, because they need to meet demand right now. They need to make sure their employees can still do their jobs and that they’re meeting customer demand. And so now they have to bring in the consultants and the experts to do that. The technology sector has, for the most part, really benefited from this pandemic the most.
And we’re really just now starting to realize our reliance on the cloud. Before, there was a high percentage of companies either in the cloud or partially in the cloud. Now, many industries have to rely on so many technologies that are cloud-based. If you think about education, for example, in order for them to teach and to reach their students, they have to rely on the cloud. Companies that need to reach their employees are having to rethink things, and are maybe seeing that their on-premise strategy isn’t working for the times that we’re living in right now.
And then the question becomes: “What can I do to make this work? What can I do to make sure this doesn’t impact my business as significantly as the pandemic has for so many?” So I’ve definitely seen an increase in the need for more cloud security experts and professionals to really help businesses build and execute that cloud strategy.
Despite being focused on the challenges of the moment, West is also thinking about the future, not only in terms of her own career, but also in terms of the needs of the security community as a whole — and especially folks who are just entering the field:
DW: When I was getting started in the field, I didn’t even have any idea that there was a larger security community. Or maybe I should say, I didn’t know how to be a part of it. And much of that feeling probably stemmed from lack of representation, but also the fact that social media wasn’t as prevalent as it is now for the community. I like to emphasize community because I really think security needs to be accessible for everyone. And I really want to help the next generation of cyber-professionals feel like they belong. Not knowing that you belong is not a good feeling.
Something that always stuck with me throughout my career was this mantra I got from a school club back in college, where they would say: “You lift as you climb”. In other words, as I’m growing my career, I can help others to take their own steps forward and grow their careers at the same time. So it’s not just, “my trajectory, and others can figure it out” or “I’ll hand out some tidbits”. I’m still growing, even though I’ve been in the industry for a while, but I still feel like I just have so much more that I can do, and offer.
But as I’m doing that, I also know I’ve reached a point where I do have knowledge, and I do have the confidence to give back to others who might not have that. They might not see someone who looks like them, and to be able to be that representation for them, I think would be one of the greatest honors of my career. To be able to help someone say, “Hey, you know what, I see Dominique out here, and she started a podcast, she can do all of these things. I can do that too. I too have something that I can contribute to this community”.
Because everyone has the ability to contribute to the security community. Sometimes it can be a little bit scary to do so. But when you have a community and you have a support system, it not only just makes you better, I think it also makes the community at large better. When I grow, you grow. Everyone grows. And it just makes the industry much, much better to be a part of,
One important source of community, both for West and so many others in the cybersecurity field, has been the Women’s Society of Cyberjutsu (WSC). West talked a little bit about the work of the WSC, saying why it means so much to her, and what it has to offer to both women and men in infosec:
DW: The Women’s Society of Cyberjutsu is a nationwide nonprofit that aims to empower women in the field of cybersecurity. I joined them last year, and I lead the Atlanta chapter. We have chapters all over the nation: Florida, the Carolinas, Virginia, Las Vegas, we actually just opened one in Texas and one in New York City.
We provide resources for women to succeed in the field. That can include technical workshops — for example, we’re having a pentest lab coming up for those who wanted to get into the penetration testing field; we just had a resume workshop. I do study groups for those who are trying to get certifications. For example, Security+ is a really big entry-level certification that people go for, and I do study groups for them to figure out how to work through and create a strategy to pass the test. So we have a whole bunch of different opportunities and skill sets that we offer our members.
It’s one of the communities that I’m most grateful to have found because the friendship and the support that they have given me in my career (and vice versa) have just been amazing. So if you are ever looking for a community, they’re an amazing group of women to be a part of!
The Checklist would like to thank Dominique West for taking the time to speak with us. If you’d like to learn more about Dominique and her work, you can follow her on Twitter
or visit her website. To listen to her weekly podcast, Security in Color, visit the podcast page on her main site or on Apple Podcasts. If you’d like to learn more about creating a cloud security strategy, Dominique has a full video presentation on YouTube that covers the topic in greater depth.
That takes us to the end of another Checklist, but we’ll be back next week with a new episode. Until then, feel free to write to us with security questions, guest suggestions, or topic requests — and don’t forget to check out the show archives for all of our past podcasts.