
As a part of my series called “Wisdom From The Women Leading The Cybersecurity Industry”, I had the pleasure of interviewing Kimber Dowsett. She is the Director of Security Engineering at Truss, a software infrastructure consulting firm servicing both the public and private sectors. Prior to joining Truss, she served as a Security Architect and Director of Infrastructure Engineering at 18F, a Federal agency providing digital delivery services housed within General Services Administration (GSA). She also served 6 years as a Mission Information Specialist at NASA, securing instrument and ground systems at Goddard Space Flight Center. Kimber is passionate about privacy, encryption, and building user-driven technology for the public.

In her spare time, Kimber developed and maintains the framework for the Mock Interview and Resume Review (MIRR) Workshop, a project that partners mentors with mentees from underrepresented communities who are un/underemployed in tech and seeking opportunities for professional development. She enjoys designing and building PCB-based electronic projects and is an avid admirer of Chiroptera, comic books, and video games.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was born on a military base to teen parents. I grew up in poverty, moving from place to place as my parents looked for work and housing. I changed schools 8 or 9 times in 12 years, so forming meaningful connections was never easy and I didn’t give much thought to my future. After I left home, I realized pretty quickly that no one was going to come along and change my life or take care of me; I was the only one who could do it. I worked 3rd shift at a copy shop for years so I could attend college during the day. It took over a decade and a crippling amount of student loan debt, but I earned a BA from Salem College and an MFA from Maryland Institute College of Art (MICA). I was recruited by Apple a few months after earning my MFA, and my career in tech officially began when I attended my first Apple technical training in Cupertino, CA in 2005.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I’m a huge fan of classic horror films and stories. Mary Shelley’s Frankenstein; or, The Modern Prometheus (1818) and the film Frankenstein (1931) with Boris Karloff and Colin Clive are my absolute favorites, along with the film Bride of Frankenstein (1935) starring Elsa Lanchester. At the heart of Frankenstein; or The Modern Prometheus, there’s a deep commitment to the pursuit of knowledge, for better or worse. The doctor isn’t inherently bad, nor are his monsters. Technology is a critical element in the film, used as a tool to bring creatures into the world capable of immense destruction. In Bride of Frankenstein, the male monster is humanized and sympathetic, longing for love and companionship, while the bride character is reduced to her gender and expectations of women at that time, making her a non-sympathetic character. These stories resonate with me because, in many ways, I’m both the doctor and the monsters. It would take a thesis-length paper to explore and explain, but for those interested, some good reads on the subject are Technology and Impotence in Mary Shelley’s Frankenstein, Why Frankenstein Matters: Frontiers in Science, Technology and Medicine, and Themes of Sexuality and Gender in Frankenstein: or, The Modern Prometheus and The Bride of Frankenstein.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I stumbled into cybersecurity without even realizing it, before I knew about the industry terms or certifications that were part of the status quo. I was working on a small engineering team doing quality assurance (QA) work. Most of my days were spent trying to break our application with SQL injections and brute force attacks while defacing/destroying webforms that weren’t using input validation. I was doing this type of work for a couple of years before my company hired a CTO who called what I was doing “overzealous penetration testing” and promptly changed my title to Security Analyst. It’s interesting to look back and realize a simple job title change changed the trajectory of my entire career. It’s also something I point to when folks suggest that job titles don’t matter. (They do.)

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

It didn’t feel very funny at the time, but I once deleted an entire production system I thought was my test environment. I suppose the lesson learned was that I really should’ve double checked naming conventions before standing up (and tearing down) a test environment to avoid a catastrophic loss of production data. YOLO. Another early mistake was running a full attack on a production system while I was logged in as an admin. Although I’d technically logged out, the tool cached my admin credentials and ran the attack as root. I was in the office when a dev ran to my desk looking for help because prod data was being destroyed by a hacker. Oops! I learned to flush creds and triple check privileges before running a pentest on prod systems. Fast forward 10 years and IT has to twist my arm to give me admin rights on anything. I usually respond with, “No thanks.” Honestly, root is a giant headache, and I don’t want it anymore.

Are you working on any exciting new projects now? How do you think that will help people?

It’s not a new project, but the Mock Interview and Resume Review (MIRR) workshop is a labor of love. MIRR is a personal project aimed at partnering experienced mentors with mentees from underrepresented communities who are unemployed or underemployed in tech and seeking opportunities for professional development. I’ve partnered with Lesley Carhart to do the workshop in person more than a few times, and they have done some amazing work wrangling their own resume workshops virtually during the last year. Prior to the pandemic, the in-person workshops directly contributed to dozens of folks from underrepresented communities landing security jobs or promotions. The workshop content is on GitHub so folks are empowered to use the framework to bring the workshop to their own professional communities, regardless of field. We also encourage folks to contribute to workshop content by uploading sample interview questions, workshop formats, and commenting on existing content. It’s been exciting to see folks managing to wrangle the workshop remotely during the pandemic, and I’ve appreciated receiving feedback on improving the format of future virtual and in-person events.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

Some things I find interesting lately are supply chain attacks, securing the continuous integration/continuous deployment (CI/CD) pipeline, and visible improvements in diversity initiatives across the industry, although we still have a long way to go.

A great example of an effective supply chain attack was SUNBURST. It was a pretty exciting attack for researchers to dissect, but not so great for incident responders who had to deal with the fallout. In any event, it’s a solid case study for a supply chain gone wrong, and it’s worth reading about to understand the sheer magnitude of the event. I suspect it also prompted a lot of security teams to update their incident response (IR) playbooks and tabletop exercises to include catastrophic supply chain attack scenarios.

A lot of formerly theoretical attacks are possible now by way of the CI/CD pipeline. Since many of us are trying to automate ourselves out of jobs so we can retire, automation has opened up a world of opportunities for malicious actors. Monitoring and logging are more critical than ever, and many times we find ourselves searching for a needle in a needle stack. CI/CD vulnerabilities are becoming more common, but secure code reviews along with other solid DevOps practices can save organizations a lot of incident response time (and pain).

While there have been a large number of companies focused on improving diversity, inclusion, and equity across their organizations, as an industry, there’s still a lot of opportunity for growth. It’s not enough to treat diversity like any other checkbox. It shouldn’t be hard to grok that just hiring someone from an underrepresented community doesn’t reflect an organization’s commitment to supporting diversity initiatives. Efforts like mature code of conduct policies, reasonable job requirements, unbiased job descriptions, transparent salaries, mentor/mentee or pairing programs, and inclusive benefits packages are just a few ways organizations can demonstrate their commitment to building strong, diverse, and inclusive teams. As an industry, we’re not there yet but it’s exciting to see companies like Truss paving the way.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

Only 3?

I’ll start with fear mongering. There’s a lot of profit to be made when a company markets fear. It’s problematic in a lot of spaces, but most recently the fear and disinformation campaigns surrounding election security are particularly devastating. Convincing folks that elections aren’t secure tears at the very heart of our democracy and faith in free and fair elections. Security professionals have to keep speaking out to counter false narratives while partnering with election officials and vendors to identify and remediate security issues.

Another concern I have with the industry is gatekeeping and its impact on community diversity. Requiring expensive certifications, advanced degrees, or extremely lengthy, specific experience for a somewhat generic entry-mid level tech or security role is most certainly going to elicit a pool of applicants that excludes folks from underrepresented communities. In order to improve teams and build better systems, it’s critical to have diversity of thought, experience, and talent. Slashing diversity initiatives with unreasonable and unnecessary requirements at the top of the pipeline is a sure-fire way to miss out on great talent.

Finally, a quick word about charlatans in our industry. Cybersecurity is a hot commodity right now and there are more than a few folks out there trying to cash in. Contact references and ask questions. Don’t rely on follower counts or resumes to validate credibility. Do independent research before hiring a consultant. Don’t skip the behavioral and technical interviews. Ask questions about transparency and cross-team collaboration. A candidate who looks great on paper but demands a rapid decision may be a convenient hire, but the best hire will be willing to go through the interview process to make sure they’re a good fit for both the organization and the team.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

Supply chain and CI/CD pipeline attack numbers are growing exponentially. Many companies need more robust monitoring and alerting systems in place to catch things their current systems may be missing. Using SUNBURST as a model for a supply chain attack is a great way to add a catastrophic response plan to an org’s incident response (IR) playbook. Pipelines can be a little tricky since each company operates slightly differently. Figuring out ways to break down the silos between security, infrastructure, and engineering teams is the first step toward improving an organization’s overall security posture. In an effort to tackle this problem space at Truss, we’ve combined our Security and Infrastructure teams to form our Infrasec practice and are doing a ton of Infrastructure and Security pairing sessions. So far, so good!

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

As a former civil servant who currently works on federal systems, there aren’t too many of these stories I can share. I will say that most breaches in the federal space are the result of configuration errors, unsupported legacy systems, and/or user error. Oftentimes, misconfigurations, poor configurations, or default admin credentials are spotted by Shodan users. Years ago, I received a message from someone who claimed to have access to the National Emergency Alert System. They felt confident they could send out a nationwide Amber Alert for Pikachu (at the time, Pokémon Go was super popular). Although I worked at one of the larger federal agencies and had a lot of security contacts, it took days to track down the system owner to report the misconfiguration. Everything worked out in the end, but the takeaway is that folks can’t report vulnerabilities if they don’t have a point of contact. Publicly available vulnerability disclosure policies (VDPs) should be part of every organization’s security program. Championing this initiative was part of the work I did at 18F.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

These days, I’m on the executive leadership team at Truss so I don’t use security tools too often at work anymore. Day to day, I use GitHub for code commits, command line interface (CLI) to manage AWS, Terraform (infrastructure as code tool), and I occasionally peek at our asset management tool to make sure user systems have the latest patches (but I try not to step on our IT Specialist’s toes). For the fun stuff, Kali has most of the tools I play with preinstalled.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

For regular users, Have I been pwned? is a great place to see if your email address has been compromised in a data dump. There are tools out there to scan for spyware on phones, tablets, and computers. I honestly just assume I have been hacked and take steps to limit the damage. I use a camera cover so I don’t have to worry about my green camera light turning on when it shouldn’t. I use a separate password manager for my work and personal accounts. My password manager account passwords are the only ones I have memorized. I use the auto-generate feature of my password managers to create ridiculously long, complex passwords and I don’t reuse them. I have 2FA or MFA turned on for every platform that supports the feature. Is it a pain sometimes? Sure, but if one of my accounts gets popped in a data breach, it’s only that single account on one platform. In the big scheme of things, it’s not a huge deal. A good day in security for me is when something happens that’s slightly annoying but not devastating.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Identifying the what, why, and how of the breach as quickly as possible is the only way to move forward. Remediation can be quick or can take months. Assuming the security team has figured out what went wrong and engineers have plugged the leak, transparency is the key to restoring trust after a breach. Be honest with customers about what happened, be specific about the data that was compromised, and outline how the company will respond to and prevent this type of breach in the future.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Manual configuration of infrastructure seems to be the root of most data security issues I’ve seen over the past year. With a large number of companies moving to cloud-based platforms and adopting a more modern approach to DevOps and security practices, team leads should be pushing back hard against manual system, security, or infrastructure configuration and changes. Solid, secure infrastructure should be consistent and repeatable. Companies not investing in DevOps teams focused on security automation and infrastructure as code (IAC) are playing with fire. These orgs will continue to struggle with breaches of their manually configured, unchecked systems, probably while amassing a $20,000 per month S3 bucket bill logging all the wrong events. Hypothetically.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

I do believe things are changing for the better for women and non-binary folks in tech, but when I look around at CEOs, CTOs, CISOs, and COOs, I still see (mostly) cis white men. Representation is important and until all young folks are able to see themselves represented on leadership teams, it will be harder for them to imagine a world where they’re the CEO of a Fortune 500 company. Specifically, companies need robust organizational systems in place to support diversity, inclusion, and equity programs so folks have professional development opportunities and the support they need to grow into leadership positions. We’ll know we’re doing things right when we’re able to spot demographic shifts across tech companies at the executive level.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

From Echosec: Hacking, which originates from a Germanic word meaning “to cut in pieces,” is the process of compiling information (or anything, really) together in a novel way that results in something interesting or useful. In a computer context, the word originated with a positive connotation — for example, Steve Wozniak, one of Apple’s original founders, was an exceptional hacker.

There’s a difference between a hacker and a malicious actor. One can be a hacker without being malicious. I’m not reading private text messages; spying on Instagram, Facebook, or Twitter accounts; spoofing cell phones; stealing Roblox accounts; or [insert other weird, random request here]. I’m not going to waste a day trying to steal someone’s private photos. Hacking is not a crime, but a lot of questionable characters online seem to think hackers will commit crimes for cash. It’s just bizarre.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why?

Transparency is the path to trust, and trust is the path to honest feedback. An echo chamber doesn’t help organizations improve. When the feedback loop is broken, systems can and will break down. I welcome feedback and encourage radical candor focused on my leadership and strategic initiatives.

Learning when not to take things personally is hard but valuable. It used to be really tough to separate myself from the work I was delivering, so when someone criticized my work, I took it to heart. Once I learned to build, write, or make things and release them into the wild, I was able to listen more constructively and accept feedback without beating myself up. A technical failure doesn’t mean I’m a failure.

Self-care is critical to survival and sets the tone for positive team culture. I wasn’t willing to take a vacation until everyone on my team had some time off this past year. Once everyone took the time they needed, I kept coming up with excuses for why I couldn’t. Bad move. If leadership isn’t taking time off, team members question whether they should or not. Team leads have to normalize time off and mental health days and champion vacations, even their own.

I hold myself to higher standards than I need to. My boss once asked me to write down what I think he expects of me. My list was WAY longer than his. It was a great exercise and he was able to say, “no wonder you’re always busy and exhausted!” Another wonderful thing about the exercise was the list of things he told me to drop or delegate. I highly recommend doing this with your boss and direct reports (if you have them).

It’s ok to not be ok. I am not a superhuman. I get tired, cranky, sad, exhausted, depressed, and anxious. This past year has been rough. It’s ok to say “no” and it doesn’t mean I’m weak. I spent my early years in tech as a people pleaser, burning myself out because it’s the role I thought I had to play to be taken seriously. For the past few years, I’ve had “No as a Service” (NaaS) in my bio, proudly and unironically.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!

Thanks for inviting me to share!