What inspired you to choose the master’s in cybersecurity engineering program at UW Bothell?
While pursuing my undergraduate degree at UW Bothell in Computer Science & Software Engineering, I interned in the pilot cybersecurity co-op program run in partnership by T-Mobile USA, Inc. and UW Bothell. This internship gave me my first experiences working in a professional environment as a software engineer and also gave me an introduction to the world of information security. Prior to joining this co-op program, I hadn’t really thought about the security implications of the things I was building as a software engineer, and found it fascinating that there was an entirely new plane of software and technology that I knew nothing about.
Once I finished the internship, I graduated from UW Bothell with my bachelor’s degree and transitioned into a full-time role as an application security engineer at T-Mobile. Learning about new security concepts, theories, and working hands-on to mitigate and prevent vulnerabilities in my day-to-day work sparked my curiosity to further my learning in the information security space. I immediately applied for the cybersecurity master’s program to continue my education at UW Bothell and started the master’s program the following autumn.
Any big question you asked yourself before enrolling to make sure the program was the right choice for you?
I definitely took a look at the courses available and the degree requirements to see if what I’d be learning aligned with my professional career goals and interests. I was not only interested in the technical side of information security, but also in the non-technical aspect (e.g. human factors in cybersecurity, risk and compliance, standards and policies, etc.) What I found was a large variety of courses that would empower me with a large breadth of knowledge in information security, and I imagined that the depth would come from the research-driven projects throughout the program.
What would you say makes the program unique?
The program is unique in that it covers both technical and non-technical coursework. Many of the programs I have looked at focus on specifically technical skills within cybersecurity OR non-technical skills in cybersecurity. Although most security professionals work in one or the other, having knowledge in both sides gives a more circumspect understanding of overarching security challenges and how to mitigate or resolve them. It is much harder to look at the bigger picture when designing a solution when you have only a small subset of context and knowledge in the problem space.
What are some highlights from your student experience?
Hands-down, the highlight of my student experience throughout the master’s program would have to be the ability to define my own research interests and pursue them in most of the courses I took. The overall structure of these courses was to provide lectures covering the foundational knowledge needed in a specific subject matter, and then assigning a research project where the students could propose their own project ideas within that umbrella subject. It is really difficult to produce high-quality work (especially within research) when you are uninterested in the topic or project at hand.
As a result, another highlight was being able to publish a conference paper (with enormous help from Professor Marc Dupuis) and present my research at the 20th Annual Conference on Information Technology Education (SIGITE ‘19). I ended up being so interested and invested in this research topic that I worked on it further for my master’s final project with Professor Dupuis as my faculty chair.
What courses did you enjoy the most, and was there an area of research that inspired you?
There are two courses that come to mind: Human Factors in Cybersecurity and Ethical Penetration Testing.
- My work (then and now) focuses mainly on application security, so I often dealt with human error in misconfiguration of services or misuse/abuse of systems in day-to-day work. Better understanding the human factors involved in security and what could lead to potential vulnerabilities or social engineering attacks gave me the tools to help mature the security education and awareness training available to coworkers at my job. I have contributed to internal phishing training as well as courses on threat modeling, writing secure code, and when/how to engage with the information security team. In the academic space, I also found human factors to be a point of interest purely because I had prior experience in software engineering and user experience design, and I have found many gaps in how companies drive projects through the design, implementation, and security review phases that could be improved. This ended up being the driving force behind my master’s project research.
- The other aspect of my work also includes handling external white hat (ethical hackers) vulnerability reports, so the Ethical Penetration Testing course gave me some foundational knowledge to see things from the perspective of an attacker rather than a defender of a system. I believe that having the awareness of both perspectives helps largely contribute to designing and implementing more robust prevention controls and detection tooling.
What were the most challenging and rewarding parts of being a student?
The most challenging AND rewarding part of being a student was the fact that I was working full-time and part of an engineering on-call rotation within my team. The challenging part was time management and having to deal with unforeseen conflicts like being paged while on call to handle a security incident during times when I was in class or supposed to take an exam. The rewarding part was being able to see in real time how the knowledge and skills I gained through the cybersecurity master’s program translated in my day-to-day work and improved the quality of my work output.
Do you have any advice for future students?
If you are working full time, don’t be like me and attempt to do 10 credits per quarter right off the bat. Start with five and see how your time management goes, especially when in a new role. As you go throughout the coursework in the program, take note of what topics interest you and try to use your quarter-long course-specific research projects as primers for potential research topics to explore in your final culminating master’s thesis or project.
Where are you currently working, and what is your job title?
I currently work at Twitter as an application security engineer II, with a part-time allocation to AppSec tooling for vulnerability detection/discovery and a part-time allocation to running our bug bounty program.
Do you feel the degree prepared and supported your professional career goals? How did this job opportunity come about?
Yes, I think the degree did a good job preparing me for the breadth of knowledge I needed to get started in this role. When I first started at Twitter, I was doing security reviews, code reviews, and working on small security tooling projects. When reviewing technical designs for security issues, it is definitely good to have that breadth of knowledge and then building the depth comes with time (as the technology stack varies depending on where you work).
This job opportunity sort of fell in my lap. I was interviewing at multiple companies at the time, and Twitter was not on my radar—I was completely unaware Twitter had any presence in the Seattle area. A recruiter found me on LinkedIn and messaged me to gauge my interest in interviewing for the application security engineer role. The job description listed “4+ years of professional experience in this field” as a requirement, and I explicitly told the recruiter I did not meet this, but they encouraged me to interview anyway because I had work experience and research in the niche skill set and subject matter they were looking for. I ended up interviewing and accepted their offer over a few other tech companies because the positive work environment and amazing company culture was really evident and apparent during the interview process. In my opinion, good cultural fit between yourself and your employer’s core values is just as important (if not more) as functional and technical fit for the role.
Are there any other thoughts or advice you would like to share?
To my fellow women and other underrepresented minorities in cybersecurity and the larger technology industry: your input is just as valuable as the next person. Be unapologetic and speak up when you have input or opinions. Everyone experiences imposter syndrome at some point. Spend time to reflect on self-doubt, figure out where that stems from, and address it from there. Your age, years of experience, gender, seniority, etc. do not make you any more or less valuable than other members of your team. Gate-keeping is such a large issue in the tech industry. Employers all want to hire folks with 3-5+ years of experience for specific skills, and it makes it hard for new graduates to get an honest start in the industry. Here’s some advice for both employers and candidates:
- Stop having strict years of experience listed on job descriptions, and start listing expected skills and competencies at the levels you are hiring for,
- Invest more in training and developing junior employees, and
- Make sure to reevaluate your hiring processes (resume review, screening, rubrics, questions, number of interviewers) often especially if you have an extremely low hire rate.
- Candidates (students applying to jobs)
- Apply to jobs even if you don’t meet every single requirement listed,
- Be aware of both your strengths and weaknesses,
- Make sure to gauge cultural fit during your interviews, and
- Ask for general feedback after each interview so you can iterate and improve on your next one.