Women of Cloudflare Security: Elle Dougherty and Imma Uche
Presented by: Elle Dougherty, Imma Uche, Jacqueline Keith
Originally aired on October 12, 2022 @ 1:00 PM - 1:30 PM EDT
Cloudflare Security prides itself on a diverse and inclusive environment. Join Jacqueline Keith in an interview with Elle Dougherty and Imma Uche on their professional journeys as security engineers on the 1-year-old Security Operations Engineering Team.
English
Security Awareness Month
Transcript (Beta)
Hi, everyone. Welcome to Security Awareness Month. My name is Jackie and I run the Cloudflare security engagement team.
Today I have a really exciting interview for us.
I have two of my co -workers, Imma Uche and Elle Dougherty are here from our security operations team.
The team is about a year old. Earlier this week, you heard from Dimitris and Ishwarya who are also on that team.
So we thought it would be really fun to talk to a few more members of the team and learn about their background and their perspective.
Elle, can you tell us a little bit about your background and interests?
Yeah, so I majored in undergrad in computer science. My mom half jokingly told me I could major in anything as long as I also majored in computer science.
And here I am. And then I did grad school. I got a master's degree in secure computing from IU, Indiana University.
Cloudflare is my second job outside of college.
So where did you go to undergrad at? Grinnell College in Iowa. It is a small liberal arts school and it is not Cornell.
And how did you make the jump from an undergrad that's a liberal arts degree to a master's in computer science?
So my undergrad was computer science, a bachelor of arts, not bachelor of science.
But I was getting ready to graduate and had no idea what I wanted to do afterwards.
And I had one job offer as basically a help desk technician in Des Moines.
And then I had an acceptance into the secure computing program and I was like, well, we're going to go to grad school and put this off for a little while.
That's pretty much the same reason I went to grad school. I just didn't know what to do afterwards.
So school seemed really safe. Yeah, exactly. Do you have any personal interests that are kind of related to your degree or something that's unique or interesting about you?
I'm a chronic dabbler. I will get into anything and then like hyper focus on it for a couple months and then sometimes stick with it or come back to it.
And sometimes it's just like, so that happened. But lately I've been into a lot of DIY hardware for computers and stuff.
I've made my own keyboards and been experimenting with different layouts and stuff for split keyboards.
Oh, that's a pity. More ergonomically correct than some of the things we're using today.
Oh, that's cool. We also have Ima. Ima, why don't you tell us a little bit about your background, your schooling and some of your interests?
Hi, so I went to community college first. I majored in computer science in community college and then I transferred to a four-year college, John Jay, CUNY in New York to get my bachelor's in computer science.
Unfortunately, five weeks into my first semester there, I had to go home because of COVID.
So yeah, that's my background.
Three years in classrooms, one and a half years of doing school from home, homeschooling.
So I guess I'm homeschooled, so to say. I also did computer science in college and I graduated with a bachelor's of science in computer science.
And then this is my first job right after college. So yay me. I pretty much knew that I wanted to go do something related to computers, computer science.
I just wasn't sure. I just didn't know it would be security because when I got into computer science, what I had known about it was mostly around software engineering.
And I started to really learn about security on transferring to a four -year college because the major, the computer science major in my four-year college was more security focused.
It's like computer science and information security.
And that got me into it and was like, oh wait, with all these systems and programs that are getting built, they have to be secure because you're hearing about this hack this day and this hack tomorrow.
And my cryptography class that I took in college got me really interested in like breaking crypts and encryption, decryption, how security works and how things are transferred in email.
And yeah, so that brought me here today.
And when I'm not geeking out on security stuff, I am writing.
I like to write fantasy stuff. So yeah, waking up as another person in another century.
I guess I'm really into escapism. But yeah, and I like to paint. So I do have like a couple horrible paintings that I display in my apartment.
But yeah, I like to dabble a lot.
Like Elle says, I'm a chronic dabbler. I got an easel lately, hoping that I would paint more, but I haven't used it.
It's been sitting there for four months.
But yeah, I'm writing, painting, things that are sort of artistic.
And I also like to read a lot of novels during my free time.
So yeah. It sounds like you have both sides of your brain working really, really well, the creative and the logical side.
So that's a talent.
Not many security people have it. So you've developed it early. Oh, thank you.
You're very welcome. So you kind of delved into my first question already, which was for both of you, what sparked your interest in security?
And was it your first choice career?
Or did you have something else in mind before you went down the security path?
Oh, yes. Like I said, I had software engineering in mind.
And I had been like, you know, coding, hackathoning, getting ready for my software engineering career, when I got railroaded into security accidentally, through, I think it was a program that I had started in college, but couldn't complete because of COVID.
And it was a security introduction to security, we're doing CTFs.
And I found that really interesting. And I using Burp Suites to like, intercept messages.
And it was, I was like, wow, I like this.
I enjoy doing this. It was like a very practical side of I thought I was cool, actually, but that's the thing.
I thought it was really cool.
And I thought doing it would make me cool. And so I continued to do it.
And I wanted to do more of it. So I pursued a career in security instead. Oh, that's killer.
I like that story. How about for you? What how did you? How did you turn the corner?
Well, like I said, I had a job offer and an acceptance into grad school, and I chose grad school.
But what kind of got me to apply for grad school in the first place for secure computing?
I really like just doing deep dives.
Like, I like knowing how things work, like on the back end, the details, the nitty gritty, and security is really just one big deep dive when you get down to it.
Whether you're trying to break something or you're trying to protect something.
It's all just like the intricacies of the program or the server or whatever.
So that I'm sorry about that. Oh, no, it's just, you know, that's kind of what what drew me to it was just the little details.
Yeah. So on that front, you guys are both a few years out of school a little bit more.
But is there anything that you learned in school that you really thought was going to be Yes, this is something I'm going to use for sure, this is important.
And you're surprised now that you're in the job, and it's just not relevant, or vice versa.
Is there something that you kind of learned about and thought wasn't going to be a big deal?
And now suddenly, you're in it all the time. This isn't really to do with security, necessarily.
But I am pretty proficient in Spanish, my grandmother is Puerto Rican, her first language is Spanish, and I took it all through middle school through undergrad.
And that actually ended up coming in handy in my first job.
One of the assignments I got pretty early on was to like figure out cybersecurity, like legislation, regulations, etc, for a number of countries that my company was doing business in, and a lot of them were South America.
And my boss hadn't had any luck with his thing. So we like gave it to me as sort of like, well, here's your first project, try and figure this out.
And then I came back to him with all of these notes.
And he's just like, how did you I'm like, I know Spanish.
So I just looked up Ciberseguridad Argentina, and read from there, I read the Argentinian Constitution.
And he's just like, Oh, that would help.
Yeah, like, yeah, you know, you better watch out, I might try to recruit you for our team, because we have to look at legislation.
Demetrius, if you're watching, watch out.
Emma, how about for you? Yeah, for me, it's more of us, actually, I would say, coding itself.
Now, it's not like, I don't need coding now, but more of learning it.
So back in college, now, mind you, I had transferred from I had, when I went into community college, I had decided to major in nursing.
And then after one semester, I switched to computer science. And I got into computer science classes and realized that the professors will only be like, well, this is C++, I, I++.
And here's the homework. And so I'm like, well, we didn't learn anything, how are we supposed to do or do a homework?
And it's like, well, you figure it out.
And I didn't realize, I thought the professors were just being mean, and they didn't want to teach.
But I didn't realize how much that factors into the job itself, that a lot of the times, you're doing a project, and you're literally learning a whole new programming language to do it while doing it.
And that's when I realized that, oh, well, okay, I guess the professors are really getting us ready for the job.
Back in college, I didn't realize that aspect of it would really factor into the career itself.
And, yeah, working in security now in computers, doing a little bit of coding, I realized just how much that transferred, how much the skill of picking it up on the go really is how it's done in the real world.
Yeah, especially at Cloudflare, we are just so engineering focused.
And some of the larger companies that are more established have maybe a little bit more resources or larger teams.
But here, we're almost all expected to be experts in our area.
And a lot of that is winging it as we go. So you're right that you pretty much had the Cloudflare experience in school.
So you were well -seasoned and ready to come to us.
And you were already a remote person, so you already knew exactly how to work.
So you've been such a good addition to our team.
So for both of you, I wanted to transition kind of into why you chose Cloudflare.
So Emma, for you, it was the first job. Elle, it's your second. I'd like to know about your recruiting experience.
I think when we were chatting and prepping for this, we all had the same recruiter.
He's a fantastic recruiter. Shout out to Billy.
He makes the experience very, very good. But I'd like to have you tell everyone how your experience was and why you're here.
Yeah. So I chose Cloudflare because of a series of coincidences that happened.
I remember one time doing certain homework with school and having to research DNS.
And the website was like definition was so like really was so explanatory.
I, as a security student, as a layman, really understood it.
And I used that as a reference was Cloudflare website.
It was a Cloudflare blog. And so it's just like one of those things you see in passing.
You Google something and you find a blog that Google recommends.
And it didn't really stick at the time. And then moving forward, a podcast, I was listening to a podcast while cleaning and it mentioned Cloudflare.
Now, this sounded so familiar. I've seen this before. And that went by in passing.
And 2020 circles around. And I was looking through, I was trying to dabble in investments and stocks with all the rage that was going on.
And net owned by Cloudflare comes up.
And I'm like, you know what? I'm gonna buy a couple of this. I have $200.
So let's do it. Oh, and so I did that. And I was 2021. I was searching on LinkedIn for security related jobs to apply for where Cloudflare came on.
Like, of course, I'm going to apply.
It says you need five years of experience. But the hell with that.
Let's go ahead. Perfect. I love it. It's been following me around. I'm going to work here.
So I applied. And Billy reached out. And he was like, hey, I see you're applying for this position.
I really like your resume. I like what I see on your resume.
But this position is a little bit but we have a new team that we're building that I think you might be interested in if you want to look at it and see if you're interested.
And that's really how I got into Cloudflare. So it was just a series of points of death.
And I kept the company kept popping up. And like several like instances to me, because to be fair, like Cloudflare is like, I think it's a big name in like the tech industry, but it's like to those who are in right.
Many people outside wouldn't really know what Cloudflare is when you say it out.
But lately, I've been seeing Cloudflare like when I search something on Google, sometimes it will be like, oh, something went wrong.
I'll see Cloudflare. But it wasn't before.
It wasn't like that before. It was very obscure. So I was just really glad I chose Cloudflare because while like meeting up with Cloudflare, coincidentally, all those times, I did a little bit of research.
I did a little bit of research when I wanted to buy the two stocks I got.
And it was I liked what I saw about the company.
I saw growth. I saw I saw the company's like ability to innovate in the way change like the circle, the field.
And it was something I wanted to be a part of.
I wanted to be a part of that growth. And that was why I chose Cloudflare.
How about you? So you were happily at your previous job, spending your life entrenched in policy, which now I know.
And then you came to Cloudflare.
So what was the catalyst for you? So by the time 20, the end of 2020, beginning of 2021 rolls around, I was no longer looking at policies of or like Argentina's concept of habeas data and all this stuff.
I was basically a sysadmin. I was still on one of the security teams at my company, but I was maintaining one of the platforms we used.
And there just wasn't I didn't see any way for me to get more into the security side as opposed to the systems administrator side.
And I didn't really see any development going for me there.
So I started looking on LinkedIn.
And the security operations engineer position, I ended up directly applying to that because being a sort of like being well, being an operations team and just sort of as the job description and like the team concept was laid out, it seemed like there would be a lot of opportunities to touch different aspects of security and interact with different teams, like vulnerabilities or real time alerts or policy, because I don't mind policy.
But yeah, so. I applied and here I am. It's really good to see more women coming onto the team, and we've grown so much.
I started in twenty nineteen and we were much smaller.
A lot of the core folks that were there at that time are still here, but it's been incredible to see who we've brought on in the meantime, like incredible experts, different perspectives.
I find that we're very diverse, even in our just way of thinking.
Obviously, we have locations globally.
We're all U.S. based, but it's been awesome to grow in EMEA and we've got one person in APAC.
So it's been cool to kind of have a follow the sun model, which also includes diverse ways of thinking.
So on the thought of what we're thinking about and the way we're viewing security, do you guys have a favorite person, a security person or a media outlet that you follow to stay up to date on current news or commentary?
I wouldn't say I stay up to date, but my obsession with stories, I guess I like listening to stories and so like I mostly listen to Darknet Diaries.
It's a podcast and it basically tells in the story format of some thing that happened security wise, some hack.
And it does still manage to keep me up to date, I guess, because recent things that happened, how these hacks happened, they were all discussed.
And I find these stories really interesting.
And like I said, I think those people are really cool.
I remember we did talk about podcasts.
So that's, I mostly listen to podcasts and maybe when I do remember one time following a newsletter, a security newsletter back in college, but I didn't really keep up and I used my college email.
So that's all in the place I can't really reach right now.
I'm probably going to like resubscribe to have something to like actually read through, but for now I just listen to podcasts.
Yeah. No, it's a good way to get your news.
I listen to mine when I'm walking. So it forces me to exercise and listen.
So that's been my, that's my MO. Elle, how about you? Do you have someone that you follow?
Or we talked a little about the Swift on Security Twitter handle, which I told you guys about, which has funny little takes, but not, they're not, it's not long form obviously, but for you, what do you listen to?
So I have a lot of podcasts. I do listen to Darknet Diaries, but I also listen, I listen to Malicious Life every now and then.
I'll catch episodes of Smashing Security sometimes if there's been some, something in the news that I want multiple takes on because I hyper -focus on stuff.
Like I said earlier, but I also like, I, I've got a ton of podcasts that are just kind of like general tech stuff that I'll listen to.
And sometimes they talk about security, but a lot of them are like open source related or just techie in general or current events, which sometimes involves security if like some big hack has happened.
So like I check The Verge basically daily, see what's going on there, but they're more general consumer tech stuff as opposed to security related things.
Yeah. And I've been surprised on some of the major outlets.
I mean, they'll talk about a security topic, but it's so surface. I mean, I understand that we need to make sure that everybody can understand what's happening, but sometimes I find even the basics are wrong and I kind of want to get in there and be like, no, that's not actually what happened.
Right. Or that's not that the real way to explain how that happened.
But I think there's a lot of room in media for us to improve security messaging and draw more people in to see how interesting it is on that front.
So when we're talking about interesting projects, I think we all agree that security is not going anywhere.
Privacy is definitely not going anywhere.
When you guys are thinking forward in your careers, a few years, what are some projects or things coming over the horizon that you think will be interesting or hot?
A lot of like, I don't know how to put it.
I mean, saying that web security is going to be important is like saying that the sky is blue.
But I think a lot of stuff is probably going to happen around, or it should happen at least, around like, what's the word?
Infrastructure, infrastructure, security, both for like individual companies and like securing their servers and stuff, but then also electric, like physical infrastructure, like the electric grid and plumbing and stuff.
Yeah, critical infrastructure is a big deal. In fact, I did my master's, I'm not going to call it my thesis, major project on hacking SCADA systems, which are what our electrical grid is on.
And people thought I was nuts.
And then things happened. So I'm very happy to hear you say that. I feel very validated now.
It's been 14 years at this point, but thank you for saying that.
I feel good. Emma, what about for you? I really have no thoughts on that.
Like I said, infrastructure is a really good one. But aside from that, I really can't really think of anything that I would say needs to change in the security.
I feel like infrastructure is already changing also. And a lot of things are getting built on the cloud, but we still haven't completely moved away from the physical part of it.
I feel like that's what will make its final metamorphosis.
I am excited to see how it's all going to be replaced. But yeah, I think the biggest thing with security mostly that will change is the infrastructure is something that's also already changing.
And also, the big thing now I think is like Zero Trust.
I feel like it didn't use to be like that. But security is beginning to figure out that better just like let people who should be let in in than figure out who should not be let in.
That's a change that I really look forward to and I'm happy to see.
And I'm not really sure what other changes might come up in the future.
We don't have a crystal ball of course. But yeah, I would say I'm just excited to be here and be a part of it.
Yeah, that's awesome. I'm excited to see where your careers go.
You're coming in at such a time and a company where you're going to be able to move quickly.
I started in the government and it was an amazing experience.
I got to do a lot of intelligence analysis, but it moves very slow.
And you guys are really getting to see something that moves quickly and is going to be the real pace of technology growing.
So I kind of wish I would have started in that.
So we just have a couple of minutes left. I just wanted to cover one more question and that is what advice do you have for other people coming in and starting their careers in security, whether they're coming fresh out of college or looking for a career change?
What's a real easy in security specifically, but like in tech in general to just sit there and be like, I have no idea what you're talking about.
What I am like completely lost.
None of this makes sense. I know nothing. And honestly, A, you don't necessarily have to know everything as long as you're willing to learn and to listen to the experts.
But then also a lot of times you know a lot more than you think you do or that other people are willing to give you automatic credit for.
So like just be confident in what you know and yourself and don't let anyone tell you that like, oh, you don't know what you're talking about.
Or like, are you really into tech? Like, yes. Yes. Emma, we have just 30 seconds left.
What is your big advice for anyone breaking into security? Always say yes to learning opportunities.
That's the big one. Just always say yes to any opportunity to learn something new, even though you might not know it might be a new project.
You don't know how to do it. Say yes. You will learn how to do it. And that's going to be something else under your belt and continue to be curious.
That's the biggest thing. I love it. Thank you for this session, ladies. And happy Security Awareness Month to everybody that's watching.
Hope you enjoyed the segment.
Hope you take the advice of my colleagues here and have a good day.
Bye.