An interview with Tobi West

Tobi West
I was working as a systems analyst, and…one of the first things that came up in my new role was a web breach…our website was hacked and as part of that breach, I was asked to go through every medical record and look up patient addresses so that we could notify them of the situation.

At the time, I didn’t know anything about what these things meant except that there were obvious consequences of identity theft and things like that. So I understood from that aspect. 

Cybersecurity Guide
You were also in school at the time, correct?

Tobi West
I was going to University of La Verne, working on my bachelor’s degree and my background interest was digital forensics. 

There was this concurrent thing happening where I was learning about different things at work and at school, and they just came together over the years. Then, I found the MSBA program at Cal Poly Pomona. 

Tobi West
This was just before the term cybersecurity became popular. I didn’t really know the word “cybersecurity” at that time. I knew what web breaches were and I knew that things needed to be secure, but the term cybersecurity wasn’t as popular or relevant yet. Information assurance was typically the phrase that it was termed as. 

I just kept going ahead with my education and found out about the CISSP. I moved forward learning about security and became more highly involved with security at work, especially as I started to work on the systems development projects.

Tobi West
I’m a full-time professor at Coastline College, which is my primary role. I teach classes in cybersecurity and some in computer networking as well. Digital forensics is still my passion. I knew I loved it before I started taking the classes at Cal Poly, and I’ve loved it ever since. I enjoyed teaching it at Cal Poly as well.

As part of that growing passion, I have a project with the National Science Foundation to develop a degree program for Coastline which will be fully online. The program is digital forensics and incident response, which includes six classes for a two-year associate’s degree.

Tobi West
We’re about at the midway point on the three-year project right now. The exciting part is here. We’re working on the labs where we’re making forensic images that’ll have all of the evidence and the investigative items that the students will search for in the classes…it’ll just be really great.

That’s one of the major projects I’m working on right now. I also do a lot of outreach activities and a lot of that tends to be related to cybersecurity and digital forensics.

Tobi West
We’ll soon be working on a K-12 pipeline and pathway project that’s at the state and national levels. It’s very exciting to collaborate with a national team to develop articulation and dual enrollment agreements in cybersecurity. We already have quite a few dual enrollment programs at Coastline to begin with.

Then I’m also a Ph.D. student at Dakota State University in the Cyber Defense program. As I’m learning more and more about Dakota State, I’m realizing how incredibly important the work they’re doing is for the nation.

Tobi West
They are definitely one of the standout universities for cybersecurity education. I’m doing a lot of research related to data privacy, and of course, then contact tracing comes up as a great privacy-related research topic because of the pandemic. I’m looking at what sort of dissertation research topic I could have related to privacy, the pandemic, and even possibly digital forensics to try to bring all of those interests together.

Tobi West
Since the NSF project is awarded to Coastline, the courses will be Coastline courses to begin with. We’ve already written the course outlines for Coastline and then we’ll put the course content and assignments into the learning management system called, “Canvas.” Most of the 115 community colleges use the Canvas platform for their courses and many universities and others do as well across the country.

The six courses that are related to the project will be in Canvas, and they’ll be available in the Canvas Commons for other colleges to take and adapt and adopt for their program. Coastline’s courses are an adaptation of other college programs and a combination of mapping to the NICE cybersecurity workforce framework. This is from the National Initiative for Cybersecurity Education which defines the work roles and the knowledge, skills, and abilities needed to perform those work roles.

We’re using SANS exam objectives from their digital forensics and incident response certifications, and then using Cyberseek to hone in on the pathways that they show for the incident response and digital forensics work roles. The courses we develop using this methodology will be on the Canvas platform. We’ll deliver them online at Coastline and then other schools can take them and make them hybrid, or in person, or whichever modality they prefer.

Cybersecurity Guide
So it’s like an open-source course curriculum?

Tobi West
Yes.

Tobi West
Yes, I do see a wide variety. Students come to Coastline for different reasons. Coastline’s program is meant to be flexible so students can either take a standalone class or they can take multiple classes. Students can work towards a certificate, which is a collection of three to eight classes in an award.

The certificate could be a general cybersecurity focus or more specialized like penetration testing or digital forensics. Students can also continue beyond the certificate to work towards an associate’s degree. Because many of our students come to Coastline with a bachelor’s degree already, they often work towards a certificate that may help them with a promotion or transition to cybersecurity from another career.

But because the classes can be specific to CompTIA exam preparation (maybe Security+ or Network+), students don’t always yet know what cybersecurity topic they want to work towards. In the past students would come to Coastline for our Cisco program and find out we had cybersecurity. Now, students are finding Coastline because of the cybersecurity program.

Tobi West
Over the past five years since I started at Coastline, we’ve really developed out the cybersecurity and Computer Information Systems programs. We rewrote the associates degree, to make it more cybersecurity focused and follow the state’s model curriculum.

Tobi West
Since we’ve updated our AS degree and Cyber Center website, that has really brought a lot more students who are focused on cybersecurity. We’re also a Center of Academic Excellence in Cyber Defense Education, that has attracted a lot of students as well and we’ve listed our courses on the NICCS websites.

That is a career website that helps students learn about Coastline’s cybersecurity program and course options. I believe the changes and update of the associate’s degree has really brought more students seeking cybersecurity education.

Tobi West
We’ve also added more of the CompTIA pathway courses, PenTest+ and Cybersecurity Analyst+. Previously, we had a gap with basic courses missing and then courses after A+ and Security+, it would jump to CISSP, which is assuming 5 years of work experience before a student would normally want to take a class like that. There wasn’t much in between, and that’s what we’ve been working on—to help develop courses for those gaps.

Tobi West
Some courses are meant to help with exam prep, they are foundational. Students still need to study for the exam and continue to develop their technical skills to prepare the exam. For the most part, most of our students take the exam right after the course, because they are motivated to work towards it.

These courses are not like an expensive boot camp where you have to cram to study the material in five days before taking the exam. These courses are low-cost and provide the foundation needed to learn the material and the labs to develop the skills needed for the professional certification exam.

Tobi West
Yes, definitely. We’ve just recently added Data Analytics to our CIS program, with an associate’s degree and two certificate options. Students have the option to pursue a degree at Coastline or take the courses in a certificate program if they already have a degree.

The digital forensics and incident response is the NSF project, which has just been officially approved in the last month. The first course, the Intro to Digital Forensics is already offered at Coastline and is on the Fall schedule. The other courses are being built out, including the hands-on labs with digital evidence that students will access for their assignments.

Tobi West
Data privacy is the topic that I’m more interested in at the moment for research—but on the cybersecurity side in all of the articles and things that I’m reading online, they’re focused on all of the new work-from-home endpoints and how that’s a much bigger attack surface now. One of the articles that I most recently read said that the biggest cyber attack in history is about to happen.

Tobi West
That’s all because they’re predicting that so many people are working from home, making it so much easier for that access to happen. It’s very concerning of course, and we’ve all worried about it, and I know just from our own experience that all of a sudden one day they closed our campus and they said, “Go work from home.” I’m sure that same thing happened to a lot of other people and what does that look like? What does their home network look like?

Tobi West
I think that’s one of the biggest concerns right now. Considering all of the things that people save on their home computers, and that could help an attacker gain access to—then to their corporate environment, who knows? It’s really important for everyone to keep their home network and mobile devices secure to begin with. 

Tobi West
Privacy has always been something that my family talked about…now I’m learning about privacy as a different segment of cybersecurity. Contact tracing definitely concerns me, and not so much that, not that Android and iPhone and all these corporations aren’t securing the data or planning to keep it private, but that the information is then given to the contact tracing companies to make the phone calls, etc.

All of that contact tracing data is sitting there possibly unsecured…what’s going on with all this information? How many copies are being made and stored? 

Tobi West
CyberPatriot was one of the first outreach activities that I got involved with at Coastline and that was after having experienced what Cal Poly Pomona did with Los Angeles Unified School District. While I was a student at Cal Poly, Dr. Dan Manson brought in about 250 LAUSD students to compete in CyberPatriot. 

LAUSD had a great after-school program. Once I started at Coastline and they said we had funding to do something related to CyberPatriot, I said, “Great, I have the perfect idea.” We provided a monthly training and competition environment for about 125 middle school and high school students in Orange County. We’ve been hosting it since 2016.

Tobi West
We started when the kids didn’t know yet what CyberPatriot was and we brought them in the first round of the competition—we had 125 kids. I thought that was really phenomenal to bring so many kids together who had never even heard of CyberPatriot—bring them into one room, give them some training, and show them what virtual machines are. Show them what the program is about, they stayed with us, and they kept coming back.

Every month, we brought them in for training or competition—because CyberPatriot itself, being a national competition, has its own calendar. We wanted to help prepare them, and give them the environment to play in and compete in. We had laptops for them to borrow if they didn’t have one to bring.

Coastline has computer labs in the classrooms to give the students access to high-speed Internet and fast computers. It’s just been a phenomenal program ever since we started. We’ve been running it for about four years now, and we’re a CyberPatriot Center of Excellence as well.high-speed

Tobi West
Our CyberPatriot program has just been growing and growing. We had more interest than expected. We branched off to add additional programs for the schools in the Cypress College and Irvine Valley College areas, and they have over a hundred students each as well, all being part of this pipeline. That was the first outreach program we worked to build.

Then for me, women in cybersecurity has always been something that I cared about, but at the time I thought, “Do I really want to do something gender-specific?” Because some people get upset and they say, “Well, what about the boys’ day? Why don’t you have CyberTech Boys?” I understand where they’re coming from but we still hear that the majority of the students attending events and STEM classes are boys.

If anybody really understands the gender gap and the problems and challenges that there are in getting a girl interested in cybersecurity, they can see why we’d have all girls events. So what I started initially was CyberGirlz and it transitioned into a rebranding specific for our activities called CyberTech Girls, because it’s really not only about cybersecurity—we also go into the computer hardware side of things so that girls can understand what you’re securing, what devices need to be secure.

Tobi West
CyberTech Girls is a one-day event for middle school and high school girls. At my first event there were over a hundred girls. I was delighted to have so many for a first event but it was all new to me too. It can also be called “A pathway day.” The students get to engage with the hardware—find out what digital forensics and cybersecurity are all about. The girls can get an idea of what it would be like working in the field, these are the types of activities they would be doing. 

We also bring in mentors from industry and government that are working in these roles. They share their stories and talk with the girls to help them get a sense of what the jobs are like and why we need more women in cybersecurity. We talk about empowerment and the need for skilled cybersecurity professionals to defend our businesses and government systems.

Tobi West
There is only so much content you can deliver in a one-day event, but what’s great about it is the girls get to see that other girls like cybersecurity. They get to see the excitement and the thrill of going through the hands-on activities in each workshop and talk to professionals that actually do this type of work.

My favorite workshop is the digital forensics lab with mock evidence, of course. I have an entire mock crime scene setup for the girls to go through and collect digital devices as evidence, then we go through the chain of custody process, and I get to play as if I’m in my dream job as an “FBI agent” for the day. We go through the crime scene and show the girls how to collect the evidence and then we go to the lab to analyze the evidence with forensics software.

We show them a floppy disk, all the old storage media, and different types of thumb drives too, because they probably have a certain thing in mind of what a flash drive looks like. I have all sorts of different ones that are leather-bound and magnetic and all kinds of things that are just different than the traditional thumb drive you might find at a local store. That’s an overview of a CyberTech Girls event.

Then, in my opinion, a pathway has to have—and a pipeline has to have—everything going all the way through the college and university levels. This means that the girls can see a starting point with education and activities they can currently be involved in, through to college activities that lead to careers.

Cybersecurity Guide
Can you give us an example of that?

Tobi West
I feel that the pipeline can’t stop at, “I’m doing a middle school, high school event.” I see that it has to keep going. GenCyber is one camp that we offer which goes beyond the one-day CyberTech Girls event, but that’s still focused on middle school and high school students. At the college level we have the Western Regional Collegiate Cyber Defense Competition (WRCCDC) to continue the pathway activities.

That competition used to be hosted at Cal Poly Pomona, and that’s how I originally became involved with it. Now, Dr. Brandon Brown, our other full-time faculty—he runs the WRCCDC events out of Coastline.

Dr. Brown was able to transition it to fully virtual within just two weeks as the social distancing of the pandemic began. What that competition does is really help college students to get their hands on a networked environment to see what it would be like in the real world to try to keep the network secure for a business.

The competitors are given a business scenario and then real-life security professionals attack their network relentlessly…It’s a blue team versus red team competition that simulates real scenarios. The competitors are defending systems and having their systems attacked in real time. They have to keep the systems up and keep things running, just like you would while on the job.

The National Cyber League is also part of the pipeline to teach students about cybersecurity. Coastline is often able to cover the costs of student registration fees through grant support—and National Cyber League is fully virtual which aligns with our online courses.

Tobi West
The California Cybersecurity Apprenticeship Program is hosted by Coastline College. It is grant-funded by the State Chancellor’s Office. The program includes eight college credit courses, industry certifications, which are CompTIA industry certifications relevant to those courses. There are currently no costs to the qualified apprentices for courses, certification exams, or textbooks. Apprentices are expected to work in a cybersecurity role for 2,000 hours of paid on-the-job training at the state required wages.

We’ve had about 70 registered apprentices over the past few years. The next cohort is coming up for fall. It’s just an amazing program. We are working on a new version of the program in partnership with National University and City University, hopefully as a coalition to have a complete pathway all the way through to the master’s program.

Tobi West
Some of the apprentices already have a bachelor’s degree. Many of them are in the 30 to 45 age range just because our program’s population is usually in that age range. It’s really meant to be an entry-level that a student can come to Coastline to begin their academic journey in cybersecurity. For example, one did, she had a biology bachelor’s degree, and she was working in a lab. She came to us to change careers and once she passed her Security+ exam, which is about two courses into the program, she became a Security Analyst and moved on to a master’s program at Cal Poly Pomona.

It really can be entry-level and it depends on the student, their interest in applying themselves, and studying, and preparing for these jobs. I think that is a phenomenal, exciting story. I’ve had another student that moved from California to New York with a major promotion. Unfortunately, that meant he couldn’t be in the program anymore, but he got a really great promotion and continued to work in cybersecurity which is what we’re hoping for. He was already working in a security role and got a really great promotion after a few courses in the apprenticeship program.

Tobi West
Yes. What convinced me to move into doing the CyberTech Girls events in the first place was I went to a conference and a security professional, Jenn Henley, from Facebook was giving a talk. She was talking about the gender gap in cybersecurity and all the surveys that LinkedIn, Facebook, and Google and others had done, and found out that the girls surveyed often said that they weren’t encouraged by their parents or their peers to go into cybersecurity.

I thought, “That’s so weird,” because my parents were always encouraging me to go to school, but on the other hand they said, “We can’t afford it.” They always said that school is really important, but we just can’t afford it. I thought, “How does this relate to other kids?” Maybe they’re being told it’s really important to have a great career, but it should be this, or it shouldn’t be that… a doctor, a lawyer, an engineer.

That’s what really drew me to the girls’ events in the first place. What she talked about the need for diversity in design teams and cybersecurity teams, it really struck a chord with me. She talked about the different mindsets or different ways that you see a problem and solutions, and thinking about all the cybercriminals out there, they’re not all the same either.

Tobi West
So if the team trying to defend the system is all the same, then how do they think like all those different adversaries? So you have to have everyone on the team with different mindsets, different cultures, different belief systems, different values in order to have that ability to defend the system against a wide variety of adversaries from around the globe, right? Because those adversaries don’t say, “Oh, you’re not in my geographic area so I won’t attack your system.” 

Tobi West
Yes, definitely. One of the other things is—and this is part of a grant that’s coming up as well—is really getting into the concurrent and dual enrollment and bringing those classes to the students at the middle schools and high schools. We’re working very closely with the high schools in our area to develop a pathway that helps the students earn college credit while in high school and prepare for the additional cybersecurity courses that Coastline offers. 

Cybersecurity Guide
Can you explain how it works with Coastline?

Tobi West
In one instance, you have students in a high school class who are also getting credit for the college class. So for us, that means the high school teacher becomes a faculty member of Coastline College. They come and they take the class with Coastline as a student first. They understand what the class rigor should be, and then they deliver that course in the high school class. 

Then you have the other opportunity where we offer classes at the high school campus, after school. The course may be taught by the high school teacher or it could be taught by a Coastline College faculty member. We deliver the same class that we would have at the college. It’s not an articulation, it’s just a college class that’s offered on the high school campus with the intent that we market specifically to the high school students, but the public can also come to the class.

Tobi West
We’ve been highly successful with that in the business pathways, science and cybersecurity. They’re starting to look at our new Data Analytics program. Once we get the concurrent and dual enrollment setup with our local high schools, I see that as one of the really big deliverables is to make students aware that these classes and these pathways exist.

So it’s great that CTE pathways are becoming important and relevant to the high schools. I know some of that has to do with funding…What I’m hearing from the middle schools is, “Why aren’t you talking to us?” They’re coming to the advisory meetings and they’re asking, “What should we be doing to prepare our students for those high school pathways?”

They are asking what we can offer because the middle school students might take a robotics class and then nothing happens for three or four more years until they get to the end of their high school journey, and they might find only one after school college class.

To me, that’s all part of what we need to be developing out, to have a robust pathway that students can count on from middle school through to the graduate level.

Tobi West
It’s definitely all over the place, but it’s [a question of] where can you make the connections with the high schools and who’s interested in partnering on pathways? Because not every district is interested or possibly not capable of working on it due to limited resources.

We’ve had great involvement at the Assistant Principal level, he goes through the curriculum of our classes, and maps them to the classes already offered at the high school campus, changing them and evolving them to match and align with our classes.

Tobi West
Which is what we’re trying to do with the CSUs. Of course, Cal Poly is my biggest interest right now, because I’m aware of their program, completed their program, and I see how we align with what they’re doing.

In the past, Coastline College and community college programs were looked at as more vocational education…what we’re seeing from the community college side is that the universities offer more theoretical courses and the community colleges are offering more of the hands-on learning required in cybersecurity roles.

Tobi West
I believe it’s becoming more mainstream because it’s in the news and affects the public when there’s a breach. However, when you ask people about their understanding of cybersecurity and the jobs in cybersecurity, they still seem to have a vague understanding.

Tobi West
Besides the regular news about cybersecurity breaches, I think that that’s coming down from the government level, the federal government is really helping permeate that by offering different programs and different funding opportunities so that we can make these pathways and programs possible.

Just seeing all of the different attacks with let’s say the life insurance companies, the health insurance organizations, or even the hotels Marriott, or Target—all of those breaches I think have become dominant in the cybersecurity news articles and things that people see and recognize.
Then you have the identity theft aspect behind it, and people are starting to understand that well, if you don’t secure things, then you can have your identity stolen. 

Then as IoT devices came into play more, people started to question, how does cybersecurity relate to IoT and all of these devices? I think that it’s definitely becoming more mainstream. It’s not just me talking to people who know what it is. It’s being able to see that kids care about it and kids want to be secure, and safe online, and they don’t like cyberbullying and that sort of thing. I think all of these issues relate to building awareness about cybersecurity.

Tobi West
Yeah, I think also at one point, a lot of people talked about creating jobs to set-up smart homes…I considered setting up a program at Coastline when I first started like, “Is this something that will really become an actual job that people seek?” Of course, you can get things, order them from Amazon and someone will come and install them.

You can do that, but is there really a need for somebody who comes and sets up every smart home device at your house all at once? Probably not.
I think as people are wanting those devices and recognizing how those devices can be attacked, then they can understand cybersecurity a little bit better.

Tobi West
One of the things I think has evolved, too, when [my kids]  played video games as young kids, they didn’t talk to people online. Even once they started to (as it evolved a little bit when they became teenagers), they said it was all tech. So you had to type your messages, and you had to be fast at typing, or you didn’t bother sending a message to somebody. Now, kids are playing fully online, talking to strangers around the globe in real-time.

I’ve tried to explain to kids, “You’re being recorded. Every word you say, everything you’re talking about, where you live, everything is being recorded. So you think you’re safe with this person you’re sharing this info with — because you think they sound like a kid — but are they?” Who can hear that information that’s being recorded, and is it transcribed somewhere? What’s the impact of that?
Right?

Cybersecurity Guide
Right.

Tobi West
My mentor from Cal Poly always says, “Just have fun.” So if I’m going to have an event with a hundred kids, of course, I ask myself, “How can I make sure that they have a good time and that this becomes something they’re interested in?” I want them to care about cybersecurity as much as I do, and go into the profession or just secure things wherever they end up working.

Just have fun has been the biggest piece of advice that I always try to remind myself of — if it’s not fun and engaging, why am I doing it? 

Tobi West
As far as giving students advice, I always try to ask them questions to find out what it is that they’re striving for, or working towards. I try to share resources, and I do have a lot of students come back and tell me about the wonderful jobs that they get.

I was especially excited to hear from the student that told me that they’re working in digital forensics after taking my Intro to Digital Forensics class. 
Sometimes you’re giving advice [and] you don’t really realize it. Just looking at the resume and trying to help shape it towards what that student wants to do.

I always try to go through and help them, “How will this impact you financially to make this change? Is it worth taking some small pay cut now because you have the potential for many, many promotions in a certain job?” or “What is it that you need to achieve or learn in order to get the job that you want to go after?”

Tobi West
If the person wants to go into cybersecurity, and they want to know what penetration testing is like, The Hacker’s Playbook would definitely be something of value. Daniel Solove’s The Taxonomy of Privacy is really interesting because there isn’t anything comparable when it comes to privacy frameworks.

I’ve done a lot of research to find what other organizations, what different people are doing, and Solove really spells it out. It does go into surveillance and other types of privacy as well, leading back even to contact tracing vaguely, because contact tracing is a method of surveillance. It’s very interesting to me. 

Tobi West
I did enjoy a couple of articles in the SANS reading room in particular. SANS is [an] amazing program. Not everyone can afford to attend a SANS bootcamp, but a SANS reading room has a lot of articles. I read about the details of the Target breach, and that really spelled out a lot to me how attackers use third-party vendors to make their way into an organization. I didn’t really understand the Target breach to that depth until reading that article in the SANS reading room.

In the SANS reading room, tons of different approaches to cybersecurity. So if you want to be very specialized or generalized, a lot is there to choose from. The Verizon data breach investigations report is really, really great too. I

t spells out what’s going on globally, how organizations are being attacked and what types of organizations are being attacked. You can see how cybersecurity is evolving, how attacks are evolving, and how organizations are working really hard to combat it, but that there’s always something new.

Cybersecurity Guide
Yeah, interesting. I’ll check that out. I haven’t looked at that one, but that sounds cool.

Tobi West
It’s written with a little snarky attitude to it, so it’s great.

Tobi West
One is privacy, that is definitely on the horizon. GDPR is really bringing that to life around the world. And the fact that organizations need somebody with a title of data privacy controller is very telling right? Then if you’re looking at machine learning and artificial intelligence and thinking about the chatbots that Facebook is coming up with and other organizations like that and looking at how the algorithms of Google search engine have just evolved so incredibly over the years…

The web we have today wouldn’t exist without those types of algorithms. I’m just seeing that even on the defense side, the organizations are trying to figure out how to use AI and machine learning to get rid of false positives, but also to change the system dynamically as it’s being attacked. How do you change your defense in response to an ongoing attack? Then how do you leverage this machine learning and AI type of direction that everything is going? Looking at the resources and strategies of private organizations versus those of the federal government.

Of course, we need to keep everything secure, but at the organizational level, how will AI and machine learning help defend—and a lot of organizations try to choose a strategy of either hiring a person to do the security or how do I hire a company that’s going to secure my system using monitoring software? 

Cloud is obviously another direction that technology is going, a lot more people are working in the Cloud. So there’s a lot more to secure and a lot more Cloud environment exists, but a lot of organizations are also trying to switch over to put their information in the Cloud and how much does that cost versus hosting it locally and paying somebody to take care of their data at the local level?
Coastline is also preparing an AWS, an Amazon Web Services, Cloud certificate. That’s on the horizon for us and we will work that into an associates degree over the next year.

Cybersecurity Guide
Thank you