Operations // Careers & People
5/2/2014
04:55 PM

Security Pro File: IT Risk Manager Julie Fetcho

The skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, says Julie Fetcho, who leads TIAA-CREF's IT risk governance team.

Part of a new series of profiles introducing the people responsible for securing their organizations.

When Julie Fetcho went to computer camp at age 13, there were only two other girls in attendance.

Since then, women have gradually moved into all sectors of the IT industry... all sectors but security.

Fetcho, who leads the IT risk governance team for TIAA-CREF, a Fortune 100 financial services organization, thinks this will change. She believes the process will accelerate as organizations further integrate information security with risk management and build closer relationships with other lines of business.

"I think the infosec-pure techie is evolving," says Fetcho. "You can no longer just put up firewalls and tell people, 'You're secure.' You still need people messaging. And I think that is one of the places -- the place where IT risk management meets information security -- that will become attractive to more women. There's already less of the old boys' club mentality, and that's going to be beneficial for everybody involved."

The skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, Fetcho says. Women currently in careers as business analysts, for example, could easily transfer their skills to risk and security. Yet few women set out to land a career in IT from the get-go. They tend to fall into it later, as Fetcho did way back when she was an office administrator. (That's "office," not "MS Office.")

"I fell into IT because I was always the one who could help fix the printer and the copier," Fetcho says. "Somebody one day said, 'Hey, they're hiring people to help support Win 95 when it launches. You ought to look into that.' And I did."

Her next gig was officially an IT job, at a major insurance company in the Midwest. Her manager assigned different people to work closely with different groups of technical experts -- networking, applications, and security. Her manager said to her: "'You deal with security, because they're difficult to deal with.' My boss basically said, 'You're good with people. Go deal with these people.' I knew nothing about security other than that it's probably good to have a password on things."

She then set out to learn everything she could about security, and she became the second person in her company to earn a CISSP certification.

Now, years later, at TIAA-CREF, she leads the IT risk governance team. Fetcho's team is kept very busy complying with what regulators are asking for today and predicting what they're going to ask for tomorrow.

"I'm not going to say we have a crystal ball, but some days, I wish I had one," says Fetcho. "The biggest challenge is to move the corporate culture on IT risk forward. The value proposition is that of helping the business understand the IT risk decisions they're making, what they're already living with, and to help them avoid unnecessary risks, so they can take risks that make them competitive.

"The key is relationship management and going the extra mile to speak the language of the business. I think finding the common ground is the most important accomplishment."

When she describes her work, terms like "encryption algorithm" and "deep packet inspection" don't come up very often.

"For a short period of time in my career, I loved the idea of being a highly technical person, but I think what gets things done more than anything is the people connection," says Fetcho. "There are some amazing technical talents out there -- in fact, I sit right down the hall from many of them -- though there is still room for anybody who can build a relationship and anyone who can communicate with the business."

Fetcho's department is expanding, so she's doing more hiring. But she's not panicked about the so-called security skills shortage that draws complaints from lots of other companies.

"I don't really believe we have as much of a skills shortage as we may lead ourselves to believe," she says. "You can teach somebody security. The mindset and the communication skills and the general ability to interface with people are the inherent talents that come to mind. I think it starts by being far more aware of what we're looking for. And also we need to take more chances. We're a risk-averse industry by nature, so that's tough."

Is there anything in particular that every good security and risk professional should have?

"A level of flexibility is really important," she says. "I think it's really critical that we begin to, as an industry, focus more on the tradeoffs. Because it isn't possible to eliminate all risk in the world -- and we wouldn't want to, because risk leads to innovation in some cases. It's important to remain flexible and always remember both sides."

Personality bytes
Has compliance improved your security or not? "I think in general it's helped. The company would have gotten there anyway, but what it does is provide a basic framework. It's a double-edged sword. Regulations can place a burden on companies, but regulations that are aligned to support doing the right thing in the business are invaluable."

Which is more secure: open-source or closed-source? "Not sure. The jury's still out."

BYOD: Love it or hate it? "I think, if it's done well, it's a great alternative. I don't know if it's right for every company."

Are hacktivists mostly heroes or mostly nuisances? "I hope the people truly think about their actions when they get involved in hacktivism. It's more than just making a statement. You bring down the grid, and suddenly people are without electricity because you want to make a statement. If it wasn't in the digital space, would people still be doing things this extreme? There's some misaligned cause-and-effect stuff going on there. At some point, it becomes digital terrorism."

Is privacy dead? "I certainly hope not. I would like to think that my privacy is still a priority of all the merchants I deal with. I know it's a huge, huge priority for my company. I think we will just have to keep doing what we do in order to make sure that it's not dead."

If you weren't in security, what career would you want? "I'd like to be an independently wealthy philanthropist. I would like to be Andrew Carnegie with less facial hair."

What does your workspace look like? Right now, Fetcho is working from home while the office is being remodeled into an "agile workspace," she says. "The goal is to have shared space with all sorts of really awesome tech supporting it, more of an open environment. It's a sign you've arrived when they let you start changing the furniture."

What mobile devices do you have with you at all times? "My Android phone and my Surface. I have to say my personal laptop has become almost a thing of the past. I've become a convert to the tablet, much to the chagrin of my chiropractor."

Favorite operating system: "Windows 95. Nobody's going to respect me for this answer, but the reason I like Windows 95 is because I met my husband doing support for it. To be quite honest, it was a really challenging operating system, which is why we all had jobs."

Favorite nerdy entertainment: Marvel's Agents of S.H.I.E.L.D., Captain America, and Firefly. "I'm definitely a Browncoat."

Favorite Doctor Who: "Tom Baker, for the scarf alone."

Favorite sports team: "I'm a dyed-in-the-wool Green Bay Packers fan."

If you could go into outer space, would you? "I think I'm just fine here on planet Earth. I've seen too many sci-fi movies -- it never ends well."

What's your music collection like? "It's a cornucopia of weird, traditional, and guilty pleasures. Collective Soul, 80s stuff, Jimmy Buffett, some classical, some opera -- it's all over."

What do you do for fun? "Photography and traveling to the mountains of western North Carolina with my husband and our two Carolina dogs."

General philosophy? "My general philosophy is that infosec, not unlike life, is a journey, and the most important thing is to do something you believe in for a company you believe in, working with people who you trust and who believe in you. If you can achieve that, it makes work feel like you are in the right place. It makes it feel like you've done something of value."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
AlSitte,
User Rank: Apprentice
5/6/2014 | 12:15:59 PM
Re: Great profile, raises interesting questions
I think the higher bar is more relative to the capability, and willingness, of people to do the work necessary to implement and manage an InfoSec program of any kind.

Most of the systems technicians I meet are NOT interested in doing the documentation "slog" that is SOP for any InfoSec pro. They like the technical work, but not the writing work.

Also, most people from the technical side of the InfoSec equation prefer to NOT engage in learning the "soft skills" or people skills necessary to help get things done. Some of them may not even be capable of interacting with people outside of the technical facilities.

Often I have to poke SAs AND business owners for the most basic documentation (or even decisions) regarding systems and processes. From my 10 years of IA experience (outside of the DoD), the people who do get into InfoSec career fields (and do well at it) have a willingness and knack for the documentation efforts involved AND the people skills necessary to help make things happen.

Hrmm... sounds like a similar problem that organizations have finding good managers.

Again, this is my assessment based on my experiences. Others may have a different viewpoint.
Marilyn Cohodas,
User Rank: Strategist
5/6/2014 | 11:37:27 AM
Re: Great profile, raises interesting questions
Thanks, @AlSitte. It doesn't surprise me that many InfoSec professionals, like yourself, grew into the job from a more general IT background. What surprises me is that there seems to be a higher bar for entering the InfoSec profession today. (See Flash Poll: Your Take On The IT Security Skills Gap)
AlSitte,
User Rank: Apprentice
5/6/2014 | 11:01:18 AM
Re: Great profile, raises interesting questions
I have to admit that most of the InfoSec professionals I have met or worked with have come from one IT-relevant field or another. To be honest, I am also in that background category.

I fell into InfoSec by close association. As a member (now retired) of the US military, InfoSec became second nature to the technical work I conducted. A technician in the military lives a very regimented InfoSec life. As such, it is not uncommon for the DoD IA professionals to be drawn from the systems technician teams. The technical knowledge these people have gained by working in the field augments the capability to conduct the InfoSec work they must do.

I would not be surprised if this happens quite often outside of the DoD or Federal IT world. System technicians often get tasked with applying InfoSec policy due to the technical nature of many controls. The best InfoSec professionals I know have a deep technical background that allows them to see when systems technicians are blowing smoke.

Kelly Jackson Higgins,
User Rank: Strategist
5/5/2014 | 5:17:48 PM
Re: Great profile, raises interesting questions
That's an interesting question, Marilyn. I would love to hear from our readers if they have had similar paths, or know of some co-workers who have.
Marilyn Cohodas,
User Rank: Strategist
5/5/2014 | 9:18:15 AM
Great profile, raises interesting questions
I really enjoyed reading this profile, and it raises a really important question about the so-called skills shortage in InfoSec today. Is it still possible for someone to "fall into" a cybersecurity career, as Julie did, learn the ropes on the job, and achieve success in a management position?