Security Pro File: IT Risk Manager Julie Fetcho

The skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, says Julie Fetcho, who leads TIAA-CREF's IT risk governance team.

Part of a new series of profiles introducing the people responsible for securing their organizations.

When Julie Fetcho went to computer camp at age 13, there were only two other girls in attendance.

Since then, women have slowly flooded into all sectors of the IT industry... all sectors but security.

Fetcho, who leads the IT risk governance team for TIAA-CREF, a Fortune 100 financial services organization, thinks this will change. She believes the process will accelerate as organizations further integrate information security with risk management and build closer relationships with other lines of business.

"I think the infosec-pure techie is evolving," says Fetcho. "You can no longer just put up firewalls and tell people, 'You're secure.' You still need people messaging. And I think that is one of the places -- the place where IT risk management meets information security -- that will become attractive to more women. There's already less of the old boys' club mentality, and that's going to be beneficial for everybody involved."

The skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, Fetcho says. Women currently in careers as business analysts, for example, could easily transfer their skills to risk and security. Yet few women set out to land a career in IT from the get-go. They tend to fall into it later, as Fetcho did way back when she was an office administrator. (That's "office," not "MS Office.")

"I fell into IT because I was always the one who could help fix the printer and the copier," Fetcho says. "Somebody one day said, 'Hey, they're hiring people to help support Win 95 when it launches. You ought to look into that.' And I did."

Her next gig was officially an IT job, at a major insurance company in the Midwest. Her manager assigned different people to work closely with different groups of technical experts -- networking, applications, and security. As Fetcho recalls it: "'You deal with security, because they're difficult to deal with.' My boss basically said, 'You're good with people. Go deal with these people.' I knew nothing about security other than that it's probably good to have a password on things."

She then set out to learn everything she could about security, and she became the second person in her company to earn a CISSP certification.

Now, years later, at TIAA-CREF, she leads the IT risk governance team. Fetcho's team is kept very busy complying with what regulators are asking for today and predicting what they're going to ask for tomorrow.

"I'm not going to say we have a crystal ball, but some days, I wish I had one," says Fetcho. "The biggest challenge is to move the corporate culture on IT risk forward. The value proposition is that of helping the business understand the IT risk decisions they're making, what they're already living with, and to help them avoid unnecessary risks, so they can take risks that make them competitive.

"The key is relationship management and going the extra mile to speak the language of the business. I think finding the common ground is the most important accomplishment."

When she describes her work, terms like "encryption algorithm" and "deep packet inspection" don't come up very often.

"For a short period of time in my career, I loved the idea of being a highly technical person, but I think what gets things done more than anything is the people connection," says Fetcho. "There are some amazing technical talents out there -- in fact, I sit right down the hall from many of them -- though there is still room for anybody who can build a relationship and anyone who can communicate with the business."

Fetcho's department is expanding, so she's doing more hiring. But she's not panicked about the so-called security skills shortage that draws complaints from lots of other companies.

"I don't really believe we have as much of a skills shortage as we may lead ourselves to believe," she says. "You can teach somebody security. The mindset and the communication skills and the general ability to interface with people are the inherent talents that come to mind. I think it starts by being far more aware of what we're looking for. And also we need to take more chances. We're a risk-averse industry by nature, so that's tough."

Is there anything in particular that every good security and risk professional should have?

"A level of flexibility is really important," she says. "I think it's really critical that we begin to, as an industry, focus more on the tradeoffs. Because it isn't possible to eliminate all risk in the world -- and we wouldn't want to, because risk leads to innovation in some cases. It's important to remain flexible and always remember both sides."

Personality bytes
Has compliance improved your security or not? "I think in general it's helped. The company would have gotten there anyway, but what it does is provide a basic framework. It's a double-edged sword. Regulations can place a burden on companies, but regulations that are aligned to support doing the right thing in the business are invaluable."

Which is more secure: open-source or closed-source? "Not sure. The jury's still out."

BYOD: Love it or hate it? "I think, if it's done well, it's a great alternative. I don't know if it's right for every company."

Are hacktivists mostly heroes or mostly nuisances? "I hope the people truly think about their actions when they get involved in hacktivism. It's more than just making a statement. You bring down the grid, and suddenly people are without electricity because you want to make a statement. If it wasn't in the digital space, would people still be doing things this extreme? There's some misaligned cause-and-effect stuff going on there. At some point, it becomes digital terrorism."

Is privacy dead? "I certainly hope not. I would like to think that my privacy is still a priority of all the merchants I deal with. I know it's a huge, huge priority for my company. I think we will just have to keep doing what we do in order to make sure that it's not dead."

If you weren't in security, what career would you want? "I'd like to be an independently wealthy philanthropist. I would like to be Andrew Carnegie with less facial hair."

What does your workspace look like? Right now, Fetcho is working from home while the office is being remodeled into an "agile workspace," she says. "The goal is to have shared space with all sorts of really awesome tech supporting it, more of an open environment. It's a sign you've arrived when they let you start changing the furniture."

What mobile devices do you have with you at all times? "My Android phone and my Surface. I have to say my personal laptop has become almost a thing of the past. I've become a convert to the tablet, much to the chagrin of my chiropractor."

Favorite operating system: "Windows 95. Nobody's going to respect me for this answer, but the reason I like Windows 95 is because I met my husband doing support for it. To be quite honest, it was a really challenging operating system, which is why we all had jobs."

Favorite nerdy entertainment: Marvel's Agents of S.H.I.E.L.D., Captain America, and Firefly. "I'm definitely a Browncoat."

Favorite Dr. Who: "Tom Baker, for the scarf alone."

Favorite sports team: "I'm a dyed-in-the-wool Green Bay Packers fan."

If you could go into outer space, would you? "I think I'm just fine here on planet Earth. I've seen too many sci-fi movies -- it never ends well."

What's your music collection like? "It's a cornucopia of weird, traditional, and guilty pleasures. Collective Soul, 80s stuff, Jimmy Buffett, some classical, some opera -- it's all over."

What do you do for fun? "Photography and traveling to the mountains of western North Carolina with my husband and our two Carolina dogs."

General philosophy? "My general philosophy is that infosec, not unlike life, is a journey, and the most important thing is to do something you believe in for a company you believe in, working with people who you trust and who believe in you. If you can achieve that, it makes work feel like you are in the right place. It makes it feel like you've done something of value."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
5/6/2014 | 12:15:59 PM
Re: Great profile, raises interesting questions
I think the higher bar is more relative to the capability, and willingness, of people to do the work necessary to implement and manage an InfoSec program of any kind.

Most of the systems technicians I meet are NOT interested in doing the documentation "slog" that is SOP for any InfoSec pro.  They like the technical work, but not the writing work.

Also, most people from the technical side of the InfoSec equation prefer to NOT engage in learning the "soft skills" or people skills necessary to help get things done.  Some of them may not even be capable to interact with people outside of the technical facilities.

Often I have to poke SAs AND business owners for the most basic documentation (or even decisions) regarding systems and processes.  From my 10 years of IA experience (outside of the DoD) the people who do get into InfoSec career fields (and do well at it) have a willingness and knack for the documentation efforts involved AND the people skills necessary to help make things happen.

Hrmm...  sounds like a similar problem that organizations have finding good managers.

Again, this is my assessment based on my experiences.  Others may have a different viewpoint.
Marilyn Cohodas
User Rank: Strategist
5/6/2014 | 11:37:27 AM
Re: Great profile, raises interesting questions
Thanks, @AlSitte. It doesn't surprise me that many InfoSec professionals, like yourself, grew into the job from a more general IT background. What surprises me is that there seems to be a higher bar for entering the InfoSec profession today. (See Flash Poll: Your Take On The IT Security Skills Gap)

User Rank: Apprentice
5/6/2014 | 11:01:18 AM
Re: Great profile, raises interesting questions
I have to admit that most of the InfoSec professionals I have met or worked with have come from one IT relevant field or another.  To be honest, I am also in that background category.

I fell into InfoSec by close association.  As a member (now retired) of the US military, InfoSec became second nature to the technical work I conducted.  A technician in the military lives a very regimented InfoSec life.  As such, it is not uncommon for the DoD IA professionals to be drawn from the systems technician teams.  The technical knowledge these people have gained by working in the field augments the capability to conduct the InfoSec work they must do.

I would not be surprised if this happens quite often outside of the DoD or Federal IT world.  System technicians often get tasked with applying InfoSec policy due to the technical nature of many controls.  The best InfoSec professionals I know have a deep technical background that allows them to see when systems technicians are blowing smoke.

Kelly Jackson Higgins
User Rank: Strategist
5/5/2014 | 5:17:48 PM
Re: Great profile, raises interesting questions
That's an interesting question, Marilyn. I would love to hear from our readers if they have had similar paths, or know of some co-workers who have.
Marilyn Cohodas
User Rank: Strategist
5/5/2014 | 9:18:15 AM
Great profile, raises interesting questions
I really enjoyed reading this profile, and it raises a really important question about the so-called skills shortage in InfoSec today. Is it still possible for someone to "fall into" a cybersecurity career, as Julie did, learn the ropes on the job and achieve success in a management position? 