Security Pro File: IT Risk Manager Julie FetchoThe skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, says Julie Fetcho, who leads TIAA-CREF's IT risk governance team.
Part of a new series of profiles introducing the people responsible for securing their organizations.
When Julie Fetcho went to computer camp at age 13, there were only two other girls in attendance.
Since then, women have slowly flooded into all sectors of the IT industry... all sectors but security.
Fetcho, who leads the IT risk governance team for TIAA-CREF, a Fortune 100 financial services organization, thinks this will change. She believes the process will accelerate as organizations further integrate information security with risk management and build closer relationships with other lines of business.
"I think the infosec-pure techie is evolving," says Fetcho. "You can no longer just put up firewalls and tell people, 'You're secure.' You still need people messaging. And I think that is one of the places -- the place where IT risk management meets information security -- that will become attractive to more women. There's already less of the old boys' club mentality, and that's going to be beneficial for everybody involved."
The skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, Fetcho says. Women currently in careers as business analysts, for example, could easily transfer their skills to risk and security. Yet few women set out to land a career in IT from the get-go. They tend to fall into it later, as Fetcho did way back when she was an office administrator. (That's "office," not "MS Office.")
"I fell into IT because I was always the one who could help fix the printer and the copier," Fetcho says. "Somebody one day said, 'Hey, they're hiring people to help support Win 95 when it launches. You ought to look into that.' And I did."
Her next gig was officially an IT job, at a major insurance company in the Midwest. Her manager assigned different people to work closely with different groups of technical experts -- networking, applications, and security. Her manager said to her: "'You deal with security, because they're difficult to deal with.' My boss basically said, 'You're good with people. Go deal with these people.' I knew nothing about security other than that it's probably good to have a password on things."
She then set out to learn everything she could about security, and she became the second person in her company to earn a CISSP certification.
Now years later at TIAA-CREF, she leads the IT risk governance team. Fetcho's team is kept very busy complying with what regulators are asking for today and predicting what they're going to ask for tomorrow.
"I'm not going to say we have a crystal ball, but some days, I wish I had one," says Fetcho. "The biggest challenge is to move the corporate culture on IT risk forward. The value proposition is that of helping the business understand the IT risk decisions they're making, what they're already living with, and to help them avoid unnecessary risks, so they can take risks that make them competitive.
"The key is relationship management and going the extra mile to speak the language of the business. I think finding the common ground is the most important accomplishment."
When she describes her work, terms like "encryption algorithm" and "deep packet inspection" don't come up very often.
"For a short period of time in my career, I loved the idea of being a highly technical person, but I think what gets things done more than anything is the people connection," says Fetcho. "There are some amazing technical talents out there -- in fact, I sit right down the hall from many of them -- though there is still room for anybody who can build a relationship and anyone who can communicate with the business."
Fetcho's department is expanding, so she's doing more hiring. But she's not panicked about the so-called security skills shortage that draws complaints from lots of other companies.
"I don't really believe we have as much of a skills shortage as we may lead ourselves to believe," she says. "You can teach somebody security. The mindset and the communication skills and the general ability to interface with people are the inherent talents that come to mind. I think it starts by being far more aware of what we're looking for. And also we need to take more chances. We're a risk-averse industry by nature, so that's tough."
Is there anything in particular that every good security and risk professional should have?
"A level of flexibility is really important," she says. "I think it's really critical that we begin to, as an industry, focus more on the tradeoffs. Because it isn't possible to eliminate all risk in the world -- and we wouldn't want to, because risk leads to innovation in some cases. It's important to remain flexible and always remember both sides."
Has compliance improved your security or not? "I think in general it's helped. The company would have gotten there anyway, but what it does is provide a basic framework. It's a double-edged sword. Regulations can place a burden on companies, but regulations that are aligned to support doing the right thing in the business are invaluable."
Which is more secure: open-source or closed-source? "Not sure. The jury's still out."
BYOD: Love it or hate it? "I think, if it's done well, it's a great alternative. I don't know if it's right for every company."
Are hacktivists mostly heroes or mostly nuisances? "I hope the people truly think about their actions when they get involved in hacktivism. It's more than just making a statement. You bring down the grid, and suddenly people are without electricity because you want to make a statement. If it wasn't in the digital space, would people still be doing things this extreme? There's some misaligned cause-and-effect stuff going on there. At some point, it becomes digital terrorism."
Is privacy dead? "I certainly hope not. I would like to think that my privacy is still a priority of all the merchants I deal with. I know it's a huge, huge priority for my company. I think we will just have to keep doing what we do in order to make sure that it's not dead."
If you weren't in security, what career would you want? "I'd like to be an independently wealthy philanthropist. I would like to be Andrew Carnegie with less facial hair."
What does your workspace look like? Right now, Fetcho is working from home while the office is being remodeled into an "agile workspace," she said. "The goal is to have shared space with all sorts of really awesome tech supporting it, more of an open environment. It's a sign you've arrived when they let you start changing the furniture."
What mobile devices do you have with you at all times? "My Android phone and my Surface. I have to say my personal laptop has become almost a thing of the past. I've become a convert to the tablet, much to the chagrin of my chiropractor."
Favorite operating system: "Windows 95. Nobody's going to respect me for this answer, but the reason I like Windows 95 is because I met my husband doing support for it. To be quite honest, it was a really challenging operating system, which is why we all had jobs."
Favorite nerdy entertainment: Marvel Agents of Shield, Captain America, and Firefly. "I'm definitely a brown coat."
Favorite Dr. Who: "Tom Baker, for the scarf alone."
Favorite sports team: "I'm a dyed-in-the-wool Green Bay Packers fan."
If you could go into outer space, would you? "I think I'm just fine here on planet Earth. I've seen too many sci-fi movies -- it never ends well."
What's your music collection like? "It's a cornucopia of weird, traditional, and guilty pleasures. Collective Soul, 80s stuff, Jimmy Buffett, some classical, some opera -- it's all over."
What do you do for fun? "Photography and traveling to the mountains of western North Carolina with my husband and our two Carolina dogs."
General philosophy? "My general philosophy is that infosec, not unlike life, is a journey, and the most important thing is to do something you believe in for a company you believe in, working with people who you trust and who believe in you. If you can achieve that, it makes work feel like you are in the right place. It makes it feel like you've done something of value."
Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ... View Full Bio