Security Pro File: IT Risk Manager Julie Fetcho
The skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, says Julie Fetcho, who leads TIAA-CREF's IT risk governance team.
Part of a new series of profiles introducing the people responsible for securing their organizations.
When Julie Fetcho went to computer camp at age 13, there were only two other girls in attendance.
Since then, women have slowly flooded into all sectors of the IT industry... all sectors but security.
Fetcho, who leads the IT risk governance team for TIAA-CREF, a Fortune 100 financial services organization, thinks this will change. She believes the process will accelerate as organizations further integrate information security with risk management and build closer relationships with other lines of business.
"I think the infosec-pure techie is evolving," says Fetcho. "You can no longer just put up firewalls and tell people, 'You're secure.' You still need people messaging. And I think that is one of the places -- the place where IT risk management meets information security -- that will become attractive to more women. There's already less of the old boys' club mentality, and that's going to be beneficial for everybody involved."
The skills women are traditionally encouraged to cultivate -- like communication and relationship building -- are becoming more valuable to the security field, Fetcho says. Women currently in careers as business analysts, for example, could easily transfer their skills to risk and security. Yet few women set out to land a career in IT from the get-go. They tend to fall into it later, as Fetcho did way back when she was an office administrator. (That's office, not MS Office.)
"I fell into IT because I was always the one who could help fix the printer and the copier," Fetcho says. "Somebody one day said, 'Hey, they're hiring people to help support Win 95 when it launches. You ought to look into that.' And I did."
Her next gig was officially an IT job, at a major insurance company in the Midwest. Her manager assigned different people to work closely with different groups of technical experts -- networking, applications, and security. Her manager said to her: "You deal with security, because they're difficult to deal with." "My boss basically said, 'You're good with people. Go deal with these people.' I knew nothing about security other than that it's probably good to have a password on things."
She then set out to learn everything she could about security, and she became the second person in her company to earn a CISSP certification.
Now years later at TIAA-CREF, she leads the IT risk governance team. Fetcho's team is kept very busy complying with what regulators are asking for today and predicting what they're going to ask for tomorrow.
"I'm not going to say we have a crystal ball, but some days, I wish I had one," says Fetcho. "The biggest challenge is to move the corporate culture on IT risk forward. The value proposition is that of helping the business understand the IT risk decisions they're making, what they're already living with, and to help them avoid unnecessary risks, so they can take risks that make them competitive.
"The key is relationship management and going the extra mile to speak the language of the business. I think finding the common ground is the most important accomplishment."
When she describes her work, terms like "encryption algorithm" and "deep packet inspection" don't come up very often.
"For a short period of time in my career, I loved the idea of being a highly technical person, but I think what gets things done more than anything is the people connection," says Fetcho. "There are some amazing technical talents out there -- in fact, I sit right down the hall from many of them -- though there is still room for anybody who can build a relationship and anyone who can communicate with the business."
Fetcho's department is expanding, so she's doing more hiring. But she's not panicked about the so-called security skills shortage that draws complaints from lots of other companies.
"I don't really believe we have as much of a skills shortage as we may lead ourselves to believe," she says. "You can teach somebody security. The mindset and the communication skills and the general ability to interface with people are the inherent talents that come to mind. I think it starts by being far more aware of what we're looking for. And also we need to take more chances. We're a risk-averse industry by nature, so that's tough."
Is there anything in particular that every good security and risk professional should have?
"A level of flexibility is really important," she says. "I think it's really critical that we begin to, as an industry, focus more on the tradeoffs. Because it isn't possible to eliminate all risk in the world -- and we wouldn't want to, because risk leads to innovation in some cases. It's important to remain flexible and always remember both sides."
Personality bytes
Has compliance improved your security or not?
I think in general it's helped. The company would have gotten there anyway, but what it does is provide a basic framework. It's a double-edged sword. Regulations can place a burden on companies, but regulations that are aligned to support doing the right thing in the business are invaluable.
Which is more secure: open-source or closed-source?
Not sure. The jury's still out.
BYOD: Love it or hate it?
I think, if it's done well, it's a great alternative. I don't know if it's right for every company.
Are hacktivists mostly heroes or mostly nuisances?
I hope the people truly think about their actions when they get involved in hacktivism. It's more than just making a statement. You bring down the grid, and suddenly people are without electricity because you want to make a statement. If it wasn't in the digital space, would people still be doing things this extreme? There's some misaligned cause-and-effect stuff going on there. At some point, it becomes digital terrorism.
Is privacy dead?
I certainly hope not. I would like to think that my privacy is still a priority of all the merchants I deal with. I know it's a huge, huge priority for my company. I think we will just have to keep doing what we do in order to make sure that it's not dead.
If you weren't in security, what career would you want?
I'd like to be an independently wealthy philanthropist. I would like to be Andrew Carnegie with less facial hair.
What does your workspace look like?
Right now, Fetcho is working from home while the office is being remodeled into an agile workspace, she said. "The goal is to have shared space with all sorts of really awesome tech supporting it, more of an open environment. It's a sign you've arrived when they let you start changing the furniture."
What mobile devices do you have with you at all times?
My Android phone and my Surface. I have to say my personal laptop has become almost a thing of the past. I've become a convert to the tablet, much to the chagrin of my chiropractor.
Favorite operating system:
Windows 95. Nobody's going to respect me for this answer, but the reason I like Windows 95 is because I met my husband doing support for it. To be quite honest, it was a really challenging operating system, which is why we all had jobs.
Favorite nerdy entertainment:
Marvel Agents of Shield, Captain America, and Firefly. I'm definitely a brown coat.
Favorite Dr. Who:
Tom Baker, for the scarf alone.
Favorite sports team:
Im a dyed-in-the-wool Green Bay Packers fan.
If you could go into outer space, would you?
I think I'm just fine here on planet Earth. I've seen too many sci-fi movies -- it never ends well.
What's your music collection like?
It's a cornucopia of weird, traditional, and guilty pleasures. Collective Soul, '80s stuff, Jimmy Buffett, some classical, some opera -- it's all over.
What do you do for fun?
Photography and traveling to the mountains of western North Carolina with my husband and our two Carolina dogs.
General philosophy?
My general philosophy is that infosec, not unlike life, is a journey, and the most important thing is to do something you believe in for a company you believe in, working with people who you trust and who believe in you. If you can achieve that, it makes work feel like you are in the right place. It makes it feel like you've done something of value.