CISSPs from Around The Globe: An Interview with Theresa Grafenstine

The Certified Information Systems Security Professional (CISSP) certification is considered the gold standard in information security, largely because of the doors it opens for a CISSP professional. Those doors lead to many different types of positions and opportunities, which makes the information security community dynamic and multifaceted.

In this installment, we talk to Theresa ‘Terry’ Grafenstine. Terry tells us about her time working as the appointed Inspector General of the U.S. House of Representatives and her journey to becoming Chief Auditor for Global Technology at Citi. She shares with us her passion for cybersecurity and her advice for those considering it as a career.

What job do you do today?

I am the Chief Auditor for Global Technology at Citi.

What problems does your job solve?

Citi is one of the largest financial institutions in the world, and it’s considered the most global financial institution in the world, meaning that we’re in more countries than any other financial institution. We’re number one in that regard. Citi obviously is a big player in the financial services space and is considered systemically important to the entire fabric of financial systems across the world. So it’s definitely an important organization in terms of the role that I serve. I am the global chief auditor for technology. So what does that mean? I’m providing assurance from a third-line perspective. To clarify, there are three lines of defense. The first line consists of the people that actually enact the controls. The second line comprises the people who are looking at the risk management aspects, and I’m head of internal audit for all of technology.

The kinds of things I would be looking at include all the different applications that Citi has in its various legal entities and jurisdictions. An application may look different in Nigeria than it does in the UK, or in the United States, depending on locality-based preferences or regulatory requirements. One facet of my job is a lot of heavy application-type technology reviews.

I also oversee audits in cybersecurity, business continuity, crisis management, and resilience. As you can imagine, with Citi being such a big presence in financial services, we’re obviously going to be a big target as well for bad actors from a cyber perspective. In a world of disruption, business continuity, crisis management, and resilience are equally important. I also oversee audits of our tech infrastructure, which includes things like controls over cloud services and data centers.

There’s an added level of complexity in all of these areas because they span a big global footprint, and so many different regulatory requirements and regional types of concerns, that it’s a lot to keep the pulse of, but it’s a job that I love.

Did you start your career in cybersecurity or was it some other route that brought you to cybersecurity?

No, I did not start off in cybersecurity. I actually started off in US government as an auditor at the Office of Inspector General in the US Department of Defense. The things I was looking at there were very “national security” focused. Much of what I audited included things that don’t sound like cybersecurity at all, such as supply chains, and contracts, and acquisitions for weapons systems. It was kind of like the precursor to cybersecurity. Over time, I really understood the national security implications of the audits that I was doing. And we wound our way to “Year 2000” (Y2K), which now seems sort of silly, but in retrospect, at the time it was a big deal.

Once you pivoted into cybersecurity, what attracted you to studying for a qualification?

I initially focused on internal audit and accounting types of certifications. However, one of the things I’ve found is, when you’re having conversations with people who are doing cyber for a living, and they’re the first line of defense, dealing with the actual unknown threat, they have a natural tendency to think about audit as a little bit “lightweight”. Generally, they are of the mindset that auditors just criticize and don’t really know cybersecurity.

Getting my CISSP was a conscious effort to show that I have technical chops. I do know what I’m talking about, and I want to make sure that I’m not talking over the first line, but that we’re having a productive conversation about the risk and control environment for cyber. Part of that is showing you have the credibility, and that you do deserve a seat at that table for those kinds of discussions. As auditors, we need to show that we actually have done our homework, so when we’re providing risk-based guidance on cyber controls, it’s based on knowledge of the area and not just sort of our own half-baked understanding of it.

Why did you choose the CISSP credential?

It gives a lot of street credibility with the people who do this for a living, because they all understand what a CISSP is. It is definitely an important designation to have on your calling card. I see it as the gold standard in cybersecurity. When you think cyber, there’s a lot of niche certifications that will look at one aspect or another, but the CISSP is the one most recognized in the security community.

How long did it take you to achieve it when you set out?

I only just earned my CISSP about four years ago. It’s actually a later development in my career, but it fits into an interesting story: you get to a certain point when you’re rising in the ranks where, with the certifications you have, you’ve already kind of paid your dues a little bit, and getting a certification seems to be something that you do earlier on as you’re trying to build your resume. It occurred to me that I didn’t have to get this, because by that point, by the time I got my CISSP, I was the sitting Inspector General for the US House of Representatives. I did not need another credential because I already had at least six others. Yet, although I didn’t need another one, I looked at it just as we were getting ready to do a big penetration test of the US House of Representatives’ network.

This was a high-stakes engagement, and I thought, why am I above showing that I have that credibility? I may know in my heart that I am qualified to do this, and the people I’m individually interacting with know that I’m knowledgeable, and that I know what I’m doing, but if I’m preaching to my staff that they should get the CISSP for credibility, and to show that they’re committed to the profession, why was I going to be exempt from that? I needed to demonstrate that myself, so I held myself to the same standard.

I actually took vacation days to go take the test. I did it all on my own time. It was just something important to me personally.

That’s so inspiring. Did you do anything else to prepare or did you take any official training or other training?

I did two things. First, I bought study books, and I just read them cover to cover. I also created little index cards, just like I did when I was studying for the Certified Public Accountant (CPA) exam. Any chance I had between meetings, walking up and down Capitol Hill to different meetings, I would always have those index cards stuffed in a suit pocket, and with just a quick flip through the cards, I would remind myself of all the concepts in the domains.

Second, I took a week-long boot camp class during my vacation. This was a great experience.

The boot camp was like other seminar trainings; a lot of the value you get is from networking with others. This seemed especially true with the CISSP boot camp, because the other “students” tend to be specialists in various disciplines. You have all the different disciplines and all those voices at the table to go through the material from different perspectives. I found that very interesting.

Was there anything that surprised you about the CISSP in terms of content that it covered, perhaps, that you hadn’t expected?

What surprised me, and I thought it was a good surprise, is that I think being an auditor actually was an advantage because the test covered a lot of different topics. For example, fire protection types, such as fire suppression systems within data centers. As much as that sounds sort of niche and odd, my audit background exposed me to a lot of audits that included fire protection systems. This was a familiar subject for me, as were other domains in the CISSP Common Body of Knowledge.

In some cases, I found that the specialists were at a disadvantage because they were experts in one particular domain, but they never worked in some of the other domains. I was surprised that my audit background actually ended up being an advantage for taking that exam.

Did it change how you approached your work or how you thought about your work afterwards? Did you notice anything different as a result of completing the CISSP course of study?

Had I taken it earlier in my career, I could probably say it would have created a much bigger tactical shift, but because I had already been in my career for so long, I was already sort of established in the way that I did things. It did, however, bring certain other aspects of the discipline into clearer focus. It gave me a deeper understanding of certain things, so yeah, there was a change, but I don’t know that it would have been as wholesale of a change had I taken it a little bit earlier in my career.

I understand that. Were there any other kind of unexpected benefits of achieving the CISSP designation?

I think other people were surprised. When I took the boot camp course, it was funny when we had to go around the room and introduce ourselves, and what our title was. When I introduced myself as the Inspector General of the Congress, it was shocking to people. Many wondered, why are you here, what are you doing, and, does this even make sense?

It was really about leading by example. When I came back and was granted the CISSP designation, there was a certain level of surprise that I had taken the time to study for it, because nobody was clamoring for me to get any certs at that point. From a government audit perspective, I had hit the pinnacle of what you can be in that career field.

Now, launching into the private sector, life after government, the CISSP is absolutely incredibly important, because it’s seen as an absolute commitment to the cyber and InfoSec profession. It definitely gives me that credibility that I have the background and that I deserve a seat at that table.

What steps led you to your career decisions from achieving CISSP to your current role?

Under Congressional rules, you can retire after 25 years of federal service. Even though I was in my forties, I could actually retire, but there’s no way I was ready to retire. I definitely saw it as a demarcation point, wondering, well, what do I want to do with the rest of my working life? I started to think about that, and I looked at a lot of different things, not just cyber.

The cyber piece of it is the stuff that really, really interested me and the thing that I’m just really good at, and so I thought, okay, this is where I want the rest of my career to be focused. And the CISSP was like one of these tickets that I saw as enabling me to transform myself into a dedicated role.

I left the House of Representatives, and was at Deloitte for about two years as a Managing Director. I worked in the defense and national security space for first-line people, and helped them with their IT general controls. That was a great experience. It transitioned me from the government space into private industry.

The people at Citi heard me speak on artificial intelligence and robotic process automation, and different cyber concerns that audit should be looking at. They offered me a position at Citi to stand up an entire cyber team that audits this area and defines how Citi addresses auditing cybersecurity. There was no way that I could pass that up. Recently I was promoted to become the overall Chief Auditor for all of technology. So now cyber is a sub-component of the overall tech portfolio that I oversee.

Can you tell me what is it about your job that you love so much?

I love the fact that if I look back across my career, the thing that drew me to work for the Dept of Defense Inspector General right after college was that it called to my sense of making a difference: that I could go and use these skills that I had gained in my university, and use them to make a difference in the way that we manage risk across the US government; it really drew me to that.

When I was looking at what I wanted to do, post-Inspector General world, Citi really resonated with me because Citi is systemically important in financial services. If something happens to Citi, it would rattle the entire financial services system across the entire world, so the idea that I could be somebody who helps make Citi safer and more secure, and help reduce risk, and fine-tune controls, and really attend to making them safer, that just appeals to me at a level that I feel like I’m making a difference. That’s something that’s really important to me.

You’ve had some wonderful achievements. What are you most proud of?

There’s just been so many different opportunities and experiences I have had in my career, it’s hard to point to a single one. At one point, the Institute of Internal Auditors (IIA) chose me as one of the top 10 thought leaders for the entire profession, and they inducted me into their Hall of Distinguished Practitioners, which was just stunning to me and unexpected. Other times, different acknowledgments have recognized different parts of the things that I do. Those addressed my pure internal audit background. Other times, I’ve been recognized as the “Golden Gloves Federal Executive of the Year” and the “CPA Government Leader of the Year”. More recently, I was recognized in Security Magazine, and ISC2 has been part of that, recognizing me as a thought leader in the cybersecurity profession. I’m really excited about that.

That’s fabulous. How do you make sure your skills continue to grow then?

You can never get to an age or a point in your career where learning is no longer important. If you stop learning, you stop, just period. Even if you’re 100 years old, you need to keep going. My grandmother lived until she was 94, and even after she went blind, she would listen to audio books. She believed that you must continue to feed information into your brain; you need to keep learning. I am confident that continual learning, whether through formal training or continuing professional education (CPE), but also just reading things and being plugged in with other humans, is important to the overall learning process. A lot of times, I learn as much from people on breaks at conferences, and the debates over things. You just need to continue to be engaged.

What do you think the biggest challenges are for cybersecurity right now?

I think it’s so dynamic, and that it changes every single day. There’s always this risk mitigation that was good enough yesterday, but is not good enough today. So how do you keep on top of that constantly changing environment? There’s always that possibility that you’re providing assurance on yesterday’s risks, and then today, a new one happens that nobody saw or thought about. When you think about the most recent significant cybersecurity event, did anybody predict that? Were we thinking about that? What does that do to the perception of the profession? The biggest challenge for us is keeping apace of risks as they dynamically and rapidly change.

Who inspires you in the world of cybersecurity?

There’s just so many people I know, like on a personal level. One that immediately comes to mind is Dr. Ron Ross. He is a personal friend and he’s a Fellow at the National Institute of Standards and Technology (NIST). He’s one of the foundational creators of NIST 800-53. When you think about all of the cyber controls, we think about the cybersecurity framework, everything kind of ties back to that NIST document. He’s just somebody I can’t say enough good things about.

I am also so excited with Clar Rosso being appointed as the CEO of ISC2. I’ve known Clar for a number of years, and she brings such a clear vision. She’s somebody who brings people together from different backgrounds. I’m enthusiastic to see what she’s going to do, not only for ISC2, but for the security profession in general, because she’s such a visionary.

Finally, what do you think people who might be considering a career in cybersecurity should know?

I would say definitely pursue it, and don’t be overwhelmed. I think coming in on the first day with any job, whether it’s cyber or something else, there is a tendency to feel overawed. I remember one of my very first days at the Department of Defense Office of the Inspector General way back when I was 22. I was meeting with an Air Force team and an Air Force General. They could speak for hours without saying English words, because everything was in acronyms.

I can remember going back to my hotel room and wanting to literally cry, and thinking that I picked the wrong profession. I wondered, how can I do this? I don’t know what they’re talking about. That can happen to anybody coming into a room if this is your new profession. What I would say to them is, don’t get overwhelmed. If you’re dedicated, and you’re willing to do the hard work, and the extra reading and the extra research, you will do well.

Your skills are needed because cybersecurity is like being on the front lines. Cyber war is the new theater for war, unfortunately. By going into this profession, you’re like a proxy warrior, where you’re going to go in and protect your organizations from these threat actors that can work from afar to bring your whole organization down.

Cybersecurity is exciting!

To discover more about CISSP download our Ultimate Guide. Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader.

Or, check out more interviews with CISSPs as a part of this CISSP interview series.