The Certified Information Systems Security Professional (CISSP) certification is considered to be the gold standard in information security. This is so because of all the doors that certification opens to a CISSP professional. Those doors lead to many different types of positions and opportunities, thus making the information security community dynamic and multifaceted.
In this installment, we talk to Theresa ‘Terry’ Grafenstine . Terry tells us about her time working as the appointed Inspector General of the U.S. House of Representatives and her journey to becoming Chief Auditor for Global Technology at Citi. She shares with us her passion for cybersecurity and her advice for those considering it as a career.
What job do you do today?
I am the Chief Auditor for Global Technology at Citi.
What problems does your job solve?
Citi is one of the largest financial institutions in the world, and it's considered the most global financial institution in the world, meaning that we're in more countries than any other financial institution. We're number one in that regard. Citi obviously is a big player in the financial services space and is considered systemically important to the entire fabric of financial systems across the world. So it's definitely an important organization in terms of the role that I serve. I am the global chief auditor for technology. So what does that mean? I'm providing assurance from a third-line perspective. To clarify, there are three lines of defense. The first line consists of the people that actually enact the controls. The Second line comprises the people who are looking at the risk management aspects, and I'm head of internal audit for all of technology.
The kinds of things I would be looking at include all the different applications that Citi has in its various legal entities and jurisdictions. An application may look different in Nigeria than it does in the UK, or in the United States, depending on locality-based preferences or regulatory requirements. One facet of my job is a lot of heavy application-type of technology reviews.
I also oversee audits in cybersecurity, business continuity, crisis management, and resilience. As you can imagine, with Citi being such a big presence in financial services, we're obviously going to be a big target as well for bad actors from a cyber-perspective. In a world of disruption, business continuity, crisis management, and resilience are equally as important. I also oversee audits of our tech infrastructure, which includes things like controls over cloud services and data centers.
There's an added level of complexity in all of these areas because they span a big global footprint, and so many different regulatory requirements and regional types of concerns, that it's a lot to keep the pulse of, but it's a job that I love.
Did you start your career in cybersecurity or was it some other route
that brought you to cybersecurity?
No, I did not start off in cybersecurity. I actually started off in US
government as an auditor at the Office of Inspector General in the US
Department of Defense. The things I was looking at there were very “national
security” focused. Much of what I audited included things that don't sound
like cybersecurity at all, such as supply chains, and contracts, and
acquisitions for weapons systems. It was kind of like the precursor to
cybersecurity. Over time, I really understood national security implications
of the audits that I was doing. And we wound our way to “Year 2000”
(Y2K), which now
seems sort of silly, but in retrospect, at the time it was a big deal.
Once you pivoted into cybersecurity, what attracted you to studying for a qualification?
I initially focused on internal audit and accounting types of certifications. However, one of the things I've found is, when you're having conversations with people who are doing cyber for living, and they're the first line of defense, dealing with the actual unknown threat, they have a natural tendency to think about audit as a little bit “lightweight”. Generally, they are of the mindset that auditors just criticize and don't really know cybersecurity.
Getting my CISSP was a conscious effort to show that I have technical chops. I do know what I'm talking about, and I want to make sure that I'm not talking over the first line, but that we're having a productive conversation about the risk and control environment for cyber. Part of that is showing you have the credibility, and that you do deserve a seat at that table for those kinds of discussions. As auditors, we need to show that we actually have done our homework, so when we're providing risk based guidance on cyber controls, that it's based on knowledge of the area and not just sort of our own half-baked understanding of it.
Why did you choose the CISSP credential?
It gives a lot of street credibility with the people who do this for a living, because they all understand what a CISSP is. It is definitely an important designation to have on your calling card. I see it as the gold standard in cybersecurity. When you think cyber, there's a lot of niche certifications that will look at one aspect or another, but the CISSP is the one most recognized in the security community.
How long did it take you to achieve it when you set out?
I only just earned my CISSP about four years ago. It's actually a later development in my career, but it fits into an interesting story: You get to a certain point when you’re rising in the ranks, where having certifications you've already kind of paid your dues a little bit, and getting certification seems to be something that you do earlier on as you're trying to build your resume. It occurred to me that I don't have to get this, because by that point, by the time I got my CISSP, I was the sitting Inspector General for the US House of Representatives. I did not need another credential because I already had at least six others. Yet, although I didn't need another one, I looked at it just as we were getting ready to do a big penetration test of the US House of Representatives’ network.
This was a high-stakes engagement, and I thought, why am I above showing that I have that credibility? I may know in my heart that I am qualified to do this, and the people I'm individually interacting with know that I'm knowledgeable, and that I know what I'm doing, but if I'm preaching to my staff that they should get the CISSP for credibility, and to show that they're committed to the profession, why was I going to be exempt from that? I needed to demonstrate that myself, so I held myself to the same standard.
I actually took vacation days to go take the test. I did it all on my own time. It was just something important to me personally.
That's so inspiring. Did you do anything else to prepare or did you take any official training or other training?
I did two things. First, I bought study books, and I just read them cover to cover. I also created little index cards, just like I did when I was studying for the Certified Public Accounting (CPA) exam. Any chance I had between meetings, walking up and down Capitol Hill to different meetings, I would always have those index cards stuffed in a suit pocket, and with just a quick flip through the cards, I would remind myself of all the concepts in the domains.
Second, I took a week-long boot camp class during my vacation. This was a great experience.
The boot camp was like other seminar trainings; a lot of the value you get is from networking with others. This seemed especially true with the CISSP boot camp, because the other “students” tend to be specialists in various disciplines. You have all the different disciplines and all those voices at the table to through the material from different perspectives. I found that very interesting.
Was there anything that surprised you about the CISSP in terms of content that it covered perhaps that you hadn't expected?
What surprised me, and I thought it was a good surprise, is that I think being an auditor actually was an advantage because the test covered a lot of different topics. For example, fire protection types, such as fire suppression systems within data centers. As much as that sounds sort of niche and odd, my audit background exposed me to a lot of audits that included fire protection systems. This was a familiar subject for me, as were other domains in the CISSP Common Body of Knowledge.
In some cases, I found that the specialists were at a disadvantage because they were experts in one particular domain, but they never worked in some of the other domains. I was surprised at my audit background actually ended up being an advantage for taking that exam.
Did it change how you approached your work or how you thought about your work afterwards? Did you notice anything different as a result of completing the CISSP course of study?
Had I taken it earlier in my career, I could probably say it would have had created a much bigger tactical shift, but because I had already been in my career for so long, I was already sort of established in the way that I did things. It did, however, bring certain other aspects of the discipline into clearer focus. It gave me a deeper understanding of certain things, so yeah, there was a change, but I don't know that it would have been as wholesale of a change had I taken it a little bit earlier in my career.
I understand that. Were there any other kind of unexpected benefits of achieving the CISSP designation?
I think other people were surprised. When I took the boot camp course, it
was funny when we had to go around the room and introduce ourselves, and
what our title was. When I introduced myself as the Inspector General of the
Congress, it was shocking to people. Many wondered, why are you here, what
are you doing, and, does this even make sense?
It was really about leading by example. When I came back and was granted the
CISSP designation, there was a certain level of surprise that I had taken
the time to study for it, because, nobody was clamoring for me to get any
certs at that point. From a government audit perspective, I had hit the
pinnacle of what you can be in that career field.
Now, launching into the private sector after life after government, the
CISSP is absolutely incredibly important, because it's seen as an absolute
commitment to the cyber and InfoSec profession. It definitely gives me that
credibility that I have the background and that I deserve a seat that table.
What steps led you to your career decisions from achieving CISSP to your current role?
Under Congressional rules, you can retire after 25 years of federal service. Even though I was in my forties, I could actually retire, but there's no way I was ready to retire. I definitely saw it as a demarcation point, wondering, well, what do I want to do with the rest of my working life? I started to think about that, and I looked at a lot of different things, not just cyber.
The cyber piece of it is the stuff that really, really interested me and the thing that is just I'm really good at, and so I thought, okay, this is where I want the rest of my career to be focused on. And the CISSP was like one of these tickets that I saw myself as being able to transform myself into a dedicated role.
I left the House of Representatives, and was at Deloitte for about two years as a Managing Director. I worked in the defense and national security space for first-line people, and helped them with their IT general controls. That was a great experience. It transitioned me from the government space into private industry.
The people at Citi heard me speak on artificial intelligence and robotic process automation, and different cyber concerns that audit should be looking at. They offered me a position at Citi to stand up an entire cyber team that audits this area and defines how Citi addresses auditing cybersecurity. There was no way that I could pass that up. Recently I was promoted to become the overall Chief Auditor for all of technology. So now cyber is a sub-component of the overall tech portfolio that I oversee.
Can you tell me what is it about your job that you love so much?
I love the fact that if I look back across my career, the thing that drew me to work for the Dept of Defense Inspector General right after college was, it felt it called to my sense of making a difference that I could go and use these skills that I had gained in my university, and use it to make a difference and the way that we manage risk across the US government; it really drew me to that.
When I was looking at what I wanted to do, post-Inspector General world, Citi really resonated with me because Citi is systemically important in financial services. If something happens to Citi, it would rattle the entire financial services system across the entire world, so the idea that I could be somebody who helps make Citi safer and more secure, and help reduce risk, and fine-tune controls, and really attending to making them safer, that just appeals to me at a level that I feel like I'm making a difference. That's something that's really important to me.
You've had some wonderful achievements. What are you most proud of?
There's just been so many different opportunities and experiences I have had in my career, it's hard to point to a single one. At one point, the Institute of Internal Auditors (IIA) chose me as one of the top 10 thought leaders for the entire profession, and they inducted me into their Hall of Distinguished Practitioners, which was just stunning to me and unexpected. Other times, different acknowledgments have recognized different parts of the things that I do. Those addressed my pure internal audit background. Other times, I've been recognized as the “Golden Gloves Federal Executive of the Year” and the “CPA Government Leader of the Year”. More recently, I was recognized in Security Magazine, and ISC2 has been part of that and recognizing me in that, and as a thought leader in the cybersecurity profession. I'm really excited about that.
That's fabulous. How do you make sure your skills continue to grow then?
You can never get to an age or a point in your career where learning is no longer important. If you stop learning, you stop, just period. Even if you're 100 years old, you need to keep going. My grandmother, lived until she was 94, and even after she went blind, she would listen to audio books. She believed that if you must continue to feed information into your brain; you need to keep learning. I am confident that continual learning, whether through formal training, or continuing professional education (CPE), but also just reading things and being plugged in with other humans is important to the overall learning process. A lot of times, I learn as much from people on breaks at conferences, and the debates over things. You just need to continue to be engaged.
What do you think the biggest challenges are for cybersecurity right now?
I think it's so dynamic, and that it changes every single day. There's always this risk mitigation that was good enough yesterday, but is not good enough today. So how do you keep on top of that constantly changing environment? There’s always that possibility that you're providing assurance on yesterday's risks, and then today, a new one happens that nobody saw or thought about. When you think about the most recent significant cybersecurity event, did anybody predict that? Were we thinking about that? What does that do to the perception of the profession? The biggest challenge for us is keeping apace of risks as they dynamically and rapidly change.
Who inspires you in the world of cybersecurity?
There's just so many people I know, like on a personal level. One that immediately comes to mind is Dr. Ron Ross . He is a personal friend and he's a Fellow at the National Institute of Standards and Technology (NIST). He's one of the foundational creators of NIST 800-53 . When you think about all of the cyber controls, we think about the cybersecurity framework, everything kind of ties back to that NIST document. He's just somebody, I just, I can't say enough good things about.
I am also so excited with Clar Rosso being appointed as the CEO of ISC2. I've known Clar for a number of years, and she brings such a clear vision. She's somebody who brings people together from different backgrounds. I'm enthusiastic to see what she's going to do, not only for ISC2, but for the security profession in general, because she's such a visionary.
Finally, what do you think people who might be considering a career in cybersecurity should know?
I would say definitely pursue it, and don't be overwhelmed. I think coming in on the first day with any job, whether it's cyber something else, there is a tendency to feel overawed. I remember one of my very first days at the Department of Defense Office of the Inspector General way back when I was 22. I was meeting with an Air Force team and Air Force General. They could speak for hours without saying English words, because everything was in acronyms. I can remember going back to my hotel room and wanting to literally cry, and thinking that I picked the wrong profession. I wondered, how can I do this? I don't know what they're talking about. That can happen to anybody coming into a room if this is your new profession. What I would say to them is, don't get overwhelmed. If you're dedicated, and you're willing to do the hard work, and the extra reading and the extra research, you will do well.
Your skills are needed because, cybersecurity is like being on the front lines. Cyber war is the new theater for war, unfortunately. By going into this profession, you're like a proxy warrior, where you're going to go in and protect your organizations from these threat actors that can work from afar to bring your whole organization down.
Cybersecurity is exciting!
To discover more about CISSP download our Ultimate Guide . Or read our whitepaper, 9 Traits You Need to Succeed as a Cybersecurity Leader .
Or, check out more interviews with CISSPs as a part of this CISSP interview series.