Christie Terrill – Partner, Bishop Fox
Christie Terrill is an IT security compliance, governance, and risk management specialist with 15 years of experience in the cybersecurity industry. She started the Enterprise Security practice at Bishop Fox, where she is currently a partner, and has worked as a security consultant for Fortune 500 clients across the financial services, products, healthcare, and resources industries. Ms. Terrill was featured at the 2017 Women in Cybersecurity Conference, where she was on a panel entitled “Stories from the Battlefield – Cybersecurity Incident Response.” She graduated from UC Santa Cruz in 2001 with a Bachelor of Arts in English and French Literature, and a minor in Communication and Rhetoric. She also holds a CISSP certification, which she has maintained since 2005.
[OnlineEducation.com] To start with, how would you describe your position at Bishop Fox?
[Ms. Terrill] I am one of five partners. Each partner plays a slightly different role. My role has been to build out one of our consulting practices, which is called Enterprise Security. We provide a range of services, including information security governance, risk compliance, and technical controls. Very recently, I transitioned roles internally, and Enterprise Security was merged with our other consulting practices. I am currently focusing on sales and on running the company.
[OnlineEducation.com] I’m curious how you moved from an undergraduate degree in literature to a career in a technical field like cybersecurity?
[Ms. Terrill] Even during college, I was interested in technology and one of my favorite classes for my Rhetoric and Communications minor was a Technical Writing and Editing course. I enjoyed it so much that I pursued a summer internship in technical writing between my junior year and senior year of college. I created a paid internship for myself by contacting people through my alumni career advice network, and I continued to work part-time as a technical writer and editor through my senior year of college.
The first few years out of college were after the dot-com bust, so entry-level jobs weren’t the easiest to find. I enrolled in a programming class through a community college, thinking that I should gain more hands-on technical skills. To be honest though, I hated it, which confirmed that not all aspects of technology were for me. After a year of temp work, I landed a contract job in an IT PMO for a few months, and then transitioned to a business analyst role in IT Finance at a utility company. That allowed me to use my communication, analytical, and organizational skills in a tech field.
My first job in information security was as a consultant at Ernst & Young, where I was hired into the security consulting practice. They knew I did not have formal education in computer security (which practically didn’t exist at the time) or in computer engineering, but they were confident in my ability to learn and their ability to train me.
[OnlineEducation.com] When you made that transition, was it your impression that cybersecurity was an unusual career choice for women, and was that even a consideration for you?
[Ms. Terrill] Whether women were or were not in cybersecurity was not a consideration for me. I had already been working on teams where women were a statistical minority, but I did not feel that the environments I worked in were negative toward women. I was more focused on getting into consulting, which I knew I would enjoy due to the variety, travel, and expectation for continual learning and adaptability. Cybersecurity happened to be the type of consulting where I had my first opportunity.
[OnlineEducation.com] One aspect of cybersecurity that I keep hearing about is the importance of communications skills, particularly the skills needed to articulate technical matters pertaining to information security to people who do not have a technical background. Was that an advantage for you?
[Ms. Terrill] I didn’t necessarily focus on that, but I will say that my communications skills, and my organization and project planning skills have been a differentiator. Whether it’s in the context of consulting, or on a team, everyone needs to contribute in the ways that they can. I have found myself in situations, even when I was in junior positions, where I had greater access to the executives in the company or to members of a team because I was tasked with detailing and explaining the risks and issues in the work we were doing. So even very early on in my career I started to translate between engineers and executives and different team members. That clearly helped me. I did not plan it that way, but I capitalized on it once I realized that was the case.
I should say that that these days it’s more of a requirement to have a technical background. When I entered the field 15 years ago, there were no cybersecurity programs. There are different educational options now. So, as a hiring manager, it’s more of an issue. If I see an applicant for an entry level job, and that person doesn’t have a computer science background or some kind of technical training, I would want to understand that person’s story. You know, why are they interested in this field? And, if they are interested in this field, why didn’t they study it, because there are educational options. It’s not an absolute prerequisite. But, there are many jobs in cybersecurity that do require intensive technical skills that you’re not going to acquire just playing around on a computer in your parents’ basement. That’s the hacker mentality. While talent can be found that way, there are lots of roles, doing things like forensics and incident response, that you do need specific training to do effectively. You have to have the technical chops to do those jobs.
While I am very proud of my career and the trajectory that I have taken, and I do want to be as encouraging to as many people as possible. There are many roles that require technical aptitudes that I don’t have. I have managed to progress in my career without that. But, it is different for different people at different stages in their career.
[OnlineEducation.com] You got your CISSP certification, so you have some formal technical training.
[Ms. Terrill] Sure, even though I may not feel like I’m the most technical person in the room, and sometimes I may feel like I’m the least technical person in the room, I have a lot of technical knowledge compared to people who are not in the industry. Most of what I learned was hands-on. The CISSP, which I got fairly early on, was more of an academic exercise. You read books and you take a crash course and you pass a test. It’s a subject matter test, so it doesn’t necessarily prove that you know how to apply the knowledge.
In contrast, on one of my first projects I was tasked with running queries on password files on UNIX systems. I had never used UNIX before. But I had one of my colleagues sit down with me, and show me some basic commands. I read up on UNIX, and I was able to do the project. I’m not a UNIX admin, but I am able to learn technical skills when there is a purpose for it, and apply those skills on the job, and then move on.
[OnlineEducation.com] So you do look for applicants that have a certain amount of clear technical training?
[Ms. Terrill] As a hiring manager, I look for passion (doing something related to the industry outside of your current school or work commitments), dedication (a clear focus on why you want to pursue cybersecurity), and the ability to learn quickly (adapting and integrating new information and experience into your repertoire). I’m looking for something that would indicate passion or interest in the industry. That could be a membership in a college hacking club, or it could be that a person volunteers to go out to schools and educate kids about online safety. In the same way that every top college looks for extra-curricular activities, we look for the same kinds of things, beyond a person just passing courses in a CIS program or a cybersecurity program. We want to see what they do outside of their job or outside of the classroom to give us an indication that they’re committed to working in this field.
One of the questions I do ask in interviews is, “What was the last thing you geeked out on?” The answer doesn’t have to be work related. I’m looking for someone to tell me something like, they went to a restaurant, had the best fish they’ve ever had in their life, asked the chef how it was made, found out it was done using sous vide, and went home to read up on and practice how to sous vide. You want to find people who have that kind of curiosity and the motivation to constantly learn new things and hone a craft. Even if you’re still a student and haven’t had any professional experience, that’s what I’m looking for.
[OnlineEducation.com] This pertains to both men and women, but what is a good reason for wanting to pursue a career in cybersecurity?
[Ms. Terrill] That’s a great question. I was at a job fair at the Women in Cybersecurity conference in Tucson a few weeks ago. I met a couple of people who were students, and I asked them that question, because I wouldn’t have even thought to pursue a career in cybersecurity when I was their age.
There’s a huge spectrum of answers to that question, and many of them are perfectly acceptable. Some people care deeply about the privacy aspects of cybersecurity, and they want to be involved in an industry where they can help protect privacy and data. So, it’s something they’re clearly passionate about being involved in. Other people might glorify the idea of being a hacker. There are plenty of things out there, like Mr. Robot, that make it look cool. As far as computers and IT goes, it seems like one the sexier things you could do. I mean, I get lots of people who tell me that they want to be a penetration tester, but they haven’t done it before, and they have no idea what it’s really like. I can’t tell them if they’re going to like it or not, much less whether or not they’ll be good at it.
I often say that I like cybersecurity because there’s no one right answer to a problem. This actually relates to my own educational background. The reason I was drawn so much to English and literature is that it was really about reading texts and coming up with opinions about those texts. In a literature essay, you present a hypothesis or a reason or a defense of an opinion. It has less to do with the mechanics of the English language, then with using the English language to be persuasive, to communicate a point, to get people on your side.
What I like about cybersecurity is that you need to persuade and convince team members, executives, and boards of directors to go down a certain path. There are so many ways to invest millions of dollars in security, and you may not see a dedicated ROI. It’s not that if you spend X number of dollars then you’re going to be secure. You have to use your experience and other tools to communicate a plan. It’s not just about bits and bites and numbers and inputs and outputs. I enjoy that ambiguity. I thrive on that ambiguity because I have the skills to thrive in that environment.
[OnlineEducation.com] Getting back to women in cybersecurity, you mention teamwork, and clearly that’s an important aspect of IT security. That would also seem to be a good practical argument in favor of promoting diversity in the field, if only to get a broader range of perspectives onto a team.
[Ms. Terrill] Cybersecurity is a broad label that we’ve put on what is actually a collection of very different sub-specialties. I have met very few people who are an expert in all of the different specialties that are part of cybersecurity. Teamwork is a necessity, and having a diversity of perspectives is critical in this field, because there is such a wide range of skills and perspectives necessary to solve what we label as cybersecurity problems. You can’t do this solo. You can’t do this in isolation.
[OnlineEducation.com] From where you sit now professionally, is it your impression that women are underrepresented in the field of cybersecurity?
[Ms. Terrill] I agree that women are underrepresented in cybersecurity, but I don’t think the solution is a simple one.
[OnlineEducation.com] What advice would you give to women who are considering and/or preparing for a career in cybersecurity?
[Ms. Terrill] The hardest part of breaking into any field is getting your first internship or job. I have found the most luck finding all my jobs through my personal network, where people are more likely to take a chance on you. Formal entry-level programs are also a great way to get that first real-world experience. I don’t know that there’s a particular degree or particular certification that is guaranteed to work. But, I do think that you should talk to as many people as you can in the field. If you’re a student or already working, attend conferences and events, build a network of people in the field who you can talk to about their experiences. I do recommend that women entering cybersecurity are dedicated, confident, skilled, and at the top of their game compared to their peers.
I feel like I have not been subjected to overt sexism in my career. If I’m brutally honest though, I’ve probably just been a little blind to it when it has occurred. I have many friends in security and tech who have personal stories of blatant sexism holding them back or preventing them from getting the same opportunities as their male peers, and I think that it’s important for women entering the workforce to be on guard against this type of discrimination. That being said, sexism is not only relevant to cybersecurity.
[OnlineEducation.com] If we set aside overt sexism, what else do you think might account for the underrepresentation of women in cybersecurity jobs? Is it a branding problem? An issue with professional culture in the industry?
[Ms. Terrill] It wasn’t a very well known industry until just a few years ago. I’ve been in it for 15 years, and I used to have to explain what I did to every taxi driver I got in a cab with. I would say that I was an information security professional. Now everyone calls it cybersecurity, and when I tell cab drivers I’m in cybersecurity, they know what I’m talking about. Until very recently, that just wasn’t the case. And, if people aren’t even aware that cybersecurity is a potential career path, you’re not going to get an equal cross section of men and women pursuing those careers.
As far as what other barriers there might be, I get a little uncomfortable when I’m thinking about talking about women in cybersecurity. I’m still forming my own opinions on the subject, so I don’t have a fixed view. But, I do think the lack of perceived mentors or real mentors who are women has got to be a factor. If you are doing job interviews as a young woman, and you are going on site, and you don’t see any other women in the department, that’s probably a factor. While it didn’t faze me back in the day, that type of anomaly is more of a recognized problem now. If you don’t see women ahead of you in that field, it may not seem like a practical career choice.
[OnlineEducation.com] Do you think that the popular conception of the lone-wolf hacker as a representation of what goes on in the world of cybersecurity might also be a factor?
[Ms. Terrill] I don’t know. The reality of what you do on a day-to-day basis in this field is not very glamorous. You might be in a security operations center, and that might involve reviewing log files all day long. You stare at a screen and look for anomalies. Or, if you’re in compliance, you’re might be going through the same spreadsheets again and again and again. No one really talks about that being the real work when they advertise for a position.
When I give career advice, I emphasize the importance of knowing yourself, and knowing your temperament. For example, I always test on the introvert side on personality tests like Myers-Briggs. But, I’m a very social introvert. I can go out there and be the life of the party, but then I need a day and a half at home just to not talk to anybody. I know that about myself. So, if I have four client meetings a day for three days, I need a break. Knowing that about yourself is important when you’re thinking about a career.
This is off on a tangent, but my mother had two careers. She was a dental hygienist and then she was a psychologist. She thought both of those careers were exactly the same. As she saw it, she met with one patient at a time in a room; she could focus on that person, and help solve that person’s problem. She found two very different fields that she excelled in because she knew her own personality. I don’t know if people talk about jobs in that way enough when they’re thinking about careers.
[OnlineEducation.com] Is it your impression that many or even a significant percentage of jobs in the field of cybersecurity require professionals to be on call round the clock, or that there are particular demands that make it difficult to maintain a reasonable work/life balance?
[Ms. Terrill] I don’t think there is much of a difference between the work/life demands for professionals in cybersecurity compared to other corporate or professional fields. Personally, I think it’s America’s corporate cultural expectations and lack of mandatory paid maternity leave or part-time job role options that cause women to reconsider certain professional careers. It is not an issue isolated to cybersecurity.
Most of the jobs in cybersecurity can be scheduled during regular business hours, and planned out in advance. The only reason I’ve had to be on call as a consultant over the years has been to help a client in an emergency situation. If I can help in a situation, then I’m going to help. But, I’ve never had it in my job description that I have to be on call or work odd shifts or anything like that. There are only a few roles where that is a requirement. So, yeah, in those jobs that might be a consideration for women, young parents, or anyone who doesn’t like that particular lifestyle. I just don’t think that applies to a large number of the jobs that are out there in cybersecurity.
[OnlineEducation.com] Are there particular areas within the larger world of cybersecurity that have been more open to women, or more successful at attracting women?
[Ms. Terrill] I know successful women in all specializations, so without the support of data or metrics to prove me wrong, I can’t say that any one area is more supportive or accommodating to women over others. Many people cite some of the less technical specializations within cybersecurity as areas where women are making strides. But I think that is the case mostly because these are areas that people (women or men) can more easily transition into from other specialties. Given the lack of security talent, employers are becoming more flexible and creative about a candidate’s educational and professional background.
[OnlineEducation.com] Is there anything you’d like to add?
[Ms. Terrill] Maybe a couple more thoughts. I guess when I get uncomfortable about potentially talking about women in cybersecurity it’s because I want to understand that person’s intent, where the conversation is going to go, what are they trying to prove or achieve by it. I don’t think that there are that many problems in cybersecurity that are exclusive to cybersecurity. Whether it has to do with work/life balance, gender imbalance in the industry, or any issue like that, you could say that about so many other fields. I don’t want to falsely point a finger at any other professions, but maybe it’s the same for surgeons, and in the past it may have been true for lawyers. There are so many fields in which women are or have been underrepresented. I don’t think cybersecurity is unique in that way. This is a societal problem, not a cybersecurity problem. That’s how I see it.
It’s not an easy problem to fix or even talk about because there are so many different aspects of it – whether it’s STEM careers as a whole, and women understanding that STEM careers are an option for them, or women being supported culturally and by their families. There are so many things that have to change on a basic level at such a young age before we’re going to see a real change in the numbers for cybersecurity. One of the reasons I wasn’t fazed about going into an industry that was and is male-dominated was the just the way I was raised, the parents I had, and the exposure I had to talking to my dad about business and technology. I always thought that being an executive at a company was an option for me. I’m not saying that women think it’s not an option to do something like that. I’m saying that women may not even realize that the option exists. It’s just not presented as an option. Or, maybe it’s presented as an option at school, but not at home.
It’s complicated, and I think some of the programs that are trying to bring more women into cybersecurity may be starting a little late, and that you’re only going to move the needle a little bit by talking to women who are mid-career. You are going to get some takers, but it’s probably not going to change the number from 11% to 45%. I have a healthy skepticism about some of these efforts, and yet I support them. I go to the conferences, and I participate in forums because I want to be part of the solution.