Interview - Switzerland

Critical thinking is the key

Theresa Grafenstine, Global Audit Leader for Cyber, Resiliency & Third Parties at Citibank

Before taking up a position with Citi as Managing Director/Chief Auditor for Cyber, InfoSec & Continuity of Business, Theresa spent some time as Managing Director at Deloitte. Prior to that Theresa was the first female Inspector-General of the House of Representatives in Washington, and has also been the chair of ISACA, the professional body for IT audit, risk, security and governance. Her views about cyber and audit are both perceptive and based on wide experience, as the challenges of cyber risk have grown and their implications for audit have evolved.

The relationship between cyber and audit

Through her career, Theresa has seen the role of audit change with the emergence of cyber risks. She sees audit as a crucial necessity for tackling them.

“In the very beginnings of my career, people thought of audit as something financially-focused. Then we had IT controls and IT auditors, but as cyber developed to become one of the biggest risks engulfing society, we now realise that audit has to be part of the measures to tackle it.

Auditors have many skill sets. They can look at problems from beginning to end, across departments and the entire organisation, and so they can understand the problems and risks with abuse or stealing of information. They can call out risks and see if controls are in place to address them.”

What does the Future of Audit look like?

“It’s going to be a different kind of audit. Old audit concepts, such as the separation of responsibilities, are still relevant but we need to do much more. When you bring complexity into systems, it means there are more opportunities for mistakes. People like to talk ‘big data’, but to use big data you need to understand all the data you have, across boundaries, and harness what you have in all those silo database systems. You need to expose and break down data, and see how it all interrelates. The problem is that when you expose data, even internally, this gives rise to access issues, and it creates a new kind of risk.”

The role of audit will increase, but it will also change. Technology will take away the need for auditors to look at the routine and mundane, but the work that remains becomes more technical and analytical.

The perception of auditors: critical thinking

“I agree that auditors and security people are seen as the ‘Office of No’ and impediments to progress. So we need to be clear and crisp in our messaging about what our role is and why we are advising on risk. The message is that we aim to make systems safe, and you can’t make advances in business unless you are sure that your system is safe.”

Critical thinking has always been important – asking things, being intellectually curious and not being satisfied with a superficial answer.

“To provide value auditors need to understand why something works and question the rules. Do they make sense? We don’t simply ensure that the rules are applied. AI (Artificial Intelligence) will do what its algorithms tell it to and we need to ensure compliance with what seems appropriate. We present problems to people who are in a position to fix things.”

The evolution of cyber security: the need for resilience

“Early on we focused on security at the perimeter of systems – virus protection, then firewalls, and this morphed into intrusion detection systems. Nowadays we say that our system will inevitably be breached because there are so many ways to get into a network. Ransomware, malware – it just requires one person to click on a link. So for good security, we need vigilance. If we know that someone will get into our network, do we have the tools and the people skills to be able to distinguish between malicious activity and normal activity?

How quickly do we spot a breach of systems and how quickly do we do something about it? Do I have back-up so that if they have stolen or altered my data, am I resilient enough to recover quickly without serious loss of reputation? Somebody will get in, but it’s about how we manage that. It’s the world that we live in.”

Some words of advice for starting out in cyber security

People often ask Theresa about obstacles to career progress for women.

“There are glass ceilings, but don’t limit yourself. Get over your fears and don’t be your own self-imposed glass ceiling. If you can’t express an opinion at a meeting, how will you ever become a leader in your career?”

A second piece of advice is to show moral courage.

“The idea that I could become Inspector-General of the House of Representatives was mind-boggling. But you are dealing with people who have power. As an auditor, you need the moral courage to Speak Truth to Power. At the end of the day, if you can’t stand up to powerful people, you shouldn’t be in your role.”

“Networking is incredibly important. People should try to find role models and a mentor – it needn’t be a formal relationship – who you admire and who is willing to give you a few minutes and a bit of advice. That’s something I try to do myself: helping others with your experience and know-how. It’s giving back something to a world of working that has given so much to me.”
