Interpersonal Skills Over Smarts

(November 29, 2022)

Theresa “Terry” Grafenstine is the Global Chief Auditor, Technology for Citi, which encompasses leading audits, infrastructure, cybersecurity, business continuity, crisis management, and technology across all platforms globally. She had the opportunity to speak with Cyber Security Tribe's podcast partner, Dr. Rebecca Wynn, host of Soulful CXO, which you can listen to here. In addition to being incredibly engaging and humorous, she shared her wisdom on:

  • How to build trust in a new organization
  • Communicating with Stakeholders
  • Setting boundaries

CPA to Technology


During the year 2000 problem (also known as the Y2K problem, Y2K scare, the millennium bug, or Y2K), Grafenstine, a CPA, was a senior auditor at the US House of Representatives Inspector General’s Office. As some of you may recall, there was mass panic around Y2K, including the political divide in the House, which was Republican-controlled at the time. Grafenstine was put in charge of the project and of whether people were being treated fairly. She found the concept that a software bug could potentially bring down society “cool,” and at that moment decided to shift to the IT side of the house and get her CISO certification, which is where her technology career began.

One of her first top projects was to look at Active Directory. Being in a political environment, the concern with having Active Directory was ‘what's going to happen with enterprise administrators?’ They could technically go in and hop across the different member offices and committees. Usually, auditors are just looking at the controls, but she had to get out in front of all these different House committees and talk about why she felt comfortable that there wouldn't be any political shenanigans with people crossing the different parts of the Active Directory. An unimaginably stressful scenario.

Grafenstine shared that she approaches that stress as she would in any facet of life, ‘you can't control what you can't control. You only can control your reaction to it and get through the next thing so you take it in increments.’

Transformative Leadership

Grafenstine’s approach relies heavily on relationships. In her words, what it all comes down to is that although you can be the smartest person in the room, if you don't have interpersonal skills and the ability to make relationships, it's almost a waste. You must be able to make those relationships and you must prioritize those. If you're a new face coming in, people need to understand why they should listen to you. They may be fearful you could have some agenda to ‘take them down.’ You will want to invest time in the front end as to why a person should trust you. The reason why they trust you is through consistency, doing what you say and saying what you do. Follow-through is critical.

From an audit perspective, one of the classic things that people are afraid of is that someone will zero in on minutiae. Transparency is critical: let them know in advance exactly what is being done and why. The goal is to look at how safe the organization is, making it safer and offering improvements. Focusing on the fix and the outcome becomes the cornerstone of the audit.

For all leaders, there’s the understanding that you must do what's right. You need a moral compass and to live with yourself, making sure you’re doing the right thing. There’s a critical balance of getting the job done while still ensuring that you are human and understand others’ perspectives. COVID-19 was a clear example of the need to not just focus on the task at hand, but to understand what your team was going through: seeing beyond the job and being cognizant of the struggles people were facing. It was a transformative time that paved the way forward for many leaders and organizations.

Security Risk Posture Communications

When discussing the best way to communicate something such as the security risk posture, Grafenstine says to just state the answer upfront. Often people feel the need to show all the great work they did. They want to show 10,000 pages, bullets, appendices and supporting spreadsheets because that's what's meaningful to them; naturally, they want to show all the work they did. It has to be summarized so that, when it is presented, the stakeholder is clear on what they need to worry about. If the stakeholder wants to drill into the detail, the info is readily available and all the work done can be shown.

Gaining Trust

From Grafenstine’s perspective, the biggest mistake someone can make when coming into a new organization is to think they know all the answers and want to change everything before they know where the restroom or the cafeteria is. Even if you've heard rumors, or were told during the recruitment process that something really needs to be fixed, you still must go into it with an open mind. Start with just getting a sense of the lay of the land. The first thing she recommends is to meet with all the people. Meet with your team because those are the people you’ll be working with, and meet your peers, stakeholders, and your boss. Each of them, including peers who are managing different departments, is going to give you a piece of the puzzle as to how the overall organization works.

The first 30 days are about meeting all the humans and then setting up recurring meetings. Simultaneously, you’re getting a better sense of all their different views on what's going well, and maybe what's not going so well. You also have to take into account the fact that people aren't necessarily going to be telling you everything that's bad.

The Burnout Discussion

There’s the reality when you first join a new organization that you are putting in significant time and balance is not a reality. It’s necessary to get ramped up and to learn the ins and outs. Eventually, though, you need to set boundaries. In Grafenstine’s words, “So what are those boundaries? Because if you are all just living work and your kids don't know who you are or your partner doesn't know who you are, it's like, Well, what am I doing this for? So, I think that it's okay to double down and to really invest yourself and work in these kinds of key periods of time where you're having to learn a new thing or build a new process or build a new team. But after that, you kind of got to set those boundaries.”

For the more in-depth discussion and a plethora of additional insights from Grafenstine, watch the full podcast here.