My Path to Security - How Christie Terrill Got Into Security

Meet Christie Terrill, VP of Customer Success at Bishop Fox

Christie Terrill didn’t set out to become a security professional. In fact, she graduated with a degree in English and French Literature with a minor in Rhetoric and Communication, hardly a normal InfoSec career path. But after spending the early part of her career working as an IT project manager for a utility company, she landed an InfoSec consulting role at Ernst & Young and knew she had found her professional passion. Several organizations and much hard work later, she’s now an executive at Bishop Fox with continued plans for both her organizational and InfoSec career growth.

What originally drew you to security?

It wasn’t so much that I was attracted to the security space as I wanted to get into consulting. I loved the idea of working with different companies and traveling. I had been working in IT, so security was a natural transition.

However, what ultimately made me stay in security was that I loved the problem-solving aspect. I can draw similarities between studying communication and working in security in that there isn’t a singular answer to problems. It’s all about judgement and risk management. It’s about thinking critically about what makes sense. There is no perfect-world scenario – everything is a trade-off. It is only through analysis and communication that you can determine what works.

How did you get your first job in InfoSec?

Every job I’ve ever gotten has come down to networking. It’s true when they say it’s “who you know.” I landed my first job in security because of a connection from my last job. And I landed that job through a connection as well. Everything was through networking and reaching out to people to set up “informational interviews.” Everyone likes to talk about themselves, and when an opportunity interested me, I asked to set up an interview to learn more about them. In the case of my job that led to Ernst and Young, we had a great rapport and that became a real opportunity.

Tell me about one career highlight.

One of my roles in my mid-20s allowed me to move to London for three years. Living abroad had always been a dream of mine and it ended up being everything I could have hoped for. One of my first clients when I arrived was Barclays and my job was to travel all of Europe visiting their subsidiaries. It was a very rewarding and fulfilling time for me, both personally and professionally.

Where would you like to be in the next 5-10 years (career wise)?

As an executive, I do absolutely see myself with Bishop Fox in 10 years. However, I love that my role in the company is flexible and changing based on what the company needs and what suits my personal skillset. What I am doing now compared to five years ago is already so different. I’m open to seeing how my role continues to evolve.

What was one unexpected challenge you have encountered?

I’m a very optimistic person and therefore I can’t really think of any specific challenges. I don’t see roadblocks, it’s just about reframing to keep moving forward.

The only thing that comes to mind is that I ultimately decided a while back that I wasn’t willing to make the personal sacrifices necessary to become an executive at one of the larger consulting firms. It was a trade-off I didn’t want to make. However, I did want to keep moving up in management and therefore was grateful to find a firm the size of Bishop Fox that didn’t require such a trade-off. Now that I am married and have a son and am able to still be fulfilled professionally, I know I made the right choice with a smaller firm.

What advice would you give to someone wanting to break in and/or advance in security?

As mentioned before, find people who you want to work for and whose job you admire, and ask them for an “information interview.”

Also while it wasn’t the case for me, in the security space now I think it’s important to demonstrate two things when you are applying for any position. First, show one tangible skill you can do from day one that will add value to the company. And it doesn’t necessarily have to be something technical, maybe you are good at project management, research, or editing. And second, have a passion for the industry. It is somewhat unique for this space, but if you don’t show you have any interest in security outside of work, you are probably not going to succeed in this industry.

What is the greatest resource you have found?

For me, it’s exposure to what companies are actually going through and the challenges they face daily. There is a lot of content shared online and at conferences and it tends to be the same thing all the time. And it doesn’t always line up to what I’m seeing when I interact with different companies. The reality is far more interesting than the marketing and talking points. For me and a lot of other folks in this industry, you must also be your own resource, too. Everything I’ve learned about security has been through on-the-job training and my willingness to seek answers.

What’s the biggest misconception in security?

I think there’s a misconception from people outside the industry that everyone in security is a hacker. Sure, at Bishop Fox this is pretty true – but the percentage of job roles that are specific to pen testing are minor compared to all the other job roles necessary to support security.

The industry involves so many different people, teams, and sets of skills to do right. Once you get behind the curtain, you can see that there are a dozen different required skill sets necessary to get it right. It’s an integrated team effort at any company.

What is your current security obsession?

The Zero Trust Security Model (or Google’s BeyondCorp). It’s a totally different way of looking at your network architecture from what we have done in the past. The traditional model was to “build a wall” around your network, but once you got inside, everything else was easily accessible. This new model aims to protect things through access management – user by user – and device by device. This model assumes people will get in and assumes that everything can be vulnerable.

We haven’t seen the majority of companies moving towards this model yet, but I think this idea is going to be hugely impactful in the future and change the way we approach security. It is one of the biggest fundamental changes I’ve seen in my 15 years in the industry

Tell me one interesting fact about yourself.

Between 2008 and 2009, I took a year off from work and traveled around the world. And in that year, I got my advanced certificate in wine and spirits. I’m *almost* a wine sommelier and I briefly considered switching to the wine and spirits industry.