Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Hosted by Rob Aragao, a seasoned security strategist with CyberRes, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
Leadership, Empathy, and Women in Cybersecurity - Ep 111
In this episode of "Reimagining Cyber," Rob Aragao hosts a conversation with Tammy Klotz, a best-selling author and current CISO at Trinseo. Tammy discusses her career trajectory, which includes leadership roles at Covanta Energy and Versum Materials, and shares insights from her recent book, Leading with Empathy and Grace: Secrets to Developing High-Performing Teams.
Additionally, she addresses the challenges women face in cybersecurity, offering advice on building confidence, taking risks, and overcoming barriers in a male-dominated field. The episode provides valuable takeaways for aspiring leaders and women looking to enter or advance in the cybersecurity industry.
Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Rob Aragao: Welcome everyone to another episode of Reimagining Cyber. Rob here. And today's guest is Tammy Klotz, a best-selling author and currently serving as the CISO at Trinseo. She previously held the role of CISO at Covanta Energy, Versum Materials and leadership roles at Air Products and Chemicals. Tammy also serves as the president of the Lehigh Valley chapter of the Cloud Security Alliance, membership chair for women in cyber security, and was named as a top 100 CISO by Cyber Defense Magazine.
[00:00:28] Acknowledging her outstanding contributions and leadership in the industry. Welcome, Tammy. It's exciting to talk to you again. We've had a long standing relationship. I'm just glad to pull you back in for an episode. Anything else you'd like to share in your background?
[00:00:41] Tammy Klotz: I think you covered the highlights, Rob.
[00:00:43] Thank you for that. It's just kind of crazy that. 30 years in the industry. I'm not exactly sure how that happened, but definitely had a great career and looking forward to being able to share some of my insights with your audience today.
[00:00:58] Rob Aragao: Well, excellent. And we're looking forward to it as well.
[00:01:00] I mean, we're, we're going to get into obviously the leadership approach that you've taken. And there's a lot of that principle I want to bring forward, the women in cyber aspect, especially. So we'll cover that. But I do want to start by giving you an opportunity to discuss a little bit of background on a book you recently released, right?
[00:01:17] Entitled Leading with Empathy and Grace, Secrets to Developing High Performing Teams. So kind of help us understand the basis, like what, What sparked you to drive forward and write this book?
[00:01:27] Tammy Klotz: The book was actually inspired by a leader I experienced in my career, probably about 20 odd years ago now actually, but I could Air Products, right?
[00:01:40] And we were, I was in an IT service management role at that point in time, spending some time with our healthcare business. And one of the things that he had said to me was, Tammy, he's like, you need to teach people to lead the way you do. And I said, Okay. I said, but this is kind of just who I am.
[00:02:03] He's like, yes, but we need more of you. So figure out how to teach people to do it. So, you know, that's stuck with me for a really long time. And I've had several examples over the course of the years where, you know, there are things that don't necessarily appear obvious to me because of, you know, It's, it's what I do, but I've had others say to me, you know, well, Tammy, when you did this you know, you made me feel, you know, like I was an equal contributor or I was able to make a difference.
[00:02:37] So. You know, I've kind of hooked those on to that initial inspiration from my Air Products leader. And then in March of 2023, I voluntarily took a leave of absence from the CISO world from corporate America. And it was during that time that I took about six months off before I came here to Trinseo.
[00:03:02] And it was during that time I said, you know what, Now's probably a really good time for me to kind of think about actually doing this book idea. So it's been very humbling. It's crazy to see it on Amazon and the feedback has been overwhelming and I'm just super blessed.
[00:03:20] Rob Aragao: Rightfully so. It's great that you had that opportunity in your career to say, you know, I'm gonna hit kind of the pause button.
[00:03:27] Reflect, but also apply, as you said, you know, over the 20 plus years of where that kind of inspiration came from and pull that back forward. So, so it's great that you've gotten it out there. Now we obviously direct people. We'll put it in our show notes to go take a look at your book up on on Amazon and other channels, of course, as well, but I want to connect, obviously the book, your point of reflection, kind of pulling it all together.
[00:03:51] back into the world where you've done so many great things as it relates to the field of cybersecurity, especially being a major champion for women in cybersecurity, which is extremely needed. And then tie that though, to the six principles in the book that you referred to as tipsy. So, so it'd be great for us to kind of hear what are the six principles at a high level, right?
[00:04:12] We don't want to give away the book, Tammy, right? Let them go read it, but like top level. Take us through it. What is it all about?
[00:04:17] Tammy Klotz: Sure. So I'll, I'll start with TIPC and what it stands for, first of all. And then we'll, we'll talk a little bit about how that part lays into cyber as well as women in cyber and my work there.
[00:04:28] So TIPC, T T I P P C is actually Transparency, Togetherness, Inclusion, Presence, Participation, and Consistency. These principles will actually go into, you know, how do you build. Trust and respect within a team that you're leading within an organization. So transparency, I'll start with, because, you know, there are definitely times in a leadership role that you have information that you can share, and then you have information that you can't share for whatever reason.
[00:04:58] Right. So being you know, 100 percent transparent in the delivery of those messages becomes very important. So. I always will tell the team, if there's something that you ask and I know the answer to and I'm able to answer it, I will. If you ask and I don't know, I'll go find out and if I can share, I will.
[00:05:20] And if I can't share, I will tell you I can't share, at least not at this time, and I will when I can. So that starts to build that respect, right? And making sure folks understand that, you know, You get the real story, right? When you're, when you're sharing these types of things. So the other piece the second T is around togetherness.
[00:05:41] And that's really trying to find some creative ways of how to build unity and harmony within the team. And, you know, for me specifically right now at Trinseo, my team is geographically dispersed, right? So we can't, All ever get together, you know, you know, to go for drinks for happy hour or whatever.
[00:06:01] So what are we going to do to really start to build that sense of teamwork? And we instituted something very recently called Friday fun. So Friday fun happens every Friday morning, nine 30 to 10. Cause everybody's working then. And the only rule is, you know, No work, you're not allowed to talk about work.
[00:06:21] It's about what are you doing this weekend? How is your vacation? You know, what did the dog do yesterday? Whatever, you know and we really you know, we make sure everybody contributes. And it's really become the highlight I think of everybody's week because they know they have to that to look forward to on a friday and it's just relaxing and it's just easy
[00:06:42] Rob Aragao: And personal connection
[00:06:43] Tammy Klotz: exactly exactly so building that Kind of safe space for everybody to share is has been very effective.
[00:06:53] Inclusion, you know, should go without saying, but you know, it's very important as a leader within an organization to make sure that you are equally accessible to all of the members of your team. And that, you know, There's no perception of favorites or I'm giving more time to one individual or another.
[00:07:13] I'm equally available for everybody as long as they're willing to be a key contributor to the conversation as well. Presence again, another one that should go without saying, but making sure When you are in a one on one conversation with a team member, that you are 100 percent present with them, right?
[00:07:33] In this world, where we're online through Zoom, through Teams, whatever it happens to be, when you're geographically dispersed, it's way too easy to be distracted, right? And you need to commit to be 100 percent available for, you know, whether it's an hour, a half hour, whatever the time, give them your time you know, undividedly so that they can ask you your questions, you can ask them questions and it just sets you up for success.
[00:08:00] Rob Aragao: I think just one, no, I want to pull in it. This was from a meeting that I actually had this morning, a bunch of different team members globally, and he just triggered it for me, which was the person that opened up the call, opened it up. Basically, thanking me for making time for them. And I said, no, thank you all for making time for me.
[00:08:24] Like, this isn't right. Our time is mutually important, right, to, to us as individuals, but also to our teams and for everyone to have a voice on this conversation we're going to have today. So I think that's a great example of, as you were discussing that. That just triggered for me the realization like we, sometimes people just think differently about who we are and our roles and whatnot.
[00:08:43] And they shouldn't. We're all human. We all want to interact and engage and make everyone better.
[00:08:47] Tammy Klotz: Yeah. And it, you know, it's that intentionality that, you know, you need to, to make that concerted effort. Right. And even like at the end of every one on one, at least, I try to practice this at the end is, you know, is there anything else that I can do for you to help you be successful, right?
[00:09:04] Because it is a give and take relationship. So and then just to finish out tipsy participation, making sure everyone's engaged, giving everybody a voice at the table. If somebody is being talked over, making sure you're coming back to them and say, I understand that you were trying to make a, You know, a statement, what, what did you have to say?
[00:09:23] And then consistence consistency, you know, is that reliability if you're going to have a team meeting once a month, once every two weeks, make sure that you're sticking to that, right? Make it important. Don't dismiss it. Don't reschedule it. Make it something that they can count on. And then the other thing that I really tried to do is make sure that we have a, a consistent, a consistent agenda.
[00:09:49] So again, that there's no surprises. And also during those meetings, I've really worked the agenda such that everybody gets to contribute. So it's not only just me talking to them as well. So,
[00:10:00] Rob Aragao: yeah, absolutely. I think those are very key principles for everyone to take away and apply to their work life or personal life as well.
[00:10:08] Tammy Klotz: Absolutely. Any, any leadership environment that they're in.
[00:10:12] Rob Aragao: I agree. Now, as I kind of opened up, we've known each other for quite some time now. And we've had this conversation in the past that I want to have you kind of share with people again, this approach, because it's been very successful in the different organizations and roles that you've had, which is you typically get off to a fast start in any organization that you're joining, whether it's past relationships, whether it's brand new relationships.
[00:10:35] But it's about that keyword trust. It's building trust with new stakeholders at high levels, the executives, board level positions. You, you do a great job in preparing yourself for that success with the homework you do, even I know part of the interview process and then once you're there, right, let's engage, let's engage in a way also when you're doing your broad portion of the presentation on cyber and the program and the things you're looking to accomplish.
[00:11:04] You've already had these conversations with others coming into it because now you have that sponsorship. You have that relationship established. So I'm kind of giving away some of the things, obviously, that you're doing, Tammy, because I know you. But it's, it's, it's, it's great to have you share, you know, kind of some key takeaways that people can learn from that.
[00:11:21] Tammy Klotz: Yeah. So I'll, I'll share kind of what I've done when I moved on to Covanta and then now to Trinseo, you know, this was the first time I was walking into a place where, like, there Nobody knew me. So it was a little weird, right? So basically I spent time going through the organization chart and saying, okay, who are all the people that I need to know or that need to know me?
[00:11:42] And I basically set up meet and greets. With all of them, half hours I did my research on who they were, who I knew, where they worked, who I knew that was connected to them, right, so that we could develop that synergy that we may not have discovered otherwise and then really just introduce myself, sat down and talked to them, this is what I'm here to do, what are your pain points, what are your thoughts, very simple conversation, but then also, I You know, following up with the thank you note afterwards and the connection on LinkedIn afterwards.
[00:12:14] So really that intentionality, again, there's that word building those relationships. Because I could have gone in and started doing my job and they would have been like, who is this person? We don't even, you know, when'd she get here type thing, right? But it was more along the lines of what I was being brought into the organization to do and obviously, you know, it doesn't, it's not just once and done.
[00:12:37] You've got to work at those relationships as well. And somebody used the phrase with me the other day, Rob, that has really stuck with me and it was around personal capital, right? And you were kind of alluding to that early on, like people. You know, when I go in, if I have relationships that I already have built, whether it be with an external community or partner, being able to bring them into a conversation earlier, they're coming because of the relationship that they've formed with me, the trust that is there.
[00:13:07] Right? So, and, and using, I will say maybe relying on that personal capital to help you. May be successful as I get started in a new organization. Right. But then also the other thing that comes with that, which, you know, may not be obvious in the very beginning, but, you know, and I say this with my teams though, as well.
[00:13:29] So it may, it makes complete sense because once you have this trust and once you have the respect even if you have to deliver Not so great news or not the news that somebody wanted to hear. It is heard very differently because the empathy and grace, if you will. Right. So, you know, whether, whether it's a vendor that I've done a recent proof of concept with and have had to go back to and say, look, just not the right time for us right now, love the product, just not there, but it's never, It's never been to date, like a hostile situation, it's more about, I get it, right?
[00:14:05] And I, I know that, you know, if and when you're ready you'll come back, right? So you know, it's being genuine, it's being authentic, you know, it's not just a bunch of words so that, that helps. So personal capital has become like a new term for me now because it's, it's the investment in the relationship that allows and contributes to the success.
[00:14:26] Rob Aragao: Yeah. I totally agree with that. It's funny. You were talking about, you know, being genuine and authentic. I think those are very key attributes. I, I had, this just brings it back because I had done a talk, I think it was like last spring and it was about the role AI is playing in cybersecurity. And I was very direct and saying, you know, just take this marketing buzz and put it over here.
[00:14:46] Let's focus on reality of the things that we can really put our attention on. And you have no idea how many people came up to me after and said, really appreciate the reality of the story you told. Being authentic about, you know, and it was those key words, genuine, authentic. And I think that just goes so far to build that trust again.
[00:15:04] But also now those relationships that I came away from that event with, they've been lasting because it's, it's, it's more of a, what are your thoughts amongst us as a peer group talking versus, Hey, this particular kind of flashy thing over here that we're calling AI that does all these, no, stop the marketing.
[00:15:20] Focus on this and just, just say it the way it is, and that goes a long way. So, just connecting the dots back to some of the examples that you're sharing out there, I think is, is, is also important. I want to get into women in cybersecurity because it's such a critical area of focus. I've been a proponent of it.
[00:15:36] I know you're a major champion of it. And what I'd like to get your thoughts on, again, to share with the audience is, If you're starting out wanting to get into cyber security as a female, if you're in a specific field, different, completely separate from technology even, right, kind of what recommendations would you give to that person who's just looking, you know, maybe coming out of school kind of, hey, I want to jump in, or I'm over here doing something I'm not really kind of that excited about any longer, pick it, doesn't matter.
[00:16:05] But this over here looks really interesting in cybersecurity. Kind of what are some of the different, you know, thoughts that you would share with them how to do so?
[00:16:11] Tammy Klotz: Yeah. So, and I'm currently actively mentoring a few folks right now. And actually a woman that I mentored previously, she and I are going to connect tomorrow for lunch.
[00:16:20] And it's, it's about the connection, right? And being able to have a conversation with somebody who, you know, I, I, if you read the book, I mean, I raised my girls as a single mom and I had the opportunity to be successful in my career. Right. And sometimes that can be very daunting. Right. So, you know, when I'm working with somebody who's one, either, you know, trying to get started or wanting to move, as you described, it's really about Trying to get into their, their psyche about what motivates them and what they're passionate about, right?
[00:16:53] So when I was approached to take on the CISO role initially at Versum, I was like, are you kidding me? Like, I've never done this before, right? And I was like, there's gotta be, you know, somebody more qualified. And that is typically, you know, A female response to that type of question. Right? And it was more about, I give a lot of credit to the, the CIO who was hiring me at that point in time.
[00:17:18] And he's like, but you've got this, this and this, you know, you can figure out the rest of it, Tammy. And I was like, Okay, so take, you know, you had, you have to take that risk and have confidence in yourself. And I think you know, one of the key differentiators when going through like a a job description and you're looking at everything that's available, what we will tend to do is we'll want to make sure that we can check every box.
[00:17:45] Where our male colleagues will say, oh, I can do those too. Yeah, I'm good, right? So what I try to instill and encourage those that I'm mentoring and coaching is please don't worry about that. I said, you know, you need to still apply and then figure out how you're going to get the interview, right? And spend the time on that so that they can be intrigued with what you can bring to the table.
[00:18:08] And then you demonstrate what you're capable of. So I think breaking down those barriers about, you know, it's okay not to have every box checked. Also, to be confident in what your capabilities are. I recently did a panel discussion back in March for women in tech. And I was moved during the session because one of the attendees raised her hand and she's like, you know, but I'm really struggling to figure out, like, where I can specialize, like, the, and, you know, she's like, the guys seem to know everything about every bit.
[00:18:47] Everything about everything. And I was like, okay, just stop. Right. I'm like, one, they don't. And two, you know, what makes you think that you can't, right? So it's, I don't know. It, it. Makes me sad to some extent, right? That that is still what folks are dealing with as they're entering into a, a male dominated space.
[00:19:14] But for me, like if you, if you know your stuff, it doesn't matter. Right. Right. Bring, bring that to the table and let all the other stuff go. And right now we never have to wait in the line for the restroom when we go to a conference because there's not that many of us there. But yeah, it's, it's easy to be intimidated, right?
[00:19:36] But the person who knows you best is you and bring your best, bring your best self to the table is the most important thing. And you know what? If they don't like it, then maybe that's not where you belong.
[00:19:48] Rob Aragao: That's right. That's right. And that, that's just awesome. And I, I reflect back on like my daughter as an example and how, you know, well dad, I'm not sure that I can go for that next role right within the company because, and she's in finance by the way.
[00:20:02] So another industry that's very much nailed down. So it's the same principle. And I said, you know, we actually had, I think read a study previously where it was, I want to say it was like men look at a list and if they're like 60%, maybe. Checking the boxes? Yeah, I got this. I can go for it. Female, as you were saying, it's got to be like close to 100%, if not 100%.
[00:20:25] And it's like, forget about that. All the things you discussed, like have the confidence, go for it. Think about how you're going to be able to achieve those things, because you can do it, right? And it's all about how you apply yourself. And the other thing is, as you just said too, and if you get in there and it's not for you, there's many other opportunities to move on quickly, go do your thing.
[00:20:44] So I think that's, that's one of the biggest takeaways for sure to consider.
[00:20:48] Tammy Klotz: And the other thing I just want to add, Rob, because I, you know, this can be, it can be a very sensitive subject in a lot of cases, but I, I never want to get my next role because I'm a female CISO.
[00:21:02] Rob Aragao: Yeah, this is a good point.
[00:21:03] Tammy Klotz: I want to get my next role because I'm a great
[00:21:07] Rob Aragao: CISO,
[00:21:07] Tammy Klotz: regardless, right?
[00:21:09] So I think, you know, there, there is definitely, as with any situations, there's a positive perspective and a somewhat negative perspective that can come to the table, but I'm never going to use that card to get the next job that I want. So,
[00:21:24] Rob Aragao: and, and that is a touchy subject and because at times it's like, you know, check the box.
[00:21:29] I got the number filled now and then that's just the wrong way. So I think you bring it up is it's extremely real. Okay. Thanks. That's what we're seeing out there in places, and that's not right in certain situations. And I know you're not one of them for sure. And I think that's important though for people to realize like, no, go for it for yourself.
[00:21:44] It's all about you for putting yourself first.
[00:21:46] Tammy Klotz: Absolutely. Absolutely.
[00:21:48] Rob Aragao: So, I want to close with one thing that is recent, impactful, but maybe draws upon some of these discussion points that we've been having. And that goes back to, and I know that you had to deal with this with the team there at Trinseo, as related to the outage that came from some CrowdStrike was implementing on some Windows systems and whatnot, right?
[00:22:10] Many globally, obviously, impacted. People know that it's more about kind of what maybe key lessons were learned as you went along the way, especially as it relates to some of the collaboration that had to happen, obviously, at the highest roles within the organization, because it's an operation, major operational impact.
[00:22:27] And then coming out of those lessons learned. You know, as well as how you communicate it, but what adjustments maybe have you decided to make, or has the team at Trinseo decided to make to go forward?
[00:22:39] Tammy Klotz: Yeah, so that morning was an interesting morning. I, I woke up, normal time, ready to go to the gym, looked at my phone I had 65 messages.
[00:22:50] I was like, oh dear, what are we going to do? So and you know, I immediately reached out to a member of my team who is, is always the one who says, I got it, Tammy, not to worry. And I said, you know, what do I, what can I do? And he said, I need to talk to you right now. Okay. That's a very telling sign.
[00:23:12] So they had already like instituted the whole priority one process. There was a major incident. And you know, I kind of got on the first call, listened to what was going on. And then we agreed to regroup and then, you know, gave me a little bit of time to figure out what all was going on. And when we got on the, the next major incident call after that, it was really about Level setting, the team that was on the phone, right, because in so many situations when there is a crisis, which this would qualify as, right, people are frantic people are nervous and things can get very chaotic very quickly.
[00:23:53] So bring that all back in and say, okay, let's talk about what this is and what it is not and really focusing on the facts of the situation and what we knew to be true at that point in time. So we focused on the fact of one, it wasn't a cyber attack. So that. Causes a different set of rules to be invoked if it would have been what it was, was a, a bad channel update and we had a corrective action plan and we knew what had to be done, but we did not have a plan where how we were going to accomplish that.
[00:24:28] Or how we were going to make sense of, you know, how far we had gotten or how much more we had to do. So at that point in time, you know, we basically broke it up into four different work streams, workstations, servers, applications, and manufacturing locations. And we. Appointed a leader to each one of those who was going to kind of spearhead each of that and would have to report back every time we got on the major incident call.
[00:24:56] So there was structure and everybody knew what needed to happen, right? And everybody was aligned. The other piece of it is, is that with that common understanding and the acknowledgement of there is only one way to fix this and it's manual. So let's go after it. We had a team of 50 ish people who came together cross functionally.
[00:25:20] It didn't matter who you worked for, where you sat in the organization. If you were part of this, you were helping and it didn't matter. Right. So we had people from the plants who were helping. We had people from our OT environment who were helping our IT environment. And then. It was a divide and conquer type of approach and, you know, they, well, they were out, you know, hands on keyboard fixing blue screens of death.
[00:25:47] We had two other separate activities going on from what are we communicating to the user community. And what are we communicating to the executive team? And there were two respective individuals who were, who were leading those activities as well. So it was about no organizational boundaries, true collaboration.
[00:26:06] We had a teams meeting running the whole time. We had a spreadsheet that we were tracking everything in and it, everybody rallied and just pulled together to get done what needed to get done. So much so that we did a lessons learned. The CEO came and thanked everybody, which was amazing. And now from a lessons learned perspective, it's okay.
[00:26:27] You know, this is the first time something of this magnitude had affected us. What can we learn from it? What could we do different? And there are definitely, while we rallied and the team did fabulously, there's definitely rooms for. You know, improvement things like, you know, do we need to look at maybe a different toolkit for what we do on servers versus laptop laptops?
[00:26:51] We don't know yet. We haven't figured all that out yet. But, you know, evaluating those types of things, especially from a manufacturing perspective becomes extremely critical. Fortunately, our process control systems were not impacted. We don't run CrowdStrike on those by design at this point. But we did have one plant that struggled to recover for reasons I won't go into.
[00:27:12] But it was really a matter of, okay, the team was working, working, working, and we finally said, okay. When are we going to stop and what are we going to restore from backup? Because right now we're wasting cycles. And then we had to get buy in from the business that they agreed. So it was a truly collaborative troubleshooting effort by a team that just did an amazing job.
[00:27:35] Rob Aragao: Yeah. Well, it's great to hear. One, what you could share, but also just how the team came together. It didn't matter what role you played in the organization. You played a role on the team to get things back and operational as best as possible. And I think it's a, it's a, it's a great understanding of really dealing with a major crisis, crisis management coming forward to reality, you know?
[00:27:54] Tammy Klotz: Yes. Yeah. We got to do disaster recovery. Yeah.
[00:27:59] Rob Aragao: I was going to say a deeper, like tabletop exercise. And here's like, Thank you.
[00:28:03] Tammy Klotz: I'm not banking CrowdStrike for that, but you know, I couldn't go that way. So, but
[00:28:09] Rob Aragao: no, no, nobody is, no one is. People are thinking about, you know, how they potentially evolve from this, let's just say.
[00:28:16] So yeah, we'll see how it plays out. But listen, appreciate you coming on today. And sharing, you know, we, we tied it back to your book, but sharing the principles that really led through many different examples. And I think we kind of just closed it off with a perfect example of applying all those things in one, right.
[00:28:30] With this latest issue around the CrowdStrike outage. So really great having you on. We're so happy that you were able to come out and share. We'll put the information out there in our show notes to get people to look at the book as well, of course, but thanks again, Tammy. Appreciate it.
[00:28:45] Tammy Klotz: Thanks, Rob. Always a pleasure.