Sept. 11, 2024

#386 Empathy, Grace, and Leadership in Cybersecurity: A Conversation with Tammy Klotz


In this episode of The CTO Show with Mehmet, we are joined by Tammy Klotz, a cybersecurity veteran and CISO with over 30 years of experience in IT and cybersecurity. Tammy shares her journey, starting in infrastructure roles and moving into cybersecurity leadership, currently holding her third CISO role in the manufacturing industry. She emphasizes the importance of translating cybersecurity risks into business risks and how this communication is vital for effective leadership.

 

Tammy discusses the high-pressure nature of cybersecurity, reflecting on a recent global incident involving CrowdStrike. She outlines her leadership techniques for managing stressful situations, such as organizing teams into structured workstreams and maintaining clarity of roles. Tammy also highlights the critical role of empathy in leadership, particularly during crisis situations, and how maintaining a calm, composed, and inclusive environment allows teams to perform at their best.

 

The conversation touches on how Tammy integrates empathy and grace into her leadership style, focusing on active listening, creating inclusive discussions, and ensuring that every team member’s input is valued. She stresses the importance of trust and respect in building high-performing teams and how these values help in retaining top talent. Additionally, Tammy reflects on her approach to hiring in cybersecurity, noting that while technical skills are important, passion and a willingness to learn often outweigh strict qualifications.

 

Tammy also discusses the evolving cybersecurity landscape, especially in the AI era, and how CISOs must stay updated on the latest trends while balancing innovation with security. She explains the importance of not being the ‘office of no,’ but instead fostering a partnership with business leaders to implement secure solutions that drive productivity.

 

Finally, Tammy shares her thoughts on work-life balance in the cybersecurity industry, especially for those in leadership positions. She highlights the need for self-awareness and setting boundaries to maintain personal well-being while managing the demands of a cybersecurity role. Tammy wraps up by inviting listeners to connect with her on LinkedIn and check out her book, Leading with Empathy and Grace, available on Amazon.

 

About Tammy:

Tammy Klotz is a highly accomplished cybersecurity executive leader with over 30 years of experience in the field. Here are a few highlights about her:

Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and Certified in Risk and Information Systems Control (CRISC)

Awarded the 2022 "Covanta Leadership Award" and named a Top 100 CISO by Cyber Defense Magazine in 2023

Author of the book "Leading with Empathy & Grace"

Expertise in building high-performing teams, embracing empathy and grace in the corporate world, and developing resilience as a single mother, daughter, and partner.

 

https://www.linkedin.com/in/tammyklotz

 

00:00 Introduction and Guest Welcome

01:13 Tammy Klotz's Professional Journey

03:00 Why Cybersecurity?

08:00 Handling High-Stress Situations

13:16 Empathy and Leadership

17:19 Hiring and Retaining Talent

22:39 Balancing Innovation and Security

27:55 Privacy, Regulations, and Ethical Considerations

35:36 Work-Life Balance in Cybersecurity

40:11 Conclusion and Contact Information

Transcript

[00:00:00]

 

Mehmet: Hello and welcome back to a new episode of The CTO Show with Mehmet. Today I'm very pleased to have Tammy Klotz joining me. Tammy, thank you very much for being with me on the show today. The way I love to do it is I keep it to my guests to introduce themselves. So a little bit more about you, your [00:01:00] journey, and what you're currently up to, and then we can start to take the conversation from there, which I promise the guests at the, sorry, the audience.

 

Mehmet: It's something really really cool So the floor is yours

 

Tammy: Thank you for having me today, Mehmet. I'm happy to be here and would love to tell you a little bit more about me. So I am currently a 30 year veteran of the IT technology space. Um, spent several years, um, in, uh, infrastructure related roles. And then for the last 10 years have been very much focused.

 

Tammy: Um, in the cybersecurity space, I am actually, uh, currently in a CISO role at a company called Trend. And this is my third CISO, uh, stint, uh, in, in, uh, the, uh, the manufacturing industry. Um, so, um, one energy, uh, two chemical manufacturing organizations. So, um, that's kind of the helicopter view from a [00:02:00] professional perspective.

 

Tammy: Personally, um, I, uh, live in Allentown, Pennsylvania. I have two, um, successful, uh, daughters, um, and, um, yes, native to the Allentown area, grew up here, haven't ventured far, but, uh, with all of my professional experience, I've had the opportunity to travel around the world, um, and work with a lot of great people, um, and most recently, um, in April, I released a book called Leading with Empathy and Grace, um, and, uh, doing a lot of.

 

Tammy: Focused, um, discussions like these really focused on leadership techniques to build high performing teams. Uh, it's something that is a passion of mine. And, uh, I've been told I bring a lot of unique and positive energy, uh, to an organization. So I'm really wanting to help instill that, um, in your listeners today.

 

Mehmet: That's great. And thank you again, Tammy, for taking the time and being with us here today. [00:03:00] A question that I didn't prepare honestly, but uh, you know, every single guest I had who was specifically in cyber security, I asked them why cyber security? And you know, especially being a CISO and I have, you know, in my network, a lot of CISOs, you have probably the worst Difficult job ever is to keep the lights on and, you know, make sure that is there anything specific that attracted you to be in that space or like, uh, what was like the main thing that, you know, made you decide, you know what, I want to be in this space.

 

Tammy: Okay. So it's an interesting story. So let me give you a little bit of background. Um, so, um, I, I spent 24 years, um, at Air Products. The last three years of that part of my career were actually in the internal audit function where I had a lot of, um, opportunity to understand, [00:04:00] um, and then as part of that, we had done the first ever cyber security assessment of the program at Air Products.

 

Tammy: Um, so that was really my first dip, um, if you will, into the cyber security space and then what happened, um, uh, the company had decided to spin off its chemicals division and start up a brand new company. Um, which, uh, was then known as Versum Materials. And as part of that, there was an entirely, uh, new, uh, leadership team that was being formed.

 

Tammy: And I was given the opportunity to interview for one of those positions. And I had interviewed for something, um, that was not the cybersecurity role or the CISO role, um, but after the interview process, the, uh, incumbent CIO came to me and he said, I want you on the team, I don't want you in the role that you interviewed.

 

Tammy: role before, but I want to in the cyber security of the CISO role. And I kind of looked at him and said, really? Um, and the [00:05:00] reason, um, cause I, I said, well, you know, there's probably a lot more people out there that know a lot more about this than I do. But his point to me and, um, very wise at that point in time was, um, Look, you've been with the company 24 years.

 

Tammy: You have excellent relationships with the leadership team. Um, you know, the business and you also have the audit background from a controls perspective. Um, we can work on all the rest of the stuff. And, um, you know, so it was kind of that push or that nudge that actually got me into the cyberspace. Um, and I've stayed there ever since.

 

Tammy: And I think one of the things that has kept me here is one, You know, the ability, uh, to translate, um, cyber security risk into business risk and working with the business leaders in the organization is something that I thoroughly enjoy doing to distill some of those complex terms, uh, into, you know, business impacting statements, why it's important, [00:06:00] um, you know, how, how is it going to affect the bottom line of the company?

 

Tammy: So teaching is something that is kind of inherent in my style. So that kind of feeds right into that. And then the other thing that I, I will add to that is with regards to the cyber security community, um, it is a very, I'll say, strong community from an industry perspective. Um, and I remember walking into one of my, um, first, um, cyber security professional organization meetings and I knew nobody like 10 years ago.

 

Tammy: Um, but that organization and many others, um, is a very. strongly connected family, if you will. And in this space, we're all, you know, fighting the same enemy. We're all having to deal with the same sort of attacks. So the collaboration that you get from that community is something that is extremely beneficial and makes all of us successful [00:07:00] because we can learn from each other.

 

Mehmet: Absolutely. You know, and what a journey, Tammy. And, uh, you know, it's really inspiring. And, you know, I, I was going through, uh, many things that you have done and you mentioned a couple of things, the role of the CISO in addition, of course, you know, to, to translate, as you said, um, you know, the technical details into something that the business can understand.

 

Mehmet: So you need also to be at the same time on top, Of everything as as a leader, right? So the first thing I want to ask you, you know, cyber security by itself. And I mean, you know, the audience knows. So when we say cyber security, we talk about all the risk, all the, you know, the attacks that happens on the business.

 

Mehmet: And, you know, whenever there is an incident, it's like very, very like, uh, you know, everyone will be on on on a high standard. High alert. High alert, like very high stress [00:08:00] situations. So from, from leadership perspective, and I'm very curious to know, like, tell me from you, um, how you can maintain this You know, ability to manage the stress while at the same time, you know, managing the team in a way that you get them to perform under this extremely, extremely high pressure.

 

Tammy: So that that's a great question. And I think, you know, we we've had to recently practice that not from a cyber attack perspective, but with the recent, uh, global CrowdStrike incident, right? And, you know, there are definitely some things that you need to bring to the table as, you know, somebody who's leading, uh, the effort, um, because what, what tends to happen, as you said, you know, in a high alerts, uh, situations, emotions are high.

 

Tammy: People are like, um, stressed. They're trying to figure out what to do next. Um, [00:09:00] so one of the first things, um, that needs to happen and it may take a little while is to really focus on what the facts are. What do we know at this point in time? What is true? Um, what is not true? Um, and then really putting together, you know, a structured plan, um, ad hoc in a lot of cases, although we all have our, you know, um, incident response playbooks that we follow.

 

Tammy: Um, but every situation is unique and different, right? So get the team aligned on what the facts are and then, you know, structure the troubleshooting, the recovery efforts in such a way that it is very clear of who's responsible for what. Um, and how we're going to manage and track, um, the incident. So I'll use my personal experience, um, from the CrowdStrike incident.

 

Tammy: You know, it was focused on the fact of what, what were the end points that were actually impacted? There were laptops, there were servers, there were applications, there were manufacturing facilities that were impacted, [00:10:00] um, and we couldn't haphazardly go through this process and figure out what we had resolved and what we hadn't resolved.

 

Tammy: Um, so essentially we came up with four work streams. One folk with a leader focused on each one of those. Um, and they took lead and they took charge to what had to happen in each of those spaces. And then, as the broader team came back together, the reporting actually happened across each of those work streams.

 

Tammy: So identifying. You know, what the action plan is going to be having regular checkpoints and, you know, trying as hard as possible as it can be sometime is to really keep the emotion out of it. Um, because oftentimes there, you know, people will want to maybe blame other organizations for what actually happened.

 

Tammy: Um, or they won't agree with what, you know, somebody is, um, you know, suggesting that be done. And being able to really, um, filter and. Be the voice of reason through those [00:11:00] activities becomes extremely important. Um, and then two other things that I'll add is, you know, one, acknowledging the effort of what everybody is contributing, uh, to the situation.

 

Tammy: Um, we had over 50 people that were, uh, signing into those checkpoint calls. Um, and. Everybody was engaged. Everybody was collaborating. Um, and, you know, it just, it worked because everybody was aligned and everybody knew what their job was. Um, so, and then the last piece of that piece of that is, is that.

 

Tammy: While the technical team was off doing what they needed to do, um, you know, there is, you know, there's the media that's going on, you know, everybody wants to know what's happening. Nobody can log onto their computers. So you really have to manage the communications. Outward, um, as well. And outward can be to your executive leadership team within the company.

 

Tammy: It [00:12:00] can also be to external, um, counsel or your cybersecurity insurance company, or, um, the media in some cases as well. So, and it's very important, the consistency of the message and the facts of the message, um, and how that is conveyed. So while the technical team is off doing their thing, you want to protect them.

 

Tammy: So that they can stay focused and people aren't tapping them saying, what's going on, what's going on, what's going on. Um, and then, you know, my role was, you know, essentially being the, I'll say the translator of taking the information to the executive team and in a way that they could digest and understand what was happening and what the impact was.

 

Tammy: Um, so those are some of the techniques that I use, um, you know, the CISO in my opinion, and a lot of others is not the technical role. It's more the business leadership role. Um, but being able to bounce from both sides of the conversation is one of [00:13:00] the things that makes you successful in this role.

 

Mehmet: Absolutely. And what a great example, Tammy, you know, like, because every, you know, like, it's probably one of the most stressful event, at least in the past couple of years, like I have witnessed. Now I'm going to ask you about something. And even I know you have a, a, written a book about that, which is, Empathy, right?

 

Mehmet: Empathy. And I would relate empathy, honestly, with resiliency. And the reason I'm, and the reason I like to relate these two, because I think, and correct me if I'm wrong, Tammy, and this is where I want you to highlight to us and, you know, for fellow CISOs and even someone who might be looking to become CISOs or even any role in, in, in technology these days, you know, so leadership, we see this all the time in different places.

 

Mehmet: It's about, you know, being resilient, being able to manage also the stress that you just mentioned. But at the same time, you need to show the empathy, the [00:14:00] empathy, right? So here You know, how you can integrate, you know, this, these values right into, into, you know, the kind of leadership style that you have, especially, you know, cybersecurity is very dependent.

 

Mehmet: And what you just mentioned, you know, I can't bring any other good example about a stressful event such the one that happened last month. And of course, because it's gonna be, you know, a month after. So now it's been two months since the CrowdStrike event. So All right. I would love to hear your opinion on that, Tammy.

 

Tammy: So, um, yes. So empathy and grace, um, are definitely not two words that you hear typically talked about, um, in, in I'll say corporations, um, and, It's a, there are two skills that I think are critical to the success for, um, the acknowledgement of the fact that everybody is a human being. Um, [00:15:00] everybody does, um, have feelings and sometimes feelings.

 

Tammy: Nobody is, you know, really like wanting to talk about or skirt around. Um, but that is in, is in fact what makes all of us so special. Tick as human beings, regardless of where we live, what, um, you know, where we work, um, what, what our beliefs are, et cetera. So, you know, the, the way that, you know, I defined empathy is really around making sure that I'm continuously aware.

 

Tammy: Of other people's feelings and maintaining a neutral position and being inclusive, um, with, um, their thoughts and ideas as well. So, you know, as you're in a, a high pressure situation, um, this isn't about, you know, making people feel good necessarily, but it's, um, one acknowledging their contributions, um, and listening to their ideas so that they know that they're being heard.

 

Tammy: [00:16:00] It doesn't mean that you're going to act on everything they tell you, but by listening and active listening to what they have to contribute and what they have to offer and not cutting them off mid sentence, not allowing somebody else to talk over them, but giving them the space and time that they need.

 

Tammy: And that's a delicate balance, especially when you're in a crisis situation, depending upon, you know, the individuals who are contributing, you know, some folks like to dominate the conversation, um, which may be with relevant information or irrelevant information. So you really have to be, um, the gauge in that conversation.

 

Tammy: And, you know, if somebody needs to be, um, you know, Asked to give somebody else some time or basically to stop talking for a little bit. It's all about how you go about doing that. Um, because the respect will come, um, as you know, if you say, okay, well, we got to move on [00:17:00] versus well, okay. So. You know, Tom, that's what you had to offer.

 

Tammy: Um, Sam, what are you going to bring to the table and really making that inclusive conversation in a very effective, um, and timely type of conversation because let's face it, we've got work to do and we've got to get it done.

 

Mehmet: So, Tammy, I, the, the, the question, you know, that, that came to my mind, you know, and part of the initiative that you do, and part of the, I mean, operation tasks that you have to do is, is to hire, you know, the, the, the team and, um. You know, so two things here. So first thing I hear a lot is that it's very hard nowadays to find the skills in cybersecurity.

 

Mehmet: Right? So like, is this what you're seeing also from your side? The second thing, and part of being a, you know, a leader, how or what are like some of the things that you do or the strategies to make sure that once you have the right talent, you keep them [00:18:00] With you so, you know, because they are very Right.

 

Mehmet: So want to hear your opinion on this?

 

Tammy: So with regards to finding the right talent, um, and yes, there's you know There's all kinds of statistics out there that say, you know, there's so many open jobs. There's so much demand Um, but it's actually pretty hard to find resources when you're looking for it is what my personal experience has been and whether that's from a You A cultural fit, a talent match, um, a skill set, um, you know, alignment, um, it can be, you know, it can be challenging.

 

Tammy: So one of the things that I will typically look for, and it depends on the role in the organization as well. But let's say we're looking for somebody to come into a, uh, a cyber, uh, security operations center role. Um, and, you know, there's a lot of questions with regards to, okay, so, you know, what experience do they need to bring to the table?

 

Tammy: What type of degree do they need to have? What type of [00:19:00] certificate do they need to have? And this oftentimes will become, um, a rub between, um, you know, maybe, you know, In general, the technology space in HR, um, but specifically for me, I've had to discuss this several times and because I've been in manufacturing, um, you know, combining the, the efforts and skills of both the OT security, the operations technology that happens on the shop floor and the enterprise wide on the it side.

 

Tammy: Um, oftentimes I will look at what somebody has done prior, uh, to, uh, applying for the job and some will be right out of school. Some will be, you know, trying to move within a company and it's, it's about, um, one, what experience they bring, but two, what is their appetite to learn and their passion, uh, to, to advance themselves and demonstrate what their.

 

Tammy: Their skills are from a troubleshooting perspective, from a [00:20:00] communications perspective. So I won't automatically dismiss somebody if they don't have the right degree. Um, this is more about, are you a good fit? Can you learn, do you have the passion and the desire to be successful? Um, so that is that is one.

 

Tammy: And that's probably where a little bit of the empathy comes in, um, as well. And then, Mehmet, your second question, um, was specifically around, um, uh, remind me,

 

Mehmet: just retaining, retaining them. Excellent. Uh, yeah.

 

Tammy: How do they, how do they stay with me? So, um, that goes to the building, um, high performing teams part, right?

 

Tammy: Right. 'Cause as you build out the team and you develop, um, a level of trust and a level of respect, um, with them, um, it becomes easy. In my opinion for two or easier to retain them, right? Because they know you have a vested interest in them and in their success. Um, and as [00:21:00] long as they feel like they're, um, adding value and their efforts are recognized, I do believe those are the things that will keep them.

 

Tammy: Folks anchored, uh, within an organization. Um, if they're wanting to technically advance or, you know, they've decided to pursue a different, um, career opportunity that that's understandable. Right. But I don't, I don't want anybody to leave an organization because of their relationship with me, uh, in particular.

 

Tammy: Right. So I do spend a lot of time on, you know, in one on ones. With my teammates, um, making sure that they know that I am present, um, and listening, um, to them, um, at any given point in time. I make a rule of if I'm in a one on one, there are no other distractions because that's their time, uh, to spend with me and ask me for what they need help with.

 

Tammy: Right. So I think. How you retain them is you build, um, a foundation of, of trust and one of [00:22:00] respect. Um, and then even if I have bad news to deliver, it's much better received because they know that I'm being transparent with them based upon our relationship.

 

Mehmet: Fantastic. Now, another part, which is, you know, I'm trying to cover as much as possible, you know, from leadership perspective, the role of the CISO.

 

Mehmet: So, I know the answer, but I always like to hear it from, from, uh, like fellow CISOs like yourself, uh, Tammy. Again, part of, you know, the hard tasks that a CISO has is keeping up with the latest, right? So, so dealing with stressful events like the one you mentioned a couple of minutes ago about like the CrowdStrike event that happened or maybe a cyber attack that could happen. Yeah, so that's fine.

 

Mehmet: People would expect that and you know, maybe it's a kind of a loaded question So, excuse me if [00:23:00] i'm putting too much information No worries So the first thing, of course, like the landscape, the technology landscape is evolving through the, you know, the way the attacks happen evolves, you know, the techniques evolves.

 

Mehmet: At the same time, you know, I'm sure like, as I see you, you have to deal with a large number of people coming in front of you and saying, Hey, like, We've got like, you know, this cool thing that gonna do X, Y, and Z. So this is by itself, I think it, you know, I imagine it takes also some power and energy from any CISO.

 

Mehmet: So I want to hear your point of view on this, about handling the quick changes that are happening, especially we are living in the AI space. Sure. You know being bombarded by all the messaging that comes and I can't blame anyone here. I understand I was there So how how you're dealing with this?

 

Tammy: Um, so one one of the [00:24:00] challenges first is to stay abreast of what is actually going on like as an individual Um, you know You know, from a, from a CSO perspective, how do I keep my eyes on everything that is, is going on?

 

Tammy: And part of that is from that industry networking with my fellow CSO community here in Philadelphia. Um, we have a very strong network that we, we spend a lot of time, um, comparing notes, sharing stories, et cetera. So, um, to, to be able to do that, um, is extremely helpful. And then I think, um, the, the other pieces to address that, uh, from, uh, uh, you know, staying on top of things and how, how you deal with changing technology and everybody who wants to do the latest and greatest cool thing.

 

Tammy: Um, so. There's something to be said for one, the overall balance between productivity and security, right? How do you, how do you enhance productivity without sacrificing [00:25:00] security and what I what I try to do in my role is really talk to folks in terms of risk, um, and really not be, um, the office of no.

 

Tammy: Because that's what a lot of security folks are perceived as being as a blocker. They get in my way. I can't do anything. Um, and we change that, um, that dialogue and, you know, basically turn it on its head and have a different conversation about talk to me about what you're trying to do and why you want to do it.

 

Tammy: Where's the business value of what you're, um, You know, wanting to do. And then let's talk about how we do that secure securely so that your needs and the, the, the needs of the organization from a protection perspective are also kept in mind. The other piece of that is really understanding the organization that you work with.

 

Tammy: Work for. What is their risk appetite? How much are they willing to [00:26:00] take on? Um, in in the name of innovation or in the name of new technology. Um, so, you know, some of it comes down to what you have embedded in, like your, um, acceptable use policies and your business codes of conduct because there is a behavioral element.

 

Tammy: Um, to all of that, you know, you know, don't put company intellectual property out in ChatGPT, for example, that's not really a good idea, right? So we can try to control everything from a technical perspective, but you also need to focus on that education and awareness piece with your, um, end users because they are, you know, the most common attack vector.

 

Tammy: Um, so making sure that they're educated, um, and understand what the risks are and make them pause as part of their daily, um, interactions to say, okay, like if it feels wrong, I probably shouldn't be [00:27:00] doing it or if I have concerns about it. So having them pause and then being able to ask the question.

 

Tammy: So I will spend a lot of effort on that training and education and awareness for the organization at large. So everybody is more prepared. With relevant content. And then, you know, it's all about partnership, right? So, um, we have an AI task force that's in place right now. Um, and we have partnered very closely with our, um, R and D organization, our technology organization.

 

Tammy: What are you trying to do for our customers with AI? What do we need to be concerned about from a security perspective? So, you know, It's about talking. It's about conversing is about listening and really putting together a joint plan of how we can accomplish this for the organization.

 

Mehmet: Fantastic. Now you mentioned a little bit about, you know, uh, kind of the privacy [00:28:00] issues, you know, and putting some data in ChatGPT or any single tool.

 

Mehmet: So I believe, you know, one of the. things that I always discuss with peers, I mean, people that they work in the industry, um, which they see it sometimes kind of You know, you can see challenges, you can say, like, I don't know where you have this mix of, you know, the privacy concern, uh, plus like we add to it regulations and then we add to it, like also sometimes ethical considerations.

 

Mehmet: Right. And now you have, now you have a nice mix and then you have to go and deal with it. Like, you know, and the reason I'm saying this, because And, you know, here where I want to hear your opinion on that, Tammy. So, sometimes people think that, you know, all these [00:29:00] measures that The security team put on us is trying to Limit our ability to be protective.

 

Mehmet: We have to go over many things You know, like you're making our lives miserable, right? um and I feel you know, and I want to hear your opinion on this like How is the best approach to do and I know like, you know, uh training and you know Doing this awareness is obviously a strategy but what can we do better?

 

Mehmet: better to have, you know, because till now I get surprised to know, for example, people, they don't know much, you know, about, you know, these concerns of regulations, like maybe data can be exfiltrated by, by a threat actor and it can be published on the internet. So I still think, you There's some missing link between the end users or even sometimes the IT department and the security team Because of all these things.

 

Mehmet: So [00:30:00] what are you seeing in that space? And what strategies, you know You've seen like working good because we have also the ethical aspects, especially i'm sure like even in industrial Uh domain you have these because for example, it's very obvious in in health care We have a lot of ethical issues that might come up Occur because of data breaches and privacy concern.

 

Mehmet: Tell me more about this. What's your point of view?

 

Tammy: So my point of view is yes, um, every industry is, has their own set of regs that they need to follow, a set of controls that need to be in place specifically, you know, around publicly traded companies or, um, like you said, healthcare or energy from a NERC perspective, et cetera.

 

Tammy: So one, one of the things is to make sure the, that you are aware and understand what regs your organization is actually being held, um, held to and how you, um, are currently in compliance. [00:31:00] Hopefully with those regulations one. So getting yourself well versed, and that is, uh, probably first and foremost. Um, but, you know, when, when people are, you know, getting frustrated with security or, you know.

 

Tammy: Why are we doing this? You know, well, because security said, so, um, it's kind of like the audit song, right? Like, well, you know, we're doing this because internal audit said we needed to. Well, no, no, that's really not the case. Um, we're doing this because we need to do this for, you know, our companies as an organization.

 

Tammy: What I do in those situations is, you know, it's never about, you know, we're doing this for the sake of security. So yes, I'll take a very simplistic example, right? So we are requiring you to, um, you know, enroll in MDM, uh, a mobile device management tool, if you want to use, uh, [00:32:00] your personal phone to access company property.

 

Tammy: Well, that's annoying. I really don't want to do that. You're a big brother. You're going to be watching my personal phone. And it's like, look, if you want the convenience of having one phone and using it to access corporate assets, this is the requirement. This is what you need to do. Um, I think, you know, so explaining to folks about why you're doing something and not just saying this is what we're doing becomes extremely important.

 

Tammy: You know, go back to the days when multi-factor authentication was first being introduced. Everybody was like, I don't want to have to do this. I don't want to have to do it on my, you know, personal phone or, you know, are you gonna give me a work phone if I'm gonna have to do this? Like, so there's definitely, you know, trade-offs and discussions that can be had.

 

Tammy: Um, I think the other piece of it is really around, um, when you, when you have examples, um, that are happening within your organization, I think the transparency of sharing that information, so [00:33:00] folks do realize that this stuff does happen here, and it's not in a way to name or shame, you know, somebody who accidentally clicked on a link. That's not the point.

 

Tammy: The point is turning that into a learning opportunity to say, look, you know, this did just happen, right? Or using, or using examples of events that have happened, uh, that are very, um, publicly being talked about, like CrowdStrike, like Maersk, like the Colonial Pipeline, pick, pick an incident, right?

 

Tammy: Um, and talking about that in the terms of, okay, how, if this would have happened to us, would we have been impacted? What could have happened if it happened to us? So we try to do, you know, I'll call them case studies, maybe that show, you know, if there's something in the news, that's very relevant, uh, to our organization.

 

Tammy: There's been recently an 8-K that's been filed for Orion, which is a chemical manufacturing company, [00:34:00] um, that, uh, was most likely a result of a business email compromise scam. Well, it's somebody in our industry. So let's talk about that and how does that happen? Um, so again, I am a huge training and awareness person, and I don't mean like taking courses online.

 

Tammy: I mean talking about, you know, the stuff that really does happen and putting in the context of your own business.

 

Mehmet: You know, that's, I think this is a better way, Tammy, because, you know, um, people who rely, for example, only on the online, uh, trainings, of course, I'm not saying they are useless. Don't get me wrong.

 

Mehmet: Uh, and even I've seen people, they get like good at, for example, they can measure. Okay, we were like from this percentage of people clicking the wrong link, and now, you know, it, it gets reduced to this. But the thing is that, you know, I think talking about it and letting people, you know, just in a human-to-human conversation, understand, you know, what [00:35:00] are the consequences of something wrong happen, that it might even affect their jobs, for example. And, you know, I've seen, like, this is, you know, even from a consultancy perspective, telling it in a story format, like, look, I'm not here to scare you, but look, like, this company faced this, you know, and this is what happened to them, and they had to do 1, 2, 3, which is not good, and it can happen to us, right?

 

Mehmet: And, you know, the reaction is, oh, okay, now I get it. So it's not like kind of just bombarding people with knowledge that they don't understand. So 100 percent agree with you on this. Now, Tammy, as we are almost, you know, coming to the end, something I want to ask you, which is I think we didn't touch on, we repeated that.

 

Mehmet: Yes, cyber security is stressful. Cyber security is not easy to do, and especially being in a leadership position, that adds another layer of difficulty. So what have you seen working to [00:36:00] have a proper work-life balance? Because you might get calls in the middle of the night, right? Something wrong has happened. Um, so what, what, what you can tell us about managing this balance?

 

Tammy: So, um, one of the things I, there's a chapter in the book that's really focused on self-care, um, which work-life balance is part of, uh, that chapter as well, and really, um, you know, I think, one, it's a very individual decision, um, that folks also need to think about and, and respect, right?

 

Tammy: So, you know, for me, um, and being in a high crisis, uh, type of industry, um, you know, the acknowledgement of there is going to be times where, yes, you know, and we all know this, like there is no typical day, right? Because one, we're always connected. Um, but we [00:37:00] may, you know, there are going to be times where, the weekend of July 19th, I was working all weekend, right?

 

Tammy: It wasn't, it wasn't an option. It was just something that we had to do. So what I tell people who I, who work for me and who I mentor and I coach is as part of that self care, um, you need to make sure that as an individual, you understand what your boundaries are. And you need to set those boundaries for yourself and you need to acknowledge when you're willing to compromise and when you're not willing to compromise.

 

Tammy: Um, and if you operate consistently within those boundaries, you will, um, have a, a work-life balance that is something that is acceptable to you. Um, I, I was recently on a panel, uh, with a group of women during women in tech week, and you know, the one woman on the panel, she said, you know what, she's like, I like to work 14 hours a day.

 

Tammy: Don't tell me I, I can't, don't tell me, you know, I [00:38:00] don't, you know, that's not good for me because it's what I want to do. Right. So it's the acknowledgement and that self-awareness of what is, you know, your style, what you're comfortable with. Doesn't mean it's for everybody. And then you also have to make sure that as you're working with your team, that if, if I'm working 15 hours a day, which I am.

 

Tammy: I don't always do sometimes, right? That it's not the example that I'm setting for them. So I have a very conscious conversation about that to say, Hey, look, if I'm responding to an email at midnight, I'm not expecting a response at 15 minutes later. When you get on the next day, that's fine. Um, you know, I have another individual on my team right now.

 

Tammy: He's a, he's an active learner, all the time. Well, he would continually get feedback. Well, you know, you're always online. You always respond. So we've had to modify that a little bit, right? Because there are some regions of the world where that's not allowed from a legal perspective as well. [00:39:00] Um, and it's okay if you're learning, but then don't make yourself available in Teams or, you know, whatever, Slack, to, to be interrupted. Make that your time.

 

Tammy: So developing those boundaries for yourself, working within those boundaries, I think is what becomes most important. And they're going to change over time. When I was raising my girls, um, you know, they came first and I had to make some decisions that said I'm going to be present for them. Um, and you know, that sometimes meant I didn't work on a Friday afternoon, um, because of something that was going on, but I made sure that my job was still getting done.

 

Tammy: And if you can focus on that, that, you know, the, the, the boundaries of an office are obviously very different these days since COVID. Um, we all work remote, but the most important thing is that you're getting your job done and you're maintaining that sense of self and the boundaries that you've established for yourself.

 

Mehmet: You know, this is again [00:40:00] eye-opening, I would say, um, on, on, you know, doing this life, uh, work-life balance in a proper way. And thank you for sharing your experience, Tammy, with us. Uh, finally, this is the final thing I ask my guests: where people can get, uh, to connect with you and learn about your work.

 

Tammy: Sure. Um, so, uh, the best way to connect with me right now is on LinkedIn. Um, look me up, Tammy Klotz. Um, the one thing I would ask if you want a connection is that you just drop a note that says, I heard you on The CTO Show and would love to connect with you. That would always be helpful for me. Um, and then, um, if you're interested in, uh, purchasing the book, the book is available on Amazon.

 

Tammy: It's, uh, Leading with Empathy and Grace. And, uh, I would love to have you pick up a copy, read it, give me feedback, uh, put an Amazon review out there. Um, but I would, I would love to hear from folks after you've had the opportunity to listen to me today.

 

Mehmet: Sure. Uh, for [00:41:00] the folks listening or watching us, don't worry.

 

Mehmet: I will put the link to the Amazon book in the show notes or in the description if you are watching this on YouTube. So you can find it over there. And yeah, as Tammy mentioned, uh, leave your feedback and also, like, uh, leave feedback to me also as well. Like if that is how, and this is how usually I end my, my episodes.

 

Mehmet: So if you just discovered this podcast, thank you for passing by. I hope you enjoyed the conversation today with Tammy. And if you did so, please give us a thumbs up, subscribe, and share it with your friends and colleagues. And if you are one of the loyal followers who keep coming, listening, and give me their feedback, please keep doing so, because I really want to know what you think about the show, what I can improve better, what I can do better, and, you know, so I'm always open to listen to your feedback.

 

Mehmet: Even if you don't like something, no problem. Just let me know about it. And as I say as usual, thank you for [00:42:00] tuning in today. We will meet again very soon. Thank you. Bye-bye.