People are a company’s most important asset, not its weakest link, says Tammy Klotz, CISO at Trinseo, consultant and author.
With a distinguished 30-year career in IT, Tammy has held diverse roles, from her early days at Air Products and Chemicals to her influential positions at Versum Materials and Covanta. In her cyber security journey, she focused on resilience, empathy, and a commitment to empowering teams.
In a recent conversation with Chaleit’s CEO, Dan Haagman, Tammy shared her insights on nurturing a resilient cyber security culture, creating efficient training and awareness programs, and dealing with vulnerability management challenges.
Watch the interview for valuable insights and practical advice, and read the main takeaways below.
The essence of cyber resilience
Resilience is not about preventing every cyber threat but rather about how an organisation responds and recovers when faced with an incident or breach, Tammy explains. Organisations’ reactions in those situations determine how they are perceived by customers, the public and the media.
Perfect security is unattainable, but positioning yourself to respond and recover efficiently will make a difference.
Organisations must strive to be transparent and acknowledge gaps to the extent that confidentiality allows rather than try to project an unrealistic image of complete control. It’s not about painting a rosy picture, but a factual picture, she notes.
All in all, resilience is not about looking at one alert but about analysing a compilation of data and applying critical thinking to better understand and address risks at an organisational level.
Resilience also extends to the cyber security teams themselves, as organisations must recognise the demanding nature of professionals’ work and implement measures to prevent burnout.
You need cyber security professionals who can focus, troubleshoot, problem-solve, and connect the dots to understand what is going on, Tammy stressed.
Empowering security teams
Drawing from the title of her recently published book, “Leading with Empathy and Grace,” Tammy talked about the importance of treating people as an organisation’s strongest link in cyber security defence.
Top-notch security tools are essential, but they’re not enough, she explained. Misconfigured, redundant or underperforming tools can leave your organisation vulnerable. Strong people and well-defined processes are equally important to defend against attacks.
Tammy stressed the significance of empowering security teams to raise concerns and present scenarios without fear of repercussions.
She offered practical advice on how to do this and gave the example of having “accountability partners” within the team to foster collaboration, knowledge sharing, and mutual support.
This approach promotes resilience and creates an environment of trust and open communication.
Cyber security training and awareness
To improve security, it is essential to create engaging training and awareness programs that resonate with employees on both professional and personal levels rather than relying on traditional, tedious methods.
Tammy described a practical approach she implemented at a previous organisation, where a security breach was turned into a learning opportunity. The responsible individual was not named and shamed, but the situation was presented clearly so that people could understand what can and does happen.
From a training and awareness perspective, recognising desirable behaviours is more beneficial in the long run than immediate disciplinary actions. In Tammy’s view, people get to make a mistake once.
Implementing gamification techniques, such as reward systems and scavenger hunts, is also a great way to engage people in the cyber security process, she shared from her experience.
Vulnerability management challenges
CISOs have to manage an overwhelming and never-ending volume of vulnerabilities, where addressing the top vulnerabilities only leads to the emergence of new ones.
To deal with this challenge, organisations must develop methodologies that allow people to prioritise and mitigate vulnerabilities effectively. This involves risk ranking, determining which vulnerabilities pose the most significant threats, and deciding on the appropriate mitigation strategies.
Another key point Tammy raised is the importance of governance in vulnerability management. Vulnerabilities are often assessed and categorised by external vendors. However, the ultimate decision on how to address these vulnerabilities lies within the organisation. This involves engaging in meaningful conversations about risk acceptance and mitigation with business owners.
Metrics play a significant role in this process. While tangible, quantifiable data from scanners can be compelling, it can also lead to a narrow focus on numbers rather than a holistic view of security. Organisations must balance their reliance on these metrics with broader risk assessment strategies.
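To make the risk-ranking and metrics points concrete, here is an added example (not Trinseo’s, Chaleit’s or Tammy’s own methodology) of the kind of prioritisation logic a team can put behind its scanner output. It blends the scanner’s CVSS score with context the scanner does not have: where the host sits on the network, how critical the asset is to the business, whether the flaw is known to be exploited in the wild, and whether a compensating control already blocks the attack path. The findings, hosts, identifiers and weights are all constructed for illustration; none refers to a real CVE, system or industry standard.

```python
"""Context-aware vulnerability risk ranking.

Added example, not the methodology of any organisation named on the page.
Every finding, host and identifier below is constructed; the weights and
thresholds are assumptions chosen to illustrate the point, not a standard.
"""
from dataclasses import dataclass

# Assumed multipliers: how much of the scanner's severity actually applies
# given network exposure and business criticality of the affected asset.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.3}
CRITICALITY_WEIGHT = {"high": 1.0, "medium": 0.7, "low": 0.4}


@dataclass(frozen=True)
class Finding:
    finding_id: str            # scanner's own reference (constructed here)
    host: str
    title: str
    cvss: float                # base score as reported by the scanner, 0-10
    exposure: str              # internet / internal / isolated
    criticality: str           # business criticality of the asset: high / medium / low
    exploited_in_wild: bool    # threat intel says attackers are actively using it
    compensating_control: bool # a verified control (WAF rule, ACL) already blocks the path


def risk_score(f: Finding) -> float:
    """Scale the scanner's CVSS by context, bump for active exploitation,
    halve for a verified compensating control, cap at 10, round to 2 dp."""
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure] * CRITICALITY_WEIGHT[f.criticality]
    if f.exploited_in_wild:
        score += 2.0              # external trend data outranks the raw number
    if f.compensating_control:
        score *= 0.5              # mitigated, not eliminated, so it still ranks
    return round(min(score, 10.0), 2)


def rank_by_cvss(findings):
    """What a scanner dashboard shows by default: severity only."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_risk(findings):
    """The order the business should actually work through."""
    return sorted(findings, key=risk_score, reverse=True)


def triage_decision(f: Finding) -> str:
    """Map the contextual score onto an action the asset owner must sign off.
    Thresholds are assumptions."""
    s = risk_score(f)
    if s >= 7.0:
        return "remediate within SLA"
    if s >= 3.0:
        return "schedule remediation"
    return "accept risk (owner sign-off required)"


# Constructed scanner findings. Note that the highest CVSS sits on an isolated
# lab box, while a lower-scored flaw is internet-facing and actively exploited.
SAMPLE = [
    Finding("SCN-0001", "web-prod-01", "RCE in public web app", 7.5, "internet", "high", True, False),
    Finding("SCN-0002", "lab-vm-07", "Kernel privilege escalation", 9.8, "isolated", "low", False, False),
    Finding("SCN-0003", "erp-db-02", "SQL injection in admin console", 8.8, "internal", "high", False, True),
    Finding("SCN-0004", "hr-portal-01", "Authentication bypass", 9.1, "internet", "medium", True, False),
]


if __name__ == "__main__":
    print("Scanner order (CVSS only):", [f.finding_id for f in rank_by_cvss(SAMPLE)])
    print("Risk-ranked order:        ", [f.finding_id for f in rank_by_risk(SAMPLE)])
    for f in rank_by_risk(SAMPLE):
        print(f"{f.finding_id} {f.host:<14} cvss={f.cvss:<4} risk={risk_score(f):<5} -> {triage_decision(f)}")
```

Run as-is, the CVSS-only view puts the isolated lab host first and the exploited, internet-facing web app last; the contextual ranking reverses that, and the SQL injection that a verified control already blocks drops to a scheduled fix rather than an emergency. The `triage_decision` output is deliberately phrased as a decision for the asset owner, because, as the text above notes, the scanner vendor categorises but the organisation decides.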
Is vulnerability management best handled internally or externally? The decision depends on various factors, including the organisation’s size, industry, and regulatory requirements.
For larger, highly regulated organisations, Tammy suggests that external services might offer broader perspectives and better resources. This broader view can be invaluable in identifying and mitigating emerging threats.
In contrast, smaller organisations might manage vulnerabilities internally but must ensure they have the right people in place. These internal teams must be proactive, not just ticking boxes but actively monitoring external trends and adapting their strategies accordingly.
Struggling with cyber vulnerabilities and building a strong security culture? Let’s talk about how you can empower your team and build a proactive strategy for a secure future.
If you’re looking for more practical advice from top cyber security minds, check out our blog and YouTube channel and subscribe to our monthly newsletter.