Category Archives: Higher Education


Episode 003: Joanna Grama–Leader and Influencer

Category:EDUCAUSE,Higher Education,Information Security,Introverted Leadership,Leadership,Podcast

Episode 003: Joanna Grama–Leader and Influencer Notes


Joanna Grama is a senior consultant for Vantage Technology Consulting Group where she specializes in advising clients on information security, privacy, and risk management issues. In our second discussion on the podcast, Joanna and I discuss how meetings can be challenging for introverts, and how she’s become a leader and influencer.

Key concepts

  • Meetings
  • The slow thinker
  • Processing internally
  • Win-win scenarios
  • Connecting and investing
  • The five Cs
  • Don’t be a jerk!


I’m just doing my job. I’m just trying to get through the day, and–and you know–leave as little drama as possible in my wake. But maybe that’s being a quiet leader.

We all have moments in the office or in our professional lives where we’re really not proud of our behavior, whether it’s the language we used, the tone we used, our facial expressions and our body language. I mean, we all have those moments, but it’s just, it’s really important to try not to be a jerk. That goes a long way towards getting along with people.

You have to challenge yourself everyday, and it sounds trite to say that, but if I didn’t have mentors pushing me and saying you’re great and you can be even better, and forcing me to do uncomfortable things, I wouldn’t be where I am today!

Resources or Products Mentioned in this Episode



Ben: Joining us again is Joanna Grama. Today we’re going to finish up our conversation that we started in our last podcast about her experience as an introverted leader and the thoughts that she has to share with us.

Ben: So, one of the things that you and I had talked about in previous conversations is meetings. And I had–I’ve mentioned this in another podcast, but I had an individual in one of my workshops who talked about his meeting performance and, much like you said, somebody told you that you needed to overcome this anxiety about public speaking and do well at it. He had a situation where his manager said he needed to perform better in meetings, and I know what he did to solve it. He talked to his manager and arranged to meet with that manager ahead of time, so he’d have a preview of what was on the agenda and that helped him.

Ben: What has your experience been like with meetings as an introvert and what have you found has been helpful or maybe not helpful?

Joanna: Yeah. Meetings can be a really tough scenario for introverts even when you are 100 percent engaged in the meeting. So I–similar to the other person that you talked to–I had a supervisor once who commented in front of a group of my peers that I was a slow thinker in meetings. And it really sort of–and this sounds strange–but it really hurt my feelings. Not because it was true or it wasn’t true, because it is true, but because of the negative connotation that I associated with the comment. I am a slow thinker. I do like to think about issues and ru(minate) them over in my mind before deciding on a course of action or making plans or something. That’s just being thoughtful, and being that type of thoughtful cautious decider is something that is so ingrained in who I am as an attorney, as an information security professional, as a parent, as a person.

Joanna: But, on the other hand, there are times when, as a knowledge worker, you really do have to be able to react and provide feedback on the spot, but you don’t have to do it all the time. So with the supervisor that called me a slow thinker, we eventually came to an agreement that, for those items that we could put off for a day or two, I could come back to the table with comments after having time to think. And then for the items that had to be discussed and where feedback had to be provided right away, we agreed that I would provide those immediate comments and I would just get comfortable with it, but that we both understood that my best thinking always comes after reflection time, and so I could always provide additional feedback the next day, relatively contemporaneous with the urgency of the conversation if needed. And that seemed to be how we dealt with the situation in a way that worked for my supervisor and me, that worked for my peers, that worked for decision-making within the organization. I am really trying to come to terms with being a slow thinker, although I have amended that label to thoughtful and comprehensive thinker in my head.

Ben: I would say that is a little less negative way to address that. Slow thinker, I don’t think there’s a way to spin that positively.

Joanna: No. There’s just not.

Ben: Considered thinker, reflective thinker, well considered–all of that makes sense. And that’s all very positive, which could be spun in a negative way, I’m sure. But slow thinker? No, I don’t think there’s any way to take that positively. And it’s funny because I’ve used this conversation that we’ve had about this in workshops and other things to talk to people about–as an introvert, you may be accused of this, because we are thinking through things before we speak. We process internally. What’s interesting–and I think there have been a number of studies around this–in meetings, what typically happens if you have a mix of introverts and extroverts, is the extroverts will speak first because they will process externally and they will come up with an idea, and because they–it may have been the first idea or they’re very confident about the idea–people will say, “Oh yeah. We’ll do that.”

Ben: However, there doesn’t appear to be any correlation between who speaks first with an idea and positive results from it. So I definitely empathize with you on the slow thinker part in meetings, and I’ve come to the point where I can speak pretty quickly in response to things, but I will also tell whoever’s running the meeting if I’ve got–if it’s a really important subject–I want time to go away and dwell on that, so I can come back with a really superior solution that I can feel good about and that I’m convinced will work. There are too many thoughts that occur to me after the meeting about “Well, that would have been a real show stopper,” or “Have we considered adding this part?” and that could make something so much stronger, or a word I hate to use, robust.

Ben: Let’s change gears a little bit. Recently I did an article for Intercom magazine and it was about becoming an influencer and a leader in the workplace. How do you feel it works for you in the workplace? In terms of when you can be an influencer, when you can be a leader, what works best for you? Do you consider yourself to be an influencer or leader in the workplace? As somebody external, I certainly consider you to be one.

Joanna:  Well, thank you. I’m always sort of surprised when someone says you’re a leader or an influencer. Not because I don’t think I can’t be a leader or an influencer, but sometimes I just think, how can I be a leader or an influencer? I’m just doing my job. I’m just trying to get through the day, and leave as little drama as possible in my wake. But, maybe that’s being a quiet leader. I don’t know. I love the process of building consensus and sort of negotiating, maybe not a win-win scenario, but a, you know, least destructive scenario or a scenario most of us can live with. I’m making sure I hit–I’m going to call it win-win–making sure I hit that win-win scenario’s important, which you probably have to find hilarious given both my training as an attorney and the merciless way I treated you during our last game of Exploding Kittens.

Joanna: I just really think that getting to a place where you and whomever you’re working with can move forward as a team is so important, and that goes back to making a connection and having an investment in your colleagues, having an investment in your organization, and that sort of thing. Some of it is, “Don’t be a jerk!” We all have moments in the office or in our professional lives where we’re really not proud of our behavior, whether it’s the language we used, the tone we used, our facial expressions, and our body language. I mean, we all have those moments, but it’s just, it’s really important to try not to be a jerk. That goes a long way towards getting along with people.

Ben: So, I can see we have our subtitle for this episode. It’s going to be, Don’t be a Jerk.

Joanna: Don’t be a jerk, yeah.

Ben: We’ll play with that a bit. I’m sure.

Ben: So, in terms of you being a leader and an influencer, some of the ways that I’ve seen that: one, I’ve had an opportunity to observe you over the last couple of years when I’ve been at conferences, and I’ve been part of these EDUCAUSE working groups where you’ve been kind of the program manager for them. What’s been interesting for me, I thought that was really helpful, as I think I’ve seen times where you’ve really kind of gone beyond what I would say is the call to duty. One example of that is a couple of years ago when I was working on putting together survey results about what are the best characteristics or preparation for somebody who’s going to be a security awareness practitioner, somebody who’s going to explain very technical security things to a “normal” audience. So I was struggling to get this research bulletin prepared, and I was about ready to give up on it, and I told you I was going to give up on it, and you didn’t let me do it. You pretty much shepherded me through it, you know, provided feedback. We went back and forth about, “Ah! I caught a typo,” which you were not thrilled with, but in general you helped me actually get that thing done, and I was quite happy with the result. But that being able to reach out and collaborate and help someone get the work done and complete it was really important. So, I’ve seen you as a leader and an influencer in that context as well.

Joanna: Oh, well, I’m really glad that you see me as a leader in that context and not as a nag! I think in that situation in particular, now that I’m looking back at it with hindsight, right? I have the opportunity to be eloquent. That paper was really important. We talk about how important information security training and awareness is to higher education institutions, to our organizations, but there’s not a lot of, or there wasn’t at that time, a lot of thought leadership on why it is important or what skills do the people who are actually doing that training, what do they need to have in order to be successful? Because, if those leaders aren’t successful, then information security awareness and training isn’t successful, which means data is at risk at our institutions, which can lead to all sorts of bad downstream things. So really, I was professionally motivated by the fact that I wanted this literature out there and you had the expertise and the data, so you needed to be the one to get it out there.

Joanna: And then, you know, personally, I knew you! I wanted you to have the success. It’s important to me to help my friends. I don’t know that I would call it going beyond the call of duty, as much as I would say it was getting to that win-win scenario where you got something out of it, I got something out of it. I really thought that the process was fun, once we sort of decided that we were going to regroup and work on it together–and those things are so important! It would have been too easy, Ben, to walk away from that, and I’m so glad we didn’t.

Ben: No, I agree. I think it was important. I’m actually fairly proud of the work and excited that it was published,…

Joanna: You should be!

Ben: and I hope it has provided a foundation for people when they’re looking at what are the qualifications someone needs or, just as importantly, what qualifications do they NOT need to be an information security or cyber security awareness practitioner.

Ben: What recommendations would you have for introverts who want to become influencers or leaders? What thoughts do you have for them?

Joanna: Sure. So I read a long time ago this article that talked about–I think it was called the four Cs or maybe the five Cs, but essentially it is, some big ideas for how to live your life. And so I like to follow the five Cs, which are Curiosity, Compassion, Courage, Conviction, and Conversation. I think that as an introverted leader or an introverted influencer,–just an introvert or a person trying not to be a jerk–those are some really good–those are some good ideas to have. You can’t be a doormat, but you can be compassionate and courageous. And I think that’s important for me. I sometimes add a sixth C, which is Calm, to remind myself when I need to take a break or to recharge and get reinvigorated about things. I have to remember not to let the external environment or the external context, impact my internal context.

Joanna: So that’s why I add Calm. And part of it is being true to yourself. I really struggled with who I was as a person and potentially a leader or a worker in an organization, or just anything, until I acknowledged some fundamental truths about myself. I need to recharge. I am a–what did you call it?–A conscientious thinker. I am shy and reserved almost to the point that people who don’t know me or are meeting me for the first time, might think I’m standoffish, and I have to do things to make sure that that’s not the impression that I leave people with. And just, those are important.

Ben: Do you have any other thoughts you’d like to share?

Joanna: You know what? You have to challenge yourself everyday, and it sounds trite to say that, but if I didn’t have mentors pushing me and saying you’re great and you can be even better, and forcing me to do uncomfortable things, I wouldn’t be where I am today! And I’m so thankful and grateful and happy with where I am today. A little bit of honoring yourself, and a little bit of stepping outside of your comfort zone is important.

Ben: That’s great. Well, I think we’ll wrap up now. Thank you so much for sharing your thoughts today. It’s been a fun conversation!

Joanna: A pleasure!

Ben: And we look forward to maybe having you join us again on another podcast. Assuming we can find a whole new set of things to talk about, which I’m sure we can.

Joanna: I’m sure we can!


Building a Culture of Digital Self-Defense

Category:EDUCAUSE,Higher Education,Information Security,Infosec Communicator,Lessons Learned,Social Networking

Note: This article was previously published on September 20, 2016 in the EDUCAUSE Review Security Matters Blog

One of the biggest challenges in information security is raising the awareness of our communities so that they recognize threats and understand how to defend themselves. The difficulty of that challenge is exacerbated by up to 30 percent turnover of students, faculty, and staff yearly. It’s a multiyear process, but the key is to stick with it and not be afraid to try new ways of raising awareness and enrolling your communities so that they become part of your security team. I’ve provided a list of key components to building that security culture below. I’ve also provided some examples of our work at the Rochester Institute of Technology (RIT).

Think Strategically

You can’t change or create a culture overnight, and gains may seem almost imperceptible at times. Recognize that you need to think of security awareness as a key component of your information security strategy. (Yes, you need a security awareness strategic plan.) A strategy enables you to identify long-term goals. Security is often reactive. For example, we might respond to phishing attempts by warning our communities as the attempts occur, rather than employing a phishing simulation program¹ so that they’ll recognize phishes on their own. To create (and harden) a security-aware culture, you must be proactive. It’s not always possible to get ahead of specific threats, but we can train our communities to recognize many of them.

Have a Plan

Thinking strategically requires a plan. A plan enables you to define how you’ll reach the goals defined in your strategic plan. What communication vehicles are already available? What needs to be developed? Where do your audiences (you have at least three: faculty, staff, and students) get their information? Are there community or departmental leaders they follow? What topics should you cover and when? (EDUCAUSE provides a calendar of topics and member-created content that you can leverage.)

Brand Your Security Awareness Efforts

RIT’s security awareness efforts are branded under Digital Self-Defense. A brand helps make your security awareness efforts visible and memorable. Almost every communication or event around security awareness at RIT bears our “DSD guy” (seen above). After more than a decade, most constituents recognize him. (Your university or college might have requirements around branding that may or may not make security awareness branding possible. However, you can still use a common layout and design in your communications.)

Leverage Existing Opportunities

What existing opportunities are available for improving security awareness? Are there orientation events for students, faculty, or staff? Are there benefits or wellness fairs in which you can participate? Have you contacted departments to schedule security awareness discussions? Have you created an ongoing security awareness class, either in person or online? Have you put posters on your buses? Given away swag with security awareness messaging at orientations? Look around and see what existing opportunities you can leverage.


Be All Over Social Media

Where do your constituents get their information? Your university or college may have official news outlets or communication mechanisms. Does everyone follow them? Do students even read e-mail anymore? Who’s using Facebook? Twitter? Instagram? Pinterest? Snapchat? The rapidly evolving social media landscape offers opportunities, as well as challenges. Go where your audiences are. They’re unlikely to come to you. (As I write this blog post, we’re in the midst of our annual social media “like” campaign and expect to surpass 10,000 followers in our social media outlets.)

Identify and Leverage New Opportunities

Has your campus become a hotbed for Pokémon™ GO!? Have you thought of how you might leverage Poke Stops where students congregate? Maybe set up a security awareness table. Hang posters at Poke Stops inside buildings. What about Snapchat? Snapchat filters are really popular. Did you know that Snapchat allows you to create custom geofilters? Why not create some security awareness-oriented filters and offer them at high-traffic times and locations?

Hire Students with the Right Skill Sets and Mindsets

One of the strengths of our security awareness program at RIT is that we hire technology-savvy students with strong communication skills. After a while, you’ll probably find that the well of inspiration you draw from has started to run dry. Student employees are a great source of innovative ideas and, more importantly, they’re students. They understand how students communicate and how best to get their attention. Give them the freedom to be creative.

Enroll Your Community

It’s not really a secret, but we know as security professionals and IT organizations that we cannot secure our campuses without partnering with our user base. Have you thought about how you might enroll your users in your efforts? In fall 2015, we began our Digital Self-Defense Team program. The purpose of the program was twofold: we wanted to develop a sense of shared responsibility around information security, and we also wanted to begin measuring our successes with a survey. With small incentives for taking the survey, we had over 600 survey participants from a faculty/staff population of about 3,000. Almost half of the survey participants signed on to the Digital Self-Defense Team. That’s a growing population of security advocates on campus.

Volunteer and Network

I’ve been a member of the Higher Education Information Security Council (HEISC) Awareness and Training Working Group for almost 10 years. The innovative ideas and helpfulness of the group to new members are without parallel. Participation in the working group ensures a steady flow of new ideas and solutions to problems faced by all of us. Each of us has ideas to share, and the working group has developed a number of security awareness resources available today.² I invite you to join us.


  1. Learn more about phishing simulation programs and read these 10 key points about implementing a campaign.
  2. The HEISC Information Security Guide: Effective Practices and Solutions for Higher Education includes several resources developed by the Awareness and Training Working Group: a quick start guide, detailed instruction manual, cybersecurity awareness resource library, and National Cyber Security Awareness Month resource kit.


Updated Shock-proofing your Use of Social Media Presentation

Category:Facebook,Higher Education,Information Security,Infosec Communicator,Internet Safety,Lessons Learned,password,Presentations,Privacy,Risk,Social Networking,STC,STC Rochester,Summit

I’ve updated my Shock-proofing your Use of Social Media presentation for the Fall 2014 New Student Orientation program at the Rochester Institute of Technology. I’ve changed the passphrase example, added a new cartoon, and generally worked to make the presentation more culturally relevant to 18- to 20-year-olds.

Let me know what you think of it!
