Category Archives: Information Security

  • 1
Joanna Grama headshot

Episode 002: Joanna Grama–Networking and Public Speaking

Category:EDUCAUSE,Information Security,Introverted Leadership,Leadership,Podcast

Episode 002 Show Notes: Joanna Grama


Joanna Grama headshotJoanna Grama is a senior consultant for Vantage Technology Consulting Group where she specializes in advising clients on information security, privacy, and risk management issues. Joanna and Ben discuss the challenges of working at home, her introvert strengths, networking, and our progressions as public speakers.


Key concepts

  • Working remotely and maintaining connectivity
  • Being in helping professions
  • Business development
  • Conferences and meeting new people
  • Biggest strengths
    • Listening to understand
    • Building relationships
    • Making the connection
    • Rebuilding processes
  • Progressing as a speaker
  • Mentoring
  • Classroom Teaching
  • The Princess Bride


The odds of making a connection are really stacked against you as a remote worker and as a shy introvert.

And so for me, making sure that I honor the fact that being visible and under the spotlight requires a tremendous amount of energy. Energy expenditure is super important. If I find that if I don’t make sure that I have time to recharge and recover from the day, that I suffer, and when I suffer, the people around me suffer.

We do have a few very treasured and very, very deep relationships, and I just feel that that connection and that shared understanding is–is something that is so, so profound and valuable. And when you have it, you really can accomplish a ton both personally or professionally.

Resources or Products Mentioned in this Episode



Ben: Joining us today is Joanna Grama. Joanna is a senior consultant for Vantage Technology Consulting Group where she specializes in advising clients on information security, privacy, and risk management issues. A reformed lawyer. Joanna has more than 15 years of experience in higher education with a strong focus in law, information technology, security policy, compliance, governance, and data privacy. Joanna is a credential hoarder and committee joiner, prolific author, frequent public speaker, and shy introvert, trying to cope with an extroverted world. She also plays a ruthless game of Exploding Kittens. You can contact Joanna at or on Twitter @runforserenity.

Ben: Joanna and I have been friends for several years and first met each other at the EDUCAUSE Security Professionals Conference in San Antonio where we both provided training seminars on cyber security topics. I often see her as a shining star and role model for women in Cyber Security. I can also attest to her ruthlessness and competitiveness when playing Exploding Kittens. I was the victim. To be fair. I’m also very competitive when playing games. The point is to win. Correct?

Joanna: Hi Ben. Thank you so much for having me here today.

Ben:  Well, I’m excited. I think we’re going to have a great conversation. Joanna–many introverts face challenges in their workplace. I know you’ve worked out of a home office for awhile, so your experience may be a bit different. Would you describe your current role and maybe chat a little about your previous experience?

Joanna:  Sure, I’d be happy to! I currently work as a strategic consultant. That means that I advise clients on the strategy, implementing information security, privacy risk programs, and then addressing issues within those programs.

Joanna: In my current role and in former roles, I’ve worked at home. I’ve been a remote worker for almost seven years now. At first I thought working from home would be fabulous, especially for someone who is highly introverted and it really really was. However, after the novelty of working from home wore off, I found that one of the things that I really struggled with was loneliness that–you know–it’s pretty funny, but the making a connection odds are really stacked against you as a remote worker and as a shy introvert. And that meant that I really, really have to push myself so that I reach out to my colleagues regularly, both just to keep track of work tasks, but also to establish meaningful relationships with them. Having those meaningful relationships with my work colleagues is really, really important to me. Being happy at work–we spend so much of our time at work that that connection is really important.

Ben: It’s interesting, because working at home seems like the dream job in some ways for me also, but I suspect I would be climbing the walls after a few weeks of not seeing anybody outside of the area and especially in the winter up here–where it’s–am I going to go outside and at least clear the walk and get the dog outside for awhile? But otherwise, it’s cold. It’s miserable. So working at home is, kind of a mixed blessing I guess in many ways?

Joanna: It’s a mixed bag to be sure. When I first started, I went two whole weeks without leaving my home, not even to go to the mailbox, because my spouse is wonderful and would bring in the mail or ask if we needed anything from the store before he came home. And so I didn’t go out of our home for two weeks, and that was too much. I have learned that even this introvert has limits to being alone and two weeks is perhaps a week too much.

Ben: Yeah. Though it does give you an opportunity to save on doing laundry and things, I’m sure!

Joanna: Absolutely!

Ben: So you’re working as a consultant from the home. I got to know you through EDUCAUSE where you were the program manager for the cybersecurity program, and I know the roles have changed a little bit. What did you find to be most challenging as an introvert in your EDUCAUSE role and in your new role now as a consultant–what are the big introvert challenges?

Joanna:  I have always gravitated towards jobs or to professions–to helping professions in some way or another. And I think for me, I really like to be able to see that my professional efforts, or even my volunteer personal efforts, have helped an individual, an organization, or a community. And so, there is a certain amount of networking and coalition building, and now, even business development that goes along with being in these sorts of helping professions. I found that it means that you have to be available and out there in the limelight sometimes. And so for me, making sure that I honor the fact that being visible and under the spotlight requires a tremendous amount of energy expenditure is super important. If I find that if I don’t make sure that I have time to recharge and recover from the day, that I suffer, and when I suffer, the people around me suffer. It took me a really long time to sort of acknowledge and accept that I needed this recharge time.

Ben: Yeah, that’s really interesting because I know for me, many people see me at a conference, (like they see you) and we’re very public. We’re very appearing extroverted because we’re talking to people, we’re chatting with people a lot, and afterwards I just feel totally exhausted, and I don’t really want to do anything for the next several days. Now it’s always a bit of a challenge, because I’m married to an extrovert, and she would really prefer to see my conference-type behavior be my home behavior. But, while at a conference I may say, “Oh yes, let’s get together with these people for dinner.” We’ll stay up til midnight. We’ll go here, we’ll stay up PAST midnight, most likely actually. I’m not so much that way at home. I’d just as soon stay home and kick back, watch a series on Netflix or something, read a book–pretty much just get that time to recharge. So I find that challenging also. Now you’re in a business development role right now in terms of building your consulting business as part of this consultancy. How is that working? The introvert in the–really, it’s an entrepreneurial-type role so it’s a little bit different.

Joanna: It is a little bit different, but the thing that I have working in my favor is, the early part of my professional career was in the–in the practice of law, and when you work at a small firm or when you’re a sole practitioner, you have those same requirements about business development, and just business development and that sort of thing. And so I’ve got some tips and techniques from the good old days rattling around in my head that I can work for I think.

Joanna: I feel like an introvert’s coping in the world or how you engage with the world are very–mine are very situational dependent, and so there is the Joanna who has to show up for the job and get something done. And I know that hiding behind a column or a plant isn’t going to work for getting that job done, right? And you need to make sure that you’re talking, that you’re making connections. With my family and my close friends, they probably think I’m the world’s biggest goofball, because–and they would never imagine that I was an introvert–because sometimes you can’t get me to shut up. But that’s because I’m with people whom I feel very, very comfortable with. But I can tell you if I’m going to a conference and I don’t have a role to fulfill at that conference, and I don’t have a networking obligation or a business development obligation, I’ll be there, but I am going to sit back and observe, and I’m not going to put on the professional face, or do the professional things sometimes a job or other circumstances might require. Maybe that’s an energy conservation mechanism. I don’t know, but to some extent I feel like I can compartmentalize: I’m in this situation. When I’m in this situation, I have to do this thing, and I just–sometimes you have to get over yourself no matter how hard it is. But much like you, I will have to crash the week I get done with any sort of event like this just to rest and recover.

Ben: You know, it’s interesting, because you talked about if you go to a conference where you don’t have specific responsibilities to be a host or to engage people, or to–in a sense–be directed to network with specific people. I tend to hang back and not chat with people also, and one of the things I think as introverts is that we don’t tend to have a lot of deep friendships. We have very deep friendships with a few people, and for me, even with the EDUCAUSE conference a couple of years ago, when I found out that the two people I normally hang out with weren’t going to be there, it’s like, “What am I going to do?” Because now, I’ve got to potentially meet somebody new. I have to not be myself or feel like I have to not be myself. So I found that to be a challenge–even attending a conference I normally go to. If that core group actually isn’t there, it really changes things up for me.

Ben: So it’s interesting that we’ve got a lot of the same feel towards conferences. I also have the situation where if I go to a conference, and I have that specific role to play, I can play that role no problem and I can maintain it usually for the course of the conference. But again, like we’re talking about, there’s a crash period afterwards.

Ben: Let’s talk about introverted strengths a little bit and we haven’t really talked about what you’ve identified as your biggest strengths. What would you say those are? How do you leverage them?

Joanna:  Well, I like to think that I am an excellent listener, and I listen because I really like to understand how people and processes work. Although my caveat to that is, I really REALLY like to understand how processes work so that I can break them and rebuild them–not with people, just with processes! I think listening to understand and ultimately to make some sort of connection with or investment in the person that I’m talking to has always been really important to me. And I think a lot of introverts might feel this way.

Joanna: You mentioned, we don’t have a lot of shallow acquaintance-type relationships, but we do have a few very treasured and very very deep relationships, and I just feel that that connection and that shared understanding is–is something that is so, so profound and valuable. And when you have it, you really can accomplish a ton both personally or professionally. So, I think that listening, the building the relationship, the making the connection, breaking the processes and rebuilding them–those are probably my biggest strengths as an introvert.

Ben: I can definitely see that in you as well! One of the things that you mentioned or that I read in that little brief bio at the beginning was that you’re a frequent public speaker. How often are you speaking and do you find that to be a challenge and, or did you ever find that to be a challenge and what do you do in terms of preparing to speak, as an introvert?

Joanna: So, it’s changed a lot over the years. I suspect that if you talked with friends and colleagues who knew me professionally about 10 to 12 years ago, they would remember that Joanna who needed to be sick to her stomach before talking to a group of about 30 people. I really was a wreck. And so it’s almost –my evolution in public speaking is almost–a really good indictment on career counseling in high school and college. No one ever should have said to me, wow, being a lawyer and working in a courtroom is a great job for you, because if they had understood early–early in my development–how traumatic public speaking was for me, no matter the size of the audience, they would have said no, you need to be a–insert isolationist profession here–because the public speaking was just so hard. I had a mentor when I was working at Purdue University who essentially said, this thing is going to hold you back. If you can’t get a handle on public speaking, it will–you have tremendous potential–but this will hold you back. So, I am going to make you speak at every single thing we do in our department until you’re no longer sick to your stomach before a public speaking gig, until you no longer make me listen to your practice session seven or eight times before a speaking gig, until you go into a speaking gig, completely unprepared and do a spectacular job.

Joanna: So I still haven’t gotten into–gotten to that–go into a speaking gig spectacularly unprepared and do a spectacular job. I haven’t reached that yet. But being asked to speak no longer gives me the anxiety that it used to. I probably speak between six and 10 times a year in various contexts, whether it’s at conferences or to small groups personally and professionally, webinars, and that sort of thing. And I–I really can say that with practice comes a certain amount of familiarity and it lessens the anxiety for me. That’s not to say that if I had to speak in front of a group of 500 people tomorrow, that I–I wouldn’t spend every blessed minute before that presentation, cramming and practicing and making sure I can say my name correctly. But, even seven years ago, that type of context would have, would have stymied me and crippled me and it doesn’t anymore. And it’s just a mentor who said, you’re going to do this until you can do this well.

Ben: It’s really interesting, because I look back–my public speaking journey, so to speak, which I haven’t looked at it in that way. I think I did my first conference presentation somewhere around 2012, 2011. So, we’ve been speaking really, for about the same period of time.

Ben: I was really unsure of myself. What was funny, was the first opportunity I had at a conference was actually to do a lightning talk (and for our listeners a lightning talk is 20 slides that move on their own every 15 seconds, whether you’re prepared for them to move or not. So there’s always a possibility of a real train wreck happening with the speaker.) But that was the opportunity I was given and the chance to volunteer to do that at a conference–I think–helped me get past some of that fear of speaking.

Ben: The other thing that was interesting, was that I was video recorded, and I had so many mannerisms that I wasn’t aware of, and like, oh wow, I stand exactly like my mom used to with her hand. Or, just different things that are not necessarily bad things, but just things that I wasn’t aware of. So it’s really interesting. But my progression on speaking, I never had anyone come say, “You have to do this or it’s going to hold you back,” probably because I was not in a role where that would be the case. But my progression I think happened for a couple of reasons. One, I do classroom teaching every year, usually one or two classes per year, so I’ve always got that “in front of the students thing” which can still be terrifying on the first day, because at least for the first few years, I was sure they all knew more than I did about the subject.

Ben: Now, I’ve since learned differently about that–or maybe I’ve learned more about the subject–so I didn’t have quite that fear, but I still always have a concern about, “How are they reacting? Are they engaged with what I’m talking about? Will they understand the references that I use?” I was talking with somebody today–talking–when I talked to my Intro to Computing Security class last fall. We have a section where we talk about Remote Access Trojans (RATS), and MEECES, and MICE. They’re all these acronyms they’ve come up with, so I thought it would be really clever to slip in ROUSs, and only one person in the entire room understood the reference–even though I had a picture of the ROUS from The Princess Bride. So I’ve pretty much given up about references to films and things because there’s too much, “Oh yeah. Didn’t that come out when I was three?” sort of thing. And so that’s kind of been a little–I won’t talk about that part of it. But what was interesting in the public speaking at conferences, I kind of worked my way up because I did the five minute crash lightning talk–which actually went pretty well–but the following year, I co-presented with somebody, and I co-presented with somebody the next time, and that made it so much easier for me just to have someone up there with me.

Ben: And, we were both introverts. I think we were both nervous about it, but it just helped knowing that you are partnering with somebody. I didn’t actually do my first solo big presentation at a conference until two or three years ago. And that was the first time I spoke about introverted leadership, and discovered, hey, there are a lot of introverts in this group and this is important information for them. And that’s part of what has become the trigger for actually doing this podcast as well. But, I don’t want to monopolize the time with me by far here, but the public speaking thing is really, really interesting. Now…

Joanna: Well, I think, Ben, one of the things that you need to consider for your class is making The Princess Bride required viewing. I mean–I just think that is a base level of knowledge that any person today should have.

Ben:  That’s very true, and if I can find some way to work information security references into it, there may be a way to get by with it. I have to think about that for awhile. But I agree, that’s kind of fundamental to our culture. How can you not know, “My name is Inigo Montoya. You killed my father, Prepare to die.” It’s just such a base part of our culture.

Joanna:   “You killed my father, Prepare to die.”

Ben: Looking forward to the second part of our conversation.


Imploding Kittens Collar of Shame

How I felt after playing Exploding Kittens with Joanna.

Become a Patron!

  • 0

Ben Woelk–Spring 2018 Speaking and Conference Schedule

Category:EDUCAUSE,Information Security,Introverted Leadership,Leadership,Presentations,STC,Summit

Updated 18 February 2018

It’s going to be a busy few months for speaking engagements for the first half of the year! I hope to see many of you.

Speaking Engagements through June 2018

Topic Date Venue Registration Link Notes
Slack for Technical Writers and Editors 23 Jan STC San Diego and STC Rochester Virtual Workshop NA With Sara Feldman; Recording available.
Slack for Communities 16 Feb STC CAC Leadership Virtual Workshop NA With Sara Feldman
Lessons Learned on an Introvert’s Journey to Leadership 22 Feb STC Atlanta Webinar Sign up on Meetup to receive registration instructions
Lessons Learned on an Introvert’s Journey to Leadership 27 Feb Webinar for Quebec City Private
Digital Self Defense 28 Feb meRIT webinar Register Open Registration
Digital Self Defense 20 March American Society for Quality, Rochester Section 0204 Register
Spectrum 2018 25-27 March Rochester Institute of Technology Register on Eventbrite Co-chair, no formal presentation, 40+ presentations and workshops over 3 days
Digital Self Defense 3 April Rochester, NY Private
It Doesn’t Take Magic: Tricks of the Trade to Create an Effective Security Awareness Program 10 Apr Preconference seminar, Baltimore, MD Register at EDUCAUSE With Tara Schaufler, Princeton University. EDUCAUSE Security Professionals Conference, Separate registration required
Different Boats for Different Folks: Tales of Security Awareness Follies and Successes 11 Apr Panel Discussion, Baltimore, MD Register at EDUCAUSE With Sandy Silk, Harvard University; Christine Bonds, Elon University; Emily Harris, Vassar College, EDUCAUSE Security Professionals Conference
Slack Workshop TBD STC PMC Virtual Workshop TBD With Sara Feldman
Summit Leadership Program 20 May STC Summit Register
Temperament-Based Strategies for Excelling in the Workplace 20 May STC Summit Preconference Workshop Register Additional registration required
The Introvert in the Workplace: Becoming an Influencer and Leader 21 May STC Summit Presentation Register
Yes and…: Improv’ing Your Corporate Communication Skills 21 May STC Summit Workshop Register With Jack Molisani; Additional fee ($20) required; limited to 20 participants per session.
Yes and…: Improv’ing Your Corporate Communication Skills 22 May STC Summit Workshop Register With Jack Molisani; Additional fee ($20) required; limited to 20 participants per session.

  • 1

Building a Culture of Digital Self-Defense

Category:EDUCAUSE,Higher Education,Information Security,Infosec Communicator,Lessons Learned,Social Networking Tags : 

Note: This article was previously published on September 20, 2016 in the EDUCAUSE Review Security Matters Blog

One of the biggest challenges in information security is raising the awareness of our communities so that they recognize threats and understand how to defend themselves. The difficulty of that challenge is exacerbated with up to 30 percent turnover of students, faculty, and staff yearly. It’s a multiyear process, but the key is to stick with it and not be afraid to try new ways of raising awareness and enrolling your communities so that they become part of your security team. I’ve provided a list of key components to building that security culture below. I’ve also provided some examples of our work at the Rochester Institute of Technology (RIT).

dsdmagnetnoqrcodeThink Strategically

You can’t change or create a culture overnight, and gains may seem almost imperceptible at times. Recognize that you need to think of security awareness as a key component of your information security strategy. (Yes, you need a security awareness strategic plan.) A strategy enables you to identify long-term goals. Security is often reactive. For example, we might respond to phishing attempts by warning our communities as the attempts occur, rather than employing a phishing simulation program1 so that they’ll recognize phishes on their own. To create (and harden) a security-aware culture, you must be proactive. It’s not always possible to get ahead of specific threats, but we can train our communities to recognize many of them.

Have a Plan

Thinking strategically requires a plan. A plan enables you to define how you’ll reach the goals defined in your strategic plan. What communication vehicles are already available? What needs to be developed? Where do your audiences (you have at least three: faculty, staff, and students) get their information? Are there community or departmental leaders they follow? What topics should you cover and when? (EDUCAUSE provides a calendar of topics and member-created content that you can leverage.)

Brand Your Security Awareness Efforts

RIT’s security awareness efforts are branded under Digital Self-Defense. A brand helps make your security awareness efforts visible and memorable. Almost every communication or event around security awareness at RIT bears our “DSD guy” (seen above). After more than a decade, most constituents recognize him. (Your university or college might have requirements around branding that may or may not make security awareness branding possible. However, you can still use a common layout and design in your communications.)

Leverage Existing Opportunities

What existing opportunities are available for improving security awareness? Are there orientation events for students, faculty, or staff? Are there benefits or wellness fairs in which you can participate? Have you contacted departments to schedule security awareness discussions? Have you created an ongoing security awareness class, either in person or online? Have you put posters on your buses? Given away swag with security awareness messaging at orientations? Look around and see what existing opportunities you can leverage.


Be All Over Social Media

Where do your constituents get their information? Your university or college may have official news outlets or communication mechanisms. Does everyone follow them? Do students even read e-mail anymore? Who’s using Facebook? Twitter? Instagram? Pinterest? Snapchat? The rapidly evolving social media landscape offers opportunities, as well as challenges. Go where your audiences are. They’re unlikely to come to you. (As I write this blog post, we’re in the midst of our annual social media “like” campaign and expect to surpass 10,000 followers in our social media outlets.)

Identify and Leverage New Opportunities

Has your campus become a hotbed for Pokémon™ GO!? Have you thought of how you might leverage Poke Stops where students congregate? Maybe set up a security awareness table. Hang posters at Poke Stops inside buildings. What about Snapchat? Snapchat filters are really popular. Did you know that Snapchat allows you to create custom geofilters? Why not create some security awareness-oriented filters and offer them at high-traffic times and locations?

Hire Students with the Right Skill Sets and Mindsets

One of the strengths of our security awareness program at RIT is that we hire technology-savvy students with strong communication skills. After a while, you’ll probably find that well of inspiration you draw from has started to run dry. Student employees are a great source of innovative ideas and more importantly, they’re students. They understand how students communicate and how best to get their attention. Give them the freedom to be creative.

Enroll Your Community

It’s not really a secret, but we know as security professionals and IT organizations that we cannot secure our campuses without partnering with our user base. Have you thought about how you might enroll your users in your efforts? In fall 2015, we began our Digital Self-Defense Team program. The purpose of the program was twofold: we wanted to develop a sense of shared responsibility around information security, and we also wanted to begin measuring our successes with a survey. With small incentives for taking the survey, we had over 600 survey participants from a faculty/staff population of about 3,000. Almost half of the survey participants signed on to the Digital Self-Defense Team. That’s a growing population of security advocates on campus.

Volunteer and Network

I’ve been a member of the Higher Education Information Security Council (HEISC) Awareness and Training Working Group for almost 10 years. The innovative ideas and helpfulness of the group to new members are without parallel. Participation in the working group ensures a steady flow of new ideas and solutions to problems faced by all of us. Each of us has ideas to share, and the working group has developed a number of security awareness resources available today.2 I invite you to join us.


  1. Learn more about phishing simulation programs and read these 10 key points about implementing a campaign.
  2. The HEISC Information Security Guide: Effective Practices and Solutions for Higher Education includes several resources developed by the Awareness and Training Working Group: a quick start guide, detailed instruction manual, cybersecurity awareness resource library, and National Cyber Security Awareness Month resource kit.

  • 0

  • 0

What’s in a Name (and a Price)

Category:Information Security,Infosec Communicator,Internet Safety,mobile device,password,Privacy,Social Networking

Shockproofing CISSPI’ve changed the subtitle of my Kindle eBook on using social media safely to better communicate the subject matter. I’ve also lowered the price point to $0.99. The book sold reasonably well during the week-long reduce price promotion as a Kindle Countdown book, so I’ve reduced the price.

Thank you to my reviewers for providing their impressions of the book. Authoring and self publishing has been an interesting experience. I found my conversations with Guy Kawasaki and his APE: Author, Publisher, Entrepreneur to be especially helpful.

Nick Francesco is doing well with his Your Guru Guide submissions. I recommend checking them out if you’re interested in Chromebooks or how to best leverage Google Docs.

What would you like to see for my next eBook?

Site Search

Subscribe to Blog via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 2,111 other subscribers


Support Introverted Leadership on Patreon

Blubrry affiliate banner