S3 E10: A Compliance Journey with Tamara Lauterbach

Audio version

A Compliance Journey with Tamara Lauterbach

Transcript

Jordan Eisner: This is Jordan with Compliance Pointers in a special edition today. This is a Compliance Journey with Tamara Lauterbach of Guthrie Clinic. Tamara, great to have you on. You’re our first Compliance Journey guest.

Tamara Lauterbach: Thank you for having me. I’m super excited to lead the brigade here.

Jordan Eisner: Yeah, we’re excited as well. For our listeners and watchers, this is a little bit of a different take than what we typically do on this podcast. Now, Tam is going to give us a plethora of knowledge, I’m sure, in telling us about herself and her journey and what she’s accomplished. They’re going to be good nuggets of information to share and learn from that. That’s really the intent of this podcast, is to hear from somebody in the industry, somebody that’s lived it, breathed it, practiced it, has had success in it, and I’m sure has had failures in instances and has learned from those.

Yeah, we’re going to get started with this. I think it’s going to be very meaningful for our audience. Thank you for your willingness to participate.

Tamara Lauterbach: Of course. I’m happy to be here. Thank you for having me.

Jordan Eisner: Let’s start with, you are the Manager of Cybersecurity, the Guthrie Clinic. Tell us a little bit about your role, your responsibilities, maybe different groups you work with, how long you’ve been there. What would you want our listeners to know about you going into this podcast and your interview?

Tamara Lauterbach: Sure. I guess I’ve been with the Guthrie Clinic for almost two years now. I’m the manager of cybersecurity, so that is focusing on our GRC department, as well as our identity and access management.

Since I’ve been here, we have been making changes to our third-party risk management process, control, self-assessments, as well as ensuring that compliance and internal audit are aligned with our initiatives and requirements as well as regulatory requirements that we have to meet.

And then with identity and access management, we are doing everything under the sun we possibly can to just make sure that we are improving on our day-to-day processes, as well as ensuring that first line of defense is truly being managed and maintained for our caregivers, as we would call them here at the Guthrie Clinic, to ensure better quality of service.

So it’s just a constant battle. I would say working in cybersecurity, partnering with compliance and internal audit, it is a constant battle of understanding which level you need to be at from a risk perspective, and then also trying to change the culture as well to understanding the importance of corporate requirements that we have to manage and maintain on a regular cadence, but also ensuring that we are producing risk across the board. So it’s a challenge, but I welcome it, and honestly I love it, and I’m so grateful to be a part of the cybersecurity community as well as assisting compliance and internal audit throughout this journey.

Jordan Eisner: So you, like many cyber folks that I know, when asked the question of, hey, what do I do there, what are some of my roles and responsibilities, had a long laundry list of things, which is pretty typical of somebody in cyber. I think you folks are tasked with a lot, trying to manage a lot, and you’re aware of a lot of the risks that could befall an organization, and it just seems like an endless amount of work, right? Probably a hamster wheel a bit.

So part of how a cyber professional, at least in my understanding, can really be supportive of an organization is through culture and understanding that this is a team effort. It takes all of us together, one person, two persons, even a small team, or even a big team can manage all this. A lot of the incidents, a lot of the mistakes happen by employees for lack of a training, awareness, team buy-in.

So you talked about in your opening your role and your responsibilities, and you talked about the importance of culture and maybe changing the culture a little bit. So let’s talk about that to start. Give us a little sense of how you were able to do that, maybe some challenges you saw around that and recommendations you’d have for others for culture change.

Tamara Lauterbach: Yeah, so culture change is always going to be a huge process for any organization, regardless of your risk tolerance that you’re willing to take on.

As we were going through our original processes, we were identifying issues here at the Guthrie Clinic that were just some easy fixes. As we identified these easy fixes, we were updating our policies, we were making sure we had sponsorship from an executive level and above to ensure that when somebody who did not like the change came down the pipeline and started to just more or less be disgruntled about it, was able to be redirected in the right direction and understand that this is for the positive of the organization. We are trying to make these changes to bring on a level of awareness that we have to manage, maintain, and also just adapt to.

Every organization is totally different. There are organizations that still are working, in my opinion, over in the 1990s kind of level. There’s also organizations that are right there in 2025 where they’re trying to meet every tiny little requirement that is now put in place by cybersecurity regulations, frameworks, and etc., which is wonderful.

As you go through those changes, shifting from, like I said, the 90s to now 2025, you see that there’s still people that are behind the ball, I guess is a great way to put it. So try to get them to understand the why, understand why we are truly having to do these things now and not just saying, hey, it’s a regulatory requirement, but better yet, here’s the bigger picture of what we are trying to do as an organization. We’re not doing this to you. We’re doing this to the entire organization to be more risk-focused and try to reduce risk intake at the same exact time.

So we’ve seen challenges with our caretakers, our caregivers, I mean, as well as just trying to explain to them the importance of these things and understanding laws, regulatory requirements. Yeah, we understand extending password links can be difficult, but at the same exact time, it is what’s beneficial. We’re securing our information, our customers’ information, our proprietary information.

So it’s definitely been a challenge. I think beefing up our policies as our main one, the acceptable use of IT technology was probably our biggest process, it got individuals to start understanding like, okay, this is a company-owned device. And I preach that policy in every organization I’ve ever worked at.

Jordan Eisner: I’m glad you brought that up, talking about different organizations you’ve worked at. We’ve had the benefit at CompliancePoint of working with you at a couple of stops. So I’m aware that you’ve made multiple organizations better from a cybersecurity standpoint. What did you learn along the way that helped you, I’d say, inspire that culture change right and deal with some of those situations head on, whether it was just permanent employees or maybe there wasn’t an adoption or there had been a lack of adoption in the past.

You talk about it’s better for the organization, it’s better for the people, but anything for our listeners from a tactical standpoint that you would advise as well, this was a real game changer and I learned this at this stop and this is how I’m going to do this here on out in the future, meeting some of these challenges head on.

Tamara Lauterbach: Yeah, so I would definitely say from organization to organization, industry to industry, it’s of course 100% different every single time. The one commonality between them is how do you enforce that change?

And the way that I enforced it, I have learned, okay, well, if you just put the policy in place and just say that’s the policy, try to educate individuals by pushing out an LMS kind of learning or better yet, just a mass email. It doesn’t really get the message across. Everybody’s always super busy, they’re trying to work as fast as they can, do as much as they can, but still there’s always those times where it’s just, you miss that email. Or better yet, they don’t have enough time to pay attention to that learning video that you put together.

So I’ve identified definitely starting from sponsorship, building out the program in whole, having the policy ready to go, having it reviewed by our compliance department as well as our internal audit, HR, legal, making sure that you have buy-in from all those different areas before you decide to push out that program or that culture change has been a huge improvement across the board.

Having every level of leadership involved has been tremendous. And I mean, here working at the Guthrie Clinic, we also have our caregivers. So getting our lead doctors, wear them at the different hospitals and just communicating it downward. So then that way it has been a smoother process versus again, we’re doing this to them versus we’re trying to do what’s best for the organization.

Jordan Eisner: I’m sure you do deal with all different personality types too there too when you’re talking about corporate type jobs at the Guthrie Clinic, right? Business type, and then you also have your caregivers as well. So multiple personalities, so good on you for making that culture change. That takes somebody with passion about this industry and these areas.

So we started and we dove straight into the culture change and technically how you were doing that. But tell us a little bit more about yourself. How did you get into cyber? What interested you about it? How long you’ve been doing it now?

Tamara Lauterbach: So I originally got into, I’d say reporting analysis when I first started out. Then I shifted into security. So I started working in the SOC at a major bank.

As I continued to keep moving forward into my career, I started shifting more into healthcare. That’s where my passion originally started whenever I was younger. So I decided to kind of realign myself to a level of just want and desire and also a familiar spot.

So yeah, whenever I was younger, I started with a bachelor’s degree in psychology, moved into a master’s in public health and information technologies and systems and an MBA in fraud, forensics and leadership. So it has just been a continuous journey of education.

I would say to anybody ever starting out in cybersecurity, definitely having the foundations of a degree is huge and then making sure you get the certifications that’s really going to benefit you in your career path.

I have shifted from being in the SOC and thinking from forensics, threat intelligence, insider threat, helping build programs like that with multiple different organizations to now developing the GRC framework and developing these relationships with these other departments and found out that I get to bring a different skill set than just doing what I used to do and what I absolutely loved, which was insider threat user behavior analysis from a psychological level to now being able to explain, okay, here are the rules and regulations and the guide rails that we have to stay within as an organization. This is what internal audit and compliance is saying to us. This is what the rules are saying to us. This is how we need to interpret it.

So I found, I would say, a bigger passion in helping other individuals in IT and in cybersecurity understand and bridging that gap between everybody to help make sure that we are meeting the control objectives and reducing risk at the same time.

Jordan Eisner: I want to dive into that a little bit. So I like what you’re talking about and you to me embody somebody that started at the ground level, right? And some of these very frontline positions learned a lot about their cut your teeth on that.

Now you’ve of course moved on to manager type roles, but talking about going from where your passion was in forensics, threat intelligence, and now you’re, I wouldn’t say behind the scenes, but the policy, the governance, the risk, the compliance programs. We talked about culture a lot, management of personnel and getting organizational buy-in. How did what you, where you started help you, you know, I think where you are now and then how did that passion evolve to? Cause I know a lot of times it’s like, no, I want to be in, I want to be in the action and be doing these things. And this, this feels passive, just writing policies and that sort of thing. I want to actually be executing on that.

So talk a little bit about how starting there helped you get to where you are now, and maybe that awareness and knowledge of how it actually works and not just dictating policy and how you were able to keep the passion all along the way too.

Tamara Lauterbach: Well, I get told all the time, I’m very passionate about my work. And you know, sometimes that’s a really great thing. Sometimes it can over be a little bit overwhelming at times too.
Starting from forensics and starting from, you know, threat modeling, threat intelligence and cyber threat programs. It really allows you to see the nitty and gritty tiny details of how these programs are working on a very detailed minor level. You’re really getting into the nitty and gritty gear. Like you said, boots on the ground, frontline type of aspects. And you’re seeing the psychology of why people are doing certain things or why they clicked on certain things and trying to understand how to redevelop the program a little bit better, at least from that level.

When I shifted into GRC, I would say over six years ago now, almost seven, now that I think about it. It was definitely a change. It definitely took a lot of coaching to understand that it’s not all black and white, that there is a lot of gray. And with the controls that allows for that black and white tendency, but again, the controls are just words. They are just guide rails to say this is what an organization needs to achieve.
So the control, for example, would say, Hey, you need to be encrypted. It doesn’t say exactly what level of encryption you need to have or what tool to use for that level of encryption. So you need to then work with those other departments to tell the story, to say, okay, well this is the control. The control says we need to have encryption. We have TLS 1.2 or AES 256 or whatever the case may be. And these are the tools that we are using. This is how we’re enforcing it. This is how we’re monitoring it. This is how we’re measuring it. Here are the procedural documentation. Let’s beef up the policy to make sure it’s meeting the requirements of what it is at this time. So it’s really going into those tiny, nitty-gritty details, kind of similar to what you would see in a SIEM, just in a totally different perspective.

So once I was able to shift my brain from looking at an individual to looking at the control as the black and white, I was able to see that gray area and be able to develop it to meet the requirements of their organization. So it’s just shifting from using Splunk to using a compliance manager tool and explaining it to an auditor of how it works at our organization. So it’s been a challenge.

Jordan Eisner: So speaking of auditor and explaining things to auditors, and you’ll have to correct me if I’m wrong on this, but did I see recently that Guthrie Clinic is pursuing HITRUST?

Tamara Lauterbach: We are pursuing HITRUST. That is correct.

Jordan Eisner: Talk to us a little bit about why HITRUST, where you are in that process, what your expectations are for the rest. Have you done it before?

Tamara Lauterbach: So I’ve done HITRUST testing before whenever I worked at a major payer provider system for pretty much the United States. So I’ve had experience in that. I used to be a HITRUST practitioner myself. So it was really helpful to understand the scoring mechanism of how HITRUST works because it is a unified framework. And with it being unified, we can easily create a crosswalk from HITRUST into SOC into NIST into ISO and all the other different types of frameworks, which has been quite helpful.

The one thing I like about HITRUST the most is that it gets into a little bit more of the specifics of the control. Like I said, it goes into those tiny details that you wouldn’t usually see at a control framework. It will specifically say you have to have the encryption level at XYZ, for example, and you need to show proof of that to those details.

So with the Guthrie Clinic, the reason we’re going for HITRUST is we’re trying to test our parameter. So think of it like a medieval castle. We are testing our infrastructure as our perimeter and identifying if it is going to meet to these requirements or not, which we have done a readiness assessment already and had really good test scores, in my personal opinion, and as well as our auditors. So we’re going to be going for validation here shortly. So it would just be an E1. And eventually we’re planning to expand it as we continue to keep growing.

But as every organization, as it goes for any type of framework, instead of jumping two feet in and just hoping that you meet those 300 or 400 or 500 controls without an issue, it’s easier to develop that culture change and develop the true sense of true organizational control monitoring by doing a crawl, walk, run process versus, like I said, just jumping in with both feet and just praying for the best because we’re trying to be strategic with cost, time, and also what tools we need to invest more time in.

Jordan Eisner: So you’re stair-stepping a little bit in HITRUST, of course, with all its various options nowadays gives you that capability. Well, that sounds good. Sounds like you’re going to be expecting good results on the validated assessment.

Tamara Lauterbach: Yes. We are quite excited.

Jordan Eisner: So look, I mean, there’s no shortage of experience and I think expertise even demonstrated in the 15 minutes we’ve been talking so far.

What about some of the biggest challenges you faced in cybersecurity and how you overcame those or things maybe you still don’t like to this day to do in cybersecurity? Are you just truly that passionate? You like it all?

Tamara Lauterbach: Well, of course, I like all of cybersecurity. I mean, just like anybody who works in cybersecurity, you have your strengths and you have your weaknesses.

I’ll say definitely my strength is in GRC, although it sometimes can be my weakness as well. So it just depends on, I guess, the day and the subject more or less, trying to just kind of feel the right path, finding who you are, what you want to do, what you truly want that inner voice to be, what do you want your career to truly state of who you are as an individual is, I guess, what you need to hone yourself into.
Over the years, I’ve found challenges across the board of just maybe there’s a better way I can communicate this. Maybe there’s a better way I can handle it.

So I would say that’s my own personal challenges I have been noticing over the years and with age as well and just time and the role and time and experience in everything you do. It makes you a little bit better at it every day.

Jordan Eisner: So you were saying communication. And yeah, I agree with you. I think every person gets better at communicating over time. But for those listening from a cybersecurity standpoint, they might think, well, it is what it is. Like you said, right? It’s black and white. You got to secure the organization. They need to like it or not. But maybe this is where you go back to the culture thing or even you were talking earlier about there’s more grade to it than you think. And you need buy and adoption. And so you see communication as a big piece of that. And that’s a lot of what you’ve learned across your journey.

Tamara Lauterbach: Absolutely. Yeah, there are so many things you could get better at. So many things you could get better at. And communication is one of the biggest ones, especially developing the way that you’re going to deliver that communication. So being a true storyteller has been a huge process of my career and something I can always get better at. You know, definitely not the best.

Jordan Eisner: So I had a thought while you were talking about some of that. And if the answer to this is no, obviously CompliancePoint looks at itself with organizations as a third party, third party expert in helping. How about the role of consultants or auditors or vendors really in this instance, third-party vendors in helping communicate to the employee base and helping communicate the importance of cybersecurity? Is that something you’ve leaned on?

Do you feel like it’s been more just internal development and focus and maybe peer groups and networking groups you’re part of? Or have third parties played a role in that?

Tamara Lauterbach: Well, definitely third parties have played a role in it. You know, definitely utilizing our compliance department as well as our internal audit and external audit department have been huge with, I would say, almost being a sounding board of where my thoughts were at and how maybe we should convey the message of the culture change or the changes in general that we are trying to enforce have been a huge help.

I will also say, you know, my mentors and even my leadership have been a help as well in that process because there is just so many things to take into consideration. You know, understanding the psychology of just how people think on a regular basis to as simple as how it could be perceived by an end user and et cetera.

So, you know, having those multiple different areas of avenues, you know, just for an outlet and just say, hey, does this sound right? It has made a world of a difference just with communicating effectively.

Jordan Eisner: So another thing I’m glad you brought up because I’ve been working with individuals in the cybersecurity space and IT, legal side, regulatory compliance for over 10 years now, but there’s always a theme with cybersecurity professionals I see and that’s the importance of mentorship. They talk about their mentors. But then also on the flip side, I see a lot of mentors talking, you know, really taking it real seriously, mentees and educating in this space.

I’d be interested in why you think that’s so unique to cybersecurity. And you also mentioned, I know you’re an active member in Women in Cybersecurity organization, so maybe somebody watching or listening, how do they get involved?

Somebody might be saying, well, I’m in cybersecurity, I’m an analyst, I’m doing this. I don’t even know where to start, where to go, because they don’t have it in my organization or it’s too political or some of the nature. Where can I seek this mentorship in organizations or elsewhere to help me grow personally like you have, Tam?

Tamara Lauterbach: Yeah, definitely reaching out to your direct leadership would be a huge part in that. Of course, you could always go to Women in Cybersecurity’s website, you know, log in, become a member. I don’t believe it costs anything to associate yourself with a specific area.

Same thing with InfraGard is another one that I’m a part of. There’s the Association of Certified Fraud Examiners I’m a part of. All of these organizations, even ISACA, for example, have been huge benefits to my understanding, my knowledge, my entire gain in my career as well. Without talking to these individuals or learning from these individuals or participating in these conferences or talks, I don’t think I would have been as successful because it helps me talk to like-minded individuals, let you understand that, you know, hey, the way you’re thinking is actually accurate. You’re not off base. And instead, you’re staying right in the spot you need to. So it’s not giving you that self-doubt. Am I thinking too much into this? Am I doing it wrong? Because cybersecurity is pretty complex.

And even from a compliance or even internal audit standpoint, yeah, there’s a level that you have to take into consideration and understand of what this organization is trying to do. And like I said, each organization is different of what they want to do and how they want to assume the risk. So having like-minded individuals to talk to and bounce ideas off makes a world of a difference.

So just go out to those sites and, you know, try to be a part of a local chapter.

Jordan Eisner: Well, yeah, I was about to say it’s more than just signing up. You got to actually put yourself there. You know, maybe in an uncomfortable situation, you have to go out, you have to join the networking events, you have to ask questions, you got to meet people. Your mentors, were they people that you reported into, leaders at your company or was it people that you met at these sort of organizational events and in these groups or a combination?

Tamara Lauterbach: It’s been a combination. You know, definitely my mentors have usually been my direct leadership or in one way, shape or another. I have mentors outside of my organization as well that I really value having a quick chat of 30 minutes to an hour and just saying, you know, this is what’s going on. Is this normal? Is this going on this way too? Okay, we’re all failed this way. Then it’s definitely just the world of today.

You know, I’ve met people at conferences where we talk about how we’ve made our organizations better and what steps we have taken, compared ideas, identified, you know, oh, yeah, that was such a pain for us to try to move forward. I would suggest going maybe this way if I had to look back and, you know, heeding each other’s advice versus being like, oh, well, they were unsuccessful. It’s like, no, learn from their mistakes too so you can be better. So honestly, getting out there helps.

Jordan Eisner: Yeah, there’s wisdom in that.

You’ve had multiple stops across your journey. What’s a common issue, efficiency. I don’t want you to speak ill of, you know, current or former, right, employers and organizations. But what do you run into time and time again when you’re starting a new organization or when you’re talking with peers or others in your network when they’re starting a new organization that is perhaps low-hanging fruit to clean up or is high impact enough that even if it’s not low level of effort needs to be addressed quickly. So where do you see that continuing to be a common issue within organizations?

Tamara Lauterbach: You know, each one is totally different. When I worked at the payer provider system, we were dealing with little nitpick things that we just needed to get better at. We needed to improve. At the banks I’ve worked at, same exact things.

Here at the Guthrie Clinic, it’s totally different. We already have a program, we’re instituting it, we’re making it better, we’re massaging out the issues and making it better. So it’s never the same across the board.

Jordan Eisner: So constant maturity, just constantly maturing operations and increasing process, which is a lot harder to do than it sounds, especially when the bad guys are constantly changing maybe at a rate quicker than compliance and the good guys can keep up. What are some of the best avenues you’ve tapped into for doing this for constant improvement from a cybersecurity or GRC standpoint?

Tamara Lauterbach: You know, we’ve leveraged other organizations’ impacts. So similar ones that would be similar to the organization that I’m working for showing, okay, this is what organization XYZ went through. This just happened in the last six months to a year. This is where we’re currently standing.
So comparing their model to our model on similarities of what we do know, because we don’t always know what’s behind the scenes at company XYZ. But taking our most educated guess and then saying, how can we strengthen that perimeter that I was talking to you about and make it better? So that is definitely one of the bigger pieces that we had to bring into play.

So it’s understanding the threat intelligence. Like you said, trying to be smarter and quicker and faster than the bad guys before they get into our system and take advantage of us in any way, shape or form.
It has been nothing but a challenge, but it’s a good challenge because you’re doing muscle memory. You’re expanding those muscles. You’re growing them. You’re educating your company even on, hey, I understand you just got a call from the fake sheriff department down the street wanting you to turn yourself in for traffic tickets.

But in reality, it’s teaching individuals a level of education, a level of due diligence too. Saying, now why would they call you? They should be showing up at your door. Let’s think that one through. Let’s think through a level of common sense here. They’re using scare tactics to get you to do what they want. And that’s kind of what they’ve always done. It’s just they shifted the narrative.

Jordan Eisner: So, yeah, I’ve known people, experts even, that have fallen for some of those things. They can be sneaky good.

I really liked how you, knowingly or unknowingly, you were able to do that. And you talked about constant process improvement. You talked about individually in your networking and your peers and using organizations or it’s not organizations, sorry, others in your network as sounding boards for how to do things and learning from others’ mistakes. And you bridge that to organizationally. How do you continue with process improvement? Well, you look at somebody that’s similar to you from an organization setup, industry standpoint, and you learn from their mistakes, your own and theirs. So that was a good, whether intentional or unintentional.

I guess as we start to get towards the end of this podcast, you’ve worked in healthcare. That’s where your passion is in cybersecurity. There’s such a threat against that industry and it’s constantly being attacked. And we’re seeing more and more. And there seems to be a lot of immaturity in that industry as well. Or maybe that’s just what we’re led to believe because of all the incidents and all the attacks and it scrutinized a lot.

But it looks like there’s changes. I can’t say it looks like there’s changes. There’s a lot being proposed, a lot being talked about in the healthcare industry and enhancement of requirements and enforcement. And some people look at it as well. They’re catching up for other frameworks and that sort of thing.
But what are your thoughts? As a takeaway, maybe we start to wrap this podcast on why the healthcare industry is targeted so heavily and what you see changing or coming in the horizon for that industry for cybersecurity professionals in it to correct some of what’s been some deficiencies and some big losses historically.

Tamara Lauterbach: Well, I mean, if you just look back at history, it kind of explains it for us. It already set the path up. So with financial institutions, big tech as well as oil and gas, those types of industries, they have certain regulations they have to meet. And there’s no ifs, ands, or bets about it, to be honest, because it is so regularly traded. And so they have to meet this level of a golden standard, which enforces a lot of these control sets to be in place.

Now, if you look at what is happening in the world today, healthcare organizations are being targeted. And that is because there was this level of honor among thieves. Why wouldn’t you go and target a bank versus why would you go and target a hospital? Well, you could be eventually at that hospital even as a threat actor one day. So why would you want your personal health information to be potentially leaked? Think about that level of psychology. The same could be said about somebody’s bank account. But again, there’s a level of insurance in place.

So I’m not saying hospitals haven’t been heavily regulated because there is regulations with HIPAA. But they maybe didn’t have to enforce it to the level of say, those financial institutions have had to. So with the turn of what is happening since even COVID, we’re seeing that honor among thieves that I talked about slowly deteriorating over time. And that is because the healthcare industry wasn’t as maybe to the point of regulatory requirements as say, the financial institution. Like the state of New York has beefed up their regulations, so has California and other major states to ensure that our public health information is being maintained and measured on a regular cadence to ensure that those control maturities are in place. So as we continue to keep moving forward and we keep identifying the risks, keep identifying the patterns that we are seeing that are happening across the board, it’s going to allow these industries to really grow and develop and set those higher level of expectations for healthcare companies across the board.

Jordan Eisner: Well put. I think that’s a great end to this podcast, Tam. Thank you so much for your time. I think there’s been a lot of meaningful information they’ve shared here. And I think the audience will get a lot out of it. And we’re going to have to have you back on here sometime.

Tamara Lauterbach: I’d love to come back and speak again. So thank you for having me. I appreciate it.