Tammy Klotz – Versum Materials, a subsidiary of Merck KGaA

When Air Products & Chemicals Inc. spun off its electronic materials business in October 2016, the spinoff’s CIO asked Tammy Klotz to lead the information security program for the new company, Versum Materials.

She was flattered, but apprehensive. After all, the world of electronics moves at rapid speed, with instant access to sensitive information providing constant business risk. The only certainty would be late nights focused on balancing business productivity and security risk—daily.

Tammy Klotz | Chief Information Security Officer

“IT tends to be a little insular,” Klotz says. “It’s usually all about keeping the lights on. But understanding how the business operates and how IT enables the business is key. I had the opportunity and relationships with both my IT colleagues and our business partners to be successful in this new challenge.

Natural progression

Not long after receiving the offer, she accepted, and has since been the chief information security officer leading all security initiatives for the company.

In October 2019, Versum was acquired by Merck KGaA of Darmstadt, Germany—with 55,000 employees in 66 countries working in a range of industries, and technologies that include semiconductor materials, chemicals and gases for semiconductor fabrication, polymer removal chemistries, conductive adhesives … anything an advanced electronics manufacturer might need.

In some ways, Klotz describes her story as a natural progression. “I started at Air Products immediately after college in the company’s career development program. It was a set of rotational assignments during my first three years of employment with the company.”

With an IT staff of more than 600 when she started, Klotz was challenged to network. After 21 years in the IT organization holding a variety of leadership positions, she was tapped on the shoulder to take an opportunity in internal audit.

Initially leery, Klotz said “I’Il go talk to them.”

In hindsight, she says, “It was one of the best things I could have done. Moving out of the IT organization gave me a broader perspective on how the company actually ran.”

The feeling was mutual.

Necessary evil

Publicly traded Air Products was subject to multiple regulations, including the Sarbanes-Oxley Act of 2002 which aimed to stop accounting errors and fraudulent practices in the wake of scandals at Enron, WorldCom, Tyco and others.

Klotz was among a select few inside Air Products with knowledge of the law, known colloquially as SOX.

SOX changed how IT departments stored corporate electronic records and defined which records should be stored, and for how long, (“not less than five years”) with penalties including fines and imprisonment.

“There are regulations in SOX where IT general controls play a key part,” she says. “Folks need to understand how those internal controls can impact the financial reporting of the company.”

Communicating SOX to the executive leadership team in a non-threatening way was key, Klotz says. It needed to be presented accurately so folks could understand the business requirements and reasons for compliance, rather than wielding SOX as a big stick just to get things done. IT controls are a necessary evil that the company is dependent on for accurate financial reporting. Explaining how IT fits into the big picture of a company’s success is fundamental. Is it easy? Definitely not!

“I’m a big proponent of distilling things down to relevant points and topics for folks,” Klotz says. “We got into conversations around concept of risk—why it was important, how you mitigate, what is residual risk, and is that acceptable?”

Leveraging her relationships in IT served her well when it came time to evangelize about SOX. Good strategy also helped.

“Bringing in audit early, as opposed to the end of a discussion about compliance, is really key to demonstrating a solid partnership between IT and audit,” she says.

It was a similar exercise in strategy when asked by the board of directors to perform a cybersecurity audit. While this could have been perceived as opportunistic, it was looked upon much more as a threat. Laying the necessary groundwork to support the audit was a struggle and did make for some headaches.

New day

When Air Products got a new CEO who wanted to focus the company “on being the best industrial gas company in the world,” Versum would be spun off as an electronic materials business focused on chemical manufacturing for the semiconductor industry.

Klotz had worked with Versum’s newly named CIO Dave Beltz while in IT at Air Products. With her deep experience in audit, internal controls and security, and with a broad knowledge of the business, Beltz encouraged her to apply to the IT leadership team to lead the security program.

Her first year in that role at Versum was spent “churning,” and Beltz told her: “You took a risk to join me. If things don’t work out for some reason, invest in yourself and get your certifications so you are marketable when then time comes.”

Klotz dove headlong into the certification process and achieved CISSP, CRISC and CISM designations within months, studying at night and on weekends, online and after work.

When Versum launched, she had a new title and her biggest role in an already accomplished career—responsibility for designing a security program around three primary pillars: IT security, information security, and operational technology (OT) security.

Klotz says she’s most proud of the latter, setting up three different types of systems. The first was for production process control equipment, such as valves, temperatures and gauges that affect quality and production; the second for analytical systems to make sure work is meeting customer specs; and the third for research and development systems serving any work done in research.

“With intellectual property involved in manufacturing,” she says, “it’s very important to have these operations properly segregated to not be a threat to one another. If ransomware were downloaded via the enterprise architecture, it would be very dangerous to have the manufacturing side exposed to that.”

Moving forward

In recent years, Klotz has been busy implementing programs around a strategy of “working anytime, from anyplace, on any device.”

That means the lean Versum IT staff of 28 IT professionals is focused on protecting the identity of employees and the data of the company. This includes ensuring data in the cloud is properly handled, coaching employees on how to secure their devices, and more.

“It’s all coming full circle,” Klotz says. “We’ve been a small, agile company that gets things done swiftly. We migrated 2,400 endpoints and 40 network locations globally. Applications were migrated to the cloud or other Software as a Service platforms. And we did it all securely!”

Which isn’t surprising. After all, Klotz isn’t afraid of a few late nights.