Shawn opens with a refreshingly honest framing of his own transition. Moving from cybersecurity director to CIO was not a pivot away from what he knows; it was the next seat at the table, with broader authority and broader responsibility. He acknowledges that the jump can feel intimidating for security professionals who have spent years becoming deeply competent in their lane, but his approach is consistent with how he handles everything: start with a solid foundation, do not rush the advanced stuff until you understand the basics, and treat failure as a data point rather than a verdict. That philosophy runs through every part of this episode and gives it a coherence that is rare when a conversation covers as much ground as this one does.
The most memorable story Shawn tells is the one he did not expect to tell. He decided to inventory how people in his organization were actually using the Copilot licenses they already had. He made phone calls, asked questions, and mostly found people using it for email. Then he got to a colleague he had already written off as the email guy, a bit older, not exactly a technology enthusiast by reputation. That man had 32 agents running, had worked through every level of the Microsoft training curriculum from beginner to developer, and was receiving a morning briefing PDF in his inbox by 6:00 AM every day summarizing everything he needed to know to start work. Shawn tells that story with the kind of genuine surprise that lands because it is clearly real. It also sets up his broader argument: AI adoption at the enterprise level is not being led by the people you expect, and the skill driving results is not technical fluency but the managerial ability to onboard a new tool the same way you would onboard a new employee. The Microsoft internal study on Copilot proved exactly that. Only 15% of users at a technology company became sustained power users, and the common thread was not their technical background. It was that they treated the tool like an intern, took time to explain the context, the job, and the expectations, and let it get better over time.
The women in technology conversation that takes up the back half of this episode deserves its own mention because it does not happen from the usual angle. Shawn and the host approach it as two fathers of daughters who are going into tech, which grounds the conversation in something personal before it becomes systemic. Shawn is direct that the problem is not women needing to do more. The system is not set up to provide an equal playing field, and the organizations still fighting with one arm tied behind their back because they are not drawing on the full talent available to them are making a strategic mistake. He has built a team where 30% of the IT technical staff is female, he actively targets his nieces for tech conversations, and he talks about Girls Who Code with the kind of firsthand familiarity that comes from a daughter who attended the program. What makes this section work is that Shawn keeps the focus exactly where he says it belongs: not on how women can adapt to a broken system, but on what the men in the room need to do differently.
Resources mentioned in this episode
Matthew Connor on LinkedIn
CyberLynx Website
Shawn Hamm on LinkedIn
The Cyber Business Podcast Website
This episode is brought to you by CyberLynx.com
Cyber Business Podcast
Guest: Shawn Hamm, Cybersecurity Director transitioning to CIO
Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Shawn Hamm, who is transitioning from Director of Cybersecurity to CIO. Shawn, welcome to the show.
Shawn Hamm: Thank you, Matt. Thank you for having me.
Matthew Connor: Before we get started — thank you for your service.
Shawn Hamm: Hey, you caught me off guard with that one. My pleasure.
Matthew Connor: Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? CyberLynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.
Shawn, let's talk about transitioning from Director of Cybersecurity to CIO. What drove that move?
Shawn Hamm: It was really just the next evolution — moving to the next level of leadership. The opportunity presented itself at a smaller company, but it comes with the authority and accountability to do the job right. Both of those things were big sellers for me, so I decided to make the move.
Matthew Connor: I think for a lot of people, that transition from the security side to CIO — where you're now responsible for both security and IT broadly — can feel a bit intimidating, especially if you've built a real comfort zone on the security side. And now with AI accelerating everything, both sides of the house are moving faster than ever. How do you propose people keep up with that pace?
Shawn Hamm: You have to start with a solid foundation. If you don't understand the basics, you shouldn't be trying the more advanced stuff. Most organizations have a Microsoft tenant with Copilot built in, and it's fairly secure out of the box — but you really need to make sure everything is configured properly for your environment. Don't give regular workers global admin access to their Copilot. Make sure everyone is going through the available training. If you're a Microsoft partner, that training is free and built in — just go do it.
Personally, the last couple of weeks I've been running OpenAI's open-source tools at home just to have something to experiment with. I've learned a lot — I've crashed it, overloaded it, started on a small HP mini PC and ended up migrating it to a full build with an i9, 128 gigs of RAM, four terabytes of SSD, and a GTX 5090. It's got some real horsepower now.
But that's actually how you learn. I once asked it to review a document on my internal NAS drive, worked through that task, and eventually went to bed. Woke up the next morning and discovered it had indexed every file on every computer in the house in anticipation of me asking it something else. It kind of got away from me. But I don't see that as a failure — I see it as a learning experience. With any new tool, you have to go through the failures to understand how to set the right boundaries.
I highly recommend watching YouTube tutorials, talking to others who are working with the technology, and just getting your hands on it. When I started looking around my own organization at who actually had Copilot licenses and who was really using them, I got varied responses. One person said they just used it for email. Another — an older gentleman I honestly expected to be at that same level — shared his screen and showed me 32 agents he'd built, each doing something different. He said three-quarters of his day used to be repetitive tasks. Now he shows up at 6 AM, there's a PDF in his inbox with a dashboard summary of everything he needs to start his day, and agents send him updates throughout the day. He'd been doing this for about a year. He said getting started was hard, but he found the free Microsoft learning path in the tenant, worked through beginner, then intermediate, then expert, and was just starting the developer-level courses.
That inspired me to start an AI council — at least a monthly discussion where someone showcases an agent they've built or something interesting they're doing. A lot of people didn't even know you could build an agent and share it with others, or that you could push useful agents out to other teams. Once you have something that works well, you can replicate it across departments. The sales team, the field teams — a lot of their repetitive tasks are the same. There's a lot of opportunity there that people don't even realize exists.
Matthew Connor: That's a fantastic story, and a great illustration of why you shouldn't assume who is and isn't engaging with this technology. The guy you expected to be the least tech-forward turned out to be the power user. And I think this gets at something really interesting — the Microsoft Copilot approach is actually a great model for how to think about AI adoption more broadly. It's already baked into the tenant with solid data governance, your information stays within your environment, and it doesn't end up training external models. What's your overall take on how organizations should be thinking about the Microsoft AI ecosystem versus the more open, bleeding-edge options out there?
Shawn Hamm: The Copilot environment was designed from the ground up to keep your data within your tenant. Nobody outside your environment is going to read your financial reports, because they're not going to leak out the way they might if you uploaded those documents to a public model. If you upload sensitive documents to a consumer AI product, that information can be mined and potentially found by anyone who knows how to look. Copilot is purpose-built to prevent that.
The downside is accessibility. There isn't really a free version for individuals or students to learn on — you need to spin up a tenant, pay for licensing, and pay for usage. That's a significant barrier for people early in their careers who want to develop skills. If I were advising Microsoft, I'd find a way to offer a free or near-free version so people can build those skills before they're in a live enterprise environment. The other AI platforms at $20 to $40 a month are much more accessible for personal learning.
As for the more open, bleeding-edge tools — I've been running those at home for exactly that reason. It's a sandbox. I can experiment freely, break things, learn from it, and apply those lessons without any risk to a production environment. The genie-in-the-lamp analogy is a good one: if you tell a genie you want to be rich and he robs a bank on your behalf, that's on you for not being specific. You have to be precise with your instructions. That's how you build good controls. When I set up Copilot for my organization, one of the first things I did was upload all our policy manuals to a central SharePoint location and instruct the Copilot to review them and behave within those parameters. Is it configured perfectly? Not yet. But we're building toward it incrementally.
Matthew Connor: That's great. And your point about every company's tech stack being unique — like a fingerprint — is so true. No CIO candidate is going to be an expert in all 40 technologies on your job posting, and that's fine. What matters increasingly is the human side. Can this person integrate into the culture? Can they lead, communicate, build trust with the team? I think AI is actually accelerating the importance of those durable skills. The Microsoft Copilot adoption data you referenced is a perfect example — the power users weren't the most technically advanced people, they were the ones who treated the AI like a new team member that needed to be onboarded, trained, and given clear direction. That's a management skill, not a tech skill.
Shawn Hamm: Exactly. And intern is probably the right label for it. It's not quite like treating it as a child, because in many ways AI is extraordinarily capable — it's more like a brilliant intern who is highly educated and eager to please, but has no context about your specific company or what you actually need. You have to provide that context clearly. The 15% who became power users at Microsoft were the ones with the people skills and management instincts to do that naturally.
I think the org structure of the future looks like this: you still have your CEO, your C-suite, your VPs and directors — but each of them has a collection of agents working around them. Maybe a half-dozen, maybe a dozen. The humans are there to make the decisions that actually matter. Jeff Bezos made the point that on any given day, even at the top of the organization, you might make one or two truly important decisions. AI handles everything else, so when that decision moment comes, you're not suffering from decision fatigue. You're clear, you're rested, you have full context. That's the real productivity gain.
Matthew Connor: I agree. And there's a human wellness dimension to all of this too. The pace of technology can become genuinely exhausting if you don't create boundaries. I think actively unplugging — real unplugging, not just switching from work apps to Instagram — becomes more important, not less, as AI accelerates everything around us. What does that look like for you personally?
Shawn Hamm: I started noticing my memory getting foggy and my thinking getting slower, and I assumed it was just getting older. Got the blood work done — everything was fine. What I eventually figured out was that the constant digital stimulation was the problem. The moment I started taking real breaks — genuinely unplugging, getting bored the way you used to get bored as a kid waiting for your parents — my memory came back. My thinking sharpened.
My answer is jet skiing. I go out on the water near me, sometimes at 6 AM with my daughters, and we're gone for hours. You can't scroll on a jet ski. That forced disconnection is exactly what my brain needed. I've done the trip to the Bahamas a few times. Last Christmas we took the family to Jamaica and I confiscated everyone's devices — mine included — for the first four days. No TV, no tablets, no phones. And what I found was I learned more about my kids in that week than I had in the entire year before it. Real conversations. Real presence. It was remarkable.
We've actually made it a family tradition now — every year at Christmas we take a trip instead of exchanging presents. The gift is being present together. Whether it's an international trip or a local campground, we unplug and spend real time with each other. And Dad picks the destination.
Matthew Connor: I love that. Now — I want to shift to a topic I think is really important, and one we haven't explored enough on this show from the male perspective. Women in IT. We've had several women CIOs and CISOs on to talk about their experiences, but we haven't had two guys sit down and talk about our role in making this industry more equitable. And as fathers of daughters who are interested in tech, this hits close to home for both of us. Where do you start?
Shawn Hamm: Start in your own environment. Talk to your daughters, your nieces, your neighbor's kids. Teach them about technology. When my oldest was young I used to build PCs as a side business, and she would sit on the bench next to me and watch. Eventually she was building them herself. When her friends would come over I'd try to show them something interesting I was working on, see if I could spark some curiosity. I make myself available to any young person in my extended family who has questions about tech — and I specifically target my nieces. Ask them what they're thinking about for their future, whether tech might be interesting to them.
On the hiring side, I've been in positions to hire for about fifteen or sixteen years now. I've made it a consistent practice to hire female candidates over male ones when the choice presents itself, and I'll tell you — my track record hiring women has been significantly better. They tend to bring more focus, more drive to sharpen their skills, more care in how they approach their work. And part of that, let's be honest, is because the system has made them work harder to prove themselves. A man can be average and get by. A woman often has to be exceptional just to be seen as equal. That's not a compliment to the system — it's an indictment of it.
Matthew Connor: I want to push back on that slightly — not the reality of it, but the framing. Because I think the way we need to start talking about it to other guys isn't just "women work harder." It's that if you're only seeing the world through one lens, you're making worse decisions. You're fighting with one eye closed. The female perspective doesn't just add diversity for its own sake — it fills in the half of the picture you literally cannot see from where you're standing. No single human perceives the world accurately; we all filter it through our own experience. So if your leadership team is all one gender, you are systematically missing half the available insight. It's not a fairness argument — it's a strategic one.
Shawn Hamm: One hundred percent. And if you look at other male-dominated industries — construction, oil rigs, deep-sea fishing — you could maybe argue there's a physical dimension to those roles. But what does it take to lift a keyboard? The capacity to learn, to think, to solve problems — that's all in the mind. If someone is capable, they should have the opportunity, full stop.
My older daughter is really into gaming, and we've been careful to build her an online persona that doesn't identify her gender because of how female gamers get treated. That's exactly the problem — gaming is often the entry point into tech, and for a lot of young women, what they encounter there turns them off the whole field. The anonymity of online spaces is the enabler. Put a real name and face behind those interactions and most of that behavior evaporates overnight. Gaming platforms could force that issue — verify identity, and the moment someone says something racist or sexist, that's public. Their employer knows. That accountability changes behavior fast.
But the deeper issue is cultural. We encourage boys to be aggressive and competitive from a very early age, and we don't do the same for girls. And then we put women in a workplace where that same competitive energy is received negatively when they display it. That's a system failure, and it starts early. Girls Who Code is a great example of how you can intervene at the system level. Reshma Saujani started it because she recognized that it wasn't that girls weren't technically inclined — it was that there was no space designed to encourage and support them. The results have been remarkable. Tens of thousands of young women redirected into careers in tech who wouldn't have been otherwise.
My daughter was actually nominated for a Google coding camp at 14 — a teacher submitted her name based on project work she'd done. The acceptance letter arrived at the house, the first piece of mail she'd ever received addressed to her. She was thrilled. When we called to enroll, they told us the minimum age was 16 for insurance reasons. She was heartbroken. But we found a local community college Girls Who Code program, signed her up without even asking — I just told her we were doing it — and on day one she was downstairs before the alarm, dressed, fed, and standing at the door asking if we could leave. She's now heading to college for biomedical engineering with a minor in quantum computing. I found that out literally yesterday. I couldn't be more proud.
Matthew Connor: That is a fantastic story. And quantum computing with biomedical engineering — that is a combination that is going to matter enormously in the next decade. She's thinking ahead of most adults in the field right now.
Back to the systemic piece: I think what you're describing is exactly right. It's not about asking women to do more or be more. They're already doing more to get the same recognition. The work is on us as men — as fathers, as hiring managers, as team leaders — to change how we see things, how we build our teams, how we respond when we see the system failing. It's not heavy lifting. It's just being fair. Seeing things clearly.
Shawn Hamm: That's exactly it. And it starts with getting those perspectives into the room. I've made a point in my current role — about 30% of my IT technical staff is female, and I'm proud of that. Not because I'm checking a box, but because that team is sharper for it. One of the first changes I made when I came in was making sure everyone knew about the free Microsoft training resources available through the tenant. Nobody on the team even knew they existed. That's a failure of the previous system. So now I'm building a structured training program — a minimum number of training hours per quarter, tracked as part of performance reviews. And I'm not lowering the bar for anyone. I want to see everyone pushing to learn, and I fully expect the people who start clicking through those courses to get a little obsessed about it. That's fine. That's what great technical teams look like.
Eventually I'd like to push for funded off-site training — a week of focused, intensive learning for everyone, every year. I did that at a previous employer and the impact on the team was significant. It's in my budget request for 2027.
Matthew Connor: Shawn, this has been an absolute pleasure. I think we could do this all day. Before we go, can you tell everyone where they can find out more about you?
Shawn Hamm: I'll pass my LinkedIn information to Matthew and the team to link in the show notes — that's the best place to find me. I'm also blogging this year with a goal of covering at least 50 cybersecurity and manufacturing topics, so look for those as well.
Matthew Connor: Fantastic. Shawn, thanks so much for coming on. Until next time.
Shawn Hamm: Appreciate it. Thank you, Matt.