Inside the episode: What I learned from speaking with Larry Tampkins
I recently had the opportunity to sit down with Larry Tampkins, IT and Information Systems Director at Aspen Pumps Group, for the latest episode of the Communicating Cyber series. With more than twenty years’ experience leading digital transformation across sectors as diverse as food and beverage, telecoms, utilities, and government, Larry has built a reputation for turning complex technology into clear business value. His career has spanned consulting, software vendors, and senior in-house roles, giving him a wide perspective on the challenges of our industry.
Here are some of my reflections and key takeaways from our discussion.
Making cyber security make sense
One of the things I love most about hosting Communicating Cyber is getting the chance to step into someone else’s world for an hour and see how they think, how they’ve learned, and what they’ve picked up along the way. My conversation with Larry Tampkins was exactly that – a deep dive into how a seasoned technology leader navigates the tricky business of making cyber security make sense.
Larry’s career spans over 20 years, cutting across consulting, software vendors, and leadership roles in a range of sectors – from food and beverage to telecoms, utilities, and government. What struck me early in our chat was how deliberate he’s been in keeping one foot firmly in the business camp and one in technology. His degree was split 50/50 between IT and business, and that mix has clearly shaped how he thinks about delivering value.
As Larry put it, “We weren’t building systems for flashing lights on the wall’s sake. It was all about how we delivered value into business.” That’s a refreshing north star in a world that sometimes chases tech for tech’s sake.
Starting simple and building up
When I asked Larry how he explains complex cyber risk to non-technical audiences, he laughed and said that cyber is “just delivering complex technology with bells on.” His approach is to start with the business challenge, put it in a context the audience understands, and then “slowly ratchet up the level of technical information.”
It’s not a one-and-done conversation. In his words, “You have to establish the basics and then you can start to talk in more detail.” That steady layering matters, especially in high-stakes contexts like mergers and acquisitions. At Aspen, where Larry is IT and information systems director, they target multiple acquisitions each year. From day one of ownership, the cyber security risk – GDPR included – becomes a group-wide exposure. That reality led him to change their approach so that cyber is involved immediately, not 180 days later.
Balancing severity and reassurance
Talking to senior leaders about cyber security is a balancing act. You need them to understand the seriousness without sending them into a tailspin.
Larry shared how he uses SOC reporting to give that balance. Every month, he starts with the total number of security events detected – usually in the hundreds of millions – before breaking it down to the handful that mattered. “Big number, but we’re in a really good place,” he tells them, putting it into context.
That reassurance builds trust so that when there is a serious risk to discuss, the board is ready to engage. “Don’t cry wolf,” as Larry puts it. Keep it unemotional, keep it relevant, and always connect it back to the business impact.
The power of ‘why’, ‘so what’, and ‘what haven’t I told you’
One of Larry’s most valuable communication tools is a set of three deceptively simple questions:
Why? So what? What haven’t I told you?
If your audience can still ask “so what?” after you’ve presented, the message hasn’t landed. The same goes for “why?” – you haven’t fully explained the context. And being conscious about “what haven’t I told you?” forces you to think about what’s relevant, what’s appropriate to share now, and what might open up distracting rabbit holes.
I think this is brilliant advice for any cyber leader. As Larry said, “The core of your message has to be consistent; the little bit that brings it to life in their world is the bit you change.”
Fifty audiences of one
One of my favourite parts of our conversation was Larry’s reflection on treating a big audience as “fifty audiences of one.” He first used this approach in the early days of COVID-19, when uncertainty and emotion were running high.
You might tweak your intro or examples for different groups – marketing might get a story about risky e-signatures, while finance hears about dodgy macros – but the core message stays the same. That consistency matters because people talk. If two teams compare notes and find conflicting guidance, you risk confusion and mistrust.
Lessons from getting it wrong
Larry was refreshingly honest about the times it’s gone wrong. “The list of things that failed versus the list of things that have gone well is probably disproportionately longer,” he admitted. The main culprit? Falling into rabbit holes by mentioning something in passing that sparks questions you’re not ready to answer.
Self-awareness is key here. It’s easy to leave a meeting and blame the audience for not listening. The harder – but more productive – step is asking, “What do I need to do differently to help them understand me?” Sometimes that means a peer review before you present. Sometimes it’s buying a coffee for a friendly board member afterwards and asking, “What went wrong?”
Drawing clarity
Larry always carries whiteboard pens. Drawing, he says, helps him structure his thinking and take people along step by step. “The act of drawing forces you into constraints” he explained. It stops the “big reveal” from overwhelming people and lets you control the pace of the conversation.
Data plays a role too, but he’s selective. “There’s tons of data out there… but how much of that is actually useful?” If you can’t explain the source and meaning of a number with absolute confidence, don’t use it. That’s a discipline that avoids rabbit holes and protects your credibility.
Listening first, speaking second
Perhaps the simplest – and hardest – lesson from our conversation is this: listen before you present. Know your audience, adapt on the fly if you can, and keep it simple if you’re meeting them for the first time.
For Larry, everything comes back to those three questions: why, so what, and what haven’t I told you? They’re a practical framework you can take into your next board meeting, town hall, or M&A briefing. As he reminded me, “If you can replay your message and think, ‘What could they possibly ask me about those three things?’ and there aren’t any massive obvious gaps, then you’ll be in a good place.”
Final thoughts
Cyber security is complex. People are busy. We don’t get unlimited opportunities to make our point. My conversation with Larry was a reminder that clarity is a craft – part empathy, part discipline, and part storytelling.
Start with the business problem. Build from simple to complex. Keep your message consistent. And always, always ask yourself: why, so what, and what haven’t I told you?