On the 3rd episode of the Behave Podcast, Molly McLain Sterling joins Munya Hoto, VP of Marketing, CybSafe, to discuss the importance of trust in security awareness. Molly is a passionate security culture leader who has successfully built and continues to mature a dynamic and impactful Global Security Awareness Program with a cybersecurity and physical security focus in 150+ countries for 100K+ staff of the world-leading medical technology company Medtronic.
Guest profile
Name: Molly McLain Sterling
Profession: Molly is currently the Global Security Culture Leader of Medtronic. Medtronic is a billion-dollar, global leader in medical technology, offering medical devices to more than 72 million people across 150+ countries. It is also a global producer of medical therapies, such as insulin pumps, pacemakers, and diabetes therapies.
Having been in the industry for more than 15 years and within the Medtronic team since the very beginning, Molly has accumulated an in-depth experience in security awareness while also adding a Master of Science degree in Cybersecurity Management under her belt. She started as a project coordinator to climb her career ladder to where she is now and is currently working diligently on improving her creation, the Engagement Coordination Program, which focuses on managing demand and caring for stakeholders. She has also developed a Security Optimization Program to drive process improvements and build a centralized metrics foundation.
Find Molly on LinkedIn
Episode's key tips
The foundational core of security awareness is trust
Molly, without hesitation, names trust as the foundational core of security awareness. For her, what is of utmost importance to creating and maturing security awareness is the trust built between humans. " On the human-to-human level, when we have the same goal, mission, and vision, when we share the idea that everyone deserves to be secure, and we put that in the forefront at all times."
Molly argues that when life is led with such a common goal, the sense of security provided for people is more potent than when they are put through phishing simulations and exposed to communication guidelines conveyed with funny content to get the message through. For Molly, trust is the pillar of bringing change to society.
Trick & train & entertain shouldn’t Be the only model to create change
"Although some departments in companies can work with that, the “trick, train, and entertain” model shouldn't be the only path to create behaviour change," says Molly.
Molly believes that, when in action, tried and true methods shouldn't be disregarded and left behind, but providing a higher quality of security awareness can be achieved by adding new ways of doing things to what was done in the past. She adds that the world is just getting familiar with behaviour measurement, and this unique ability will provide exciting opportunities for further growth in security awareness.
The biggest indicator of success in the field is behaviour change
Despite the typical approach of measuring engagement rates, Molly says that what deems a security awareness program as "successful" comes down to its effectiveness in creating behaviour change.
"If a program changes behaviour and the changed behaviour reduces risks, that is when we call it a success."
Risk vs. engagement should be the first focus for growth
When sharing how her team grew from one person to many, Molly recalls how moderately funded her department was initially.
"There will be teams and certain companies ready to jump into the next phase in this field. They are going to be excited, and they will have all the funding and support. I feel for the people, starting as a team of one and trying to truck along with this thing. I started the same way, and I have a well-funded team now which worked up over the years. But those who start as one person: You can still do this. If you focus on risk vs. engagement, you will come along this journey we are all going on."
Words and names shouldn’t be a distraction from the ultimate goal
"Naming what we do isn't the most important thing in what is being done. People are concerned about what we should call what we are doing. They say, "should we call it "human risks" or should we not?". Yes, words are important, but we should not let this be a distraction from our ultimate goal, which is to reduce risks to provide safety and security." says Molly.
Molly believes that what security awareness is and how it is defined shouldn't deter those fighting for it from providing people with safer environments.
The pandemic created a world where those without physical presence are taken care of
Although the Covid-19 pandemic had a massively negative impact on the security awareness field and departments that operated in it, Molly noted that it created a sense of empathy and understanding about the circumstances' people physically far away were facing.
Molly says that despite the downfalls the new world pandemic created, it provided new perspectives in her field and taught her how to work within a remote environment with others.
Top quotes from this episode
"What, I think, is foundational to security awareness and security, in general, is trust."
"For some groups or some cultures or some areas in the company, “trick & train and entertain” might be what they just want. I think that not abandoning the things we learned, tried, and done from the past, but bringing along those lessons and just adding them too is what should be done."
"Consistency and habits actually end up getting you to good results, but knowledge alone is what makes you feel bad.”
“As long as you focus on risk vs. engagement, even if you start as a team of one, you are going to come along this journey we are all going on.”
What is Cybsafe?
It is a cloud-based platform focusing on cybersecurity awareness and behavioural security. To know more, visit CybSafe's website, or you can read their blog here.
