# #

November 9, 2022

Engaging The Human, Managing the Risk with Medtronic

Molly McLain Sterling, Global Security Culture Leader for Medtronic, sat down with Living Security CEO Ashley Rose for a great conversation about how the cybersecurity team at Medtronic engages employees as the last line of defense against potential breaches. 

Read the full transcript here. 

Ashley Rose (00:03): I'm really excited to kick off this client day with this particular session, Molly McLain Sterling, as Rachel mentioned, she is the global security culture leader at Medtronic. This is going to be fireside chat style. And over the last few months, I've had a really amazing opportunity to get to know Molly better, to understand her program, understand her challenges, her strategic goals for her company, her human risk program, but also for her own career. And so I really believe that this is going to be a really exciting and valuable session for everyone here as we think about this paradigm shift and moving into the future to human risk management. So, welcome, Molly. I'm glad you're here.

Molly McLain Sterling (00:52): Thank you so much. Thanks for having me.

Ashley Rose (00:55): Awesome. So, Molly, I'd love for you to just kind of kick us off, give us a little bit of background. I specifically love every time I get to know anyone new that I meet, I love trying to find out how you got into security. And much like myself, you entered the cybersecurity space in a really non-traditional way. So, give us some background. Who are you, where'd you come from, and what do you do today?

Molly McLain Sterling (01:19): Yeah, well, I was a musical theater major in college. So, after college, I was an actress for a hot minute. Some of my credits could be seen as girl holding a melon in a grocery store commercial, really top shelf things like that and then the natural progression into IT, just like all musical theater majors do, but entry level it at Medtronic and worked my way up with some amazing opportunities and things that people let me try out. And me being really inquisitive about, "Well, how does this work? What if we did that?" this kind of thing got me to the global security office about nine years ago, nine or 10 years ago. I started as a team of one doing the security awareness program, among a bunch of other things, and thankfully have grown it to a security culture organization with a team of eight, and that includes metrics and analytics, stakeholder engagement, and then the traditional security awareness.

Ashley Rose (02:33): And the reason I love that you are sharing that story is because it actually gives us a pretty unique view into how many of us probably got into our current positions. I think the cybersecurity team traditionally has... People in cybersecurity careers have oftentimes come from IT backgrounds. And so upon recognition that there was this need to focus on the people side, they said, "Okay, well, maybe we don't know how to do that. We need to find... We need to add some diversity. We need to add some background that is a little outside of the traditional IT type checkbox backgrounds." And so I think a lot of us on this call and clients that we've met with have come from... Musical theater is interesting, but whether it's marketing or comms or psychology or something that had to do with behavior, I think this really was a unique opportunity to bring people into cyber to start applying some difference in mindset, in understanding, in thought processes and kind of a passion for people.

Ashley Rose(03:51): And so here we are today at another kind of pivotal moment. And so I'd love to maybe just kick us off with, based on your background, based on the work that you've done, how do you define human risk management? You came into a security awareness role, but we're looking ahead right now. So, what does that mean to you?

Molly McLain Sterling (04:12): Yeah, I think it means. For our program it's the ability to measure and analyze behavioral risks to address vulnerabilities. I mean, obviously, it's in the name, the human piece, but it's really focusing on the people and how they behave.

Ashley Rose (04:30): Absolutely. Yeah, I mean the behavior component is so important, and we're going to talk a lot about analyzing those risks. So, living security, when we came out with human risk management, and this was a lot of back and forth because we knew we needed something or knew we needed something that could help us take that next step from what has for the last few decades been defined really from an activity standpoint of security awareness and training. And so when we thought about this, we obviously needed to be able to capture the need to identify, respond, and report on human initiated risk, but it was really for us, that convergence of the granular management of human behavior induced cyber risk with the relevant and engaging content for people. So, what do you think about the human side of this? The engagement, the training, How does that fit, in your mind, to the human risk management kind of overall strategic objective?

Molly McLain Sterling (05:34): Yeah, I think it's just the next evolution. So, it's not one or the other. It's not traditional security awareness and all the content and all the material or human risk management. It has to be a really holistic approach. And the human risk management piece just allows us to do better at the traditional security awareness piece. Before, we were guessing. We were doing our best guess. And I will hold my traditional security awareness team up against any in the industry. I think they're absolutely fantastic. And we were still guessing, and a lot of times we guess wrong in terms of what people need and why they need it. And so with human risk management, it gives us that data that we're able to then zoom in on the areas that need it the most, because ultimately behind all of our technical vulnerabilities, there is a human behavior or decision, and that's ultimately what we need to get down to, is that human behavior decision and why that's happening or why it's not happening.

Ashley Rose (06:37): Absolutely. So, maybe you could give us all some background on what best guests look like at Medtronic. You're a pretty large organization. I know you do have a sizable team, but I'm pretty sure most people on the call can probably resonate with, even at the size that you are having small team, large population to engage with. So, give us some background. What did your program look like, and where are you now? Where are you today in your journey on HRM?

Molly McLain Sterling (07:11): Yeah, I think we have all the great components of what I would consider a traditional security awareness program. We have our phishing simulations, we have our annual all employee training. I hate to say check the box, but yes, it's a check the box piece for all of our regulations out there. We have a phenomenal ambassadors program. We do all different kinds of communications within our ambassadors and fun channels that talk about beating the bad guys, and on and on and on. We do all kinds of different things. And a lot of times, we would base those off of the generic risks that we all talk about. And that's still great. I mean, I think those are foundational. You're always probably going to have phishing risks, you're always going to have risks that somebody's going to stick a USB in their computer if they find one laying around those.

Those are things that exist,, but what we really need to do to get to the next level is figure out what risks are specific to us Medtronic, and then go a step further what risks are specific to different areas and different people, different personas. And so that's where we don't want to rely on guessing. We don't want to guess why people are not reporting security incidents. We really want to know why. So, we need to figure out who are the ones that aren't reporting, and then we'll be able to have conversations and do cognitive reviews and all kinds of different ways to figure out why they're doing what they're doing to then give them the best intervention possible, because there's different methods depending on whether somebody is burnt out, whether somebody is new, whether somebody is confused. There's going to be different interventions depending on what the why is, and that's ultimately where we want to get to.

Ashley Rose (09:11): Absolutely. And you are a [inaudible 00:09:15] so we're among friends here. You did a pretty in depth sort of market analysis kind of competitively on the different vendors that were approaching human risk management. Without naming names, can you give us a little bit of background on what that comparison looked like? What really stood out to you about living security. And what are you excited about you doing with us in the future?

Molly McLain Sterling (09:40): Sure, yeah. So, for those that don't know, we're in the hopeful progress of partnering up with Living Security here. Just need to dot the I'S and cross the T's and things like that. But one of the reasons that we are very interested in Living Security is because you want the data and the tech side first. So, a lot of companies are doing, or some companies are doing some of the behavioral analysis or the awareness piece. My team can do that already, and they do a great job at it. So, we just need that data. And the data already exists within our company. I think that's the great thing. And you have these really quick API connections that we can just set up with and start getting all of that data in to do the insights, to see the insights that we need and discover the insights that we need, so that... We wanted to go the tech route first. We think that's the most valuable.

Ashley Rose (10:41): And we're going to come back to that because I know that probably a few of us on the call or many of us might be thinking, how do I access that data? And I think you have a really unique program and security organization. Unique might not be the right word. You have a very supported program and you have really strong alignment at the CISO level and across the business. So, I really want to touch on that momentarily, but you said something earlier that I really wanted to dive into a little bit deeper. So, you talked about visibility, right? We're moving from sort of a best guess, and I think that's what all of us can do with the data and the understanding that we have, is we do the best we can with what we have. And so this conversation is really about how we can partner with you, with other teams, with other clients here to give them more than they have today, right?

And I think that shows up absolutely in visibility, for many other reasons. But tell the group here what other opportunities do you believe this data and the clarity provides for security teams? And I think we can talk about human risk teams, but then even more broadly across the security organization.

Molly McLain Sterling (11:56): Sure, yeah, we have a really strong... I mean it kind of ties into your other statement too about the support that we have, but we have a great relationship with our CSIRT team. So, for those that don't know, that's the security incident response team. And those are the frontline folks that are fighting off the bad guys if anybody gets in and making sure that they don't get far in the kill chain. And so if you think about some of the most technical people, that's that group. And to me, everybody should be best friends. Any human risk or security awareness people should... Go be best friends with your CSIRT. They're going to bring so much value. And we are going to share the data that we have with them because we think it'll help them down the road too and prevent more false positives and be able to hopefully not to get too pie in the sky, but really sort of stop issues before they start.

So, stop crimes almost before they happen in terms of, if we can give that education, the right education to the right people or the right interventions, then we're hoping that it will also benefit our CSIRT teams as well, that there'll be less incidents for them to deal with.

Ashley Rose (13:13): I couldn't agree more. We talk a lot about alert fatigue in the security organization. And I heard a stat the other day, there is a lot of technology, a lot of things trying to work together in a concentrated effort. I also saw an email the other day, why has security gotten so complicated? But what's happened is that every time there's a change in the industry, new risk, new threat, we see new tech come to the market, and then of course, our security programs need to adopt that. And so what we have is a lot of product platforms that, to your point, are looking for an incident after it happened, either while it's happening or afterwards.

And then we're sending alerts and we're trying to clean that up as quickly as possible. We want to reduce our time to respond. So, what the goal of HRM is, and you think about before they start, we talk about this left of boom. How do we find things or find behaviors or people that could present risk for our organizations before an incident occurs, and then use that opportunity to reach out to empower them with training or policy adjustments, and communicate to them in a way that ultimately drives risk production down. And to your point, when things work in that concentrated effort, the people process and the technology, they can work together to actually stop that, a lot of those alerts. If we're not seeing a lot of those incidents occurring, we're going to see reduction in alerts, a reduction in incidents, and ultimately our sock should be able to focus on our CSIRT team, should be able to focus on the things that matter most.

So, I absolutely appreciate you sharing that. And I think now it's a good time to maybe transition. A lot of us may be wondering how you build such a strong relationship with the rest of the security organization? So, you talked about your CISO, you talked about your CSIRT. We'll also talk later, specifically in our human risk management maturity model, we've incorporated a very specific category on security organization maturity. And that was intentional, right? Because it's very hard to have a progressive or an innovative human risk program if we don't have the business alignment and the security organizational support across the business. So, how did you do that, Molly? What did it look like when you first came in, and how did you build rapport and start building those bridges, those connections?

Molly McLain Sterling (16:07): Sure. Great question. I think it does take time, but one of the main things that I did coming in with security awareness is just went to the global security office, and the people within it and said, "Where do you need help?" And so if you can build those relationships and build where they lack, or not necessarily lack but it's not their main skill in terms of how to communicate something in a basic way or why it's important or why it's a benefit to the employee base. So, I think just starting there and building that rapport and building that trust and helping where you can then starts to get you involved in the programs that are going on within the security office or your security office, and also then helps you understand the data that's starting to be used and generated. And ultimately, that's what you're going to need to be able to start running your human risk management platform.

Ashley Rose (17:11): Absolutely. So, yeah, any tactics? Do you go to lunch? Give the team some tactical ways that they can do what you've done.

Molly McLain Sterling (17:23): I think one of the ways we did it early on with my colleague who leads our CSIRT is, whenever I would write an article for Medtronic, I would ask him for a quote, and so I'd quote him. So, then Medtronic's a very large organization, we have about a hundred thousand people in 150 countries, so getting your name quoted in something or having that exposure early on in your career, which is where we both were at the time, is really helpful. And so that was one way just to help each other out, build each other up. And if you can continue to do that, make your security team look good to the rest of the organization, that's really going to build that trust and that value.

Ashley Rose (18:08): I love that. And I'll shout out. Jenny Kinney is one of our client success managers here. She and I talk a lot about the idea of influence, and I think what you just had shared was how do you build your influence in the organization? Not only does that help in getting accomplished what you need to get done, whether it's access to data or budget, in that sense, to be able to accomplish your program goals, but it also helps you in your career development. So, I'm going to take a quick pivot. And I know we have some more questions here. How has your career progressed at Medtronic as you've built the program? Can you talk a little bit about maybe your team size, who you have working under you? I know it's been an incredible journey, so I'd love to just touch on that here briefly.

Molly McLain Sterling (19:01): So much of what goes into storytelling, I think at the foundation of everything, ends up in my group. And also just a while back... You'll find yourself, I'm sure a lot of people can relate to, the rest of your organization might look at the security team as the office of no or some negative kind of connotation. Our CISO did a really great job with this in focusing on our desire to have stakeholder engagement. So, created a group within my security culture team that's really just focused on building relationships and helping people through the security organization. And I do consider that part of security awareness because it's really helping people understand why certain processes are important, whether it be a risk assessment or using secure design requirements in the beginning of your architecture journey kind of things. All of those things build in to that security awareness space.

And then as things grew and people could see the benefit and the tone of security changing, my career excelled as well. And I'm really thankful to be reporting directly to our CISO and on the leadership team within Medtronic for security. They get it. Our CISO and our leadership team really gets that security awareness and the people side of everything needs to be foundational and a part of the conversations at the top. So, I'm lucky in a lot of senses, and then also really just continue to push that relationship piece and how can I help the security organization as a whole.

Ashley Rose (20:57): Molly, did you interview for that when you were looking at this role? Did you know to ask whether or not there was going to be support for the program, or was that something, as you said, you were lucky to find?

Molly McLain Sterling (21:08): So, when I came into... My first job within the global security office was doing a little bit of security awareness, a little bit of vendor risk management, and then a little bit of data loss prevention. So, no, I definitely didn't have any sense to say, "Are you going to support me?" I've just been really lucky in having some really great leaders that say, "Go try stuff. Let us know how it goes. Work with us, communicate with us ,and let us know how we can support you." And I'm happy to help anybody with that message within your organization as well, because it's so pivotal. I can't imagine trying to run a program when you don't have that support. So, if I can help in that sense, I would love to be able to give back in that way.

Ashley Rose (22:02): I love that. I love that you offered that up. And this may seem like a little bit of a sidetrack, but I really want to bring it back into what's going on in the day to day, what's going on in our industry? I talk to so many program owners on a pretty consistent basis that are struggling with this. They're struggling because they aren't getting the support and the budget, and they don't have that strong leadership alignment to being able to move the needle, be like... There's classifications. We talk about this sort of transformational CISO, these CISOs that understand that the way that we've done things is not going to help us get to where we need to go, and so we need to start thinking outside of the box and looking at creative ways.

And unfortunately, I'm going to share here, sometimes I see that program owners feel a little bit defeated in the way that they're viewed as part of the security organization, the engagement team or just the security fund team, or I heard somebody say the rah rah team at some point. And I think all of us here, we wouldn't be here unless we truly believe that there was an opportunity for us to make an impact and that we felt good and there was a sense of mission behind what we do day in and day out. I think that there's a lot of jobs that people can choose. And so especially, if you're engaged with Living Security, that's been our mission and belief that we can create a more secure world by focusing on people. And so it really is exciting for me.

It's something that gets me up in the morning, to know that not only are we going to be able to affect our employees and our world, but actually each individual program owner. I have a really strong belief that we can, with the right data, with the right visibility, we can actually change the way our teams are viewed, and then hence ourselves and our careers and opportunities there. So, how do you think data will change the way that... And I'll say the human risk program is viewed as part of security. And then even more broadly, how can we impact how security is viewed and measured across the organization?

Molly McLain Sterling (24:24): Yeah, I think that your statements just resonate so much in terms of being seen as the fluff board, nice to have, or we're really important, but it's "just communications" kind of thing, or education. And what human risk management allows us to do is go from measuring engagement to proving that we're reducing risk. And that's ultimate... That's what I keep reminding my team and my team continues to remind me, to focus on the risk, focus on the risk, focus on the risk. And without the data, we can't. That is where we get into the guessing. So having that data is just such a huge difference. Some engagement measurement is good, but you can't prove whether you're actually making a difference there. You can prove whether somebody's showing up, but you can't prove if their behavior is changing based on that engagement data.

And so that's where I also am really excited to see that shift into being able to prove out that we are reducing risk and we're a really integral part. And then in terms of the good we're doing too is really exciting, to be able to empower people. I believe that everybody deserves the chance to be secure. And if they don't know the things that are putting them at risk, it's really hard for them to do that. And so this will allow us to help so much more. And we're using this tool for good. We're not using it to penalize somebody or anything like that. It's really how can we empower people to help us more in fighting back against the cyber criminals.

Ashley Rose (26:14): I love that. I talk a lot about... And I've done some board level presentations, and we talk a lot about at the board level, every board member knows how to read a P&L, right? They have a level of financial literacy. And so I think what we're working on now is trying to up level our cyber literacy at the board level, where every board member has a foundational understanding of risk and at least questions to be able to ask to make sure that we are doing our due diligence as a board and as an executive team in managing cyber risk. But I want to bring that down to the employee level, because you said everybody has... I think you said everyone deserves the opportunity to be secure. I might be mixing that up. So, I think about that and I think about where we are from a workforce perspective, right? We have the macro trends around work from home and the great resignation or the great reshuffle.

These are primary business issues that executives teams face on a daily basis. We all want to retain our top performers. We're concerned about attrition and the costs to the business. And so I think about, is there an opportunity... And I think in some of your programs, you've been able to tap into this, but is there an opportunity to make security an employee benefit, right? Could the human risk program be a reason that people culturally fit within your organization and they get excited about helping the business to succeed? So, I think there's an opportunity for us with the right program, with the right data, with making things contextually relevant to really add value in that way. And that's just another one of those business outcomes that we can drive with the data, with the visibility, with the understanding.

So, you shared a quote with me when we were prepping for this, so I'd love for you to share it here, and maybe give us a little bit of insight. And I'll add some commentary because I've been seeing some really interesting articles lately. We all are aware of ransomware as a service. Phishing as a service is something that came across inbox the other day. This particular service essentially was an online signup app. You could go on and you could just sign up and pay for X dollars per month, you could get so many emails, so many phishing emails that would go out for you. So, there is a lot of tech right on the other side of the table when we think about this battle that we're fighting. So, how do you think about what we can do as the good guys, the good team up to win that battle?

Molly McLain Sterling (29:11): Right. Yeah, the quote specifically, we have some really great intelligence partners at Medtronic. And again, because I have a great relationship with the CSIRT, I'm able to see a lot of the intelligence that they get and they're so great about sharing it. The [inaudible 00:29:26] group supposedly has since disbanded, but was a big ransomware group, and we have some intelligence from internal communications that they said we can't win the technology war because on the ground we compete with billion dollar companies, but we can win the human factor. And if you go back to a quote also that Lance Spitzner from SANS has said that we've become so good at securing our technology that we're actually driving criminals to attack people, it's all about the people, it's all about the human factor, it's all about the social engineering that we're seeing just so much of, and a technology isn't necessarily going to prevent all of that.

So, we do have to have just that relational piece. Again, like I said before, behind all of our technical vulnerabilities is a human behavior decision. And again, human risk management where we need that data, we need that to be able to go to people and give them the best opportunities to fight back. I mean, crime as a service is essentially what you were talking about, and it's huge and it's crazy and scary. And I think people don't realize... The average person in our company probably doesn't realize that these are very organized criminal organizations, to be redundant, but these criminal organizations are well funded and run well-oiled machines. So, we have to be so empowered, we have to empower so many of our people to be involved in the fight and be proactive about pushing back against this. Otherwise, we're just going to get devoured.

Ashley Rose (31:09): Molly, do you think that... Because these are so organized, they're criminal organizations, as you said, they have quotas, they have retention metrics, they have all the things that we measure as part of the business, do you think there's going to be dark side awareness training, making sure that their competition doesn't get their list of people they need to go phish first? I don't know. I was thinking about that the other day. There could be something there. Maybe a new business opportunity. But just to circle back around, so digging into why, providing the best intervention to make the most change, I really think about this as leveling the playing field. I mentioned earlier, background in business marketing before getting into cybersecurity. And I can tell you, as a CEO, there is no other part of the business that is run without data.

And we use data all day long to make decisions. And so when we came into this particular part of security with a combination of my background and Drew's, when we co-founded the company, it was actually really eye-opening to me recognize that with all of the tech that's out there, we were still, as you said, kind of taking best guess and using what we had. Not by any fault of the program owners or the people running the program, but really because the security community, the vendor community hadn't stepped up at that point. There was this over investment in securing our technology, which drove people to the humans, as you said. But I see this as our time was quoted in an article that we released on our human risk management maturity model. I see people as that last frontier of cyber. And so yeah, it's really an exciting time for me.

It's an exciting time for the company. I think it's an exciting time for all of us here in the call and that we're finally going to have what we need to get our jobs done, do what we need to do. So, I'm going to shift again, and I've had a lot of calls lately. We have clients that are in North America, we have international clients, clients over in the UK, people that have different privacy regulations. So, I'd like to talk a little bit about some of the challenges that we may foresee moving towards more visibility. Without calling out any names, I talked to a CISO, and this particular CISO said, "I don't want that data because then I'm responsible for it." So, it's something that we need to think about. And so what pushback do you think that, or what pushback either did you get, maybe you didn't, or what pushback could we imagine may happen internally while we're trying to take this next step?

Molly McLain Sterling (34:11): Sure. Sure. I think the privacy piece is a big one. An interesting comment by that CISO, not knowing their organization, but for sure, our organization, our security organization already has the data. These are all things that all our other teams are collecting. Our CSIRT teams, our forensics teams, our vulnerability management teams, our vendor risk teams, everybody, we have the data, and this is just aggregating it to be able to address the human vulnerability in a proactive and helpful educational way versus having it be some type of investigation later on. And I think with the privacy piece, you just have to do your due diligence, make sure that you're limiting the amount of people that have access to the aggregated data, if you are going down to the individual level and you're not anonymizing it. Yeah, you just want to make sure that you're not allowing too many people, so the fewest people.

And then collecting minimum necessaries, so collect things that you don't need. And then also just make sure that you're talking to your privacy partners within your company. This really isn't that much different to me than all of the conversations we had when we first implemented phishing simulations, because that's that whole concept of, are you going to use this to penalize individuals? Are you going to monitor employees? It's really not any of that. Again, we're using it for good. We're using it to educate. We're using it to be able to help people fight back and protect themselves because they deserve that.

Ashley Rose (36:08): Yes, I mean you touched on all the points. So, I'll kind of recap a few of those. Bringing privacy partners in early, getting them engaged, helping them to understand the benefits of this to the employee, as well as to the organization, is critical. And I think that some of this could be... Creating that business alignment could be new for some of our teams. And the reason being is we've had a specific job to do for some time. We need to send training and make sure that we're engaging people. And obviously, the best case scenario is that we have business engagement and business support, but it wasn't necessarily a true requirement to get the job done previously. But now, as we think about the futures, we think about aligning and moving away from activities to business outcomes, the only way that we actually bring the outcomes into fruition, that we execute on them is through a partnership with our business.

We need to understand, from the business perspective, what risk is acceptable, what's not. How do we want to mitigate this? How do we best engage our teams? And so that requires a lot of upfront foundational work. And I would say making sure, as you mentioned, engaging privacy early is going to be critical. And then the next piece, how we're using that data. We need to make sure that we're very clear in describing how this can show up as that employee benefit. How can we empower people with data to be more secure? And how does that help the company? We look at vigilant behavior, not just risky. And to your point, the same CISO that I had the conversation with had actually just started passing the phishing simulation end user view into their production environment and allowing people to do that. 

Everyone's at different stages of maturity, and we'll look at the maturity model momentarily, and then we'll go to questions, but it's important to think across the business, across alignment, across culture, across technology, across our program, how do we take the next right step? There's not going to be a completely one size fits all approach. We certainly wanted to make it as easy as possible for people to have a roadmap, but how you get to where we're trying to go, which is aligning to business outcomes, leveraging data drive results, and reducing risk, it's going to be a winding road for so many people and so many companies. So, I just want to encourage everyone that, as Molly shared, I think again, somewhat of a unique or certainly a lucky situation that you've been able to build a program into with the support and alignment, but this has been extremely helpful. So, from there, we're going to take questions momentarily. I did want to just share, as I mentioned, we did today actually launch a maturity model.

And so this has been something our team has been working on for months. It's been something we've been thinking about since we first came out with the terminology around human risk management. So, I'm going to hopefully share my screen. Oh, great, I can do that. Awesome. And so you have gotten an email, should have gotten an email from our team. If you haven't, that will be coming out shortly. But this launched today. So, Living Security, alongside our CISO advisors and alongside some other vendors in the space, decided to launch an open comment draft of a human risk management maturity model. And so if you follow the link... I know we put it in the chat and Rachel mentioned it, this is available right now. We already have had some commentary. And essentially, you can come in here and read through what is human risk management? The perspective on this? And then we actually walk through the paradigm shift and we walk through... Let me go over here to our categories.

We walk through the different pieces that were mentioned today, right? What does alignment look like across the team? What does the maturity of the security organization, the CISO's organization within the broader company? What tools and integrations are going to be important as we kind of walk through the different levels of maturity? And then from a process perspective, what does our functional structure? That is our human risk program. What are the pieces of the program? So, you should be able to relate to some of these. And then what are the metrics look like? We have some example of those as well. So, you'll see at the start of the model that we describe all of these categories, why we chose them, and how they show up. But what we're really looking for is we're really looking for your input, clients. We believe we have a really amazing approach to this, and so do all of you because you've joined us on this mission and have been super supportive.

But we know in order to take the next step and get this to a widely adopted stage across organizations where a lot of that friction that you may be feeling today or the selling that you're doing internally, the business case that you have to create, which I know Mark and Dan and everyone will be touching on later, we can do that collectively, right? So, there's many other maternity models out there. We've adopted some of the language there to make sure that it resonates with everybody in the organization or as part of the CISO organization, from the CSO down. And so I'm really looking forward to reading your comments. If you go to the link, it's very easy. You just click anywhere that you want to add commentary. And then what we're doing is we're going to collect that feedback over the next three weeks. And at the end of the month, myself, some other vendors and some of the other analysts that are covering the space, we're going to get together as a group and read through the commentary, and then actually publish a first official draft in December.

So, really excited about that. Molly, thank you so much. I want you to stay. Please don't go anywhere.

Molly McLain Sterling (42:38): Okay.

Ashley Rose (42:38): Because I've seen some questions come up in the chat, and I know that many of the people here have questions they haven't chatted yet. So, I just want to take a few minutes. I think we have about 10 minutes right now to answer some questions. And again, thank you so much for sharing your experience and the journey. I'm very excited about continuing to partner on this with. You're kind of in the beginning stages of this next phase for yourself and Medtronic, and I just appreciate your support as well and your passion behind what we're trying to do. So, appreciate your time.

Molly McLain Sterling (43:15): Absolutely.

Ashley Rose (43:15): So, yeah, let's go over to the chat. I'm going to scroll through, and we'll take some time for questions. All right. I'm going back up. So, somebody asked, how many people are in your team today? I think we may have glossed over that. Who do you have working with you?

Molly McLain Sterling (43:34): I have eight folks, three that are doing the traditional security awareness, two that are doing metrics and analytics, and three that are doing the stakeholder engagement type of work, which is really awareness about our processes and helping customers through.

Ashley Rose (43:56): Can you give us a little bit of an insight on the order of hire? Where'd you start? And who have been your most recent hires? What are they covering?

Molly McLain Sterling (44:04): Security awareness was, for sure, my longest standing team. I'm trying to think. Kind of grow the teams as they go along. Security awareness, and then my metrics and analytics team was one person I inherited. Then the stakeholder engagement, and then just sort added on as we went along. So, yeah.

Ashley Rose (44:29): Awesome. Okay, so I see another one here. And [inaudible 00:44:33] a question, but I'm going to turn a comment into a question. So, Robin talked about the challenge of engaging employees. It can be a battle. It can feel like a battle. And so I talked about how we do this at work, but also how we make it more personal? How do we engage people at home? Do you have any examples of this at Medtronic that you could share?

Molly McLain Sterling (44:54): Yeah, absolutely. So, on our intranet site, we have resources for families, for sure. And I think an important thing to think about when you're creating resources for people's families, not just kids, think about our elder family members that might need some support in terms of recognizing social engineering and scams and things like that. And then also, we do a weekly series called Beat the Bad Guys on our [inaudible 00:45:24] platform. And that might talk... It talks about a range of things, but it involves things that are not only specific to Medtronic, but it might be something that impacts Medtronic employees. Like if there's a... I don't know what gaming things are out there, I'm not a gamer, but if there's some kind of hack within gaming somewhere in there, we do different education like that or stuff about Bitcoin. Medtronic's not into Bitcoin, but if there are people out there that are interested in it, then we talk about the risks and ways that people can be secure with it. So, there is that additional piece that goes beyond our business walls and into their personal lives.

Ashley Rose (46:14): That makes a lot of sense. And Robin had also shared that they've been able to negotiate a discount for home password management usage. So, I think that's a really great way of providing benefits, right? So, think about employee benefits that expand outside of the corporate walls. So, another question I saw here, I think you answered it, but I want to make sure that we were clear. It was, you're a formal part of security, which I know that's true, but you said you report directly to the CISO, is that right?

Molly McLain Sterling (46:43): Yep, I do. I report directly to the CISO and have for a couple of years. We would view security awareness as one of the foundational pieces within the global security office.

Ashley Rose (46:55): Yeah, I think that's fantastic. And we can talk all day about support and alignment, but when you structure your organization in a way where the human side of cyber sits right next to devices, applications, data, network, everyone that's managing the other parts of our cyber security program, that's putting money where your mouth is, and so that's fantastic. But so you said a couple years ago, would you tell us where you sat within the org before you moved under your CISO?

Molly McLain Sterling (47:26): I kind of bounced around a little bit within the security organization. I think I've had 14 managers in 15 years or something like that. So, I've bounced around a little bit. And then I think a little bit of pushing or saying, "Okay, I want to get into a good spot." It does matter where... For the most part, you can make it work wherever you report, but it does really help when you're positioned in the right spot. And so I was very thankful that our CISO saw that as well, and our deputy CISO saw that as well.

Ashley Rose (47:59): Love that. All right, so we have another question. How do you inspire others to be passionate about cyber? Specifically, how do you encourage people not in cyber to practice cyber?

Molly McLain Sterling (48:09): Yeah, so we've seen some great light bulb moments. Light bulb moments and aha moments are one of my favorite things in life. It sounds really nerdy, but it is true. In our ambassador awareness program, that could be a whole nother show, a whole nother podcast, whole nother presentation. I'm super passionate about that group. The ways that we've really inspired all of them to just be these amazing evangelists for our company is, again, made personal. We do ours virtually. I mean, I'll try to do the super brief because I could talk forever about this, but we do a year long program. There's episodes that drop, and they're kind of in a YouTube format each month.

And then we have a teams channel where people are doing challenges and cyber scavenger hunts and things like that. So, we make it really fun. We give them pieces they can share with their teams to make them look really good, and then also things that they can use with their families at home. And it's just ignited this whole grassroots thing that's kind of just taken off. And we're like, "Hey, look at that. That worked. Cool."

Ashley Rose (49:32): That's great. And yeah, we'll have to give you a follow up on the Champions program, but... So, I know that some of our next sessions as part of client day, Matt's going to talk about our roadmap, he's going to talk about some of the things that we have coming out in the product, specifically on our unified product. So, Living Security, one of our biggest differentiators in the market is the fact that we believe end to end human risk management has to be the data and the end user experience, and that shows up with quantifying risk, leveraging data, engaging people, engaging the business, engaging the employees, and then being able to measure behavior change. You can't have the data without the engagement. You can't have the engagement without the data. It doesn't work, right? We've tried it. It has to go hand in hand. And so a couple of the ways that we help to engage people... And I'll bring this back around to the Champions program.

So, there's a couple things. So, upcoming... And Matt will... I don't want to steal the thunder, but we are going to be launching our scorecards this quarter. And so these scorecards are opportunities to engage your employees, but also your managers. And so we talk a lot about it, and I've actually heard employees say, "I hear about security one time a year. We say it's important, but I don't hear about it again. Where's that feedback loop?" And so these scorecards allow for you and your program to provide feedback to the employee and let them know what are we doing well on? Where can we improve? So, that can drive engagement. People love learning about themselves and love to see how they are compared to others. And when we think about empowerment, we're actually empowering these people with data to take the right decisions, make the right decisions.

And the same thing at the manager level. How do we empower our managers? We know that individuals, employees respond at a much higher percentage in getting something done if they're asked by a direct manager versus even the CEO of the company, if they know they're going to be held accountable to it. So, if you can empower the managers with information that they can take to their team, the same way, we're going to drive much better behavior change and much more stronger security behavior. And then I'll put one more thing out there, because I do think champions are so important to programs, especially when you're widespread, when you have a large organization, an eight person team, a hundred thousand people all over the world. Culturally, you need to understand what's going on at that ground level. And you want those people who are evangelizing for the program. And so one of the things that our unified product allows for you to do is not just look at risky users, but also be vigilant.

And so we've seen success where you can actually identify those champions based on the category of vigilant behavior. These people that are already bought into the cybersecurity program, that are engaged in optional training, that are using their password manager, that are taking the right actions day in and day out. So, these are the prime people to reach out to and let them know, give them positive feedback, say, "We really appreciate how you've been able to be a security champion at Medtronic. We'd love to invite you to become part of the Champions program and help spread that message and awareness." So, that's something that we certainly are excited about. And so Molly, hopefully we can embed even further into the amazing program that you've built. And it sounds like there's widespread interest on this chat of digging in a little bit more to how you're running and how you're engaging with those champions.

Molly McLain Sterling (53:20): Sure, yeah. I'm so excited to bring the HRM data to the champions that we have in the alumni network that we have it. It'll be really exciting to see what they do with it.

Ashley Rose (53:30): All right, Molly. So, outside of HRM, which is huge, of course, it's going to be a big initiative. What is the one thing that you are most excited about for your program next year? Now, HRM first, obviously, but after that, what's the next thing?

Molly McLain Sterling (53:47): The next thing, expanding ambassadors even more. I think we're just getting... It's one of those things where I'll go to an event at Medtronic or whatever, and since there's a hundred thousand people, you're always meeting somebody new. And I'll have people say, "Oh, Molly, the ambassador program, I was a part of it two years ago, or I'm a part of it now." And I'm like, "Oh, it's so great." And so that's really cool. So, I'm always excited about growing that. And then also we are working on an overall risk accountability dashboard for our entire security organization to help our team members hold people accountable in a different kind of tone than it would be with human risk management. So, human risk management and the unified tool would be more of an educational, let's work together type of thing, the accountability pieces, you have these 10 things you gotta get done. This is an IT manager, you need to go and do those. So, we're working on that. That's a ton of data and a lot of work, and building that from scratch, really.

Ashley Rose (54:57): All right. Well, I just made a note to make sure that we cover some of the work that we're doing alongside some GRC tools.

Molly McLain Sterling (55:03): There you go.

Ashley Rose (55:04): We think that there's some interesting opportunities for integration and automating workflows there. So, we'll chat about that offline, because I know we're at time here at 10:30. Again, thank you, Molly, for coming in and kind of representing the voice of the client, for sharing about your program. I'm very excited about the future. I know you are as well. And it looks like you're going to have many new friends and connections on LinkedIn.

Molly McLain Sterling (55:26): Awesome.

Ashley Rose (55:27): So, I know you'll, you'll be happy to connect offline there as well. So, thank you.

Molly McLain Sterling (55:32): Thank you so much. I really appreciate it.


# # # # # # # # # # # #