Where passion meets purpose: exploring security as a universal value

31st Oct, 2023#35

The world has seen many transformations in the workspace during the last few years; some of them stuck, some didn't. Workers prioritizing personal relationships over economic benefits, for instance, is not considered a fad anymore; it is the norm.  

The relationship people developed with their jobs has radically changed, and empathy played a major role in that transformation. Slowly but surely, we are witnessing how cybersecurity detaches from the old and cold "it's just business" approach. 

Today, Molly McLain Sterling joins us to share her thoughts on empathy and the role of connection in cybersecurity, while exploring communication techniques in cybersecurity, leadership, and more. 

Molly is the Director of Global Security Culture at Medtronic, CISO Advisor, Top Rated SANS Speaker, Security Evangelist, and Behavioral Science Human Risk Management Leader. 

Molly has a Bachelor's degree in Fine Arts (B.F.A in Music Theater), which is a testament to how fertile the cybersecurity space is. People with virtually any background can repurpose their skills and flourish in cybersecurity. 

Throughout this episode, you'll hear about Molly's journey into cybersecurity and the acting techniques she adapted to her leadership role to improve her communication skills. Molly also talks about how she transformed Security Awareness into Security Empowerment and grew it into a security culture that now supports over 100000 people in 150 countries. This also led to discuss how scalable empathy really is, the power of delivering a consistent message, bringing leadership's attention to the importance of cybersecurity, and more examples from Molly’s fantastic work. 

Tune into this episode to learn:

  • Why building a security culture is a job we can do alone (3:30)

  • What you need to bring people together around a topic that’s not their primary job (12:10)

  • How to scale the use of empathy within an organization (16:50)

  • Acting tips and advice for improving how you communicate (23:40)

  • How to get leadership to take an interest in cybersecurity (32:40)


Photography of Molly McLain Sterling.

Molly McLain Sterling

Molly McLain Sterling is a cybersecurity culture expert focused on building and elevating security in global organizations. Her work has influenced over 100,000 people in 150+ countries, creating psychological safety and shared accountability for them.

Specializing in human and insider risk, Molly's programs consistently outperform NIST industry ratings.

A recognized voice in cybersecurity, Molly has spoken at conferences and holds positions on several advisory boards, including the SANS Security Awareness Summit and Twin Cities Privacy Network. She also co-founded the Midwest Security Awareness Group and serves as the Communication and Marketing Chair for Medtronic Women in IT.


[00:00:57] Andra Zaharia: The need for empathy is extremely physical. In the way people are evolving their relationship with their work, what we see now is a clear departure from the cold “It’s just business” approach. It’s really not “just business,” and it’s not only young people who want to change. This is one of the topics I touched on with Molly McLain Sterling in a spirited conversation that left me energized and really optimistic about the change-makers in our community. Molly’s studied musical theater, and, while pursuing a career as an actress,took a small detour that turned into a thriving career in cybersecurity. She told me how she got over 100,000 people in 150 countries to take an interest in cybersecurity education and how she helped them bring that into their lives at work and at home. I also learned why we should replace the term “security securements” with “security empowerment”,and how she created a shared experience for her colleagues on topics related to cybersecurity.

[00:02:08] Andra Zaharia: This episode is sprinkled with stories of failure, which are stories of growth, and successful milestones that gave Molly fuel for her ambitious plans and perhaps for ours as well.There are plenty of examples for you to draw inspiration from, and I can’t wait for you to meet and learn about Molly. So let’s just dive right into it.

[00:02:42] Andra Zaharia: Molly, thank you so much for being a guest on the Cyber Empathy podcast, and for just making the time to share with us many, many of your lessons and your experiences in what is an amazing career and journey so far.

[00:02:59] Molly McLain Sterling: Well, thank you so much. It’s an absolute pleasure to be here!

[00:03:03] Andra Zaharia: As I was following you on LInkedIn and as I was diving deeper into your work and the type of message and education you bring forward, one thing that really stood out for me, and this is a message that I’ve seen you integrate over and over, is that as hard as we try we can do little alone. What does that mean for you and how has that influenced how you do the work that you do and perhaps even your life outside of work

[00:03:33] Molly McLain Sterling: For sure. It means breaking down silos within your organization, starting within your security organization,your colleagues, making sure you’re partnering in any way that you can and supporting each other and not fighting for credit. Just having a healthy culture just starting at home and then growing it out from there. Then expanding that to your IT colleagues, to your business colleagues, that cyber criminals are well-educated, well-informed, well-funded. They’re there in masses, and so we really can’t afford to be trying to do it alone. We need everyone in the organization to be a part of it and to be accountable, and  you have to get them there with empathy, which is why I love your podcast and the message that you send too. When I saw Cyber Empathy, I thought, “Wow. This is exactly what’s been in my brain.” I’m so fascinated for somebody that focuses on this totally. Awesome. Again, thanks for having me here.

[00:04:33] Andra Zaharia: Thank you. Yeah, this is one of the things that you and a couple of other people that I follow do constantly. You create a shared vocabulary. You give physicality to some abstract ideas that perhaps people are thinking of but that they don’t know how to express it, they don’t know how to go about it. I feel there’s still somewhere in the corner of this industry. Perhaps not exactly in the corner, but there’s still this misconception that the IT or the security specialist is this misunderstood figure. This person that has so much wisdom and knowledge, which they do, but they are the loner type both physically, but also emotionally removed from the rest of the company. Is that in your experience still true, and if it is, to what extent? I feel that we’re carrying over this stereotype with us, and it’s not doing us any good.

[00:05:35] Molly McLain Sterling: I think a lot of that is tied to folks that are really, really skilled technically and a lot of times have an engineering background. It isn’t necessarily specific to security; it can be engineering all over the board that have that perception of being experts, being frustrated when other people question their methods and things like that. I don’t necessarily think that that’s true. I think that there’s a very wide range of people and personalities and skill sets, and weaknesses too, things that people want to work on in every space. So yeah, I wouldn't necessarily stick that with just security.

[00:06:13] Andra Zaharia: That is true. And one of the things that you do in your work is that you bring together all of these people, the business people, the engineers, the security people, people from all kinds of teams. How did you start to do that? What does that really look like in a day to day scenario in a very practical way, because it sounds like such a lofty goal, it sounds like such a big project that it can feel a bit overwhelming. What does that look like? Be real.

[00:06:44] Molly McLain Sterling: That's a great question. I have learned from the best. So I have to give credit to you know, my leadership team and my colleagues that I've seen and been able to model their behavior as well. But it starts with listening. That seems so silly and simple to talk about, but just going to your stakeholders and letting them talk and letting them get things off of their chest without kind of battling and trying to prove them wrong or or push your own agenda, it really is shaping the message so that it fits into their goals. And they can see that they can accomplish the things that they want to accomplish and so can we. Ultimately, I think for anybody that's listening that's sort of not on board with the whole empathy piece, and it's just business and wants to be a little bit more cut-and-dry, using empathy in your methodology and in your day to day gets you what you want. Ultimately, if you want to get what you want, and you want to accomplish those things that you have in your lofty goals, use this. This will get you there. It's not just kind of like a touchy feely, nice thing to have. It moves the business forward.

[00:07:50] Andra Zaharia: Thank you for pointing that out because, yes, I still get that a lot. I think we're still going to get that alone for a long time when we talk about emotional maturity and emotional development and all of those things that seem like you should be doing in your private life, not in your professional life, which is so absurd to consider them separate. Thankfully, I see younger generations not carry this very strange, very kind of why is it here division with them, which is something that I really, really appreciate. I just wanted to mention a couple of your achievements,because the scale of the work that you do now is just huge to me/ Just being able to orchestrate all of these things together, being able to do like 200 campaigns a year. Being able to achieve this huge level of involvement throughout the organization. Just making sure that also everyone who works in a hybrid workplace is on board and feels connected. And especially putting together your global Security Ambassadors Program, which is really something that I want to find out more about. How did that start and how did that make you feel differently about the work that you do?

[00:09:12] Molly McLain Sterling: It's near and dear to my heart. I'm very much somebody that likes to experiment and just give it a try. Thankfully, the environment that I'm in and the leadership that I've had allows me to try things and fail a little bit. I would definitely say the first few years of me doing the Ambassador Awareness program failed. We still did it, but when I look back, I’m like, “Oh man, those were rough.” That was not providing that much value. But of course it grew and it matured as we went along. We kept at it and we kept going back to okay, what didn't work there? How can we tweak it? How can we make it better? Where can we bring the value? 

There was a really big turning point for us in one year where we had some folks that would try to steal the stage when we would be doing our calls. They’d try to be pushing their own agenda about something completely other than security and arguing with our CISO in some of the calls, it was just like, “Whoah, we’ve got to rein this. What’s going on?”That happened to be around the time of the pandemic as well. I told my team, “Go out to social media. Go out to YouTube. Watch every video that you possibly can on anything. Don't watch any security videos.” We watched things on makeup tutorials, on how to change the oil in your car, on how to cook pasta, whatever it was, to try and to just spark some of that creativity. The team came back to me with the idea that we would drop episodes. And so there's these interactive videos essentially, that they're creating and episodes that they’re creating once a month so that we can really be timezone inclusive. We have a focus on 150 countries, 100,000 people, so asking people to wake up at three in the morning to do a call is ridiculous. This is great because they can come in at any time that they want. There's interactive challenges. There’s scavenger hunts. There's tips and tricks they can take home to bring to their family. So they learn about things at Medtronic, and then they also learn about things that they can bring home, and it's in bite sized chunks. Then the other just amazing thing that I learned through the process is the power of social proof. We have a team's channel sounds. Basic, but once people started using it and commenting and talking and sharing of all the ways that they either got scammed or avoided a scam or avoided something and helped their family, then it just snowballed. It was amazing. So that is a really rich community.I think the Ambassadors took hold of that and made it what it was. We brought them the dish, and then they got in there and really spice it up for us, so it was pretty cool.

[00:11:48] Andra Zaharia: What do they all have in common? Again, just like you mentioned, 150 countries, people with all sorts of backgrounds and experiences, what's one thing that you've seen that really brings them together as a group? Is that the thing that made them resonate with cybersecurity and the values and principles behind it?

[00:12:08] Molly McLain Sterling: Yeah, I think that I'm so fortunate to work for a company that has a very strong mission. We are very mission focused, very much about the patients and improving people's lives and their health. The idea that we can work to protect the mission, protect the people, is a big driver for a lot of people and why people stay at Medtronic Then that other driver of can I take that home, can I go protect my family, my loved ones, my neighbors, my friends myself, from this kind of big confusing thing that can be really scary. There's a very large difference in their skill level and their knowledge about security, which is really cool to see that people that are just learning about fishing and people that can code like magic and have it be secure. Everybody's in there together because they have this drive to be secure.

[00:13:00] Andra Zaharia: I love this. I love that it creates a common and shared experience. This shared experience, the sense of camaraderie, the sense of we have this thing in common. I feel like this is such a fundamental thing to human nature. It's so rewarding, and it's so memorable in such a positive way that it changes people's perception towards security from something negative,anxiety-inducing, coercive, to something that feels empowering, that makes us feel stronger and more self-reliant and just more comfortable in the world, I guess.

[00:13:38] Molly McLain Sterling: Lately, I've been sort of wishing that instead of security awareness, it was called security empowerment because I just really feel like once you get to that place, it's so cool to see the power that people hold, then to share in how it grows. That's a reason to get out of bed in the morning.

[00:13:54] Andra Zaharia: I love that, and you should definitely write about that or just create something about that. Again, it's giving people the words. For instance, going to therapy really helped me improve my emotional vocabulary. Security can help us improve our vocabulary with concepts that may be felt foreign or too abstract or just not for us. It can start to break down those limiting beliefs, and, just like you mentioned, maybe give us a hint of other things that we might do that perhaps we didn't think we were quite capable of. 

[00:14:29] Molly McLain Sterling: When we think about these abstract concepts, bringing them into reality and making them practical and doable, little things can make a big difference. It's not like you have to change your whole program or change your whole way of life if you want to go this route.I think in one of the first conversations, we talked about the line I have on the bottom of my email that says, “We all work in different time zones. If you're getting this message outside of your normal work hours, I don't expect you to respond.” A lot of us have those at Medtronic, just working in a global company. If there's something really urgent, I'll pick up the phone and I'll call you. Little stuff like that, just changing the tone of email that you write to be less authoritarian and more in a partnership fashion, can make a really huge difference. Those are tangible things that can improve empathy. 

[00:15:20] Andra Zaharia: It really does. You have a lot of experience with coaching people at all stages of their development.  What's the, let's say, the most difficult category to coach, I don't think “category is the proper word, but what was the most challenging role that you've had to interact with in this way?

[00:15:40] Molly McLain Sterling: Gosh, that's a great question. Different roles or different backgrounds present different challenges. I don't think one is more challenging than the next. Probably, at a high level, the biggest challenge is those that are seeing us as a barrier. We can't just come in and start talking about solutions or figuring out what's going to drive the business, we have to build that foundational trust first. It's not necessarily challenging, but it just takes more time. Trust takes time. When you're talking about terms, there's another one that I use: trust debt. There's tons of talk about technical debt and not updating your systems, you’re like leaving it, you're not investing in it. Trust, I would say, is the same, just as important, same thing. You need to invest in your relationships and take that time to nurture those relationships. Then you're not going to have a ton of work to do when it's really time to get something done. You already have that good healthy foundation.

[00:16:36] Andra Zaharia: What most people object to when it comes to trust or empathy or, again, things that are very relationship and emotion focused is that it's not scalable. How did you manage to scale it because you managed? You and your team and your colleagues, you've managed to scale this? So what does scale mean, in this realm of building security culture?

[00:17:00] Molly McLain Sterling: I certainly don't think we're perfect; we always will have work to do and more people to bring into the fold. I think just having the consistency with how you speak so that in your communications, in your emails, in your items, in your presentations, in your meetings that you're having, that consistency of approachable language, that you're approachable, that you're leading with empathy and those types of things, if you can be consistent through all of those, I think it spreads naturally. Then others start to see the benefit and then they start doing it. It's just again that social proof piece. When there's 100,000 people to convince of something, it can be hard, but it's so much easier to do it that way than it is to try and force somebody. I joked that before the Ambassador Program, we were force-feeding people. After the Ambassador Program, they're coming back for seconds. It's like when you start doing that, they'll start coming to you and you don't have to work as hard.

[00:18:01] Andra Zaharia: I really, really love that. Again, the mental image. Just putting this in terms that are so relatable and that are so evocative, I feel like that helps a lot. It helps people visualize things. It helps them feel like, “Oh yeah, I know this territory. This is a space where I can grow and explore and then be curious about.” I've seen people in security culture roles that come from communications background and HR background. However, you first started in this company as an IT analyst. I was really curious to understand what was the inflection point that led you to use your skills and your experience on this path, and perhaps if there's any kind of particular experience that led to that.

[00:18:54] Molly McLain Sterling: Funny enough, my first experience with this company was actually picking parts in the warehouse. I have a musical theater degree, I was an actress after college,and in between acting gigs, you do temp jobs. You're doing anything basically to make sure that you can survive. I randomly got this temp job picking parts in the warehouse. That helped me get a temp job in the office, and then the office led to IT analyst and that snowballed and went from there. 

[00:19:25] Molly McLain Sterling: I've always had this creative background and I am not necessarily afraid of a challenge. I was a musical theater major coming into it, and they taught me how to code and all that kind of stuff. I think that always asking for more and asking what else can I learn or what else can I do helped propel my career and finding my niche of what are things that other people don't want to do that I could do that I'm strong at. If that's creating training, if that's helping create a process that's easier for stakeholders or something like that, that's where or you can kind of go in and bring your value. 

[00:20:03] Molly McLain Sterling: Then the other fun and super challenging part, at least when I first started doing security, was being a translator. Taking a really technical speak and translating it, so that I would understand it. I think that that was a skill that wasn't necessarily present within our group, and that ended up bringing a lot of value because people started understanding why we were doing what we were doing.

[00:20:27] Andra Zaharia: One of the things that I love about cybersecurity is just the diversity and background and the flexibility that people have. Flexibility that's related to the growth mindset, but just to explore things, this curiosity that never stops. That doesn't stop at the boundaries of this field. It goes, it overflows beyond its borders. One of the things that I'm really curious to find out is how have you seen people have those self awareness moments as you're changing the language, as you're changing the tone of voice, as you're changing the energy that's in the room when you talk about security? What I've seen in bits and pieces from my experience is that people start to think about their own behavior more when they engage with this thought process, with this exploration. Have you seen something similar happen to your colleagues? 

[00:21:31] Molly McLain Sterling: Oh yeah. There's certain people that are early adopters. They'll go in and start using that language right away. They might have already been using it, they'll just be a little bit louder about it in terms of sharing their experiences with others. I think for those people, again, just people seeing how successful they are, that they're able to accomplish things that they want to accomplish. They're able to have one person that just never seems to like security and always comes down on us. They're able to have a decent conversation with them because of the way that they're saying YesAnd  instead of “No, you can't.” I want to be clear too: having empathy. establishing trust, doesn't mean you can't disagree with people. You can disagree, you can still push for what you want. It's just in how you shape the message. You can still be passionate. It definitely isn't like going in and coddling someone, but it's just taking the time to look at things from their perspective and being respectful enough to shape the message so that it helps them.

[00:22:37] Andra Zaharia: It's not people pleasing, it’s respect. It's creating that space

Yeah, I love that. I really, really love that, and I love how you carried, besides the “Yes, and” tactic, which, if you have a minute, I’d love it if you could explain it to people who perhaps haven't come across it. What other techniques from acting have you carried over from your background to this role?

[00:23:01] Molly McLain Sterling: Yeah.YesAnd is an improv game, it's a tactic in improv. When you're doing an improv game and somebody's creating a new world, you can't disagree with the world. You have to just say, “Yes,  and.” Then you kind of shape the thing. If somebody says, “You're an octopus,” “ Yes, I'm an octopus, and I'm going to squiggle over here.” I don't know, this is the weirdest example ever in a cybersecurity conversation. I'm going to listen back to this and be like, “What was I talking about?”

[00:23:31] Andra Zaharia: You might have seen a book cover with a purple squid that is about OSINT that you might have seen and I have read. Maybe it was that.

[00:23:40] Molly McLain Sterling: May I got that, yeah. Essentially, it's when somebody comes to you with something they want to do like a project in security, you're not just saying, “No, you can't do that.” You're saying, “Yes, you can do that, and you'll need to do this penetration test, and you'll need to then mitigate the risks that are here, and we can help you on that journey.” It's just trying to be instead of l, “No, that's never going to work, and I know, you're never going to pay for the penetration test, and I know that you're not going to mitigate the things like that.”  Let them figure out if they want to invest the money and mitigate the risk and take the time. 

[00:24:15] Molly McLain Sterling: Some other things from acting. I think that you have to have thick skin when you're an actor. You're constantly auditioning and you can't take things personally. If somebody's mad about something that they have to do within security like I have to take this training or you're making me do this or this is messing up my work, don't take it personally. Take the emotion out of it and realize that it's not really about you. It's about what that person is experiencing.

[00:24:48] Andra Zaharia: And just getting to know that experience. Diving into that experience then creates the setup for empathy and helps us just understand what things are about, and not just get stuck on our own agenda and pattern of thinking and just our automation systems, the automation systems inside our head, which can be really powerful unless someone manages to kind of snap you out of it. Just a little bit.

[00:25:14] Molly McLain Sterling: I would say too all the things that I'm talking about are lifelong things. There are definitely times where I'm like, “Whoop. I'm taking that personally. Oh, I got to take some emotion out of this.” it's not a destination that you're going to get to where you're like magically, perfectly empathetic and can handle all things. It's always going to be that refining journey over your entire life. I think that's fun and interesting, and presents a challenge that energizes me rather than depletes me.

[00:25:44] Andra Zaharia: I love that spirit. I feel like there's a lot of self-compassion in that as well, having this idea that this is a skill like many others that we can nurture, that we can cultivate, and that we're not inherently the masters of. Just having these high expectations of ourselves that I should be able to do this, I should be able to do that, we transfer that to other people as well. When we become a bit more self-empathetic, we're able to do that with other people as well because we know it feels good and it actually helps us instead of putting us down. 

[00:26:19] Molly McLain Sterling: Yeah, you can accomplish so much more. 

[00:26:21] Andra Zaharia: Definitely. As your role of director of global security culture, what does that role entail? Again, it sounds so big. It sounds like it's such a huge responsibility. What does it look like in practice for people who might want to start building towards that because being head of security culture is a feel a role that's still emerging. Many people don't know that it's a thing, they don't know how to access it, they don't know how to prepare for it or just how to ask for more responsibilities in this direction, if that's a place they want to be in someday.

[00:27:00] Molly McLain Sterling: It started with Security Awareness. I started as a team of one and slowly got more people, got more people. Then we grew to include metrics and analytics, a core function across our global security office. Instead of having all these separate instances of metrics, every group still owns their own metrics, but we're that main one where everything floats up into. Then the third piece that we grew was into stakeholder engagement. That piece is really interesting because probably four years ago, we had a not great reputation within our company. People didn't like working with us. We had some really rough comments in the annual survey that said, “The global security office is the worst, and we don't like working with them” and all those things. My CISO was masterful with this. He didn't push back against it, he put everything in a slide and went to his colleagues and said, “Okay. This is what you all think of us, we're going to address this.” It's not to say that we necessarily agreed with the perception of us, but we were going to address the perception of us. 

[00:28:10] Molly McLain Sterling: Then he came to me and said, “We're going to create a stakeholder engagement group, you're going to report to me and my leadership team. You have to help figure out what this means. We're going to start with listening sessions. Go to all the IT leaders and just start having conversations with them.” So I did, and I just let them vent, I started the start of the meeting with, “This is a half an hour where you get to just vent, and I'm not going to fight against you.” Some people would laugh and be like, “What? This is not what we're used to.” When I would start to hear common pain points, then I would bring it back to the security leadership team and say, “These are some of the things I'm hearing. Maybe we can address a few of these.” Then our team would work on a few process improvements to try and address some of those things. Again, this is that time when we really started changing our messaging, using YesAnd. That wasn't me driving it. It was like everyone within the security office realizing that we can get more done if we start tweaking our delivery and our messaging.

[00:29:10] Molly McLain Sterling: One day after a SANS conference, I was looking at the journey of how we grew. I was like, “Ah, this is security culture. We're at the point of security culture now. We’ve grown.” I went and talked to my CISO about it. I said, “I think we're past awareness, we're past engagement. We're into a culture where we want to embed ourselves in the day-to-day. People are coming to us to work with us. Can we do that?” He said, “Yeah, let's  do it. I like that message, I like  that thought process.” And here we are.

[00:29:43] Andra Zaharia: That is so energizing. It's so energizing that you can see these results and that perseverance pays off, and, just like you mentioned at the beginning, being heard, being listened to is so deeply therapeutic. Honestly, it just feels like a therapy session. That finally you feel like someone's really listening to you and giving you the space to just express what you need to get off your chest.

[00:30:12] Molly McLain Sterling: It was really funny to go through those conversations. I also should say too as we grew, we got more resources.  I certainly can't do all the things that I do with a team of one, I have a team of eight. One of the ways that is really beneficial that I would recommend people taking a look at is seeing if you can take talent from your IT support center. That's where a ton of my folks have come from where they were doing just calls, calls, calls all day. They're hungry to get out of that environment and try something new, and they have incredible knowledge of all groups across the company because they speak to everyone. They can handle high pressure situations and a lot of them are really ready to learn. I have been very fortunate with having some incredible talent, diamonds in the rough that have been able to come out of that area.

[00:30:59] Andra Zaharia: That's so nice to listen to, that's so nice to hear. It’s something that you often hear from people with experience, like looking at people in this group and listen to them, give them a chance. Seeing the success that you've had with this. I feel like that's really, really encouraging. Again, try to look for people that do not fit the regular resume thing that's usually such a barrier in cybersecurity recruitment and such a big issue in the industry. 

[00:31:34] Molly McLain Sterling: If a musical theater major can do security, anybody can do security. You just have to give them time and attention.

[00:31:40] Andra Zaharia: And trust.

[00:31:42] Molly McLain Sterling: Trust, yeah.

[00:31:43] Andra Zaharia: Definitely trust.

[00:31:44] Molly McLain Sterling: Bring somebody along the journey. I know that's not right, for every single role. You need to have some people coming in that hit the ground running and be super technical, and that's definitely needed and great, but there's so much space in cybersecurity for so many different types of people and so many different types of skill sets. I think if anybody takes anything from this episode, I hope that's what they hear, that there's space for everyone.

[00:32:12] Andra Zaharia: How do we make space? Are there any kind of preconditions to create this space? You said, obviously, leadership. That's what shapes a company, the decisions, the way they communicate decisions, the way that they present themselves, the investments they make, the people they advocate for, and they support and promote, and so on, and so forth. If you're a change-maker inside a company, let's say you have the support of your manager, but leadership is still in a different mindspace, in a different headspace. How do you reach them? How do you start making security work to their advantage and turn it from not just an expense, but turn it into an investment and growth lever for the company even?

[00:33:01] Molly McLain Sterling: Right. I think you have to figure out how you can show that security can be a differentiator for your company. How does it set your company apart from your competitors? How can it help you gain market share? I think the other thing, if you're having a really hard time with your leadership investing in what you're talking about, not necessarily monetarily, but either way, mentally or monetarily, bring in outside experts. They will say the exact same thing as you, but the leadership might hear it completely different because it's somebody from the outside saying it. So if you can engage speakers, like the FBI will very willingly come in and speak to a lot of big corporations, and you can hire a consulting group to do a security assessment to give you a grade and show you where your strengths and weaknesses are, that is really helpful. Then doing that over time to show how you've improved. Those are just some of the simple ways, I think.  Not necessarily simple, but those are some of the basic things that you probably want to do if you're trying to influence at the very top..

[00:34:08] Andra Zaharia: And they still work. I feel like these are things that perhaps we all know and that work in other areas of the business, but perhaps that people haven't tried directly with security or just haven't stuck to them for long enough. Just like you mentioned, perseverance and consistency. Such big things, such hugely important things to just keep track of. One of the things that's especially impressive about your career is that you've been with this company for almost 16 years, which is absolutely amazing. How big of an advantage is it to have this continuity? What has that been like for you and can you imagine what would have happened if you had switched roles or just had a different, let's say, journey?

[00:34:57] Molly McLain Sterling: I think that there's benefits and there's downsides to it. Not necessarily downsides, there's benefits to both. There's benefits to working in a number of different companies because then you can experience a number of different challenges and a number of different environments. I think there's benefits to staying in a company for a long time because you really start to learn the culture, and you know the culture like the back of your hand, and that plays so much into influence and motivation with security. I think anybody that's starting in a new role has a bit of that challenge of just figuring out what the culture is and getting their feet under them, and then being able to make a change. It's not necessarily who you know because there's turnover throughout the years, but it's just a matter of how things work and knowing the general sort of appetite for growth and security mindset within the company.

[00:35:50] Andra Zaharia: Given that you've been here, you've seen people come and go, you've seen so many things change and evolve, what do you want to explore further? What do you feel is still something that you want to a challenge that you want to address? 

[00:36:04] Molly McLain Sterling: Great question. How long do we have? I’m hungry. I love learning, I love trying new things. I have found this beautiful marriage between cybersecurity and theater. I really love talking about security. I love talking about security culture. The more that I can do that on the bigger stage, the better. It’s something that I want to continue to explore because I think I learned so much each time I put together a talk. Then I hear the comments afterwards of somebody saying, “That totally wouldn't work in my environment.” “Oh, man, Okay, tell me about it. That's something I didn't know.” That's a light bulb moment for me. For anybody listening out there, that’s definitely something I'm interested to–  I don't really like the term “evangelist,” but I love the the evangelist type of work within security culture.

[00:37:02] Andra Zaharia: You certainly have not just the experience, but also the energy and even the background to do all of this. I can't wait to be first row at one of your talks in the future. That is going to happen. To round this up this conversation: I see it like such a big puzzle that's really working so well together. You've helped to see things from different angles, but see how they make this entire work whole and how this work actually makes you whole, which is really awesome to see. What's something that's particularly special to you about this job, whether it's a value that you want to continue to uphold or to inspire people with, or a principle that leads you or just the way it makes you feel about yourself? That's really important in our work.

[00:38:02] Molly McLain Sterling: I think the idea that it applies to everyone. Everyone deserves to be secure. We do spend a great deal of time with technology. Even in the physical world, we have physical security in our domain to within our company. If we can help somebody feel more empowered, feel safe, feel secure, what a blessing to be able to do that.

[00:38:34] Andra Zaharia:  It really is, and such a generous act too. Thank you so so much for everything that you've shared and for everything that you post and for everything that you're talking about and will talk about on stages, hopefully bigger and bigger. It's been such a pleasure. You've energized me so, so much, and I bet that that's going to happen for every listener that goes through this episode and gives himself the time to soak in your enthusiasm and just everything that you've shared. So thank you so much for that.

[00:39:04] Molly McLain Sterling: Likewise. I mean, you are the ultimate cup-filler. You have all of us overflowing up with joy when we come and speak to you and listen to you. Please keep up the amazing work that you're doing as well.

[00:39:18] Andra Zaharia: I appreciate that so, so much!