With more than 20 years of cyber security leadership, Lena Smart is Chief Security Information Officer (CISO) at MongoDB, the leading modern, general-purpose database platform. A founding partner of Cybersecurity at MIT Sloan (CAMS), Lena has a history of building out security teams for global enterprises and is a recognized security industry leader.
Here, Lena tells us more about why growing her team, increasing visibility of endpoints and ghost software, and foreign travel management are some of her top priorities for the next calendar year.
Growing the team
As MongoDB's first CISO, Lena has brought their security system under one umbrella over the past two-and-a-half years. She is now eager to grow her team and believes the COVID-19 pandemic hasn't impacted her ability to hire a diverse range of the best-qualified people.
She explains: "In some ways, it made it easier because now you can work from anywhere. We have people in London, and we're going to be looking for folks in Dublin or anywhere in Ireland, so growing the team is one of our top priorities.
"We have a very good and transparent policy regarding working from home. Given our global workforce, MongoDB has excelled at enabling our employees to work in both remote and hybrid environments while prioritizing employee communications to make sure everyone feels safe and supported.
"I'm on our diversity and inclusion committee, and I'm a big proponent of hiring the best-qualified person for the job, and if it happens to be a woman, that's awesome! Just under 50% of my team are female. We have a diversity pledge that works because the wording is very clear. We make sure we are actively and proactively interviewing underrepresented groups for roles above a certain level."
Greater visibility of endpoints and ghost software
During Covid, Lena and her team pushed through some of the endpoint applications that employees wanted to use more quickly than usual, which helped productivity. It was a big lift for her team, but they are determined to maintain and manage that lift next year by undertaking the difficult task of auditing all of the software in their network.
Lena says: "I want to create a heatmap of every application someone is using in the company; I want to understand who is using what and for what reason, and then do a risk analysis. We're probably going to find software we don't even know about because any CISO who tells you they know every piece of software in their network is being economical with the truth. There is always stuff out there. It is very hard to lock that down, especially in a tech company, because we need to have that openness and availability of new tools to help us be more productive. But there is no such thing as a one-way path for network traffic. All of these different entry points also become exit points. It's a big project to undertake, but we've seen different companies hacked because they didn't know about different software or access on their network. So, it's not just all through phishing and ransomware emails; it's also taking advantage of that weaker third-party you're using."
Foreign travel management
Lena is also seeking to improve MongoDB's foreign travel management to reduce the security risks associated with employees working remotely and better support the company's work from anywhere culture.
She explains: "Companies are starting to open up travel again, but I think people forget that it's not always simple to go to different countries. That's something I'm really focused on just now. So, where are people going? Are they going to work there? Will they take company equipment with them? What does that mean for us as a company? And can that be a pivot point for the bad guy? Globally, this should be what CISOs are thinking about, not just the sexy stuff, like pen testing, etc. Even something as innocuous as wearing a company-branded T-shirt or what stickers are on your laptop can potentially make you a target. We're looking to engage a third-party company to help us manage the associated risks our employees may take on as a result of traveling."
Key learnings
Lena's key learnings over the past year include patience is a virtue, the importance of camera-free meetings, and that working from home is nice for a while, but in-person meetings are great!
Lena's advice for choosing a new security tool:
Do the technical work: "You can't just buy something because someone else bought it. If you're a developer, find a developer at the vendor and talk to them."
Trust is essential: "You need to build relationships, and that makes purchasing software so much easier."
Utilize the experience of your team members, no matter how junior: "Everyone will have good and bad experiences with software, and it's important to learn from them. As a CISO, I'm not just talking to my deputy or a couple of lead developers. I'll go right down the food chain and put a message in the Slack channel for the whole team to see."
Talk to your Board of Directors: "Check if they are also on the board of companies we're interested in working with because that's how you get the inside track."
Stay tuned for more cybersecurity forecasting and insights from the world's leading CISOs and security teams.