CISOs should build a security-focused culture: MongoDB’s Lena Smart
As cybersecurity threats continue to rise, every organization is looking at ways to combat the menace. In an interview, Lena Smart, Chief Information Security Officer (CISO) at MongoDB, tells TechCircle that while it is important to invest in technologies for safety and security within the company, the need of the hour is to build a culture of cyber trust and a strong cybersecurity policy to ensure the entire organization moves in the right direction. Smart, who is also a founding partner of Cybersecurity at MIT Sloan (CAMS), talks about the CISO's changing role in response to the increasing threats, bringing more women into cybersecurity, and more. Edited excerpts.
What are the emerging areas you see in cybersecurity today?
The top three evolving areas in cybersecurity, according to me, are the use of AI, increasing regulations, and continuous monitoring. Generative AI is clearly big and has the potential to revolutionize many aspects of our lives. However, it also poses some security risks, such as data security, model security, bias and privacy. Organizations can mitigate these risks by following best practices to ensure that generative AI is used in a safe and responsible manner.
Secondly, for securing critical infrastructure, global regulations and standards around cybersecurity should be prioritized. In the US, we've got new rules from the Securities and Exchange Commission (SEC) on cybersecurity governance and disclosure. The Indian government recently passed the Digital Personal Data Protection Act (DPDP). All these initiatives aim to protect data principals and restrict the activities of data fiduciaries. We can expect more regulations to come in the coming months, which means that we have to be almost continuously monitoring our security posture. By 'continuously monitoring' an organization's network and systems, I mean detecting cyber threats and proactively responding to minimize damage from a data breach or other security incidents.
What percentage of the overall tech budget goes to cyber security in your organization?
Cybersecurity is something we absolutely prioritise, and it forms around 10-15% of our overall tech budget. The MongoDB leadership understands the need for investing in a strong security posture and in technologies that can help us stay secure in a changing world. With the role of the CISO carrying enormous responsibility, the management has realised that cybersecurity has a seat at the table, and we're meeting frequently with leadership to ensure we have the appropriate investments to help keep our products, employees, and customers safe and secure.
Technologies like cloud and network security as well as generative AI require a lot of skilling and re-skilling. Given the huge skills gap in cybersecurity, how are you addressing this challenge?
So, rather than try and find rare experts from outside, we look internally to fill some of those gaps in skills. We have a Security Champions program here with over 120 members globally, including India, and we give people training to become cybersecurity pros. The best part is, they need not be part of the cybersecurity team. We help them understand and give them training in areas like phishing exercises and penetration testing of AI models, to see if they can do things like prompt injection attacks to get the model to behave in unintended or unsafe ways. We conduct monthly training classes for all employees on things like how to secure your home Wi-Fi, and obviously we're doing a lot of training on AI now too. Just building that culture of trust has been super important to us, and we now have a completion level of over 98% for our security training, which is almost unheard of. So definitely a good culture of security here.
How has the CISO's role evolved or changed in response to the increasing threats, especially in the last 2-3 years?
One area that has changed in the last few years is that the CISO's role has become more outward-facing. You don't just invest in a technology, you need to build relationships, and that makes purchasing software so much easier. When it comes to security risks, the key questions the CISO should pose are: what are you trying to protect, how, and why? Not just invest in software that is trending. Also, in our organization, we prioritised bringing the entire security system under one umbrella over the past three years. And no matter where you are working, it is important to build a broader culture of security. So, the role has definitely evolved from being focused only on guardrails, policy, and risk management to being more of an outward-facing role to help change how people think about and prioritize security. As a service provider, for example, you need to give more freedom and flexibility to customers. Like, our MongoDB Atlas has best-in-class security, and we give our customers many choices when it comes to securing their applications. Finally, not just the security teams, but the top management at MongoDB believes in continuously learning and encouraging new ways to protect revenues, reputation and regulatory compliance, which in turn helps security get a seat in the boardroom.
As someone championing the cause of diversity in cybersecurity, how do you get more women leaders in the field?
We have many focus groups at MongoDB that work on getting more women into leadership positions. We help them stay up to date with the latest trends, technologies and processes through our workshops and training programmes. We also have a strong 'returnship' programme, especially for women, and we make sure that they've got the support they need to fit into the team when they return. We have a very good and transparent policy regarding working from home. Given our global workforce, MongoDB has excelled at enabling our employees to work in both remote and hybrid environments while prioritizing employee communications to make sure everyone feels safe and supported. Just under 50% of my team are female, and we make sure we are actively and proactively recruiting underrepresented groups for roles above a certain level.