In Conversation with Lena Smart
We were thrilled to be able to speak with Lena Smart, Chief Information Security Officer at MongoDB. We were deeply inspired by her unique professional journey and her commitment to being a lifelong learner. Lena’s dedication to her work and drive to lift others up with her is something we all strive for. We’re sure you’ll enjoy her insights on cybersecurity, diversity, and change just as much as we did.
Tell us a little bit about your journey and how you came to be where you are now.
My mum raised three girls on her own, and I knew that the sooner I earned money the easier life would be. So I left school when I was sixteen and I got a job. I’d always enjoyed computers, there was one very old computer at my school and not many were allowed to touch it. When I was about eighteen, I started to save up for my own computer. I loved teaching myself how things worked, I taught myself how modems worked and I used to try to put old computers together. In the days before the internet it was dialup and bulletin boards and it was fun, there wasn’t quite as much destructiveness as there is now online. It was a good place to learn and people were always willing to teach, I’ve tried to keep that going in my life. At the beginning of my career I landed a couple of really good jobs as a secretary, because that’s what women did in Scotland at the time. You were a secretary or a mother. I had some incredible mentors in those first few jobs, some of whom are still friends today. They would teach me about computers at night, or invite me in on a weekend if they were doing something new on the network, and I was all over that. I couldn’t get enough.
There was nothing like cybersecurity at the time. There was almost no need for it, it wasn’t like everyone knew everyone but your clique was small enough that you knew who was on your bulletin board. Around twenty or so years ago, cybersecurity started to creep into our vocabulary. There was more chatter around buying firewalls, monitoring your network, etc. All at once there was a huge proliferation of firewall companies and antivirus companies and it was all very exciting. I worked for a fintech company for some time and eventually MongoDB approached me and offered me a role. I took one look at them, their cultural values and the ways they live up to them and I accepted.
What kind of work are you doing now? What are the main emerging areas you’re seeing in Cybersecurity?
I am MongoDB’s first Chief Information Security Officer. This is the third time I've been the first CISO at a company, which is always exciting. I was the first CISO at the New York Power Authority, and the first at Tradeweb. In some ways, it can be easier to be the first because there are no shoes to fill. My main focus at MongoDB has been growing the team. MongoDB was already a very secure company, they just wanted to organize the function under one person. I gathered up some of the people who were doing security around the company, and was given free rein to hire who I needed to help grow the team. Eventually I was asked to take on Governance Risk and Compliance because I have experience in that area as well. We’ve been growing both teams rapidly. We have grown from a small in-house team to over thirty employees globally, in our Security and GRC teams. The leadership here has allowed me to do what I needed to do to get the team up to speed quickly. This year we're also looking at supply chain risk management. We work with the IT SCC, the IT Sector Coordinating Council. It's a group that interacts with public and private industries. We’re working with all these different agencies to try to make a supply chain risk management framework so that people can understand what risk is involved in using third parties. It’s really important work because at the end of the day, you either use a third party, you are a third party, or both. It’s important to understand the risks on all ends of the equation.
With most companies being forced to work remotely this year, the conversation around cybersecurity has definitely deepened. How has COVID-19 shaped your field, and do you think this change will be enduring?
I think this change will be enduring. From a practical standpoint, we’ve discovered that people can work from home. Not just that, they can be very productive with the flexibility it allows and the elimination of commute time. I’d like the remote work options to endure. In terms of managing security with a remote workforce, it’s definitely a big topic. MongoDB was very well prepared to work from home. We’d done a couple of table exercises, as a part of our overall playbook for cybersecurity. One of the exercises was, what if everyone was sick? We didn't call it a pandemic, but we theorized what would happen if everyone was sick and couldn’t come in. So we were lucky in that we’d already tested our remote bandwidth. That allowed us to pivot quickly, along with our incredible IT support team. They were deeply attentive to our work from home needs. As was our executive staff. In the beginning, they sent out pulse surveys to get a feel for how people were doing. It started out as more to get a picture of how everyone was coping, how they were feeling. Once it was clear though that remote work would last quite a while, we switched to asking people what they needed to work from home. MongoDB provided stipends for desks, monitors, chairs, anything people needed to really set up a space to work at home. Now, a year on, we’re starting to see light at the end of the tunnel and we’re asking who wants to go back. Full time, part time. We’re trying to make accommodations for those who have moved. As a company, MongoDB has just been so attentive to what we need as individuals and as human beings to get through this crazy time. I do think that a lot of companies will keep these changes. There is so much benefit to having a happy workforce that wants to be at home and have some flexibility. Those that want to go into the office, can.
Within tech, cybersecurity especially has abysmally low numbers of women, what do you think is driving this lack of diversity and what do you think companies can be doing to ensure more women stay?
Honestly, If I knew the answer to this, I would be running the most successful company ever right now. Seriously though, cybersecurity does have a bit of a bad rap, in the technology hiring world especially. Cybersecurity is often seen as geeky or uninteresting, I've even seen the word “boring” in job descriptions. People don't want to be seen as geeky or working in a boring, dead end job. That could not be further from the truth. Cybersecurity is one of the most exciting fields to work in. That is starting to show now just by the sheer amount of unfilled jobs that there are. There are 314,000 unfilled cybersecurity jobs in the U.S. alone. Cybersecurity is truly anything but boring. You don't have to be a code junkie digging through thousands of lines of code, it doesn't have to be repetitive. You can be part of a red team or a blue team in hack or defense, you can be doing cybersecurity training. One of the most gratifying things I’ve gotten to do is set up our Security Champions program at MongoDB. We have over eighty members now. These folks are all people who have an interest in cybersecurity, but they probably don't interact with it much in their normal working lives. They could be executive assistants, or work in finance or legal. All these people are now giving us up to two hours a week of their time to learn, to work on projects, to let us know if cybersecurity is perhaps lacking in their department. We’re starting to get a lot of good feedback to analyze and act upon.
In terms of helping women stay in cybersecurity, it can be hard to keep anyone in cybersecurity sometimes because there is such a high global demand. The way we encourage people to stay here is by living up to the cultural values that we have. MongoDB is an inclusive, positive place to work. I also try to make work fun. Especially working from home, where we can sometimes feel so far apart. This year, we’ve had pub quiz nights, painting nights, we send cookies out to employees, it just allows people to relax, feel connected, seen and appreciated. I think having such a high level of empathy from the CEO down to each team leader helps people stay here. In a broader sense, beyond working from home, I think there should be a lot more opportunities for women to have key management and individual contributor roles. Women are sometimes seen as empathetic and sympathetic and end up in project management or other coordinating roles and miss out on opportunities to work on crucial business issues. I also firmly believe that there should be ample time to take time off if you want to start a family, and there should be some reassurance that your job will still be there for you should you return from your maternity leave. There should be no worry about your career prospects when you make a decision to start a family.
What has your experience been as a female executive in a heavily male dominated sector of tech?
My experience has been wide and varied. I've worked in many different male dominated sectors, in shipyards, on trading floors, power plants, and in technology. I've generally had good experiences. My biggest advice is to not get too caught up in the disparity when you’re in the middle of it. Give people a chance. When I first stepped onto a nuclear power plant floor, people were just so gracious. They could probably see that I was terrified. Just how incredibly gracious the men and women working this dangerous job were to me has stayed with me, it was a real eye opener. Of course, I’ve been in other situations where there is obvious sexism going on and you just have to rise above it. Don't get involved in the pettiness, it's never worth it. Some people just want to get a rise out of you sometimes, and if you don't give them it, they get bored and move on. One thing I never tolerate though, is bullying. I always step up and say something in that case. In private, of course. You can praise in public and criticize in private, that's what I've always tried to do.
What are some opportunities you see in cybersecurity for non-technical people?
Dawn Charles, my right hand woman was an executive assistant for many years and when I joined MongoDB I was lucky enough to have her as my EA. I realized quite quickly that she had a lot to offer. Being an executive assistant is a really demanding job, but there's not much tech involved and I saw that she really wanted to learn. She was one of a few people that I approached to see if they’d be interested in working in cybersecurity full time. One of our other employees came over from the education department, and is now running our fantastic security education and training system. All of these people had unique skill-sets. Ones you wouldn't even necessarily advertise for because they’re specialized or unique. I have a hard time deciding what defines a technical person. Do they have a degree in computer science? Does that make them technical? Because I've worked with many people with degrees in computer science and they're not necessarily technical. What we've found with introducing the security champions program, is that people are interested. They want to learn. Now, they're giving us so much back from their side of the house. We’re holding training, coding classes, challenges, and people are just loving it. So, I think it’s important to not get too boxed into being a “technical” person, or a “non-technical” one. Everyone is technical up to a point and people will explore different avenues if you just give them a chance.
How do you hire?
In an ideal world, I'd like to hire blind. I play cello and I'm so inspired by how professional orchestras hire. They do blind auditions, you play behind a big screen and they put carpet down so you can’t hear if someone is wearing high heels or not. It's a totally blind process. Since it started, the number of women in orchestras has increased fivefold. I’d love to do that, but it is a lot harder in technology. What I tend to do, when I look at a resume, is look for keywords to see if a candidate is really interested in what they’re doing. I look for that passion. Skills are great, but you don’t need to know how to code in ten different languages to be a good employee. At the end of the day, if there's no passion, you're just coding. I look for people who have good ideas that they’ve been able to translate into something that helps make their company more secure. That's what interests me. I obviously care about the diversity breakdown of our team, but I didn't wake up one morning and decide that I wanted certain percentages. I’ve looked for people who are passionate, interested, and I try to give everyone a fair chance. I think MongoDB is seen as a company that encourages underrepresented groups to apply and to be treated fairly. Which is crucial. Beyond that, when applying for jobs, it is just really important that people don't pigeon hole themselves. Because it is so easy to do. I was told when I was fifteen that I should be a secretary and that I'd be lucky to be one. I realized pretty quickly that it wasn't for me, and I had to pick myself up and train myself, move to different countries and not be scared to say no whenever anyone asked me if I wanted a new opportunity. I always put my hand up, didn't matter what it was.