Tell us a little bit about your journey and how you came to be where you are now.
My mum raised three girls on her own, and I knew that the sooner I earned money, the easier life would be. So I left school when I was sixteen and got a job. I’ve always enjoyed computers. There was one very old computer at my school, and not many were allowed to touch it. When I was about eighteen, I started saving up for my own computer. I loved teaching myself how things worked. I taught myself how modems worked, and I used to try to put old computers together. In the days before the internet, it was dial-up and bulletin boards, and it was fun. There wasn’t quite as much destructiveness as there is now online. It was a good place to learn, and people were always willing to teach. I’ve tried to keep that going in my life. At the beginning of my career, I landed a couple of really good jobs as a secretary because that’s what women did in Scotland at the time. You were a secretary or a mother. I had some incredible mentors in those first few jobs, some of whom are still friends today. They would teach me about computers at night or invite me in on a weekend if they were doing something new on the network, and I was all over that. I couldn’t get enough.
There was nothing like cybersecurity at the time. There was almost no need for it. It wasn’t like everyone knew everyone, but your clique was small enough that you knew who was on your bulletin board. Around twenty or so years ago, cybersecurity started to creep into our vocabulary. There was more chatter around buying firewalls, monitoring your network, etc. All at once, there was a huge proliferation of firewall and antivirus companies, which was very exciting. I worked for a fintech company for some time, and eventually, MongoDB approached me and offered me a role. I looked at them, their cultural values, and how they lived up to them and accepted the position.
What kind of work are you doing now? What are the main emerging areas you see in cybersecurity?
I am MongoDB's first Chief Information Security Officer. It is the third time I've been the first CISO at a company, which is always exciting. I was the first CISO at the New York Power Authority and the first at Tradeweb. In some ways, it can be easier to be the first because there are no shoes to fill. My main focus at MongoDB has been growing the team. MongoDB was already a very secure company; they just wanted to organize the function under one person. I gathered some people doing security around the company and was given free rein to hire who I needed to help grow the team. Eventually, I was asked to take on Governance, Risk and Compliance because I also have experience in that area. We've been growing both teams rapidly. We have grown from a small in-house team to over thirty employees globally in our Security and GRC teams. The leadership here has allowed me to do what I needed to get the team up to speed quickly. This year we're also looking at supply chain risk management. We work with the IT SCC, the IT Sector Coordinating Council. It's a group that interacts with public and private industries. We're working with all these different agencies to try to make a supply chain risk management framework so that people can understand what risk is involved in using third parties. It's really important work because, at the end of the day, you either use a third party, you are a third party, or both. It's important to understand the risks on all ends of the equation.
With most companies being forced to work remotely this year, the conversation around cybersecurity has definitely deepened. How has COVID-19 shaped your field, and do you think this change will be enduring?
I think this change will be enduring. From a practical standpoint, we've discovered that people can work from home. Not just that, they can be very productive with the flexibility it allows and the elimination of commute time. I'd like the remote work options to endure. In terms of managing security with a remote workforce, it's definitely a big topic. MongoDB was well prepared to work from home. We'd done a couple of table exercises as a part of our overall playbook for cybersecurity. One of the exercises was, what if everyone was sick? We didn't call it a pandemic, but we theorized what would happen if everyone was sick and couldn't come in. So we were lucky in that we'd already tested our remote bandwidth. That allowed us to pivot quickly, along with our incredible IT support team. They were deeply attentive to our work-from-home needs, as was our executive staff. Initially, they sent out pulse surveys to get a feel for how people were doing. It started more to get a picture of how everyone was coping and how they were feeling. Once it was clear that remote work would last quite a while, we switched to asking people what they needed to work from home. MongoDB provided stipends for desks, monitors, chairs, and anything people needed to set up a space to work at home. Now, a year on, we're starting to see the light at the end of the tunnel, and we're asking who wants to go back—full-time, part-time. We're trying to make accommodations for those who have moved. As a company, MongoDB has just been so attentive to what we need as individuals and as human beings to get through this crazy time. I do think that a lot of companies will keep these changes. There are so many benefits to having a happy workforce that wants to be at home and have some flexibility.
Within tech, cybersecurity especially has abysmally low numbers of women. What do you think is driving this lack of diversity, and what do you think companies can do to ensure more women stay?
Honestly, if I knew the answer to this, I would be running the most successful company ever right now. Seriously though, cybersecurity does have a bit of a bad rep in the technology hiring world especially. Cybersecurity is often seen as geeky or uninteresting. I've even seen the word "boring" in job descriptions. People don't want to be seen as geeky or working in a boring, dead-end job. That could not be further from the truth. Cybersecurity is one of the most exciting fields to work in. That is starting to show now just by the sheer number of unfilled jobs. There are 314,000 unfilled cybersecurity jobs in the U.S. alone. Cybersecurity is truly anything but boring. You don't have to be a code junkie digging through thousands of lines of code. It doesn't have to be repetitive. You can be part of a red or blue team in hack or defense. You can be doing cybersecurity training. One of the most gratifying things I've gotten to do is set up our Security Champions program at MongoDB. We have over eighty members now. These folks are all interested in cybersecurity, but they probably don't interact with it much in their normal working lives. They could be executive assistants or work in finance or legal. All these people are now giving us about two hours a week of their time to learn, work on projects, and let us know if cybersecurity is perhaps lacking in their department. We're starting to get a lot of good feedback to analyze and act upon.
In terms of helping women stay in cybersecurity, it can be hard to keep anyone in cybersecurity because there is such high global demand. The way we encourage people to stay here is by living up to the cultural values that we have. MongoDB is an inclusive, positive place to work. I also try to make work fun. Especially working from home, where we can sometimes feel so far apart. This year, we've had pub quiz nights and painting nights, and we send cookies out to employees. It just allows people to relax, feel connected, seen, and appreciated. I think having such a high level of empathy from the CEO to each team leader helps people stay here. In a broader sense, beyond working from home, I think there should be many more opportunities for women to have key management and individual contributor roles. Women are sometimes seen as empathetic and sympathetic and end up in project management or other coordinating roles and miss out on opportunities to work on crucial business issues. I also firmly believe that there should be ample time to take time off if you want to start a family, and there should be some reassurance that your job will still be there for you should you return from your maternity leave. There should be no worry about your career prospects when you decide to start a family.
What has your experience been as a female executive in a heavily male-dominated sector of tech?
My experience has been wide and varied. I've worked in many different male-dominated sectors, in shipyards, trading floors, power plants, and technology, and I've generally had good experiences. My biggest advice is not to get too caught up in the disparity when you're in the middle of it. Give people a chance. When I first stepped onto a nuclear power plant floor, people were just so gracious. They could probably see that I was terrified. Just how incredibly gracious the men and women working this dangerous job were to me has stayed with me; it was a real eye-opener. Of course, I've been in other situations where there is obvious sexism, and you just have to rise above it. Don't get involved in the pettiness. It's never worth it. Some people just want to get a rise out of you sometimes, and if you don't give it to them, they get bored and move on. One thing I never tolerate though is bullying. I always step up and say something in that case. In private, of course. You can praise in public and criticize in private. That's what I've always tried to do.
What are some opportunities you see in cybersecurity for non-technical people?
Dawn Charles, my right-hand woman, was an executive assistant for many years, and when I joined MongoDB, I was lucky enough to have her as my EA. I realized pretty quickly that she had a lot to offer. Being an executive assistant is a really demanding job, but there's not much tech involved, and I saw that she wanted to learn. She was one of a few people that I approached to see if they'd be interested in working in cybersecurity full time. One of our other employees came over from the education department and is now running our fantastic security education and training system. All of these people had unique skill-sets. Ones you wouldn't even necessarily advertise for because they're specialized or unique. I have a hard time deciding what defines a technical person. Do they have a degree in computer science? Does that make them technical? Because I've worked with many people with degrees in computer science, and they're not necessarily technical. What we've found with introducing the security champions program is that people are interested. They want to learn. Now, they're giving us so much back from their side of the house. We're holding training, coding classes, and challenges, and people love it. So, I think it's important not to get too boxed into being a "technical" or a "non-technical" person. Everyone is technical up to a point, and people will explore different avenues if you give them a chance.
How do you hire?
In an ideal world, I'd like to hire blind. I play the cello and am so inspired by how professional orchestras hire. They do blind auditions: you play behind a big screen, and they put a carpet down so you can't hear if someone is wearing high heels or not. It's a totally blind process. Since it started, the number of women in orchestras has increased fivefold. I'd love to do that, but it is a lot harder in technology. What I tend to do when I look at a resume is look for keywords to see if a candidate is really interested in what they're doing. I look for that passion. Skills are great, but you don't need to know how to code in ten different languages to be a good employee. At the end of the day, if there's no passion, you're just coding. I look for people with good ideas that they've been able to translate into something that helps make their company more secure. That's what interests me. I obviously care about the diversity breakdown of our team, but I didn't wake up one morning and decide that I wanted certain percentages. I've looked for passionate and interested people, and I try to give everyone a fair chance. I think MongoDB is seen as a company that encourages underrepresented groups to apply and be treated fairly, which is crucial. Beyond that, when applying for jobs, people mustn't pigeonhole themselves because it is so easy to do. I was told when I was fifteen that I should be a secretary and that I'd be lucky to be one. I realized pretty quickly that it wasn't for me, and I had to pick myself up and train myself, move to different countries, and not be scared to say no whenever anyone asked me if I wanted a new opportunity. I always put my hand up. It didn't matter what it was.