Executive Orders And Being The First CISO At A Company With Lena Smart

ANNOUNCER: Hi. You’re listening to The Secure Developer. It’s part of the DevSecCon community, a platform for developers, operators and security people to share their views and practices on DevSecOps, dev and sec collaboration, cloud security and more. Check out devseccon.com to join the community and find other great resources.

This podcast is sponsored by Snyk. Snyk’s developer security platform helps developers both secure applications without slowing down, fixing vulnerabilities in code, open-source containers and infrastructure as code. To learn more, visit snyk.io/tsd. That’s S-N-Y-K.IO/TSD.

On today's episode, Guy Podjarny, Founder of Snyk, talks to Lena Smart, Chief Information Security Officer at MongoDB. Lena has more than 20 years of cybersecurity experience. Before joining MongoDB, she was the Global Chief Information Security Officer for the international fintech company Tradeweb, where she was responsible for all aspects of cybersecurity.

She's also served as the CIO and Chief Security Officer for the New York Power Authority, the largest state power organization in the country. Lena is a founding member of Cybersecurity at MIT Sloan, formerly the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, which allows security leaders in academia and the private sector to collaborate on tackling the most challenging security issues.

We hope you enjoy the conversation, and don't forget to leave us a review on iTunes if you enjoy today's episode.

[INTERVIEW]

[00:02:17] Guy Podjarny Hello, everybody. Welcome back to The Secure Developer. Today, we have a really exciting guest. We'll talk about bigger and broader and industry-wide views from her broad purview here on the chats. I mean, no pressure here at the expectation setting. We have Lena Smart, who is the Chief Information Security Officer at MongoDB. Lena, welcome to the show.

[00:02:38] Lena Smart Thank you, guys. Wonderful to be here.

[00:02:41] Guy Podjarny Lena, before we dig in over here, tell us a little bit about what you do and maybe a little bit of your journey into security and your current position.

[00:02:50] Lena Smart As you mentioned, I’m CISO. I'm also responsible for governance, risk and compliance. It's some auditing and things in my past life, and when I started the job, my first day, actually, the then CTO, Elliot Horowitz, kind of walked by and said, “You know about governance risk and compliance stuff, right?” I'm like, “Yeah, I’d bet. Yeah.” He goes, “Okay, good. Because you're in charge of that as well.” I go, “Okay.” So that was fun.

He was amazing. He's one of the reasons I came here. I was quite happy. I quite liked having even more responsibility, three hours into the job. I didn't have the usual path, although I'm yet to find the usual path into becoming a CISO. I guess, generally people, especially in this country, you leave school, you go to university, you do a degree, blah, blah, blah. I left school at 16. You can tell by my accent I'm not from America. I’m Scottish. In Scotland, you can leave school on your 16th birthday, which I did. Because I had to go get a job and help my mom and help support my family, my mom's family. I don't like to say that I’m self taught, because that always seems to a bit smug. I prefer to see that I had lots of teachers mentors along the way and I've been very fortunate in that respect.

Also, I've worked long hours and I've read a lot of books and I've been in training classes and I love doing exams. I think, there's something wrong with me, but I absolutely love doing exams.

[00:04:14] Guy Podjarny It is unusual. I will grant you that. What was the impetus a little bit for joining MongoDB, or what was the role you've moved from to this one?

[00:04:28] Lena Smart I've been in America for 25 years, and about 17 or 18 of those years were spent working in the power industry. I moved up from being in the Help Desk in the power company that I worked for, and I eventually became their CISO and then I became CIO. I really enjoyed that. To be honest, I was too comfortable and I got – I just had a role and I thought, I always told myself, every week and up and I don't want to do the job anymore, I'm not going to do the job anymore.

I started to look around and I found some people and said, “Hey, I'm thinking of making a move.” At first, they were like, “Oh, my God. You've been there forever. Why do you want to leave?” I'm like, “Because I've been there forever. I want to change.” My friend in fintech Tradeweb, he said, “Oh, we’re looking for that, a CISO.” It’s their first CISO. I felt, “Oh, that would be interesting.” Because I was at the pilot, and I worked for the New York Pilot Authority. I was their first CISO. Then getting the opportunity to become the first CISO again at Tradeweb. I took that opportunity and I had a lot of fun there. Set up a really good team.

After about three years, MongoDB approached me and said, “Hey, we're looking for our first CISO.” I thought, “Oh, this is a third chance to do something.” I thought, I love being the first. I like not stepping into someone else's shoes, because probably you as CEO don’t come up with this either, but you know how when someone gets a job and someone else has done it? It was so, well, Jim did it that way. Jermaine did that way. Why are you not doing the same as they did? It's like, well, they don’t work here anymore. I really liked being the first CISO, because I could create my own team. I could create my own rules, in effect, and just bring to light 25 years of experience, basically.

I came to MongoDB, because I was given that opportunity again to be the first CISO. I just really, really enjoy that, setting up the team and setting policies, looking at what's in place already, seeing can we improve on it? Well, you can always improve on security. I never went to empire building. I don't see the point of that. I made sure that when I started, I was very clear on what my roles and responsibilities would be, and then how other teams would have dotted lines and to me, or I've just had a really close working relationship with them. That's how it's happened. Just over the past three years now, we've really developed some excellent working relationships with all of the teams. So it’s really good.

[00:07:06] Guy Podjarny That's awesome. Definitely a great and very valuable competency here. I relate to the fact I like to say that if you're comfortable, you're not growing. Sounds like, you share a bit of that perspective. If you're comfortable, it means you're comfy. There's nothing new that you’re really challenging yourself. You figured out as much.

[00:07:23] Lena Smart I've not heard that, before that. Yeah, I mean, that definitely speaks to me, I think. You know what it's like. I'll tell you how old I am. I’m 55. I'm an old lady. I don't think I act – I just ran a marathon last October, which amazed me that I actually finished it. Anyway, that aside, I think that when you get comfortable, you tend to start cutting corners and you get – you're bored, you're not giving the best that you can give.

One of the other reasons that I joined MongoDB was because of their cultural values. Just a couple of these, be intellectually honest and own what you do. I love those two in particular. I also think, I've got a seventh one and I don't want to seem like Pollyanna or anything. To me, if you can't give your best every day, always, don't come to work. Phone in sick. Take a mental health day. Recharge, regroup, re-energize, whatever you have to do.

If you're coming to work and you just doing it half-assed, you’re just, “Oh, I’m just going to turn up for the paycheck.” It's obvious to people around you, even though you think it might not be. It's also catching. It can be infectious. Good stuff's infectious. Bad stuff is probably more infectious. It's more insidious. I was starting to notice when I was just looking for that other opportunity that I just wasn't bringing my A-game. I thought, “No, I'm not going to do that.” It didn't last very long, to be perfectly honest. It was days. I just wanted to get out and just start doing something more fun. MongoDB was it.

[00:08:57] Guy Podjarny That makes a lot of sense to me. I imagine a lot of devs in my journey. Lena, we have a whole bunch of things that I want to pick your brain on and get some of your learnings. The first one I want to dig into is on supply chain security. We've had several conversations about it. You're outspoken around it. Just to get us going, can you give us a little bit of your definition of what supply chain security is?

[00:09:20] Lena Smart Yeah. Obviously, because I like to prepare for these things because I'm a person who prepares. I saw your questions, I'm like, “Oh, my goodness. How do I answer this? This is a huge question.” Then when I broke it down, you know that saying, how do you eat an elephant? One chunk at a time. This is me, one chunk at a time. I actually wanted to make sure that I was answering this as honestly as possible. To be intellectually honest, there's so many different definitions out there that what I tend to do is I go back to my government roots and I went back to Nest, because I love their definitions of things.

Really, I took what they had defined as supply chain security and distilled it into the elevator pitch version. Processes that protect and secure the efficient integration of suppliers to allow commodities to produce, to be produced and distributed as planned. I mean, there's a lot of big words and it's a bit of a word salad. If you actually look at it and digest it, to me that's exactly what supply chain security is.

If you don't have policies in place, it's not going to be efficient. If it's not efficient, you're not going to be able to integrate anything, because if there's inefficiencies, people don't want anything to do with that process. If you don't have any efficiencies, you don't have any suppliers, you have no supply chain. It falls apart very quickly. Also, I think the important work there is to allow commodities to be produced and distributed as planned. There has to be a plan in place. I don't know what, these sound all very matter of fact and common sense, but that sentence, that elevator pitch probably took me maybe an hour or two of just actually thinking and drawing out and writing and having a clear understanding.

I don't know if you've ever heard any of Richard Feynman’s books, the physicist, but he had this whole thing about where you can choose a topic and you can study it. The first step is explain the topic to a child. I wanted to try and explain supply chain security to my mom, who's not a child, obviously, but she's not in security. I told her this. I said, “Do you understand what I'm talking about here?” She's like, “Yeah, I do, actually. Yeah.”

[00:11:41] Guy Podjarny That's definitely an achievement on that, not knowing your mom's background, but it's definitely – it's a good definition there. I like the notion of the plan and the importance of the policies, the words that you're emphasizing. You chose a bunch of the words, actually. You didn't scrutinize the suppliers, for instance, or providers. I didn't quite catch the exact wording. How do you think about that in the context of software? Do you see a difference between those lines as it applies to software that you consume, or sold, versus physical goods?

[00:12:16] Lena Smart Yeah. Because what I was taking was, supply chain security to me is I go back to my power industry days, where and that supply chain visibility would be a subset of supply chain security. An example of that would be having built in transparency in our processes, if you're going to allow buyers, I don't know, to see all stages of the supply chain. Think of, as I say, I worked for a power company. We used to build power turbines and we used to have to buy metal from different countries. We would send their engineers to China, or wherever we were buying the steel from. They would actually go and look at the steel that was going to come into our plants, and they would mark it. Then we could follow the actual supply chain of that steel from China to America. That to me is supply chain security.

I mean, software supply chain security, I don't think it's a subset of supply chain security. I think, it's a different thing altogether, because it's a different bunch of people looking after. You don't generally have developers going to China looking at metal. You don't usually have engineers on a turbine looking at code. I guess, you could do both if you want to. To my mind, they are separate. Again, I went back to Nest and I looked to be executive order 14028, where supply chain security is defined many times. The government actually defined, there's a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely and as intended. My definition of software supply chain security would be involving the implementation of rigorous and predictable mechanisms to ensure that software products function securely and as intended. It's almost mimicking the supply chain security, but for software, if that makes sense.

[00:14:16] Guy Podjarny That makes a lot of sense. Because I think the concepts of it are similar. You're consuming it. You need to know the plan of it, and I guess to an extent, the pedigree as well, right? The software equivalent of the of those access on the metal bars.

[00:14:28] Lena Smart Exactly. One of the reasons we use Snyk is because, it's to my mind, a predictable mechanism. I know what I'm going to get at the end of the day from Snyk, there's no guesswork. It's very clear. It's not too complex to use, and it ensures that the products function securely and as intended. It gets back to when we go back to the supply chain security, and it's hardware in the physical world, allowing commodities produce and distributed as planned. At that point, it's the same thing. One is a bit of metal from China and one as a piece of software from MongoDB.

[00:15:06] Guy Podjarny Yeah, yeah. No, absolutely. I love the analogies. I guess, maybe another play of words here a little bit is the difference between supply chain security, or even maybe software supply chain security, and software supply chain risk. As I know, you do GRC as well. Do you see a distinction over there?

[00:15:24] Lena Smart Yeah. You really made me think. I don't normally get asked questions on this. I get asked 40 questions. You’re really doing great.

[00:15:30] Guy Podjarny It's all about philosophy here is that well, we try to get it down to the practical, but you have to start from the meta to understand the topic.

[00:15:37] Lena Smart Exactly. I do. You’re the CEO, I'm a CISO. It's rare that someone is going to ask us, I don't know, a question where you really have to sit and think about it. Because the people who work with us, for us, just assume we know what we're talking about. Sometimes when you're asked something, really as basic as what is a security versus risk. You're so used to talking at such a high-level, when you have to start in a – a deep dive is good, because your brain's getting used. It's like, this is why I'm doing this job.

Again, back to the whole Richard Feynman thing, I keep looking up at my role here, because I've got the four steps of how to learn something new. My assistant called me, is actually starting to go through some security training, and I'm going to be teaching her the difference between risk and all this stuff. This is interesting. What I've said here, to answer your question is, and this is just my opinion, risk is derived from an analysis of your software supply chain. I mean, that's the fundamental of it. Because I think, your question was, how do I see the distinction between software supply chain security and so forth? Supply chain risk is one a subset of the other.

I've responded with, to my mind, risk is derived from the analysis of this supply chain. You should have performed an in-depth analysis of who does what, when, and then where the risks may arise, and then having identified those risks and basically, having created your heatmap, you can then apply a risk rating to them. That's the usual likelihood teams and particles risk level. To my mind, they are different. I mean, security is what's built around the product and risk is what comes out of it if, you don't build your security properly. Yeah, it could be a subset.

[00:17:36] Guy Podjarny Yeah. Just in a different lens. Yeah. I think, I'm tempted to get here if you could, but I like your definition and I've got a whole bunch of other things to ask you further, so I'll proceed. I think that makes sense. It's about that view stuff it and, I guess, we get into the notion of the almost the risks of not using a component in the process of it.

[00:17:54] Lena Smart Yeah. Yeah. Maybe.

[00:17:57] Guy Podjarny You've mentioned the executive order from Biden as well, and I know you're also quite active with the IT-ISAC stack. That group, or that organization has done a bunch of work triggered by the Biden executive order. Can you tell us just maybe a little bit of context about IT-ISAC, what it is? I don't know if everybody knows what it is. What is the type of work that you're doing around the supply chain management and the executive order?

[00:18:22] Lena Smart The ITS-ISAC, and they describe themselves as a force multiplier. They are this amazing group of people. It’s been around for about 21 years now. They actually enable collaboration between public and private industry. I had a lot of, and there's ISACS, so there's 16 critical infrastructure groups defined by the federal government. IT-ISAC is the information sharing and analysis center. That’s what the ISAC stands for, for IT. I used to be a member of the E-ISAC which was the electric sector. Again, it's to do with information-sharing.

It just brings people together who maybe normally wouldn't sit at the same table. It’s recognized by DHS. Some of the most amazing speakers. I mean, Jane Easterly came to speak to us, head of CISA. We’ve had a couple of her deputies come and chat with us. I think, Deputy Director Roof when he was in the position. We had Direct Krebs come and speak to us. I mean, we just get some of the top people in government come chat with us about what they're working on and how we can help.

You know that Jane Easterly set up, or she's set up so many things, but she's set up the security commission, basically, to not oversee, but I think just be part of some of the policy and fundamental decision-making processes when it comes to cybersecurity for the USE. There's some members of the IT-ISAC who have joined that commissioner. She’s really important. The private industry and public industry can work together in a trusted environment. Obviously, before the pandemic, we were meeting in person and I've just made so many contacts of using the IT-ISAC. It's an amazing resource.

They have little working groups that I'm a member of the supply chain risk management working group. No surprise there. Then, we're also working on some other stuff as well; some special interest groups are called, or SIGs.

[00:20:28] Guy Podjarny Yeah, sounds like super helpful conversations and interesting talks on it. I guess, the Log4j conversation is also curious, but are there some highlights that happened when it came to the after, I guess, the conversations that ensued after the Biden executive order came out, and this is content fill supplier management?

[00:20:47] Lena Smart Yeah. This goes back to probably my early days as a secretary. I like to take things and put them in spreadsheets and work out how these things work and how they're all linked. I recently deconstructed the executive order. I sorted into work that MongoDB could do and work that the government would have to do. S forms, where it’s just one thing that can elect me as I view the opportunity for MongoDB. Not just as a company, but to help the American government remain and become more secure, because that can only help everybody.

I think, in terms of where we are with executive order and the IT-ISAC, we’ve split up, if you like, there's little special interest groups working on specific portions of the executive order, where appropriate, so that we can start to look at policy and look at the existing policies that are there. Mark them to things like 800 nest state 100-53 in terms of security. Again, where something already exists, don't reinvent the wheel. Share the information with government and away we go. We don't have to spend hours and hours writing policy.

[00:21:59] Guy Podjarny Yeah. I think I've had the pleasure of seeing some of that thinking and work and I think there's a lot of gaps in it. I know that we spoke about Snyk and MongoDB. I know where we can collaborate and play a role to help, whether it's a guide, or provide some help around this. A lot of that component talks about the importance of storing the SBOM, these softer bills of materials. Can you talk a little bit around digging into that a bit? How do you see that flow and the importance of capturing, or having that data exchange around this response?

[00:22:32] Lena Smart I think, one of the biggest things to understand from this executive order, if you don't take anything else away from it, is the government wants to move into the world of automation. They want continuous monitoring and they want automation. They know that having terabytes, zettabytes, whatever bytes you want to call it, of data and logs that no one is looking at is a waste of time and money. That's the main thing that I got from that EO was, not only does the government want to move into the cloud, so they're going to have to start expediting the fedRAMP process, but they also want to make sure that they're going to do it right. They're going to look at zero trust. They're going to look at the SBOM process.

Then, I think stepping back and looking just at the SBOMs, which is something that is just fascinating to me. I think that if we were to collaborate, if Snyk and MongoDB was to collaborate, you would basically be the front end, because you are providing our SBOM already. We've run Snyk through our software. We have what I would call a software bill of materials that was presented from you, and we would store that information securely in a MongoDB backend and a database. That to me is the perfect marriage of product.

Just as because we're talking today and it's very well-timed, we actually have a webinar coming up on April 19th at 1 pm. We're going to actually have a speaker from OASP to talk about their framework around SBOMs. Also, a speaker from Nest. Then also, we're going to have Clinton Herget from Snyk. Quite a panel. These three gentlemen very kindly gave up some of their time, a couple of months ago at Homeland Security Week, which is a big government conference in DC. Unfortunately, we had some issues, some technical issues, and so we've decided to redo this SBOMs. Really, it's about utilizing SBOMs to enhance software supply chain security. All the buzz words are in there. It's basically showing how we, MongoDB can offer the back-end, Snyk can offer the front-end. Then, of course, Nest and OASP have different frameworks.

Because people are going to want choice. The government is not going to dictate. You must use one framework over the other. I think, we're going to find that we as companies, who are let's be blunt, we're here to make a profit and make money. We're going to have to make sure that we're agile enough to look at any framework that's thrown at us.

Also, to my mind, the perfect SBOM would be one that takes almost a real-time snapshot of the way that your software, your shopping list of software to switch effectively from the SBOM is, it’s a shopping list of all of your software that's in your product. The floor is constant. If there's a change, someone has to be notified somewhere. What is that flaw? What does that look like? I think, that's where these frameworks are going to become very helpful. We're also looking at utilizing Voice Cal, which is from Nest as well. It's an automation language.

I think, we've got so many ideas flowing around. Just now, say we are working with your product folks at Snyk to see where the best collaboration would be. I think, the first thing is going to be building and showing what we as two companies are doing to create our own SBOMs, restoring them and overshooting that data.

Then, I think further on, there's going to be a need and a request, I believe, from the government of continuous monitoring of a response, because they want companies and government agencies want to know immediately when something has changed that could make their security posture less strong.

[00:26:32] Guy Podjarny Yeah. No, absolutely. Thanks for the both. It's exciting to be working together, but also, to on the description. What I love about the supply chain security world is the different lenses that people bring to it. I think above and beyond. I think, it's oftentimes the lenses around the discovery and uncovering of what is it that is in your software. Then there is the notion of management that continuous locally. I think, what you really rightfully point out and what supply chain security as a topic and including this executive order to really bring to bear is the need for exchanges of information. The needs of taking that information. That used to be, I don't know if it was legitimately good enough, but people have made to do with it being at the best locally stored and having it be something that is much more exchangeable, which in turn creates all this need that you talked about interchange, formats and the ability to work with it and creates even more pressure than the typical DevOps fragmentation requires around different solutions to interoperate and take different phases of the process, to combine to something that is at the end of the day, automatable and fast. When you hear about a problem, you can respond to it quickly.

[00:27:44] Lena Smart Well, I think, I mean, you raise a good point as well. Then my brain is just on fire, because I'm thinking, this is a great opportunity for us as companies to look and see how we can better supply SBOM information for the government. Also, there should be a way. We should always be looking to streamline this process and keep them as clean as possible. Because my worst nightmare is that just for talking sake, we've got a 100 government agencies and there's going to be a 100 versions of our SBOM because every one of them want a separate one.

Whereas, the perfect world would be there's one storage space, and it's secured and the 100 government agencies have a log and they just say, “Oh, I want to see the SBOM for MongoDB, and I want to automate it by doing blah, blah, by this API.” You've got your one source of truth.  You've got your one SBOM, pair company and this secure MongoDB repository being created, continually monitored by Snyk. I mean, that’s where go just solve the SBOM in 2 minutes. Only if it was that easy.

[00:28:55] Guy Podjarny No. Now, we just need to build that.

[00:28:58] Lena Smart Are you free Saturday, because you know.

[00:29:02] Guy Podjarny I think, first of all, to the audience, thanks. We dug into probably a little bit more product stock that we typically do. I do think that this exchange between the companies is maybe a useful lens as well to understand the problem space and understand what needs to happen in the ecosystem.

I'd like to switch out. We can probably talk for hours about supply chain security. It's a big meaty topic and definitely a mindful. I'd like to move you maybe back a little bit into MongoDB’s program, security programs that you run. There’s a couple of topics that I think are especially worth raising over here. One is a bit about the org structures. We talked about how you run, how you're the CISO, including GRC. I believe that in MongoDB, the product and the security team is separate. It's not a part of your organization. It's more part of the technology part of the org. Can you tell us a little bit about, first of all, just the lay of the land? How do the responsibilities split roughly? Then, just talk a little bit about how do you interact between the groups, given they are two lenses on security in some respects? Do you align? How do you collaborate?

[00:30:03] Lena Smart Sure. I mean, first, let me be absolutely clear. All aspects of security are my ultimate responsibility, up to and including physical security. Even though we have product security rolling up into the chief product officer’s house, as the CISO, I take full responsibility for our security programs, products and posture. Maybe that's different from other CISOs, but that's what I signed up for. I actually enjoy that responsibility. It's that one throughout the shop, is what the board expects, it’s what I expect. Just to clarify that.

[00:30:37] Guy Podjarny Yeah. Very important clarification. Yeah.

[00:30:39] Lena Smart The lay of the land, basically, is our product security team, led by the amazing Ben [inaudible 00:30:44] folds up into the Chief Product Officer who is Sahir Azam. We meet daily, probably. I mean, Ben, I think is on an airplane, or on vacation or something. Because otherwise, I would be talking to him every day. We are absolutely not siloed, even though we're separate groups. We have a great collaborative relationship with his entire team, to the extent that he will help me interview members of my team for jobs and vice versa. We're on the same interview panels.

We've discussed systems development lifecycle and security within that, and we help each other understand the business needs. For example, for FedRAMP, we've worked absolutely hand-in-hand on our FedRAMP project. I think, and I know this is not the same for all companies. This is my opinion. I think having two separate teams that work very closely together is better in some ways for our business, because the head of product security, Ben, can focus completely on that task. He's going to report his findings to the chief product officer. We were able to shift very quickly, if a customer requires a security tweak for products, for example.

I mean, it's not to see that we're not going to have the same level of agility if that team was under me. I just feel that the product security team's focus is solely on the security of our customer-facing products, and that gives our customers the wait club attention that we expect. I wouldn't like to think that would be diminished if they did move under me. To be honest, I don't see the need. I said at the beginning, I'm not an empire builder. I never have been. I prefer if something is working, why break it? If it's not broken, you don't need to fix it.

I just really enjoy the relationship that Ben and I have. There's a whole team under him. They're just fantastic. We actually had one person move from my team into product, because we felt that would be a better fit. Ken Way, our cryptographer, another genius. We took the business decision that he would be better placed, and we probably have better career opportunities in what he was doing to move over into product. I like that as a company, MongoDB actually encourages moves like that; lateral moves, where if you're maybe stymied in what you're doing, or you just want to do something a wee bit different, there's always these opportunities to move it in teams as well.

[00:33:07] Guy Podjarny Yeah. Do you find if I go off script here for a sec, do you find the measurement changes when you think about the organizations, when you're ultimately responsible for security risk? To an extent, you need to encapsulate whatever metrics, whatever measures of security that come from product security into yours as well. Do you almost quantify, or assess security programs, security risk that's involved the same way between the groups? Do you need to?

[00:33:42] Lena Smart No. This is under the risk organization, it's a very matrixed organization. It's a very matrixed company. GRC reports and to me. Their reach is wide. They meet with our product people. I mean, we have a formal quarterly meeting. I mean, our security folks and GRC folks are talking with the product folks on a daily basis. We basically treat product security and product risk all under my umbrella.

[00:34:16] Guy Podjarny Do you think there's any downside to the split? I can see the upsides, also past conversations talked about the, maybe greater affinity that you were alluding to as well, rolls into their chief product officer, which is in charge of a variety of other aspects of the product. As you said, you can more easily adapt and build security capabilities in it. As long as the collaboration between the two of you works, do you think there's any downside? They might be outweighed by the upsides, but are there any downsides to the split?

[00:34:45] Lena Smart No. I mean, I'm really enjoying your questions. As I said, I don't want to prepare properly for these, so I haven’t given these a lot of thought. I mean, short of me being an absolute control freak, and yes, ideally, I would love everyone to report to me. No, I'm just kidding. But I am a control freak. I really couldn't think of a con. I think, we have such a good working relationship with these folks. I can see where maybe if it was a different makeup, if it was different people who wanted to just do their own thing and be left alone and not have to talk with the CISO in our team ever, yeah, that can be tricky.

I think, the fact that we've got such a culturally aware company and especially within product security, customers are first. Really, a lot of the calls that are more in with their customers and I'm sure you get brought into these as well. Our customers just want to be reassured that we're working together, that we're collaborating and that there's openness and transparency, and we have that already. I don't think there's any need for these folks to move under me.

[00:35:56] Guy Podjarny That's awesome. Super interesting on the product security split on. It sounds like, it's worked well. I guess, it always comes down to people. Let's talk about maybe some other security programs, or work that you’re doing. Specifically, one that I've been hearing more about is your Security Champions Program. We hear a lot about security champions in this podcast, but typically, it comes basically under that product security mantle, they're talking about security champions in spots that are very AppSec minded. I think, yours is a bit broader. Can you tell us a little bit, first, what is this program? Tell us a bit about its history and then we'll dig a little bit about the facts.

[00:36:33] Lena Smart This is a program that I've been running since I moved to America, since I started to work in security full-time, basically. I always had an understanding that people were fascinated with security, and it continued to be because it is one of the most fascinating fields to work in, but it's really hard to get into it. Because for some reason, it just seems difficult for people to break into security sometimes. I wanted to break that boundary. I wanted to break that body.

When I joined MongoDB, probably six months after I joined, which was two and a half years ago, I thought it would be really good to have a Security Champions Program. We did start one. We had probably 20 or 30 people join it. I think, Ben, from our communications group, I think he was one of the first people to join it, which was great, because then helped to get the word out. Then COVID hit, unfortunately, what was it? Two years ago? We put it in the back burner, and we decided, particularly look at it when things were raised up in the air.

Probably a year ago, we realized like, COVID is here to stay for a while, unfortunately. We're going to just work our way through this and we're going to start the security champion program again, SCP. We did it properly. We got buy-in from the top. I had Dev Ittycheria, our CEO announced at one of our all hands meetings that we were restarting the Security Champions Program and he was encouraging people.

Again, they're volunteers and they had to have their supervisor’s permission to join. That was the two prerequisites. You have to volunteer. Nobody can make you join it. If you do want to join it, your boss has to say it's okay. It started probably about a year ago. We hired a full-time person, and his name is Felix. He runs a program for us. We now have over 90, 9-0 volunteers in the company, about to hit a 100. We're going to have a special prize for that person.

Our volunteers, or champions spend about 2 hours a week. That's the minimum expectation to learn about security and to continue to learn. We have monthly security-related meetings. We have a whole education program around it. We have folks who are super, super-duper technical, and we have people who are learning right at the beginning of their career about security. It's quite interesting bringing those groups together, because people who live and breathe security 24/7, sometimes have a very myopic view of the world. People who are just coming in to it have got all these ideas that people have never even thought about. It’s like, wow, this is amazing. We have hackathons. We have movie nights. Basically, we see these security champions as our eyes and ears for their group and their department.

[00:39:32] Guy Podjarny It's a really compelling mindful thing, that security mindset and permeating those. Clearly, you're getting an allocation of a couple of hours. By the way, are those two hours, are they doing those two hours above and beyond their day job? Or is that where the boss approval happens of this being a –

[00:39:50] Lena Smart That is generally why we ask for approval. Because if the person is doing 40 hours a week of hardcore coding and their boss is like, “There is no way you're going to have two hours extra to give up on this.” Then, that’s setting expectations. I don't think we've had anyone who’s been told they can't join. People are either making time for it themselves, and we do try and accommodate meetings, we do try and have them at lunchtimes, or evenings, or when things are not –

[00:40:17] Guy Podjarny A little bit of. A little bit of your time, really, your point hearing. Accommodation from your manager on it. Do they have any formal, beyond thinking about it, learning about it and maybe the serendipitous insights that they would offer, do they have any actual different security responsibilities in their teams? Are they the representative of their team to the security team? Or is there some official role that they take as well?

[00:40:43] Lena Smart I wouldn't say official, because then we get into the whole HR thing. I would say, it's more a trusted source. We see the champion as a trusted source for their group. They help define and maintain our security programs. Just to give you an example, we do phishing as everyone does. The first couple of phishing emails we sent out, they were rubbish. It was so obvious they were phishing. Some people clicked on them, because some people click on everything. What we did for is we wanted to use the champion program to define phishing emails that would be harder to detect, but not annoying, and not those where two weeks before Christmas, ‘Click here to find out what your Christmas bonus is.’ It’s like, “No.,”

We want it to be culturally sensitive, and for people to have an awareness that if they clicked on the email, bad things could have happened. We didn't want to talk down to people. We didn't want to make it too technical, or too simple. To get that balance, we basically said, “Okay, it's a competition. Security champions, whoever comes up with the best idea for the phishing email, we give them an Amazon gift voucher or something.” We got some brilliant suggestions. We ended up using two of them.

Some of the matrix that we can use are, is the click rate going down? We've found that it is, which is good. You have to very much temper that with what email have you just sent out? Is it in fact, just a slightly easier one than the last one that less people are going to click on? Or, is the champion’s program actually helping make it more obvious that people shouldn't be clicking on links? It's one of these really hard metrics. It's like, if more people click on the email, that was a really good phishing example, and if less people click on the email, was it just too simple? Or are people actually getting the message not to click on things? Really, we could do a whole talk on phishing as well.

[00:42:49] Guy Podjarny Yeah, no doubt. Then measuring security, which is its own can of worms of what would’ve happened. It sounds really compelling, I guess, as just sort of engaging people in the journey. I love the crowdsourcing creativity there on security. I've got this warm spot in my heart for schwag. Do you have any dedicated schwag before the security champions? Do they get a t-shirt or something on that?

[00:43:14] Lena Smart We do. I've actually got my security t-shirt on, which is I don't know if this has been videoed. Anyway, we've got the MongoDB leaf feed, but it's a thumbprint. Then we also have a smaller version of that, which just says SCP, Security Champions Program. Yeah, we've got swag. Of course, we do.

[00:43:30] Guy Podjarny That’s awesome. We had that all the way back, one of the early episodes talked about sort of a swag-driven security, and motivation that you can do for it.

[00:43:39] Lena Smart It’s not just swag. I mean, this is actually enabled. I think, it's two or three people now have actually moved from their job within MongoDB into the security team, or into the governance risk and compliance team. Because they really enjoyed what the program was doing. They had a good understanding of the business. For me to take a person who's got five years’ experience of working in MongoDB, and understands their area of the business, for me to teach them security, or GRC is going to be an awful lot easier than bringing someone from the outside. We are using this also as a feeder program for people who want to work in security, or GRC within MongoDB.

[00:44:22] Guy Podjarny Yeah, that's amazing. It sounds super practical and helpful, and drives diversity and other goodness on it. Thanks. There's probably, again, I could probably kind of pick your brain here for a long while, but I think we're kind of running out of time. I have one final question that I like to ask every guest joining in my open-ended question, which is, say you had unlimited budget and resources to tackle one sort of industry problem, so security, presumably, what would that be? I guess, if you have it and you want to share, which direction would you take it on?

[00:44:55] Lena Smart I mean, I think the biggest bugbear for me is passwords for everybody in the world, not just for people in security. An identity receptionist. I want to find is a wearable that holds all my passwords securely, and it can be scanned or used to be an app. But it's not a big ugly NFC ring, because I've looked at those rings and they’re ugly. I don’t like them. Something elegant that will hold my passwords.

[00:45:25] Guy Podjarny Very pragmatic and the problem that we can all relate to is they explode in quantity.

[00:45:31] Lena Smart Yeah. I don't know. I mean, obviously, if we could have solved the passwords thing, we’d bajillionaires and we’d be lying in a beach somewhere.

[00:45:39] Guy Podjarny I love that. It's all good. It's always good to point to a problem. The very least, maybe there's some good product ideas that come out of it. Lena, thanks for coming onto the show and sharing all these great learnings and insights.

[00:45:50] Lena Smart Thank you.

[00:45:51] Guy Podjarny Thanks, everybody, for tuning in. I hope you join us for the next one.

[END OF INTERVIEW]

[00:45:59] ANNOUNCER: Thanks for listening to The Secure Developer. That's all we have time for today. To find additional episodes and full transcriptions, visit thesecuredeveloper.com. If you'd like to be a guest on the show, or get involved in the community, find us on Twitter at @DevSecCon. Don't forget to leave us a review on iTunes if you enjoyed today's episode. Bye for now.

[END]