Lena Smart, MongoDB | AWS re:Inforce 2022
(electronic music)
>> Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here, she's the chief information security officer at MongoDB, rocket ship company. We covered MongoDB World earlier this year, June, down in New York. Lena, thanks for coming to theCUBE.
>> Thank you for having me.
>> You're very welcome, I enjoyed your keynote yesterday. You had a big audience, I mean, this is a big deal.
>> Yeah.
>> This is the cloud security conference, AWS, putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security, how it used to be an afterthought, used to be the responsibility of a small group of people.
>> Yeah.
>> You know, it used to be a bolt-on.
>> Yep.
>> That's changed dramatically and that change has really accelerated through the pandemic.
>> Yep.
>> Just describe that change from your perspective.
>> So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was the first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third-time returnee, I guess? So he's worked for MongoDB twice before, his name is Chris Sandalo, and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while, and having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader. He had a reputation as a strong technical leader. So us combined is like indestructible, we're a great team.
>> Is your scope of responsibility, obviously you're protecting Mongo,
>> Yeah.
>> How much of your role extends into the product?
>> So we have a product security team that reports into Sahir Azam, our chief product officer. I think you even spoke to him.
>> Yeah, he's amazing.
>> He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer-facing. I'm also to a certain extent customer-facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance, risk and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. And I think that's really important. We have to listen to what our customers want, but also internally. You know, what our internal groups need as well to help them grow.
>> I remember last year, re:Invent 2021, I was watching a talk on security. It was the, I forget his name, but it was the individual who was responsible for data center security. And one of the things he said was, you know, look, it's not, at the end of the day, the technology's important but it's not the technology. It's how you apply the tools and the practices and the culture-
>> Right.
>> That you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys.
>> Yes.
>> Let's put it that way. So talk about the challenges of building that culture, how you go about that, and how you sustain that cultural aspect.
>> So, I think having the security champion program, so that's just, it's like one of my babies, that and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members. And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. We actually have people grade themselves when they join us, we give them a little tick box. Like five is, I walk on security water. One is, I can spell security but I'd like to learn more. Mixing those groups together has been game-changing for us. We now have over a hundred people who volunteer their time, with their supervisor's permission, they help us with our phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them- And we have people from product as security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, who really want to understand how they can apply the cultural values that we live with each day to make our security program stronger. As I say, that's been a game changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through this Champions program.
>> Makes a lot of sense. You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it but wants to learn and then can ask really basic questions, and then the experts can actually understand better how to communicate.
>> Absolutely.
>> To that, you know, that 101 level.
>> It's absolutely true. Like my mom lives in her iPad. She worships her iPad. Unfortunately she thinks everything on it is true. And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of, most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to- So she's a one, and I might be a five, that's hard. That's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden.
>> My mom, rest her soul, when she first got a- we got her a Macintosh, this was years and years and years ago, and we were trying to train her over the phone, and said, mom, just grab the mouse. And she's like, I don't like mice. (Lena laughs) There you go. I know, I know, Lena, what that's like. Years ago, it was early last decade, we started to think about, wow, security really has to become a board-level item.
>> Yeah.
>> And it really wasn't- 2010, you know, for certain companies. But really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary.
>> Yes.
>> We had this conversation, and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely. Here's how you know, here. This is the criticality. Now it's totally changed.
>> Right.
>> I mean, it's now a board-level item. But how do you communicate to the C-suite, the board? How often do you do that? What do you recommend is the right regime? And I know there's not any perfect- there's got to be situational, but how do you approach it?
>> So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea. You know, Amazon alum, I mean, just genius. And he, and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday. So this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing. I've been at board meetings before where you almost feel personally attacked and that's not a good thing. Whereas, at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence. So I actually get their attention for at least an hour once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting. So they know what we're going to talk about and we know what their concerns are. And so you're not going in like, oh my gosh, what's going to happen for this hour? We come prepared. We have statistics. We can show them where we're growing. We can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board, has helped me mature my role 10 times. And then also we have the chance to ask them, well, what are your other CISOs doing? You know, they're members of other boards. So I can say to Dave, for example, you know, what's so-and-so doing at Datadog? Or Tom Killalea, what's the CISO of Capital One doing? And they help me make a lot of those connections as well. I mean, the CISO world is small and me being a female in the world with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's the Irish girl. Yeah. She's Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC. It's no longer that box-ticking exercise that I used to feel security was, you know, if you had your SOC 2 Type 2 in FinTech, oh, you were good to go. You know, if you did a HERC set for the power industry. All right, right. You know, we can move on now. It's not that anymore.
>> Right. It's every single day.
>> Yeah. Of course. Dev is Dev at the Chario. Dev spelled D E V. I spell Dave differently. My Dave. But, Lena, it sounds like you present a combination of metrics, so, the board, you feel like that's appropriate to dig into the metrics. But also I'm presuming you're talking strategy, potentially, you know, gaps-
>> Roadmaps, the whole nine yards. Yep.
>> What's the, you know, I look at the budget scenario. At the macro level, CIOs have told us, they came into the year saying, hey, we're going to grow spending at the macro, around eight percent, eight and a half percent. That's dialed down a little bit post-Ukraine and the whole recession and Fed tightening. So now they're down maybe around six percent. So not dramatically lower, but still. And they tell us security is still the number one priority.
>> Yes.
>> That's been the case for many, many quarters, and actually years, but you don't have an unlimited budget.
>> Sure.
>> Right. It's not like, oh, here is an open checkbook.
>> Right.
>> Lena, so, how does Mongo balance that with the other priorities in the organization, obviously, you know, you got to spend money on product, you got to spend money on go-to-market. What's the climate like now, is it, you know, continuing on in 2022 despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment?
>> We would never tap the brakes. I mean, this is something that's- So my other half works in the finance industry still. So we have, you know, interesting discussions when it comes to geopolitics and financial politics, and you know, Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seen to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We are not. That being said, you also have to be fiscally responsible. I'm Scottish, we're cheap, really frugal with money. And so I always tell my team: treat this money as if it's your own. As if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO, or the CISO of the company that's supplying it, and saying, are you giving me really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, X company, to, you know, maybe we'll give you credits on our platform, if you look to moving to us, and then we could have a partnership, and I mean, that's how some of this stuff builds, and so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible, yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new and they know the board is never going to say no, but at some point, people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us the best value for money. And so that's always been my view: we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO but I've got a dotted line to the CTO. So I'm, you know, I'm one of the few people at this level that's got my feet in both camps. You know, budgets are talked at Dev's level. So, you know, it's really important that we get the spend right.
>> And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary.
>> Hopefully, yes.
>> Right? Who's the- of course they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context. It feels like, when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model.
>> Yes.
>> You know, AWS likes to educate people, and back then it was like, okay, hey, by the way, you know you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary.
>> Right, right.
>> There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO, but because of the shared responsibility model, the CISO is now the second line of defense.
>> Yes.
>> Does that change your role? Does it make it less complicated in a way? Maybe, you know, more complicated because you now got to get your DevSecOps team? The developers are now much more involved in security? How is that shifting, specifically in the context of your relationship with AWS?
>> It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ or, you know, our account manager, it's not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront. So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from. And you know, how far are we shifting left? Are we actually shifting right now? It's like, you know, get the balance right? You can't be too much to one side. But I think in terms of where we're teaching the developers, you know, we are a company by developers, for developers. So, we get it, we understand where they're coming from, and we try and be as proactive as AWS is.
>> When you, obviously the SolarWinds hack was a major mile- I think in security, there's always something in the headlines-
>> Yes.
>> But when you think of things like, you know, Stuxnet, you know, Log4j, obviously SolarWinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and, you know, much more automated. It's always been automated attacks, but, you know, island hopping and infiltrating and self-forming malware and really sophisticated techniques.
>> Yep.
>> How are you thinking about that supply chain, bill of materials, from inside Mongo and ultimately externally to your customers?
>> So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure. And that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure that the steel we were buying was the steel we were using. And so that became the HBOM. The hardware bill of materials, bad name. But, you know, we remember what it stood for. And then fast forward: President Biden's executive order. SBOMs front and center, cloud first, front and center. It's like, this is perfect. And so I was actually- I actually moderated a panel earlier this year at Homeland Security Week in DC, where we had Snyk, CISA, so Dr. Allan Friedman from CISA, and also Patrick Weir from OWASP for the framework, CISA for the framework as well, and just the general guidance, and Snyk for the front end. That was where my head was going. And MongoDB is the back-end database. And what we've done is we've taken our work with Snyk and we now have a proof of concept for SBOMs. And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOMs shouldn't be something to be afraid of. If you want to do business with the government you're going to have to create one. We are offering a secure repository to store that data, the government could have access to that repository and see that data. So there's one source of truth. And so I think SBOMs is going to be really interesting. I know that, you know, some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely- I've just, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j, there's always going to be another Log4j, we know that. We don't know everything, the unknown unknown, but at least if we're prepared to go find stuff quicker than we were before Log4j, I think having SBOMs on hand, having that one source of truth, that one repository, I think is going to make it so much easier to find those things.
>> Last question, what's the CISO's number one challenge? Either yours or the CISO, generally.
>> Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And, you know, we're sometimes like meerkats, you know. There's meerkats, you see like this, it's like, what do we talk about? But there's always something to talk about. And you just have to learn and keep learning.
>> Last question, part B. As a hot technology company, that's, you know, rising star, you know, notwithstanding the tech lash and the stock market-
>> Yeah.
>> But Mongo's growing, you know, wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest, biggest challenge. Do you find that that's not the challenge for you?
>> Not at all. I think on two fronts, one, we have the champions program. So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they're already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer.
>> I was so looking forward to interviewing you, Lena, thanks so much for coming.
>> Thank you, this was a pleasure.
>> It was really great to have you.
>> Thank you so much. Thank you.
>> You're really welcome. All right, keep it right there. This is Dave Vellante for theCUBE. We'll be right back at AWS re:Inforce 2022 right after this short break.