Hello everybody, welcome back to Boston. This is Dave Vellante and you're watching theCUBE's continuous coverage of AWS re:Inforce 2022. We're here at the convention center in Boston where theCUBE got started in May of 2010. I'm really excited. Lena Smart is here. She's the Chief Information Security Officer at MongoDB, rocket ship company. We covered MongoDB World earlier this year, June down in New York. Lena, thanks for coming to theCUBE.

Thank you for having me.

You're very welcome. I enjoyed your keynote yesterday. You had a big audience. I mean, this is a big deal, right? This is the cloud security conference, AWS putting its mark in the sand back in 2019. Of course, a couple of years of virtual, now back in Boston. You talked in your keynote about security. It used to be an afterthought, used to be the responsibility of a small group of people. Used to be a bolt-on. That's changed dramatically and that change has really accelerated through the pandemic. Just describe that change from your perspective.

So when I started at MongoDB about three and a half years ago, we had a very strong security program, but it wasn't under one person. So I was the first CISO that they employed. And I brought together people who were already doing security and we employed people from outside the company as well. The person that I employed as my deputy is actually a third-time returnee, I guess. So he's worked for MongoDB twice before. His name is Chris Sandilow and having someone of that stature in the company is really helpful to build the security culture that I wanted. That's why I really wanted Chris to come back. He's technically brilliant, but he also knew all the people who'd been there for a while. And having that person as a trusted second in command really, really helped me grow the team very quickly. I've already got a reputation as a strong female leader. He had a reputation as a strong technical leader. So combined, it's like indestructible. We're a great team.
Is your scope of responsibility, obviously you're protecting Mongo, how much of your role extends into the product?

So we have a product security team that reports into Sahir Azam, our Chief Product Officer. I think you even spoke to him.

Yeah, he's amazing.

He's awesome, isn't he? He's just fabulous. And so his team, they've got security experts on our product side who are really kind of the customer-facing. I'm also, to a certain extent, customer-facing, but the product folks are the absolute experts. They will listen to what our customers need, what they want, and together we can then work out and translate that. I'm also responsible for governance, risk, and compliance. So there's a large portion of our customers that give us input via that program too. So there's a lot of avenues to allow us to facilitate change in the security field. I think that's really important. We have to listen to what our customers want, but also internally, what our internal groups need as well to help them grow.

I remember last year, re:Invent, re:Invent 21. I was watching a talk on security. It was the, I forget his name, it was the individual who was responsible for data center security. And one of the things he said was, you know, look, it's not, at the end of the day, the technology is important, but it's not the technology. It's how you apply the tools and the practices and the culture that you build in the organization that will ultimately determine how successful you are at decreasing the ROI for the bad guys. Let's put it that way. So talk about the challenges of building that culture, how you go about that and how you sustain that cultural aspect.

So I think having the security champion program, so that's just, it's like one of my babies. That and helping underrepresented groups in MongoDB kind of get on in the tech world are both really important to me. And so the security champion program is purely voluntary. We have over a hundred members.
And these are people, there's no bar to join. You don't have to be technical. If you're an executive assistant who wants to learn more about security, like my assistant does, you're more than welcome. Up to, we actually, people grade themselves when they join us. We give them a little tick box. Like five is, I walk on security water. One is, I can spell security, but I'd like to learn more. Mixing those groups together has been game-changing for us. We now have over a hundred people who volunteer their time with their supervisor's permission. They help us with their phishing campaigns, testing AWS tool sets, testing things like queryable encryption. I mean, we have people who have such an in-depth knowledge in other areas of the business that I could never learn, no matter how much time I had. And so to have them, and we have people from product and security champions as well, and security, and legal, and HR, and every department is recognized. And I think almost every geographical location is also recognized. So just to have that scope and depth of people with long tenure in the company, technically brilliant, really want to understand how they can apply the cultural values that we live with each day to make our security programs stronger. As I say, that's been a game-changer for us. We use it as a feeder program. So we've had five people transfer from other departments into the security and GRC teams through the Champions program.

Makes a lot of sense. You take somebody who walks on water in security, mix them with somebody who really doesn't know a lot about it, but wants to learn, and then can ask really basic questions. And then the experts can actually understand better how to communicate to that one-to-one level.

It's absolutely true. My mom lives on her iPad. She worships her iPad. Unfortunately, she thinks everything on it is true.
And so for me to try and dumb it down, and she's not a dumb person, but for me to try and dumb down the message of, most of it's rubbish, mom, Facebook is made up. It's just people telling stories. For me to try and get that over to, so she's a one and I might be a five, that's hard, that's really hard. And so that's what we're doing in the office as well. It's like, if you can explain to my mother how not everything on the internet is true, we're golden.

My mom, rest her soul, when she first got up, we got her a Macintosh. This is years and years and years ago. And we were trying to train her, I was over the phone. I said, mom, just grab the mouse. She's like, I don't like mice.

There you go.

I know, I know, Lena, what that sounds like. Years ago, it was early last decade. We started to think about, wow, security really has to become a board-level item. And it really was in 2010, for certain companies, but really, and so I had the pleasure of interviewing Dr. Robert Gates, who was the defense secretary. We had this conversation and he sits on a number, or sat on a number of boards, probably still does, but he was adamant. Oh, absolutely, this is the criticality. Now it's totally changed, right? I mean, it's now a board-level item, but how do you communicate to the C-suite, the board? How often do you do that? What do you recommend is the right regime? I know there's not any perfect, there's got to be situational, but how do you approach it?

So I am extremely lucky. We have a very technical board. Our chairman of the board is Tom Killalea, you know, Amazon alum, I mean, just genius. And he and the rest of the board, it's not like a normal board. Like I actually have the meeting on this coming Monday, so this weekend will be me reading as much stuff as I possibly can, trying to work out what questions they're going to ask me. And it's never a gotcha kind of thing.
I've been at board meetings before where you almost feel personally attacked, and that's not a good thing, where at MongoDB, you can see they genuinely want us to grow and mature. And so I actually meet with our board four times a year, just for security. So we set up our own security meeting, just with board members who are specifically interested in security, which is all of them. And so this is actually off cadence, so I actually get their attention for at least an hour, once a quarter, which is almost unheard of. And we actually use the AWS memo format. People have a chance to comment and read prior to the meeting, so they know what we're going to talk about, and we know what their concerns are. And so you're not going in like, oh my gosh, what's going to happen for this hour? We come prepared, we have statistics, we can show them where we're growing, we can show them where we need more growth and maturity. And I think having that level of just development of programs, but also the ear of the board has helped me mature my role 10 times. And then also we have the chance to ask them, well, what are your other CISOs doing? You know, they're members of other boards. So I can say today, for example, you know, what's So-and-So doing at Datadog, or Tom Killalea, what's the CISO of Capital One doing? And they helped me make a lot of those connections as well. I mean, the CISO world is small, and me being a female in the world, with a Scottish accent, I'm probably more memorable than most. So it's like, oh yeah, that's that Irish girl. Yeah, she's saying, yeah, Scottish, thank you. But they remember me and I can use that. And so just having all those mentors from the board level down, and obviously Dev is a huge, huge fan of security and GRC, it's no longer that box-ticking exercise that I used to feel security was, you know, if you did your SOC 2 Type 2, in fintech, oh, you were good to go.
You know, if you did NERC CIP for the power industry, all right, right. You know, we can move on now. It's not that anymore, it's every single day.

Yeah, of course Dev is Dev Ittycheria, Dev spelled D-E-V. I spell Dave differently, my Dave. But Lena, it sounds like you present a combination of metrics. So the board, you feel like that's appropriate to dig into the metrics, but also I'm presuming you're talking strategy, potentially, you know, gaps.

Road maps, the whole nine yards.

Where you need to find, what's the, you know, I look at the budget scenario. At the macro level, CIOs have told us they came into the year saying, hey, we're going to grow spending at the macro around 8%, 8.5%. That's dialed down a little bit post-Ukraine and the whole recession and Fed tightening. So now they're down maybe around 6%. So not dramatically lower, but still. And they tell us security is still the number one priority. That's been the case for many, many quarters and actually years. But you don't have an unlimited budget, right? It's not like, here's an open checkbook, Lena. So how does Mongo balance that with the other priorities in the organization? Obviously, you know, you got to spend money on product, you got to spend money on go-to-market. What's the climate like now? Is it continuing on in 2022, despite some of the macro concerns? Is it maybe tapping the brakes? What's the general sentiment?

We would never tap the brakes. I mean, this is something that's, so my other half works in the finance industry still. So we have interesting discussions when it comes to geopolitics and financial politics. And Dev, the chairman of the board, all very technical people, get that security is going to be taken advantage of if we're seen to be tapping the brakes. So it does kind of worry me when I hear other people are saying, oh, we're, you know, we're cutting back our budget. We're not. That being said, you also have to be fiscally responsible.
I'm Scottish, we're cheap, really frugal with money. And so I always tell my team, treat this money as if it's your own, as if it's my money. And so when we're buying tool sets, I want to make sure that I'm talking to the CISO or the CISO of the company that's supplying it and saying, are you giving me really the best value? You know, how can we maybe even partner with you as a database platform? How could we partner with you, ex company, to, you know, maybe we'll give you credits on our platform if you look to moving to us, and then we could have a partnership. And I mean, that's how some of this stuff builds. And so I've been pretty good at doing that. I enjoy doing that. But then also just in terms of being fiscally responsible. Yeah, I get it. There's CISOs who have every tool that's out there because it's shiny and it's new. And they know the board is never going to say no. But at some point people will get wise to that and be like, I think we need a new CISO. So it's not like we're going to stop spending it. So we're going to get someone who actually knows how to budget and get us the best value for money. And so that's always been my view is we're always going to be financed. We're always going to be financed well. But I need to keep showing that value for money. And we do that every board meeting, every Monday when I meet with my boss. I mean, I report to the CFO, but I've got a dotted line to the CTO. So I'm one of the few people at this level that's got my feet in both camps. You know, budgets are talked at Dev's level. So, you know, it's really important that we get the spend right.

And that value is essentially, as I was kind of alluding to before, it's decreasing the value equation for the hackers, for the adversary.

Hopefully, yes.

Right, of course, they're increasingly sophisticated. I want to ask you about your relationship with AWS in this context.
It feels like when I look around here, I think back to 2019, there was a lot of talk about the shared responsibility model. You know, AWS likes to educate people. And back then it was like, okay, hey, by the way, you know, you got to, you know, configure the S3 bucket properly. And then, oh, by the way, there's more than just, it's not just binary, right? There's other factors involved. The application access and identity and things like that, et cetera, et cetera. So that was all kind of cool. But I feel like the cloud is becoming the first line of defense for the CISO. But because of the shared responsibility model, the CISO is now the second line of defense. Does that change your role? Does it make it less complicated in a way, maybe, you know, more complicated? Because you now got to get your DevSecOps team, the developers are now much more involved in security. How is that shifting, and specifically in the context of your relationship with AWS?

It's honestly not been that much of a shift. I mean, these guys are very proactive when it comes to where we are from the security standpoint. They listen to their customers as much as we do. So when we sit down with them, when I meet with Steve Schmidt or CJ, or our account manager, it's not a conversation that's a surprise to me when I tell them this is what we need. They're like, yep, we're on that already. And so I think that relationship has been very proactive rather than reactive. And then in terms of MongoDB, as a tech company, security is always at the forefront. So it's not been a huge lift for me. It's really just been my time that I've taken to understand where DevSecOps is coming from and how far are we shifting left? Are we actually shifting right? Now it's like, get the balance right. You can't be too much to one side. But I think in terms of where we're teaching the developers, we're a company by developers for developers, so we get it.
We understand where they're coming from and we try and be as proactive as AWS is.

When you, obviously the SolarWinds hack was a major mile... I think security is always something in the headlines, but when you think of things like Stuxnet, Log4j, obviously SolarWinds and the whole supply chain infiltration and the bill of materials. As I said before, the adversary is extremely capable and sophisticated and much more automated. It's always been automated attacks, but island hopping and infiltrating and self-forming malware and really sophisticated techniques. How are you thinking about that supply chain bill of materials from inside Mongo and ultimately externally for your customers?

So you've picked on my third favorite topic to talk about. So I came from the power industry before, so I've got a lot of experience with critical infrastructure and that was really, I think, where a lot of the supply chain management rules and regulations came from. If you're building a turbine and the steel's coming from China, we would send people to China to make sure the steel we were buying was the steel we were using. And so that became the HBOM, the hardware bill of materials, bad name, but we remember what it stood for. And then fast forward, President Biden's executive order, SBOMs front and center, Cloud First front and center, it's like, this is perfect. And so I actually moderated a panel earlier this year at Homeland Security Week in DC where we had Snyk, CISA, so Dr. Allan Friedman from CISA and also Patrick Dwyer from OWASP. OWASP for the framework, CISA for the framework as well and just the general guidance, and Snyk for the front end, that was where my head was going, and MongoDB is the backend database. And what we've done is we've taken our work with Snyk and we now have a proof of concept for SBOMs.
And so I'm now trying to kind of package that, if you like, as a program and get the word out that SBOMs shouldn't be something to be afraid of. If you want to do business with the government, you're going to have to create one. We're offering a secure repository to store that data. The government could have access to that repository and see that data. So there's one source of truth. And so I think SBOMs is going to be really interesting. I know that some of my peers are like, oh, it's just another box to tick. And I think it's more than that. I definitely, there's something percolating in the back of my mind that this is going to be big and we're going to be able to use it to hopefully not stop things like another Log4j. There's always going to be another Log4j. We know that. We don't know everything, the unknown unknown. But at least if we're prepared to go find stuff quicker than we were before Log4j. I think having SBOMs on hand, having that one source of truth, that one repository, I think it's going to make it so much easier to find those things.

Last question. What's the CISO's number one challenge? Either yours or the CISO generally?

Keeping up with the fire hose that is security. Like, what do you pick tomorrow? And if you pick the wrong thing, what's the impact? So that's why I'm always networking and talking to my peers. And you know, we're sometimes like meerkats. You know, there's meerkats that you see like this. It's like, what do we talk about? But there's always something to talk about. And you just have to learn and keep learning.

Last question, part B. As a hot technology company that's a rising star, notwithstanding the tech lash and the stock market, Mongo's growing wonderfully. Do you find it easier to attract talent? Like many CISOs will say, you know, lack of talent is my biggest challenge. Do you find that that's not the challenge for you?

Not at all. I think on two fronts. One, we have the champions program.
So we've got a whole internal ecosystem who love working there. So the minute one of my jobs goes on the board, they get first dibs at it. So they're already phoning their friends. So we've got, you know, there's ripple effects out from over a hundred people internally. You know, I think just having that, that's been a game changer.

I was so looking forward to interviewing you, Lena. Thanks so much for coming on theCUBE. It was really great to have you.

Thank you so much.

You're really welcome. All right, keep it right there. This is Dave Vellante for theCUBE. We'll be right back at AWS re:Inforce 22 right after this short break.