Q&A with Lena Smart: How to Handle Getting Hacked
Insights from a veteran CISO on navigating the chaos of a data breach and building a resilient cybersecurity strategy.
Lena Smart is an experienced cybersecurity leader with over 20 years in the field. She is the former Chief Information Security Officer (CISO) at MongoDB, Tradeweb, and the New York Power Authority. Lena is well-known for her innovative approach to security, emphasizing collaboration and empowering employees through programs like the Security Champions initiative. She is a founding member of Cybersecurity at MIT Sloan (CAMS), which facilitates collaboration between industry and academia to address critical infrastructure cybersecurity challenges.
It's estimated that 49% of U.S. companies have encountered a data breach at some point, and almost one-third admitted to a breach in the last year alone. For CISOs, it's no longer a matter of if you will get hacked, but when. In December 2023, MongoDB, the company behind the NoSQL database of the same name, was hacked a week before Christmas. As its CISO, Lena was responsible for handling the aftermath of the breach.
Our Q&A with Lena Smart dives into what lessons she learned from her previous experiences getting hacked, tips for handling a breach efficiently and effectively, and how CISOs can prepare their teams for the worst.
Q&A with Lena Smart
Q: Can you share a bit about your journey into the field of cybersecurity? What inspired you to become a CISO?
A: I kind of fell into the security world. Nobody was really doing much security when I worked at the New York Power Authority. The SCADA systems were on a completely separate network, no internet access whatsoever, and the corporate systems were not considered that important. However, after a DefCon visit where I saw a talk about SCADA systems being hacked, I realized that we needed to do something. I came back and told my boss. He said "you're in charge of security then" and that was it. That was over 20 years ago!
Q: What was your first experience with a data breach? What were your biggest takeaways from that experience?
A: I can't go into specifics, but I've dealt with a couple of breaches, the last one being at MongoDB. It was a horrific experience and I never want to go through it again. The incident showed me where we could improve our systems, and our Incident Response Plan worked very well. But my biggest personal takeaway is that I never want to hold the role of CISO again – there’s simply too much pressure and stress. For now, I am open to board and advisory positions.
Q: What preventive measures can companies implement to reduce the likelihood of future data breaches?
A: Preparation is key. Everyone in the organization has to understand their roles and responsibilities in the event of a breach. That includes the Board, C-Suite and every single employee. We performed lots of tabletop exercises (TTX). Our training completion rate was up to 99% when I left, due to listening to the business units and scheduling training when it was convenient for the different user groups.
Q: What is the first step organizations should take immediately after discovering a data breach?
A: Open up the Incident Response Plan and start working through it. Don't get bogged down in the details – if you follow your plan to the letter you may miss something, so make sure it's flexible enough to allow for "out of the box thinking".
Q: How can businesses assess the full scope and impact of a data breach?
A: It goes back to preparation. I use the SANS PICERL framework for breaches:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Having had as many TTXs as we did, everyone knew of the Risk Register and there was individual accountability for the risks there. We also reviewed the register regularly, after the TTX.
Q: What common mistakes do companies make when responding to a data breach?
A: They are too eager to "get started and fix the problem, get rid of the bad actors etc". You have to remain calm, take a level headed approach to the situation, and balance the needs of the business with the needs of security. That is very difficult to achieve, and only comes with lots of practice and TTXs.
They also don't generally have a third party, like Mandiant, on retainer. You will likely need external help as your team will be overwhelmed trying to restore systems. It also helps with customer relationships if they see a trusted third party like Mandiant involved as early as possible. It shows how seriously the breach is being taken.
Q: How can security teams approach communication to streamline response procedures?
A: Use your Sales team – they have the contacts and trusted relationships. I found our Sales team to be invaluable during the MongoDB breach. They could get the right people together at their accounts. It's also imperative to include your Communications and Marketing teams. We had just completed a detailed TTX with our C&M teams, one day before the MongoDB breach.
I have a saying that I also follow: "one voice, one message." All instructions and outbound communications were written and approved by me (and Legal), so there was no ambiguity of internal or external messaging.
Q: What advice do you have for other CISOs preparing for or experiencing their first breach?
A: Be prepared for things to happen that you haven't even imagined. We had people traveling (the MongoDB hack happened one week before Christmas), laptops breaking on Christmas Eve with no way of getting a replacement for two days, and someone's wife went into labor. Just be aware that there will be elements to the event that you would never have dreamt of. Stay calm, keep your team involved in all communications, and make sure your Incident Response Plan and Risk Register are up to date.
Q: What trends do you see shaping the future of cybersecurity, and how can organizations prepare to adapt to these changes?
A: Obviously AI will play a large part in the future, but we need to flip it from "AI for security" to "security for AI". I can see a proliferation already of AI companies touting solutions for problems that AI cannot (at the moment) fix properly. The LLMs are still being trained. Companies like SecurityPal are definitely doing the right thing: using AI where appropriate, but not completely replacing all human interaction.
Q: Looking back on your career, is there anything you would have done differently?
A: I would have married a very rich man and been a lady of leisure. Seriously though, I love my career and the experience I've gained over the years. I left school at 16, as I had to work to help support my Mum and sister. I never imagined that learning about security would have led to where I am today, working with amazing companies like SecurityPal.
Q: What would you consider your biggest professional lesson?
A: Be prepared. I have a reputation of "over preparing" and it's never steered me wrong. Keep good records, know what your critical assets (or “crown jewels”) are, and who is responsible for them. Network with as many peers as you can, because you can count on other CISOs to be a shoulder to cry on, free therapy, and help if needed.
Be Prepared for a Data Breach, Before It’s Too Late
As cybersecurity threats continue to grow in complexity, Lena’s experiences offer invaluable lessons for CISOs navigating the high-stakes environment of data security. Her insights, drawn from over two decades in the field, highlight the necessity for organizations to develop robust Incident Response Plans, regularly train employees, and maintain calm during crises.
Are you prepared for a data breach? Download our guide to creating a robust Customer Assurance (CAx™) Suite to elevate your security posture, and build trust with your stakeholders, customers, prospects, and vendors.