
Q&A With Lena Smart, CISO at MongoDB: Why You Need Security Champions

Tim Sadler

Illustrations by Lisk Feng

Lena Smart is a CISO who isn’t afraid to do things differently. Since joining MongoDB in 2019, she has transformed the company’s security culture – empowering employees to have a voice and create an impact through initiatives like her ‘Security Champions’ program.

Listen to the whole episode here, or read on for the summarized conversation.


Q: How did you start the Security Champions program, and what does it entail?

A: Before starting a Security Champions program, I would meet up with colleagues from different departments and we would talk about cybersecurity over lunch. Even without a formal program, there were people who had an interest in security but no outlet for it. Once I started looking for these individuals, it became clear that they existed in pretty much every company I worked at. When I moved to Tradeweb we set up a Security Champions program – but it was a much smaller version of the one we see today. Later, starting at MongoDB, a ‘fully’ tech company, I knew that a Security Champions program could have a huge positive impact.

The Security Champions program that we have running now is very much employee-led.

The main aim of Security Champions is to share knowledge and help decision making. So, for example, Security Champions will help in the development of phishing campaigns, threat models, and playbooks. Teamwork is at the center of the program’s success, and we make sure to nurture that through things like a book club, Slack channels, and even games like ‘capture the flag’! 

Anyone in the company is welcome to join the program; we just get people to fill in a short questionnaire determining their level of expertise. You can also be nominated by a provider in your team. Regardless of your role in the company, I think that what it comes down to is appreciating the importance of continued learning. As long as you are on board with that, you’ll fit right in.


Q: What successes have come from the Security Champions program?

A: We have employees from all departments on the Security Champions program, with at least a few members from each global location working together to solve problems. What has quickly become apparent to me is that having a Security Champion be the voice of their department is very empowering for both the business and the individual. 

When it comes to security advice, people are more likely to listen to their own team members rather than someone from a team that they don’t interact with every day. Put it this way – you’re more likely to trust the person that you go to lunch with, than somebody in the security team that you see in the elevator once a month. Having Security Champions in each business unit also allows us to ask questions without departments feeling as though the security team is sticking their nose where it is not wanted. 

The program is less than a year old, but these positive impacts are already abundantly clear. In the longer term, we expect to see a reduction in ghost IT, increased engagement in things like our phishing campaigns, and improved scores on security assessments.



Q: How do you respond when an employee makes a mistake?

A: One thing that I am incredibly proud of at MongoDB is that there is no culture of blame here. Of course, it is important to learn from mistakes, but it is also important not to dwell on them.

Removing blame culture allows employees to have a personal vested interest in security that is not fuelled by fear. So, during security training we carefully and respectfully let people know what the outcome could have been had they clicked on a bad link. Effective education is so important.

If people are educated, they understand the result of their actions, and it makes them think twice. If on reflection they still aren’t sure, then they can talk to their Security Champion in an informal manner, without fear of ridicule or punishment.

We have the same attitude when looking at the results of our phishing campaigns – if some people are doing less well than others, they just need more training. We will make that training available, and those that need more help will eventually get up to speed. This ensures employees recognize the part they play in security, without perpetuating a culture of blame.

For more from Lena Smart and her Security Champions program, listen to our Tessian Podcast episode, here.
