Cybersecurity professionals face one of the most challenging jobs in modern businesses, dealing with a constantly evolving threat landscape. Cybersecurity professionals must find ways to effectively navigate challenges and obstacles to get their security posture to where it needs to be. Achieving this goal requires strategic vision and the ability to balance business enablement with risk management.
In this series we will be interviewing cybersecurity professionals from a wide range of backgrounds, industries, and experiences to bring you their unique insights into cybersecurity today, what challenges they are facing currently and expect to face in the near future, the realities of what it takes to defend complex global environments, and what advice they would offer to other CISOs and cybersecurity professionals.
We spoke to Lena Smart, the former CISO at MongoDB. Lena served as Global CISO for Tradeweb, as well as CIO and Chief Security Officer for the New York Power Authority, which is the largest state power organization in the country. She is a founding member of Cybersecurity at MIT Sloan and, most recently, she has joined AIUC-1 as its first Ambassador. Lena is also an angel investor and board advisor to companies including Acium.io and Humma.ai.
What cybersecurity challenges do your teams deal with on a day-to-day basis?
As a mentor, I am still heavily involved in the CISO world. The main issue on everyone’s minds these days is AI: how to manage it; how to train employees to use it effectively and safely; how to reduce the proliferation of “shadow AI”.
How have the challenges you deal with evolved in the last few years?
The landscape has moved from “move fast and break things” to “move faster and let AI break things” in my opinion. This has to be managed in a thoughtful way. Talking to Boards who want “instant success with AI” is also a challenge. How do you balance innovation with safety? That’s why I joined AIUC-1.com as their Ambassador – to make enterprises aware of the AI risks and have them take some accountability for their actions.
How do you set yourself and your teams up for success dealing with these challenges?
Open communication is absolutely key. Let people know what they can and cannot do. Make them aware of their individual responsibilities and how these align with company values. Knowledge is NOT power – share the failures as well as the wins.
Training is absolutely critical; I used to set aside a set amount per person and made sure that every team member had at least one formal training class per year. It could be any subject, as long as it was tangentially relevant to their role and the success of the company overall.
What technologies, partners, and vendors help you when dealing with these challenges?
The ones who are honest in what they are selling or consulting on. So many snake oil merchants out there these days, it’s hard to tell!
How do you evaluate new vendors in the cybersecurity space?
There are two questions to ask any new vendor:
- How can I trust you?
- What pain point(s) are you trying to solve for me?
How do you balance security with business agility?
That’s extremely difficult, especially with AI. Keep one eye on the risk of the new shiny toy, versus the implied positive results it’s meant to bring. It boils down to “risk versus reward”.
Across your advisory and investment portfolio (browser security, human-driven training, empathetic AI, data protection) is there a common thread or thesis guiding where you put your time and capital?
I only invest in companies that, if I were still a CISO, I would have bought for my company. I need to see true value to CISOs and humanity at large in any company I invest in. It’s not all about the return for me.
It’s about “how will this company help CISOs do their job better and how will their product improve humanity in general.” It’s a big view, I know, but that’s how I roll… For example, Humma.ai wants to change the face of social media by building a privacy-first, community-owned social network, with a focus on safer online spaces and leveraging user-consented data to power B2B “Empathetic AI” models, especially in healthcare and other customer-facing sectors. That ticks both my boxes as a former CISO and now Angel Investor.
The other company I advise, Acium.io, is offering a Unified Browser Security platform, protecting sensitive data and SaaS access with policy-based controls and in-session monitoring. This will strengthen Zero Trust and insider risk programs without forcing a new, secure browser. Again, this shows thoughtfulness in trying to address real pain points that CISOs have to deal with every day.
What impact do you see new technologies like AI having on your day-to-day? Do you see AI having a long-term impact?
I use AI every day but am always aware of the security aspect of giving too much information to it. It’s tempting to take a list of questions like this and say “AI, answer these!” I am worried that at some point, original thinking will be gone, and people will be too reliant on AI answering all their questions. As AI learns from us, how can it improve if all we do is ask it to churn out AI slop based on other AI slop?
How do you see CISOs’ responsibilities expanding as AI agents become more autonomous?
Yes. Who will ultimately be held responsible if an AI agent goes “rogue” and leaks PII data? The CISO? Probably. We need guardrails and standards around AI that CISOs can use to help limit the risk of their role.
What advice would you give to fellow CISOs and other industry practitioners?
Learn all you can about the risks around AI usage, particularly feeding data into AI Agents. Set up an AI Risk Register where you have all AI usage clearly delineated, along with the risk profile for each Agent. Check what data is being mined, where it is going to, who has access to it, etc. Make sure your teams are trained to use AI SAFELY and effectively.