Voices of Grubhub: Yolonda Smith, Head of Cybersecurity, on Protecting Grubhub and its Customers
For this edition of our Leadership Insights Series, we caught up with Yolonda Smith, Head of Cybersecurity.
The number one global risk organizations face today is the threat of a cyber-attack or data breach. Yolonda and her team serve as the gatekeepers to help protect Grubhub and its customers.
Tell us a little about your background and career before you arrived at Grubhub.
I have been in the cybersecurity space for 15 years. Before joining Grubhub, I worked at Sweetgreen, where I was the first-ever security employee. My role there involved overseeing all IT operations, security for the app and website, and the company itself. Before Sweetgreen, I had roles in product management for a cybersecurity company, as an analyst at Target, and I served in the Air Force for eight years. It was in the military where I first learned about hacking and cybersecurity, and all these experiences shaped my approach to security at Sweetgreen and now at Grubhub.
That’s impressive! So, what motivated you to join Grubhub?
Grubhub reached out to me because they were looking for someone who could apply the same kind of practical, scalable security measures that I had developed at Sweetgreen. I was excited to take on that challenge. My background allowed me to bring a unique perspective, particularly in tailoring security programs to fit a company’s specific needs and risks.
How did your military experience shape your approach to your career?
My military background had a huge impact on how I approach security. My very first assignment in the Air Force was actually in a mailroom, not in computers, which wasn’t what I expected. But that experience taught me a lot about managing complexity, solving problems quickly, and maintaining a clear mission under pressure. These lessons have been invaluable in my cybersecurity career. It also helped me understand the importance of protecting sensitive information. Later on, I was trained in cyber attacker methods, which gave me insights into how attackers think. All of these experiences combined helped me develop a strong, defense-focused approach to security.
Cybersecurity is a constantly evolving field. What keeps you motivated to stay in the industry?
The constant change keeps me going! I also had a personal experience when I was in the military. My identity was stolen, and I remember that feeling of helplessness when I realized all the money in my bank account was gone. I don’t want anyone else to feel that way. That experience drives me to ensure Grubhub’s customers and employees don’t face that kind of vulnerability.
What’s the biggest misconception people have about cybersecurity?
I think many people don’t realize how prevalent cyber threats are, or they underestimate their impact. One thing I wish people understood is how critical social engineering has become again. A lot of breaches happen because hackers manipulate people into revealing sensitive information. It’s an old threat, but it’s making a comeback, especially now that hackers are weaponizing AI to automate attacks.
What does the Grubhub cybersecurity team focus on, and how do you measure its effectiveness?
We have a dedicated team of developers, analysts, and operators who protect the Grubhub website, the app, and the overall brand. We work with engineering partners to ensure login systems are secure, monitor external threats, and maintain internal security protocols.
In terms of measuring our effectiveness, we align our security objectives with the company’s overall strategy. Every year, we set specific risk goals. This year, we aimed to reduce our risk score by more than a half point, which we accomplished. It might not sound like much, but that’s a big improvement for a small team. We also measure our success by how quickly we respond to incidents, whether we address the highest risks, and how well we communicate with the business.
What are some of the biggest cybersecurity threats the industry is currently facing?
Right now, phishing and social engineering are the major threats. Attackers often pose as company representatives and use sophisticated techniques to trick merchants into giving up sensitive information. What’s worse is that AI has made these kinds of attacks more efficient. It used to take weeks to set up a phishing campaign. Now, someone with minimal expertise can automate the entire process in a fraction of the time.
How would you describe your leadership style?
I set a high bar and expect people to hold themselves to those same standards. I focus on empowering my team to make decisions at their level and encourage pride in their work, quality of their deliverables, and their communication. My goal is to be hands-off on the details so people have a chance to come up with creative solutions, but remain close to the overall goals and objectives so I can provide guidance to get us back on track if that’s what’s needed. I think it’s important to balance between giving direction and providing autonomy.