Tessian Spotlight: Jaya Baloo, Chief Information Security Officer at KPN Telecom

  • 09 April 2019

Jaya Baloo joined KPN Telecom 6 years ago as the Chief Information Security Officer to build up the Cybersecurity department, which currently has over 100 employees. Jaya was recognized as one of the top 100 CISOs globally by The CISO Platform in 2017, won the Cyber Security Executive of the Year Award in 2015 and is also a well-known speaker at security conferences across the world.

What are the greatest challenges you have overcome since you became CISO?

The one thing I keep telling my team that I can guarantee is we are going to get hacked. It’s because we are such a big network and also because we are an intermediate target to get to other targets. Obviously, we try to prevent as much as we can, respond as quickly as possible and verify as many actions as possible. The main challenge is to always keep thinking of new ways that we could improve our existing security measures in novel ways. We recently set up a new unit that invents new security solutions which we cannot find in the market, for example a post-quantum VPN tool.

How should CISOs work with the rest of the board?

People need to realise that security is actually sticky in that it is something very relatable to each and every role. You inherently realise that if you do not address a security issue then you will be exposing yourself to a risk. As a CISO, you should use this to your advantage, relate your cybersecurity objectives to the motives of the board and make it as relevant to them as possible. I also don’t believe that support for cybersecurity ends with the board. Effective storytelling might work for senior leadership, but you ultimately need every employee on your side to realise how they can best defend the company within their role in order for this to work.

What needs to change about how most organizations are handling their information security?

A lot of companies are quite relaxed about their cybersecurity, almost too relaxed. This is usually because they are not measuring what is actually going on in their company. They tend to generally want to trust their employees, partners and vendors. The issue is that trust is ultimately just a social contract and the health of this contract needs to be checked. So only if you monitor the behavior of your employees, partners and vendors can you give your trust to them freely. This is not a well-known threat for many of the larger companies.

How much of a role does human error play in data breaches?

Human error plays a huge role in data breaches. Whenever I talk about employees being a threat, I don’t simply mean the malicious ones who want to wreak havoc across your organization. A lot of accidental actions create many of these problems. That’s why creating cybersecurity awareness across a company is so difficult to scale. All forms of attacks tend to begin with some form of targeted phishing, which is very challenging because of the social engineering aspect. That’s why you need a system in place that takes these issues into account and why the best solution a company can have is a mix of technology and user awareness.

Do you have any advice for new CISOs to help set them up for success?

CISOs typically come from a very technical background and tend to think that they need to develop their metaskills such as presentation or storytelling. Obviously this is not a bad thing, but it does become an issue when they invest in these new skills to the detriment of the core technical skills that got them there in the first place. So I would recommend obviously investing in those metaskills but also doing a technical training session once a year with your team. Try to stay abreast of the newest technical trends as well by networking and speaking to other CISOs.