Secret CSO: Jaya Baloo, Avast

What is the best current trend in cybersecurity? “It is positive to see the cybersecurity industry making waves in supply chain security… the recent high-profile supply chain attacks have caused the industry to wake up and smell the coffee.”


Name: Jaya Baloo

Organisation: Avast

Job title: Chief Information Security Officer (CISO)

Date started current role: October 2019

Location: Amsterdam, Netherlands

Jaya Baloo joined Avast as Chief Information Security Officer (CISO) in October 2019. Before this, she was CISO at KPN, the largest telecommunications carrier in the Netherlands. Prior to this, Baloo also held the position of Practice Lead Lawful Interception at Verizon and worked at France Telecom as a Technical Security Specialist. Baloo is formally recognised in the list of top 100 CISOs globally and ranks among the top 100 security influencers worldwide. In 2019, she was also selected as one of the fifty most inspiring women in the Netherlands by Inspiring Fifty, a non-profit aiming to raise diversity in technology by making female role models in technology more visible.

What was your first job? My first real job was 20 years ago as an internet security trainer at Bankers Trust, a leading financial institution for commercial and consumer banking services. During my time at Tufts University, I worked at Cybersmith, a cafe and virtual reality arcade that opened in Harvard Square, Massachusetts in February 1995. Think of an internet cafe, before they became popular. It was a comfortable place to gather, have a bite to eat, and get access to all the new computer technologies, perfect for anyone who wanted to explore the world of computers, just a slice of heaven in Harvard Square. 

How did you get involved in cybersecurity? I was inspired to study computers after receiving one for Christmas at the age of nine. Though I didn’t have access to the internet until I was 12, it was a Compuserve dial-up connection. After one occasion of maxing out our bill, my parents cancelled the service, meaning I had to find other avenues to get online. I found out through chat rooms about local dial-up systems and so I decided to set up a war dialling programme to try to find one, a technique to automatically scan lists of telephone numbers, usually dialing every number in a local area code to search for modems, computers, bulletin board systems (computer servers) and fax machines. I was that desperate to get back online!

What was your education? Do you hold any certifications? What are they? I studied at Tufts University in Massachusetts between 1991 and 1995. I studied political science, as at the time my parents were working for the UN. Though throughout my studies I also took a computer science course for fun, simply because I enjoyed it. I also completed a range of other technical courses when I began working, a whole slew of network as well as security certifications. I started early with getting my CISSP (Certified Information Systems Security Professional) and obtained a bunch of vendor certifications, like Checkpoint, Cisco, forensic tools training, etc.

Explain your career path. Did you take any detours? If so, discuss. I currently work as Avast’s Chief Information Security Officer, having joined the company in October 2019. Previously, I was CISO at KPN, the largest telecommunications carrier in the Netherlands, where I led its security team for seven years, starting after a major hack and building a team that was not just responsible for defending a telco, but most of the critical infrastructure of the Netherlands. I also worked in a bunch of different telcos, from Verizon to France Telecom as a Technical Security Specialist. I still have a soft spot for telcos, but I thought I could assist in the hunting of global threat actors by joining Avast and defending vulnerable populations.

Aside from being CISO at Avast, I am also Vice-Chair of the EU Quantum Flagship, a billion euro R&D program for quantum technologies and on the faculty of Singularity University. The biggest detour in all of this is my entire accidental career in security. I originally wanted to work for NASA, then wanted to follow the path of my parents who worked for the UN by studying political science. Maybe I could bring it full circle by applying for a job at SpaceX, which is still a bit of a dream. (Psst... Elon, are you out there?)

Was there anyone who has inspired or mentored you in your career? Yes, there are so many. I also get a lot of inspiration listening to other speakers at conferences. Regardless if you’re speaking to someone in ethical hacking, or day to day operations, or researchers hunting down cyber threats, there is something to learn from each and every person. Although this might sound like something out of a Hallmark card, I am actually always the most inspired by my own team, I learn a lot from listening to them and watching them carry out fantastic work every day. This goes for my colleagues as well, unless they work in finance or audit, which honestly can get a bit depressing. (Just kidding)

What do you feel is the most important aspect of your job? The most important aspect of my job is making security simple but accessible not just inside the company but especially outside of it – this is actually a big reason I joined Avast. Before I joined the team, I had already installed Avast on my children’s laptops - as it was an effective product at an affordable price point. As new technology emerges, we’re seeing an increasing digital divide between the “haves” and “have nots” – and not only when it comes to the elderly and younger generations. During my travels, I’ve seen such stark challenges when it comes to tech adoption across the world, so for me it is so important that security stays affordable and accessible to the most vulnerable populations.

What metrics or KPIs do you use to measure security effectiveness? The key metric of success is how quick we are to respond to security vulnerabilities and resolve an issue. Average time to respond to vulnerabilities and incidents has always been the key metric. It’s useful to look at this as a trend line, if we’re getting slower to resolve things, then that raises the alarm and suggests there is a problem with either our tools, processes or people. If we have incidents open for a long time without a resolution then it signals it’s time to examine the core problem and fundamentally change things.

Is the security skills shortage affecting your organisation? I don’t know anyone it’s not affecting in the industry. Unfortunately, it takes a long time to fill positions for security. Diversity and inclusion is one of the reasons. We need to make sure we increase access and availability of training to help encourage women into security. I’ve said it before but one way to do this is to get women interested in STEM at a younger age, through apprenticeships, internships, where they can grow into a role and develop their skills on the job.

Cybersecurity is constantly changing - how do you keep learning? I read a lot of books, I observe discussions on social media, and listen to great researchers at conferences. Though my biggest source of knowledge is my team. An army of one is an army of none, you can't do this job alone. 

What conferences are on your must-attend list? The security industry has a packed calendar of some of the best conferences in the world. Of course there’s DEF CON and Black Hat, but the past few years I have followed it after rather than being there physically and now with the post-COVID situation it looks like this is continuing. Though I'm particularly looking forward to attending hardwear.io and Hack In The Box.

I’m also excited to speak at Avast’s third CyberSec and AI conference in 2021. The event last year was a great success, bringing together great minds such as former chess grandmaster and AI spokesperson Garry Kasparov as well as the founder of the Tor Project Roger Dingledine, to discuss important security issues such as AI bias and adversarial AI. 

What is the best current trend in cybersecurity? The worst? It is positive to see the cybersecurity industry making waves in supply chain security. It’s been a focus for some time but the recent high-profile supply chain attacks have caused the industry to wake up and smell the coffee. 

One of the trends I’m sceptical of is seeing companies use AI to power absolutely everything. Not every business is better with AI and blockchain, and moving all operations to the cloud doesn’t always make sense. Companies shouldn’t sprinkle the newest trendiest tech on their business just because of the hype, they must ensure it aligns with their goals and is applied with common sense. 

What's the best career advice you ever received? Stay true to the thing that makes you stand out. I personally love the more technical side of cybersecurity, and when I evolved into a management role as CISO, I had a hard time not feeling that I was losing something rather than gaining a new skill. The best advice is not to let go of the part of the job you love, it’s a USP. 

What advice would you give to aspiring security leaders? Hold onto your passion. Don’t be afraid of being wrong, it’s the only way to learn something new. Especially in infosec, there tend to be a lot of pissing contests pitting people against each other’s relevant experience or technical merit. This scares a lot of people off and as a result bad practice persists longer than it needs to. Don’t be afraid to challenge or to be challenged and remember that curiosity is a gift that you need to splurge on regularly.

What has been your greatest career achievement? I’m incredibly proud to be working with the EU Quantum Flagship, a billion euro R&D program for quantum technologies – where we provide insight into quantum computing developments and call for action to continue the development of solutions to mitigate security concerns. Most members are leading physicists so it really is a privilege to hold a position of Vice Chair as a security person. But, ultimately I’m there to make security accessible and to help drive innovation and opportunities, rather than only worrying about security threats. If we allow it to, quantum computing will revolutionise fundamental science, but if we lead from only a security threat standpoint it will not progress, so my job is to ensure we stay ahead of the curve, and do not get consumed by these threats. I am proud to be able to make that case, understand the problem at stake, and take a seat with this incredible group.

Looking back with 20:20 hindsight, what would you have done differently? I would like to have studied for a technical degree, such as physics or engineering. 

What is your favourite quote? ‘It’s either finished or it’s perfect’

What are you reading now? I just finished reading the Midnight Library by Matt Haig, but am now reading Klara and the Sun by Kazuo Ishiguro.

In my spare time, I like to… I really enjoy riding horses with my daughter, playing tennis with my son, and surfing with my other son - or sitting on the beach drinking a cappuccino whilst watching him show me how it’s done properly.

Most people don't know that I… Have a telescope, which I received as a leaving gift from KPN. I am very interested in astronomy - so this is something I'm very fond of.

Ask me to do anything but… Packing! Vacation stress in general is something I am not a fan of, especially the time-constraints.