Jaya Baloo, CISO at Avast Software, on cybersecurity
Published on 29/09/2021 in Tech, tips & tricks
To create a secure IT environment, you need more than a bit of software and a firewall. “Cybersecurity must be based on a strategy,” says Jaya Baloo, CISO at security specialist Avast Software. “Without a plan, you’re nowhere.”
Many companies get it wrong when it comes to cybersecurity. They think it’s enough to just purchase a few products. What do you say to them?
Jaya Baloo: “Cybersecurity is not possible without a well-thought-out strategy. You have to understand what you’re defending and who you are defending it against. That’s only possible with a strategic approach. You need to have a plan. If you fail to plan, you plan to fail. In real terms, I always start with a three-year vision, with a clear goal: to see how security contributes to letting the business do what the business wants to do. Security is not there to hinder the business, but rather to help the business move forward.”
Does that principle apply to all companies, regardless of whether they are an SME or a large multinational?
“In principle, yes, although of course you have to see everything in the right context. In a small, traditional bakery, IT is less of an issue and security will require less effort. For an SME that offers online services, security is much more important. Nevertheless, today everyone is active online, so no one can ignore the need for security. What we do see is that small organizations are often easy targets precisely because they don’t know what to do or because they’re afraid of the cost.”
Do SMEs not have the right attitude to security?
“Small companies still often don’t understand the threat base. They think they’re of no interest to cybercriminals and therefore are not at risk. Or they think their service provider will protect them. But that’s not the case. Anyone who purchases a cloud service is still responsible for its security. Those who don’t know that are using those services and assuming that they are safe. This false sense of security can also be present among the employees of a company. They assume that security is the company’s responsibility, not theirs. That lack of awareness can lead to major problems.”
Make it financial. Calculate what the impact of an incident could cost the company.
Jaya Baloo, CISO at Avast Software
Insight into the risks… and yourself
That hits the nail on the head: awareness. How can a company ensure that everyone is on board?
“That too is only possible if the organization develops a security strategy. Three elements are essential: awareness, visibility, and capability. In the first place, you have to develop a security awareness that is focused on the company and its employees. Security is best served with awareness that matches the various roles of the employees.
There are different focal points for the CIO than for the production workers. Visibility and risk intelligence is the second element. There must be monitoring, you must collect logs and, more generally, gather intelligence so that you know when there are security incidents in your sector and prioritize important versus urgent. Finally, it’s about the speed and accuracy of your response, hence developing your security capability is a crucial and iterative process.”
According to Jaya Baloo, your strategy should be based on three principles: stimulating awareness, creating visibility and risk intelligence, and developing your own security capability.
Logs alone are of course not enough.
“Exactly. You have to handle those logs and alerts smartly: looking at the right things, instead of looking busy, otherwise you will drown in all kinds of alarms. And when there is an incident, you also have to be able to take appropriate action. Is there an incident or a systemic problem? Then tackle it, but do it in a smart way, so that you learn something from it to prevent reoccurrence.”
The great difficulty is that the conditions in which the whole exercise takes place are constantly changing. There is a constant race between cybercriminals with new malware and security specialists with new solutions. But equally the business of a company changes over time, doesn’t it?
“True, but a company should know its own environment best. If something changes, it must make adjustments. The impact of a fire is not over when the fire is extinguished. It takes time for the burns to heal. This is also the case with a security incident.
A security breach or hack goes unnoticed for an average of seven months. After that, there’s still a long way to go – often three to six months – to eliminate the entire impact of the incident. In other words, whatever plans the company has, they will have to change. A good strategy provides the space to do this well.”
CIO or CISO? One person must bear the ultimate responsibility. But remember that security cannot exist without good IT, while IT unfortunately does exist without good security.
Jaya Baloo, CISO at Avast Software
Calculate the costs
If the risks are constantly changing and an organization has to continually adjust its security as a result, security fatigue is lurking around the corner. How can that be avoided?
“It really is exhausting: another zero day, another patch storm, another ransomware campaign… We see cybersecurity as an arms race that is continuing to escalate. We don’t know how to de-escalate anymore. That makes it difficult sometimes. You do, in fact, have to stay cool despite everything. You know that something else is just around the corner and that as a company you must continue to provide time, people, and budget. But at the same time you can’t stand up and shout about everything, because eventually people will stop listening.”
Apart from the battle in the field, this is perhaps the biggest challenge for security specialists: how do they convince the CEO that a sustained effort is needed?
“Well, from a security point of view, there’s nothing else you can do but provide a sufficiently large buffer, because we know that something will happen sooner or later. The best way to convince management of this is to translate the impact into financial terms. Look at the possible impact on the business and calculate the costs.”
No security without IT
Companies are increasingly taking responsibility for security away from the IT department. They appoint a CISO, who is in close contact with the CIO. How do you view that evolution?
“When it comes to security, everyone is responsible. But the ultimate responsibility is at C-level – that goes without saying. It’s interesting to see that security cannot be done without good IT, while IT unfortunately does exist without good security. Above all, it’s important that one person bears responsibility for the security life cycle: from awareness and prevention, to response to an incident and the associated recovery. You can come a long way if you follow current good practices and ensure good basic hygiene.”
Many companies go a little further. Can they use their security efforts as a competitive advantage?
“Absolutely. This is especially the case when the business of the organization stands or falls on trust. We expect a bank to be highly secure. We expect a hospital to handle patient data correctly. In that context, security can grow into a competitive advantage. A company like Apple, for example, presents privacy and security as two of its main selling points.”
Compliance is the floor
Companies also often invest in obtaining certificates to demonstrate that they take security seriously.
“With a certificate you prove that you meet a standard. That’s certainly a good starting point. But I see compliance as the floor, not the ceiling. So don’t be blinded by those certificates. Hackers often strike certified companies.”
Apart from all the efforts made – whether or not documented with certificates – what we need to remember first and foremost is that managing cybersecurity remains a very fluid exercise. The work is never finished and it’s not always clearly defined. Hence the need for a sound strategy: it determines the ultimate objectives, while its concrete, day-to-day deliverables are constantly evolving.
Jaya Baloo is CISO at Avast Software, a supplier of security software. She was previously CISO at KPN Telecom. Forbes included her on its list of 100 Women Founders in Europe to Follow.