CISOs at modern enterprises face more challenges than ever as they work against a backdrop of ever-evolving cyberthreats. Jaya Baloo, CISO at Netherlands-based KPN Telecom, is uniquely placed to offer end-user insight into the challenges faced by global security professionals and what the future threat landscape looks like.
Jaya Baloo admits that her interest in cybersecurity started young: after receiving a computer for Christmas at the age of nine, she was driven by a desire to understand the difference between mistakes in programming and intentionally malicious behaviour.
Fast forward a little and you’ll now find Baloo listed as a top 100 CISO and a regular guest speaker at the world’s highest-profile cybersecurity events – often speaking about quantum computing, a topic she is passionate about raising global awareness of.
Changes in the cybersecurity sector
Over two decades in the industry, Baloo has seen several changes, most notably that she no longer needs to convince anyone of the importance of good cybersecurity practice.
“What I do still find however is that there’s an ocean of distance between people who actually understand what they need to do versus just buying into every single vendor pitch,” she said.
“There is an overload of security vendor pitches at the moment because information security, maybe for the last two or three years, has been seen as ‘hot’ and I think that brings about a ‘market for lemons’ with the general population not being able to understand what quality is and that is a concern.”
On cyberthreats to the telecommunications sector
The ‘goal’ of attackers is what sets telecommunications infrastructure apart from other critical infrastructure, she says.
“The target setting for state sponsored attackers is not to bring it down so much as to be hooked into crevices and intercept traffic without being discovered,” she said.
“That’s not the same for other critical infrastructure providers. Energy and water are also types of critical infrastructure, however, a state actor isn’t interested necessarily in absconding with the data that’s there so much as influencing the availability of the services of electricity and water.
“With telecommunications, availability is crucial, but what I think is preferred is the availability to allow the communication and the chatter to keep going but unobtrusively monitoring it. So, the state actor challenge, I think, is the most unique one.”
On information sharing and collaboration as a cybersecurity tool
When it comes to cybersecurity threat information sharing, there should be no competition, she says.
“We should not try to compete at all with each other in this arena. Because one day they get hacked, the next day we get hacked,” she said.
One collaborative approach to tackling DDoS attacks – expensive and hard to defend against, but cheap and easy to launch – in the Netherlands is the Dutch Continuity Board, which Baloo chairs.
It sees competitors exchange live attack information in a bid to trace where the attack traffic is coming from.
“If we can fingerprint every site where the traffic is coming from then we should be able to take it down,” she said. “And that way we are better organised than the bad guys, who are doing the attack in the first place.”
The cybersecurity workforce shortage and how it can be tackled
“I refuse to wait. We are just too impatient – we have too many direct needs,” Baloo says frankly.
The impact of the cyberskills shortage is one felt closely by many firms. KPN is tackling this head-on with its annual ‘Greenhouse’ project.
“The idea is that we get seedlings from across the company who we train into cybersecurity professionals during a 10-month long programme.
“We don’t want to just have cybersecurity professionals within the chief information security department, we also want to have them in security consulting, we want to have them in network architecture teams and other expertise areas.”
Trainees work within the CISO security units, on projects and towards certifications – in areas such as offensive security, incident response or digital forensics.
“We make sure they are capable and even though this works on the basis of catch and release, that we would be happy hiring them for ourselves after this programme,” said Baloo. “It is an investment but it pays back so many times over for the company, so I find it really valuable.”
The biggest cyberthreat facing global organisations
Some would say ‘cryptojacking’, some would say ‘ransomware’ and others would say ‘skills shortages’. But Baloo has an interesting perspective and looks instead to the geographical ‘digital divide’.
“I think it’s the inequality and distribution of assets when it comes to being able to get good security for us all,” she says.
“Look at it this way, there’s no inequality of asset distribution when it comes to the platforms we use. We are all using the same stuff everywhere.
“However, when we see a vulnerability that has a global ripple, we are not equally distributed in terms of our ability to detect and respond and defend.
“In general the US and Europe are a lot better at it relative to Africa or South America, or certain parts of Asia.
“And in absolute terms it’s not that we’re doing so great in the west either, it’s just that it’s significantly worse elsewhere.
“Take for example all of the work that’s happening globally around things like quantum computing. You see that happening at Microsoft, at Google, at IBM, the United States is investing heavily in it, China has billions of dollars in it.
“But the rest of the world certainly doesn’t. You’re not hearing of a quantum computer or post quantum cryptography being developed in Brazil or in Kenya. What I’m worried about from an infosec point of view, is that when we have a quantum computer, it’s going to effectively render our current encryption schemes for public key cryptography moot.
“So if we see an evolution where only certain countries will be able to possess this kind of technology, all of the other countries will be in this ‘digital divide’ that the UN always talks about.
“I do quite a bit of evangelising and just try to educate CISOs about the potential quantum threat and the measures we need to take, because I think that even in Europe we don’t really understand how little time we have and how much work we’ve got in front of us.”
On the impact of quantum computing
“Think about it, governments, humans who have a bank account, we all use public key cryptography regularly and the reason we use it is because it is based on difficult maths problems that our current computing architectures cannot solve in a reasonable amount of time,” said Baloo.
“However, a quantum computer, which has a completely different architecture than a classical computer, is capable of solving these inherently difficult cryptographic challenges in an exponentially shorter amount of time. As a result, it will be able to potentially compromise the security of not only everything that we will encrypt, but also everything we have encrypted and transferred between each other.
“So if you have an attacker in the background just capturing all of this communication, even the encrypted traffic, it’s just a matter of time before the quantum computer arrives and they can decrypt that traffic at will.”
There are three specific things which businesses and organisations can do to prepare themselves, she says.
The first is to increase the key length of current algorithms, the second is to use quantum key distribution in specific parts of the network, and the third is to look at new post-quantum cryptographic algorithms.
Advice to aspiring CISOs or security professionals
“I know there’s a lot of people that eventually become security generalists and have let go of some of the technical background that they originally had because of a strong desire to be a CISO, but I think it’s something you should never completely let go of,” said Baloo.
“The thing that makes a good CISO unique and competent is a fundamental ability to grasp the underlying technology and potential risk behind the thing that you’re trying to secure. The ideal CISO is T-shaped. They have a core competency and can go very deep into one technical area, then have one arm with a permanent link to the business and another intrinsic link to their team of security specialists.
“But keeping that core competence sharp and adding to the knowledge base is essential.”