Q&A With New Avast CISO Jaya Baloo | Avast

Jeff Elder, 6 November 2019

Avast’s new CISO opens up about the mission that drives her, responding to threats and swimming with sharks

Jaya Baloo, a 20-year veteran in the field of information security, joined Avast last month as its chief information security officer (CISO). She most recently worked as CISO of KPN, the largest telecommunications carrier in the Netherlands. She has been formally recognized on the list of the top 100 CISOs globally and ranks among the top 100 security influencers worldwide. The Avast Blog spoke with her for this Q&A interview.

Avast Blog: What does the CISO of a cybersecurity company do?

Jaya Baloo: Remind staff how important best practices are and coach them to stay on top of passwords, VPN use, and secure networks best practices. Security should be in the DNA of everyone who works in our industry. In another type of company, a CISO might need to explain why they ask employees to take certain precautions. That said, In the cybersecurity business, we don’t just have to worry about our own company, we have to worry about our role in all of our customers’ companies, as well. There’s plenty of work to do there. The fact is, we security companies have very attractive attack surfaces for criminals to target. 

Photo_Jaya_BalooAB: Does watching out for other companies mean you can sort of be the CISO our customers might wish they could have for their company or even to help keep their home secure? 

JB: I hope so. The fact is, the tech industry has not made it easy for people to get their security in order. Security has been an afterthought, after a product is built. The makers of hardware and software products have made it a practice to not address security issues at the beginning of their design process, which means that their customers end up having to deal with a burden down the road. 

AB: How do you change that situation and empower people?

JB: By making security simple for people. That’s actually a big reason I joined Avast. I love the mission – that cybersecurity is a fundamental right. It’s not just for people who can afford to pay for a product – it’s for everyone. That’s right in line with my own beliefs. The first step of that democratization is often demystifying lingering and problematic issues that people don’t know how to address. 

Passwords are like underwear. The longer the better, change them often, don’t leave them lying around.

AB: What’s an example of keeping security simple for people?

JB: I tell people and small businesses owners to do five things:

  1. Know what you have on your network and where your data is. We tend to forget about old devices with sensitive data. Is an old phone or storage device in a desk drawer somewhere? Round everything up and use it or wipe it clean.
  2. Update or upgrade all those devices and software. 
  3. Passwords. The road to hell is paved with bad passwords. Use a password manager. (Avast has a great one.) I heard someone say one time that passwords are like underwear. The longer the better, change them often, don’t leave them lying around.
  4. Back up everything, offline and online. That’s the only real, fool-proof solution for ransomware. Although I love nomoreransom.org, attackers can’t lock you out if you have another copy of everything. 
  5. Use a virtual private network (VPN) and an antivirus.

A big part of our responsibility is talking people through it until they understand.

AB: What do you tell other CISOs when you speak at events?

JB: Most CISOs are on the same wavelength and know that you have to constantly improve and stay agile to keep up with new threats. It’s easy to think you should dig in and just get better at your approach, but that’s dangerous. And you can’t just consume industry data in a generic way and feel like you’re up-to-date. You have to apply data specifically if you want to really learn. 

AB: What is the right way to respond when your company suffers a data breach or other cybersecurity incident? Transparency and full disclosure right away?

JB: Transparency, yes. Absolutely. Own it, take responsibility for it, and tell customers what they need to know. Full disclosure shouldn’t be rushed – for a very important reason: accuracy. That often needs to wait until you know all the facts. The last thing you want to do is give people bad information, and you may not have everything verified and nailed down for a little while. When you do, step up and be transparent. 

AB: Like many areas of tech, cybersecurity is not always diverse. Do young women who want to work in cybersecurity seek you out and ask your advice? What do you tell them? 

JB: Hold onto your passion. Don’t be afraid of being wrong. Other people may try to shut you up, but don’t do that to yourself. How many times have I been in a meeting in which there are one or two women who say nothing because they’re afraid of saying something dumb? That sure doesn’t stop some men from talking! Hold onto your passion, and don’t shut yourself down. We need you in this industry. Help us keep the world safe.    

AB: What do you do in your spare time?

JB: I have three kids – 13, 11, and 7 – so I’m either at work or with them. And sometimes the worlds blend. I recruited YouTube star Enzo Knol to come to my kids’ school for a cybersecurity clinic, got them involved in the Hack in the Box conference, and took apart a hard drive with my daughter and made jewelry from the parts. They take tech for granted. Things are different than when I was a kid. My parents wanted me off the video games. Today some parents pay tutors to train their kids on Fortnight! I don’t even know what to think about that.

AB: Do you have any hobbies?

JB: I went diving at the Great Barrier Reef off Australia a month ago. I did my nitrox course and got that certification too, in case I want to give up security and become a dive instructor. It was amazing. We saw lots of sharks, rays, turtles, and tiny little nudibranchs. I love being in that world, when you go down 12-15 meters and can already see so many fascinating things. 

IMG_0618

AB: What does it feel like to see a great white shark in the water and realize it could kill and eat you?

JB: I’ve been diving in the Bahamas when we saw some really big boys. It gets your attention. If you’ve been diving for a few days and you see a big shark, it doesn’t really throw you. If you saw one the minute you went in the water, that would probably be a little disconcerting. 

I’ve come to realize that I’m drawn to what frightens me. I want to understand it. Understanding things often makes them far less scary. I’m getting my pilot’s license, and as part of it the instructor takes you up in a small plane and says, “Now we’re going to stall the engine.” And you think, “Why would we want to do that? The engine is working really well. It’s keeping us up in the air. Let’s just leave the engine alone.” But then you kill it, and feel that reality of being up in the air without the engine. You calmly follow the steps to fire it up again. And then you’ve been through that. And it will never frighten you as much ever again.