
Exclusive interview

“Without a plan, you’re nowhere”

To create a secure IT environment, you need more than a bit of software and a firewall. “Cybersecurity must be based on a strategy,” says Jaya Baloo, CISO at security specialist Avast Software.

Jaya Baloo, CISO at Avast Software

Many companies get it wrong when it comes to cybersecurity. They think it’s enough to just purchase a few products. What do you say to them?

Jaya Baloo: “Cybersecurity is not possible without a well thought-out strategy. You have to understand what you’re defending and who you are defending it against. That’s only possible with a strategic approach. You need to have a plan. If you fail to plan, you plan to fail. In real terms, I always start with a three-year vision, with a clear goal: to see how cybersecurity contributes to letting the business do what the business wants to do. Cybersecurity is not there to hinder the business, but rather to help the business move forward.”

Does that principle apply to all companies, regardless of whether they are an SME or a large multinational?

“In principle, yes, although of course you have to see everything in the right context. In a small, traditional bakery, IT is less of an issue and cybersecurity will require less effort. For an SME that offers online services, security is much more important. Nevertheless, today everyone is active online, so no one can ignore the need for security. What we do see is that small organizations are often easy targets precisely because they don’t know what to do or because they’re afraid of the cost.”

Do SMEs not have the right attitude to cybersecurity?

“Small companies still often don’t understand the threat base. They think they’re of no interest to cybercriminals and therefore are not at risk. Or they think their service provider will protect them. But that’s not the case. Anyone who purchases a cloud service is still responsible for its security. Those who don’t know that are using those services and assuming that they are safe. This false sense of security can also be present among the employees of a company. They assume that cybersecurity is the company’s responsibility, not theirs. That lack of awareness can lead to major problems.”

Jaya Baloo is CISO at Avast Software, a supplier of security software. She was previously CISO at KPN Telecom. Forbes included her on its list of 100 Women Founders in Europe to Follow.

“Make it financial. Calculate what the impact of an incident could cost the company.”

Insight into the risks… and yourself

That hits the nail on the head: awareness. How can a company ensure that everyone is on board?

“That too is only possible if the organization develops a cybersecurity strategy. Three elements are essential: awareness, visibility, and capability. In the first place, you have to develop a security awareness that is focused on the company and its employees. Cybersecurity is best served with awareness that matches the various roles of the employees. There are different focal points for the CIO than for the production workers. Visibility and risk intelligence is the second element. There must be monitoring, you must collect logs and, more generally, gather intelligence so that you know when there are cybersecurity incidents in your sector and prioritize important versus urgent. Finally, it’s about the speed and accuracy of your response, hence developing your cybersecurity capability is a crucial and iterative process.”

Logs alone are of course not enough.

“Exactly. You have to handle those logs and alerts smartly: looking at the right things, instead of looking busy, otherwise you will drown in all kinds of alarms. And when there is an incident, you also have to be able to take appropriate action. Is there an incident or a systemic problem? Then tackle it, but do it in a smart way, so that you learn something from it to prevent recurrence.”

Calculate the costs

If the risks are constantly changing and an organization has to continually adjust its cybersecurity as a result, then security fatigue is lurking around the corner. How can that be avoided?

“It really is exhausting: another zero day, another patch storm, another ransomware campaign… We see cybersecurity as an arms race that is continuing to escalate. We don’t know how to de-escalate anymore. That makes it difficult sometimes. You do, in fact, have to stay cool despite everything. You know that something else is just around the corner and that as a company you must continue to provide time, people, and budget. But at the same time you can’t stand up and shout about everything, because eventually people will stop listening.”

Apart from the battle in the field, this is perhaps the biggest challenge for cybersecurity specialists: how do they convince the CEO that a sustained effort is needed?

“Well, from a cybersecurity point of view, there’s nothing else you can do but provide a sufficiently large buffer, because we know that something will happen sooner or later. The best way to convince management of this is to translate the impact into financial terms. Look at the possible impact on the business and calculate the costs.”

The great difficulty is that the conditions in which the whole exercise takes place are constantly changing. There is a constant race between cybercriminals with new malware and cybersecurity specialists with new solutions. But equally, the business of a company changes over time, doesn’t it?

“True, but a company should know its own environment best. If something changes, it must make adjustments. The impact of a fire is not over when the fire is extinguished. It takes time for the burns to heal. This is also the case with a cybersecurity incident. A security breach or hacking goes unnoticed for an average of seven months. After that, there’s still a long way to go – often three to six months – to eliminate the entire impact of the incident. In other words, whatever plans the company has, they will have to change. A good strategy provides the space to do this well.”


“CIO or CISO? One person must bear the ultimate responsibility. But remember that cybersecurity cannot exist without good IT, while IT unfortunately does exist without good cybersecurity.”

Jaya Baloo, CISO at Avast Software

No cybersecurity without IT

Companies are increasingly taking responsibility for cybersecurity away from the IT department. They appoint a CISO, who is in close contact with the CIO. What is your view on that evolution?

“When it comes to cybersecurity, everyone is responsible. But the ultimate responsibility is at C-level – that goes without saying. It’s interesting to see that security cannot be done without good IT, while IT unfortunately does exist without good cybersecurity. Above all, it’s important that one person bears responsibility for the security life cycle: from awareness and prevention, to response to an incident and the associated recovery. You can come a long way if you follow current good practices and ensure good basic data hygiene.”

Competitive edge

Many companies go a little further. Can they use their cybersecurity efforts as a competitive advantage?

“Absolutely. This is especially the case when the business of the organization stands or falls on trust. We expect a bank to be highly secure. We expect a hospital to handle patient data correctly. In that context, cybersecurity can grow into a competitive advantage. A company like Apple, for example, presents privacy and cybersecurity as two of its main selling points.”

Compliance is the floor

Companies also often invest in obtaining certificates to demonstrate that they take cybersecurity seriously.

“With a certificate you prove that you meet a standard. That’s certainly a good starting point. But I see compliance as the floor, not the ceiling. So don’t be blinded by those certificates. Hackers often strike certified companies.”

Apart from all the efforts made – whether or not documented with certificates – what we need to remember first and foremost is that managing cybersecurity remains a very fluid exercise. The work is never finished and it’s not always clearly defined. Hence the need for a sound strategy. This determines the ultimate objectives, while its concrete and daily deliverables are constantly evolving.




“Your cyberstrategy should be based on three principles: stimulating awareness, creating visibility and risk intelligence, and developing your own cybersecurity capability.”

Jaya Baloo, CISO at Avast Software

