Being the CISO of such a huge and diverse company as KPN, the Netherlands’ largest telecom and ISP provider, requires great determination, and the current holder of the position fits the bill on that score.
Jaya Baloo was brought in after the company was breached in 2012 by a teenage Dutch hacker, who managed to gain access to some 300 systems. Such a hack required nothing less than a thorough audit of the (failed) defenses, the will to realise and say: “It’s our own fault,” and a sincere determination to do better.
Jaya Baloo on stage at FSec 2017
KPN’s approach to security
It helped that Baloo was granted a lot of leeway to make the decisions she considered right for improving security, and that she knew a shift in perception was crucial: the security department always needs to be viewed as one that adds to the company’s bottom line.
She achieved the latter by making sure that the impact of every vulnerability and incident is measured, and the potential loss calculated (conservatively). This information makes the value of what the security team does extremely clear to the CEO and the board of directors, i.e. that they save the company much more money than they cost.
KPN has teams for each phase of the greater security plan. After a security strategy and policies are decided on, its red team is there to probe its networks and systems to expose the cracks open to attackers, the security operations center (SOC) does the reactive security monitoring (but also hunts for intruders), and the CERT manages incident response and resolution.
Each business sector has its own senior security officer, who reports directly to her and not to the head of that particular department, so that he or she does not have an incentive to make the situation seem better than it is.
Not getting hacked, ever, is an unrealistic expectation, she told the audience at this year’s edition of the FSec security symposium, held last week in Varazdin, Croatia. But you have to be ready to minimize the impact of attacks that do succeed.
And the only security metric that the CEO needs to know is how long it takes us to prevent a situation from turning into a problem, she added.
Another way to keep management apprised of the current security situation is a weekly status report that shows the organization’s current DEFCON state, current risks, problem areas and teams.
All for one, and one for all
One of KPN’s informal mandates is to be a thought leader when it comes to security. Baloo fulfils that mandate by sharing the company’s knowledge with infosec professionals attending security conferences around the world.
The company regularly calls in cyber security experts to share their knowledge with its employees, continuously educates management (through the aforementioned unfiltered risk reports), and provides security tools and open-sources its policies so that other organizations can use them to improve their security stance.
It also shares IOCs in trusted communities, and tries to keep pace with technological progress (e.g. it implemented end-to-end quantum key distribution on its network between KPN datacenters in The Hague and Rotterdam, and provided easy-to-use encryption tools through a partnership with Silent Circle).
She made sure to hammer the following messages home:
- We must learn from others (and encourage others to learn from us)
- We must know how to fail gracefully, and learn from it
- We should not blame attackers for our own failings, but work to fix them.
Security is a continuous process that doesn’t have an end, she says. And you should not make the mistake of believing that if an incident does not affect you directly, it’s not important. We’re all in this together, and helping everybody helps us, she noted.
Some more tips for every CISO
She considers security awareness, visibility and risk intelligence, and security capability to be crucial for organizational security.
Awareness must be customized to each employee’s position in the company, and capability must be continually improved. And when it comes to visibility, you need to know how to get to the negatives without drowning in data.
All in all, she believes that all organizations should work on getting the trust of their customers – and just compliance won’t do it. “If your CEO says that your security bar is set by legal requirements, you’re in deep trouble,” she pointed out.