From One CISO to Another, Get Back to the Basics - An Interview with Jaya Baloo CISO of KPN


Interview with Jaya Baloo, CISO of KPN:

Cyber Security Dispatch: Season 2, Episode 02

Show Notes:
Today on the show, we welcome Jaya Baloo, the Chief Information Security Officer of KPN in the Netherlands. Jaya has held this position since 2012 and had been in the information security arena for 18 years before that. Today Jaya works with an amazing information security team of highly driven specialists at KPN. She is also a frequent speaker at security conferences around the globe on lawful interception, mass surveillance and cryptography, and in 2015 she won the Cyber Security Executive of the Year Award. In this episode, Jaya shares her experience, knowledge, insights and good humor on the topic of cyber security. Jaya explains what she means by the term “Riding the Security Rollercoaster” and why security organizations need to work to end this cycle in order to sustainably manage vulnerabilities and incidents. KPN’s mission is to keep KPN reliable, secure and trusted for customers, partners and society, and in this episode we hear, with refreshing honesty, how they are doing just that.

Key Points From This Episode:

  • Learn more about the 2012 KPN hack and its impacts on cyber security today.
  • Riding the security rollercoaster: How to sustainably manage vulnerabilities and incidents.
  • Dealing with the known knowns, the known unknowns and the unknown unknowns…
  • How KPN works to reduce the window of opportunity for a potential hack to take place.
  • How KPN ensures that security becomes embedded in organizations with different charters.
  • Jaya shares more about the impact of cyber security when it comes to saving lives.
  • Why companies need to get their basics right before adding on more security services.
  • KPN’s risk mitigation strategies and why Jaya believes that risk acceptance is pretty evil.
  • Learn more about KPN’s “dumb” tool and the information they decided to make open source.
  • Jaya shares more about the KPN CISO app and where you can download it for free.
  • Jaya’s candid advice to fellow CISOs and cyber-security product buyers out there today.
  • And much more!

Links Mentioned in Today’s Episode:
Jaya Baloo on Twitter – https://twitter.com/jayabaloo
Jaya Baloo on LinkedIn – https://www.linkedin.com/in/jaya-baloo-558492/
KPN CISO app on Github – https://github.com/KPN-CISO/kpn-security-policy/
RSA Conference – https://www.rsaconference.com/
KPN – https://www.kpn.com/
Eelco Blok – https://nl.wikipedia.org/wiki/Eelco_Blok
The 2012 KPN Hack – https://www.cio.com/article/2397843/data-breach/dutch-police-arrest-17-year-old-suspected-of-breaching-hundreds-of-kpn-servers.html#tk.drr_mlt

Introduction:
Welcome to another edition of Cyber Security Dispatch. This is your host Ashwin Krishnan. In this episode, From One CISO to Another, Get Back to the Basics, we talk with Jaya Baloo, the CISO of KPN, government service provider in the Netherlands, about how the 2012 hack spurred the company to action and her advice to fellow CISOs trying to get back to the basics: security awareness, visibility in risk monitoring, and finally security capabilities assessments.

TRANSCRIPT
[0:00:04.2] Ashwin Krishnan: Welcome everybody to another edition of Cyber Security Dispatch. As previous listeners know, this is a podcast series where we bring in essentially name-makers, as well as movers and shakers in the security space who are actually taking security to a new level and looking for ways to not just check the box for compliance purposes, but really embrace security and privacy in this new age.
With that, I have the pleasure of extending today's host to you as the host I want to talk about, who we have on the panel today, we have Jaya Baloo, who is the CISO of KPN, who's one of the leading telecom vendors based out of Netherlands, but they have footprints worldwide, I believe.
Without further ado, I'm going to hand it over to Jaya to introduce herself and then we can get going.
[0:01:02.6] Jaya Baloo: Hi there. Yup, my name is Jaya Baloo, and I'm the Chief Information Security Officer of KPN since 2012 for the last six years. I like to joke that I'm one of the longest-standing CISOs around. Yeah.
[0:01:17.4] AK: That's an interesting comment that you made, because yeah, the joke/I guess, part reality is CISOs’ average tenure is somewhere between 18 months to two years. You've clearly broken ground in terms of extending that average way past what’s typical.
That actually leads to a really interesting question is back in 2012, KPN actually came in under attack and what looks like history right now, but clearly that must have shaken up how KPN looks at security and privacy. Maybe you can use that as an example to say, okay, so what happened over there and what are some of the learnings that you had from that as KPN and how is that translated into today's view of security and privacy as KPN sees it?
[0:02:11.1] JB: Maybe to kind of do a refresh over what exactly the KPN hack was, it was a couple of things. First and foremost, there was a kid, actually who was 15-years-old at the time, who hacked KPN by finding one vulnerability that was unpatched on the external perimeter, and then used that vulnerability basically to have lateral movement across the network and pivot from one vulnerability to the next vulnerability and hop through. Eventually, he managed to get about 300 different vulnerable systems, which were all underneath his control at the time of the hack.
Luckily, for KPN he didn't really want to do anything else, except gain control and establish presence on each of the systems. Had he wanted to do something destructive, you know be a very different situation today for the company and the CEO of the company, Eelco Blok, then CEO, actually said, and goes too far to thank the hacker, but he actually did open our eyes to how bad the information security operationally was and it gave them enough information to actually start improving.
[0:03:21.8] AK: Wow, so this is actually a benign hacker who did some good without actually using the land and expand that he did inside. From KPN’s perspective, this is what you would want to be the kind of attack, if any, that any organization is affected, this is what you would want.
[0:03:42.2] JB: Yeah. I think, to be fair, like the impact of it was because KPN is always under regulatory supervision as all telecom operators around the world, but our regulator didn’t find it so benign. The fact that it could take place still meant that there were regulatory issues that we had with our duty of care and inspecting how good we were filling in the duty of care, so it became clear that as part of the license to operate, information security absolutely had to be higher on the agenda and better in terms of operational capability. That was very good. It wasn't completely benign to put it fairly.

In general in information security, we tend to do something which I call ‘riding the security rollercoaster’. ...You have an incident... what happens to the information security team is they start riding the roller coaster up. Suddenly, there’s no end to the amount of budget they have... at a certain point in time, they lose the board attention... and we start riding the roller coaster back down before they focus their attention on some other issue.
— Jaya Baloo

[0:04:22.6] AK: Actually, that leads into a really interesting question, which is so once this happened, and like you're saying clearly the regulatory authorities took it seriously and obviously things were put in place to make sure that such things don't happen in the future, but also does – has that led to a much higher bar in terms of how KPN looks at security and data privacy in general? If so, what keeps you up at night in making sure that people don't get complacent and go back to the way they were doing stuff? How do you keep the fire burning, if you will, of ensuring that this level of transparency, as well as heightened awareness continues to persist?
[0:05:03.8] JB: I talk about this quite a bit, because I think in general in information security, we tend to do something which I call 'riding the security rollercoaster'. What you do is you have an incident like we had in 2012, it's pretty bleak and what happens to the information security team is they start riding the roller coaster up. Suddenly, there's no end to the amount of budget they have, they can hire people, they can start programs that are company-wide, they do all kind of awareness training, and there's a very clear ascendancy of that information security position.
Then what happens is at a certain point in time, they lose the board attention, the company realizes what a pain in the ass it is to actually get security operationally equipped so that it actually can work, so that becomes a real issue. Then after that, then they also figure out, okay well, it's not just a matter of you know getting a couple of things right, there's actually a consistent program that needs to be followed up, so the sexiness wears away and we start riding the roller coaster back down before they focus their attention on some other issue.
We're just basically waiting for the next incident, so that we can all collectively ride the roller coaster back up again. I think that's a really stupid focus. In order to get out of that, we need to understand that there needs to be a continuous focus on information security that isn't propelled by the next incident, which means that I think that there should be a pragmatic way of looking at this and continuously understanding on what is the sense of urgency. Not that there necessarily is one, but just understanding how good are we, or aren't we.
For me, that's all about managing vulnerabilities and incidents. It sounds pretty short-term, but I think it says a lot about our maturity. Imagine, we all know that it's Patch Tuesday and depending on the organization, they may or may not see the amount of patches that are coming out and depending on their agility of their IT organization are rolling it out in 24 hours, or 2 weeks, or you know 20 weeks depending on how clued in they are and what the sense of urgency is to kind of roll it out.
I really want to focus on, okay that's from an IT-based thinking, like if there's a patch you put it in for functionality, but if we really look from a security perspective and we really see are we vulnerable or not, how long does it take us to remediate? The same thing for incidents, the longer we keep an incident, a security incident open and running, the longer we know that there are still potentially things wrong; there's the known knowns and there's also the known unknowns and then there's the unknown unknowns.
All of those things are present during the security incident phase, and I would rather that we understand exactly what we're dealing with as much as possible and to be able to close down incidents by doing that for vulnerabilities and incidents, we reduce the window of opportunity there is for a potential hack to take place. That's all I care about is our state of readiness at any given time.
[0:08:06.4] AK: Yeah, and this is really refreshing to hear the CISO at your level talk about this rollercoaster, because usually it's really about like you’re saying, “Hey, let's ride the wave and let's get past this and then brace yourself for another day.” The other interesting question about this is, I know as a CISO, this is what you live and breathe every single day.
If you're talking to lines of businesses, if you’re talking to marketing, if you're talking to customer service, they have different objectives and they have different targets. How do you make sure security becomes something that is embedded in all of these different organizations who have seemingly different charters?
[0:08:49.8] JB: Yes. I think, there's a couple of ways to do this. First of all, I need to tell you about our mission which is to keep KPN reliable, secure and trusted for customers, partners and society. I think, fundamentally marketing, or finance, or whoever, we're kind of doing it for the same end-goal, where I think as long as we can align those angles of like who are we really working for and why are we really doing this.
Fundamentally, marketing also doesn't wake up one morning and say, “I'm going to call the security incident.” What they do is say, I would rather bypass a pen test and get this thing live, because of other things that usually don't relate to having a secure and comfortable customer experience. There's other motivation to do that; it's either ignorant, or inability to plan, or and this is all very negative marketing, I understand that I'm saying now that they're ignorant and don't plan stuff. That’s not what I mean to say.
I'm saying that those are the things that wind up happening. Because they didn't take into account the amount of time the pen test would take, or the time that the remediation would have to be then placed on all of the findings, or that they would still have luck in finding where they couldn't go live and they hate us for it forever, those things are really like things if you build them in and they're not a surprise at the end of your development game, because that's what winds up happening usually. That's not the case. They usually, they're absolutely a partner instead of someone who's moaning about the security being a pain. I think that’s how you couch it.
[0:10:25.7] AK: Correct and then you made a really interesting – the comment on it's a value statement over there before, in terms of who your target is, it’s customers, partners and society. That's very powerful, right? I mean, that permeates much beyond saying, “Hey, how much customer data do we have? Do we encrypt it or not?” This is a much larger mission saying, “Hey, we have an obligation not just to our organization, but to the society at large, as well as our customers and partners.” I think that's very important.
Switching gears a little – Yeah, go ahead. Go ahead.
[0:10:56.2] JB: Sorry, go ahead. No, I just wanted to say, I think an operator and an ISP, they have different goals but fundamentally, they're also charged with making sure that the 9-1-1 service is available when people need it. For KPN specifically, an incumbent telecom operator, I mean planes don't take off at the airport without our network. Oil rigs offshore don't operate without our network. Emergency services, if it's even – we have a one missed call, it could mean that someone died. It becomes a very different game for why you do secure – our sense of purpose is extremely strong.
[0:11:33.4] AK: That's really interesting to hear, because you don't hear very many companies talk about the impact of security when it comes to saving lives, or ensuring businesses stay afloat. Just talking about KPN as it relates to providing services to enterprises, what – in your mind, have you seen a similar awareness, or importance that enterprises are starting to assign to security and privacy in general, or are they also riding the same roller coaster?
If so, how does KPN as a service where it will go and educate these customers so that what you offer and I looked at your impressive set of security offerings that you have, how does that manifest itself into actual buying patterns when it comes to enterprises who may be clueless, or who may be riding the same rollercoaster analogy that you had?

I find that very often, companies are not always capable of fixing those basics. Allowing us to provide clean services for connectivity would already be great, to fix the things that we already see. If those things aren’t accomplishable, I think adding on a layer of security to assuage some sort of risk scenario, that’s not very smart. If you can’t get the basics right, there’s no point in trying to pay off your conscience by adding a security service on top.
— Jaya Baloo

[0:12:23.0] JB: Well, I don't think it's always shared. I think it depends on the size of the enterprise, by the way, rather than necessarily what type of business they're in. What you'll see is within the same sector of company, a large enterprise somehow it feels more keenly the edge of the sword of security, than a medium or small enterprise in the same sector. We're looking at transport, or banking, or healthcare, or whatever, you'll see that it’s really a precise issue and size does matter. Sometimes it's good with certain companies, it's much easier to explain both the need to do a patching of some generic services on Windows and that it needs to happen really quickly to lower their own exposure, but it doesn't always work so well when it really is a company that can have any downtime under any circumstances and doesn't always speak the language of security, and that tends to be a problem.
By the way, as for the commercial buying, I think you don't have to buy our services ever if you just have the basics in order, because that's all really information security should ever be. I find that very often, companies are not always capable of fixing those basics. Allowing us to provide clean services for connectivity would already be great, to fix the things that we already see.
If those things aren't accomplishable, I think adding on a layer of security to assuage some sort of risk scenario, that's not very smart. If you can't get the basics right, there's no point in trying to pay off your conscience by adding a security service on top.
[0:14:09.0] AK: I’m going to say, this is the first time I'm hearing a service provider actually talk about, "Hey, if you can get your basics right, you don't need us. But since you can't get your basics right typically, that's where we come in.” I mean, that's a very important distinction, versus trying to sell the next intrusion deception, or what.
[0:14:27.0] JB: Yeah, exactly. I think, what we tend to do is we tend to throw oil on the fire by adding a lot of fear, uncertainty and doubt, you don't know what you have so isn't it better to just do all of this stuff? No, it isn't. If you don't know what you have, maybe we should first figure that out before we fill you all these things on top of it.
I honestly think that if an organization doesn't have vulnerability and management in place and they suddenly start buying like threat detection and APT detection platforms, then they're swimming completely in the wrong stream. They're trying to look cool, but seriously they have massive incontinence problems. If you can't take control of your stuff literally, then it's pointless trying to dress it up nicely.
[0:15:19.0] AK: Okay. I'm still stuck in massive incontinence problems. I need to remember that. Let me ask you this. I mean, you see your shared vision about, “Hey, get the basics right,” and you need to make sure that if you don't, like you said, basic patch management, basic vulnerability management, you're going to be exposed. Is that something that's shared across other service providers, or is KPN leading a –
[0:15:43.6] JB: No. I think our tendency, our appetite tends to run towards short-term, both in terms of fixes and revenue priorities and long-term. I think we have a history of that. I also think that for some reason, it's easier for not only companies to sell that, but for customers to buy it.
It looks a lot better, it feels a lot easier to just add another platform that gives you meaningless with information and how small also that aggregate is rather than doing the really difficult, hard, almost monk's work, to inventorise everything you've got, all your assets, understand it well, understand what the exposure is, understand the difference between functional patching and security patching and understand when and how to apply.
Things like risk acceptance for me are evil. I don't believe that people who have no understanding of security, or of their risk should be able to do that ever, but they see that we have a culture of that. You have an IT manager that says I will accept the risk. If they cannot understand it, probably it's way above their procuration budget. Like, if they have a budget of 8 million and the risk is 25 million, how on earth are they ever allowed to accept that?
Usually they can't quantify their risk, so they should never be in place just to write that off. We see that happening all the time. As I've actually like said in KPN, that no unit, or business unit, or business manager is ever allowed to accept the risk, first and foremost because they are also not able to quantify it always.
As a result of which only the CISO team is allowed to talk about what the risk mitigation and risk acceptance strategies are, and if we think that there's no mitigation strategy possible, it has to be escalated to the Board of Management. It's either our way, or you have to escalate beyond us to the CEO.
[0:17:52.2] AK: Well, and again, that I believe is very atypical of many enterprises or service providers. What you are talking about over here is really empowerment that the CISO and your team has, but basically also to talk about risk quantification and mitigation, which is something that as you said, it's very hard to put your finger on it and therefore you need to have the expertise to push through with it.
[0:18:14.9] JB: Actually it's not that hard. It starts by doing really dumb simple things, to be very honest with you. There's no like great science. What we did, we just wanted to be able to have a conversation with the business about how to quantify that risk, because I don't believe that we can do it on our own without any business knowledge, and the business can do it on their own without any security knowledge.
In order to start that dialogue, we actually made a really simple, kind of dumb, tool, and we made it open source. We also put all of our security policies and our beliefs, we made that open source too, and it's all free and there's no information collection nothing. It's just a static simple tool. We're also bringing out a new version of it, but it's called the KPN CISO app. It's in the App Store and it's on Github, by the way. I recommend the Github version if you don't have an iPad, but if you have an iPad, you can get the app.
We're coming out with a brand new version, but it’s being pen tested now. It's already been developed. We've also redone our policies and everything. Anyway, it's free if you guys feel like it, just Google for it Github, or the iPad store.
[0:19:20.6] AK: Very cool. I want to wrap it up by asking you, given that this is the start of the RSA week, arguably one of the most important security conferences on the planet, what advice would you have to fellow CISOs, number one, and what advice would you have to vendors peddling their products?
[0:19:41.1] JB: Well again, I guess to CISOs is to be careful to window address with snake oil. I think, because there's such pressure to keep on top of the newest threat that we feel bullied like, “Oh, you don't have this tool.” It feels like there's a sort of peer pressure, to buy all the things. I really think that again, asset in inventory management, understanding of business risks and appropriate and rapid response to both vulnerabilities and incidents, that's it. Security awareness, visibility in risk intel and security capability, if we can do those three things really, really well, we don't need all the other stuff.
[0:20:30.0] AK: Very cool. What do you say to vendors who are looking for the next big exit and then trying to outdo the competition with all the marketing lingos you can go?
[0:20:38.4] JB: Don't call me. I’ll call you.
[0:20:40.9] AK: Okay. Yeah, this has been extremely entertaining, valuable, as well as insightful, so I thank you for your time. Our listeners would feel the same as well. Again, big thanks to you for taking the time. I know we've had some scheduling challenges getting this online, but finally we did, so I'm really glad that we had this great conversation. Thanks for your time Jaya.
[0:21:02.4] JB: Thank you so much. Thank you.