COVER STORY
and water are also types of critical infrastructure; however, a state actor isn’t interested necessarily in absconding with the data that’s there so much as influencing the availability of the services of electricity and water.

“With telecommunications, availability is crucial, but what I think is preferred is the availability to allow the communication and the chatter to keep going but unobtrusively monitoring it. So, the state actor challenge, I think, is the most unique one.”

On information sharing and collaboration as a cybersecurity tool

When it comes to cybersecurity threat information sharing, there should be no competition, she says. “We should not try to compete at all with each other in this arena. Because one day they get hacked, the next day we get hacked,” she said.

One collaborative approach to tackling specific DDoS cyberthreats – expensive and hard to defend against but easy and cheap to deploy as an attack – in the Netherlands is the Dutch Continuity Board, of which Baloo is chairman. It sees competitors exchange live attack information in a bid to figure out where it came from.

“If we can fingerprint every site where the traffic is coming from then we should be able to take it down,” she said. “And that way we are better organised than the bad guys, who are doing the attack in the first place.”

The cybersecurity workforce shortage and how it can be tackled

“I refuse to wait. We are just too impatient – we have too many direct needs,” Baloo says frankly.

The impact of the cyberskills shortage is one felt closely by many firms. KPN is tackling this head-on with its annual ‘Greenhouse’ project. “The idea is that we get seedlings from across the company who we train into cybersecurity professionals during a 10-month long programme. We don’t want to just have cybersecurity professionals within the chief information security department, we also want to have them in security consulting, we want to have them in network architecture teams and other expertise areas.”

Trainees work within the CISO security units, on projects and towards certifications, in areas such as offensive security, incident response or digital forensics.

“We make sure they are capable and even though this works on the basis of catch and release, that we would be happy hiring them for ourselves after this programme,” said Baloo. “It is an investment but it pays back so many times over for the company, so I find it really valuable.”

The biggest cyberthreat facing global organisations

Some would say ‘cryptojacking’, some would say ‘ransomware’ and others would say ‘skills shortages’. But Baloo has an interesting perspective and looks instead to the geographical ‘digital divide’.

“Look at it this way, there’s no inequality of asset distribution when it comes to the platforms we use. We are all using the same stuff everywhere.

“I think it’s the inequality and distribution of assets when it comes to being able to get good security for us all,” she says.

“However, when we see a vulnerability that has a global ripple, we are not equally distributed in terms of our ability to detect and respond and defend.

“In general the US and Europe are a lot better at it relative to Africa or South America, or certain parts of Asia.

“And in absolute terms it’s not that we’re doing so great in the west either, it’s just that it’s significantly worse elsewhere.

“Take for example all of the work that’s happening globally around things like quantum computing. You see that happening at Microsoft, at Google, at IBM; the United States is investing heavily in it; China has billions of dollars in it. But the rest of the world certainly doesn’t. You’re not hearing of a quantum computer or post quantum cryptography being developed in Brazil or in Kenya. What I’m worried about from an infosec point of view, is that
Issue 07 | www.intelligentciso.com