Rapid7’s new CSO Jaya Baloo on her cybersecurity philosophy

“Your policies and everything should be focused on innovation, not on maintaining legacy,” Baloo tells IT Brew.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Jaya Baloo wasn’t planning on going into cybersecurity—but in hindsight, it makes sense that she did.

“I’ve always kind of been security-minded and interested in how to defeat some of the systems that we build,” Baloo told IT Brew.

Baloo, cybersecurity platform provider Rapid7’s new CSO, joined the company in March after a three-year stint at Avast as CISO, which followed seven years doing the same at Dutch telecom giant KPN. Rapid7, which provides a cloud platform for clients to manage IT teams, security, and other tech solutions, employs over 2,500 people around the world.

Born in India and raised in New York, Baloo has lived in the Netherlands for 25 years. She started her career working with network systems, she told IT Brew, and never expected to end up in security.

“I never really thought of myself on the track of management or any of that,” Baloo said. “I just wanted to make things, or fix them and make them better.”

Forward thinker. IT leaders need to be proactive in order to get the maximum value out of security, Baloo believes. It’s a necessary way of adjusting to the challenges of the cybersecurity landscape, where threat actors can often be five months ahead.

Compliance with established regulations and rules is part of the battle, but in order to build up to a stronger security posture, you need to aim higher, according to Baloo.

“Compliance is the floor and security is the ceiling,” Baloo said, adding that in order to get to the ceiling, “your policies and everything should be focused on innovation, not on maintaining legacy.”

Sleep with one eye open. Baloo attributes some of her success to a natural instinct for making sure things are locked in—a sort of paranoia, as she put it.

“There is a professional paranoia to everyone who works in security,” Baloo said. “This is a good thing.”

One great way of dealing with that professional paranoia? Pentesting, like “peer review in cryptography,” is a way of thinking in the attacker’s mindset in order to build a stronger product. That means a stronger product overall, too—for Baloo, the emphasis on one problem at a time from developers in the pursuit of performance is a mistake.

“This industry grew up without actually taking in privacy and security attacks and considerations at the get go, we were focused on functionality,” Baloo said. “It gives us a lot of explanation to how we got where we are today, which is kind of scrambling to recover some of those past mistakes.”
