Not many chief security officers will point out not one but two times they took a job while their companies were under attack. But this is what happened to Jaya Baloo, who is now chief security officer at cybersecurity provider Rapid7 Inc.

Even more interesting, she considers both times — which happened at two different companies — career highlights.

When I first met her, four years ago, she was the chief information security officer for another security provider, Avast, now part of GenDigital. There, she came into her first week on the job having to deal with an attack on their software supply chain that had been happening inside its systems for several months. Those first few weeks were certainly a scramble as she worked through what happened, how to fix things and most important, how to prevent another breach from happening.

But that was the second time she was dealing with an active breach. She had been working for only three months at the Dutch mobile operator KPN in 2012 when the company was attacked by a 15-year-old hacker who found a flaw that affected a couple hundred of its machines.

“This kid moved the needle on how we saw our security, and he made an impact on our self-confidence,” she recalled. “It was a reality and sanity check on how good we thought we were.” But it forced changes in security practices that have informed her thinking ever since.

The reason she considers both events career highlights is the way they helped her break down silos among different tribes and getting these teams to work together toward improving security. “Breaking down silos in the name of security is critical,” she said. “Both at KPN and at Avast, our leadership took it well and upped their security game.”

Now, 11 years later, she’s chief security officer at Rapid7 Inc., which she joined earlier this year. Fortunately, she hasn’t had to deal with an insider threat yet there.

But there are new obstacles: She now has to navigate not only ever-evolving cybersecurity challenges but also business challenges. Indeed, Rapid7 itself has run into a rough patch despite continuing growth. On Aug. 8, it said it will lay off more than 400 people worldwide, 18% of its staff, in a restructuring. And it reportedly is the subject of a potential takeover by a private-equity firm.

As a longtime security manager, Baloo can afford to take the long view. Baloo spoke at the SiliconANGLE’s Supercloud 3 conference last month as well as doing a follow-up interview this week with me, providing insights for how to improve cybersecurity.

When she compared what she was worried about a decade ago to what is on her plate now, she told me, “Everyone struggles with the same stuff, just the threats are different. It is a lot like looking at Pantone color shades: there is plenty of red to look at.” This was something she mentioned at Supercloud: “It seems we’ve had this concept of zero trust, or principles of least privilege, seemingly forever, at least since Cro-Magnon man,” she quipped.

Baloo spoke at Supercloud about having a security operations center that wasn’t a movie set but an actual functional entity. “Having a working SOC is table stakes for us. Our SOC is used by both our customers and internally,” she explained. “We use our own tool sets, we test on ourselves first to ensure that we are always making continuous improvements. Our SOC is not just a demo environment but it has real data.”

One example of that is how Rapid7 reacted to the MOVEit attacks, since its own threat intelligence staff was seeing them across its networks in real time and was able to prepare a quick response. “Any good threat intelligence should start with what is there to learn about your own security posture,” she said at the Supercloud conference.

Another example of her real-world orientation is how she views phishing awareness training. “There is always a need for some improvement,” she said. “There has to be a continuous effort to ensure appropriate security education. Doing annual training isn’t the right way, we have to make it more tangible to our users.”

And then there was the supply chain issues she dealt with at Avast. She admitted that software supply chain attacks are difficult, “because we threaten our best customers who have been diligent about doing patches and updates. We have to jealously guard and protecting these supply lines.”

During the Supercloud conference, Baloo emphasized three things that every business should focus on: to better understand their risks, figure out their visibility and then act as quickly as possible. She also pointed out that having multiple clouds is a feature, not a bug.

“It helps you as a vendor understand the various pitfalls and problems and have a better conversation with customers,” she said. “This diversity is critical because customers don’t have vanilla environments.” And the diversity of situations helps inform inform her daily decision-making.

Photo: SiliconANGLE