“Fix the Foundation first”: Jaya Baloo on Cyber Priorities in an AI-Driven World

November 25, 2025

After a whirlwind week keynoting at ISF in Prague and Atlantic Convergence in Lisbon, CISO Jaya Baloo sat down with revel8 to talk about the real levers that move cybersecurity outcomes.

Jaya’s career spans some of the most demanding environments in global infrastructure security - from France Télécom (now Orange) and Verizon, to leading the security function as CISO at KPN, the Netherlands’ largest telecom provider, and later as CISO of Avast. Her leadership has been recognised widely, earning her titles such as Cyber Security Executive of the Year in 2015 and a place on the list of the Top 100 CISOs globally. Today, Jaya is focused on AISLE, the company she founded that uses AI to autonomously identify and remediate software vulnerabilities at scale.

In our conversation, she cuts through the noise to highlight today’s real cybersecurity priorities, how AI is reshaping both attacks and defenses, and what boards must understand to steer security effectively - drawing directly from her own experience.

Jaya, what first drew you into cybersecurity, and what keeps you committed to the field today?

“I got my first computer at nine and taught myself BASIC. One of my first programs dialed numbers to find local bulletin board systems, and I was fascinated by how a tiny entry point could open up an entire network. It showed me what a hacker mindset could uncover, but also that I wanted to use that curiosity responsibly. With parents who worked at the UN, I grew up with a strong sense of public purpose, so protecting people and systems felt like a natural path. What keeps me in cybersecurity today is the urgency: we’re layering AI, robotics, and automation on top of a foundation full of technical debt. I stay because we need to fix that foundation, so innovation remains safe as technology evolves.”

Which 3-5 cybersecurity topics do you think are the most urgent right now - and why?

“When we talk about the most urgent cybersecurity topics today, I always name the same three. Identity, strong vulnerability management, and phishing resilience are the core, because that’s where most attacks begin. Strong MFA, fast remediation of critical vulnerabilities, and continuous awareness against phishing and deepfakes close off the majority of initial access points. I like to apply the Pareto principle here: if you focus 20% of your effort on these three areas, you already get about 80% of your risk reduction. They’re the foundation.”

You mention vulnerability management. In what ways is AI influencing these vulnerabilities and the way attacks are built and scaled - and how should CISOs respond?

“AI is changing vulnerability management because attackers can now find and exploit weaknesses much faster. CISOs need to treat AI as a shared risk area across the organisation, with clear roles for e.g. legal, compliance, and engineering. It’s essential to know where AI is used and to protect against issues like data leakage, misuse, or prompt manipulation through isolation, monitoring, and pre-deployment testing. At the same time, AI can help us defend better by spotting unusual activity earlier, supporting analysts, and automating routine tasks. So it’s about securing AI while also using it to strengthen cybersecurity overall.”


Can you elaborate on why AI can also strengthen cybersecurity defenses, and what role does awareness training play in that approach?

“AI greatly enhances defense by working at machine speed: finding vulnerabilities faster, supporting detection and response, and helping reduce long-standing technical issues. The strongest approach is a human-plus-AI model, where AI accelerates the technical work and humans apply judgment and context. That human element is exactly where awareness training comes in. Even the best AI can’t prevent attacks caused by human error. So while identity protection and patching deliver the biggest immediate impact, awareness is essential to strengthen human decision-making and reduce the openings attackers rely on.”

Given all this, how can CISOs engage and convince their boards to prioritise stronger accountability and awareness?

“To truly engage boards, CISOs need to speak in financial terms. When you quantify risk and show the return on security investment - especially comparing the cost of an incident to the cost of prevention - the value becomes obvious. Tie security metrics to business outcomes: MFA coverage, critical vulnerability backlog, mean-time-to-remediation, phishing report rates. Boards understand these numbers, especially as new European compliance regulations increase their accountability. To support this, I open-sourced my CISO policies and a cost/ROSI calculator in the KPN CISO app. It helps quantify risk, align expectations, and show the value of losses avoided - a practical tool CISOs can use to secure ongoing investment.”

You mentioned new EU regulations. From your time on the EU Commission’s Quantum Flagship Strategic Advisory Board, what did you learn about Europe’s regulatory influence in AI and cybersecurity, and where do gaps remain?

“Gaps are that coordination across member states can be slow, and execution is often uneven. The EU can sometimes feel like an oil tanker - slow to turn, but once it does, it shifts the global direction. The introduction of GDPR proved that, and the upcoming waves of, for example, the Cyber Resilience Act will do the same. Europe’s real strength is its ability to set global norms and drive market change through regulation.”

And finally, women are still rarely represented in the cybersecurity field. You’ve been recognised repeatedly for your leadership within this field - from Cyber Security Executive of the Year to being listed among the Top 100 CISOs globally. What is your perspective on women in cybersecurity today?

“It’s still not easy for women in the cybersecurity field. Biases (both conscious and unconscious) are very much still there. And in this field, success isn’t only about technical depth; communication, leadership, and business understanding are just as critical, especially in public companies where regulatory pressure is high.

Representation truly matters. When more women hold visible leadership roles, it broadens the talent pipeline and brings perspectives that strengthen security outcomes. Building inclusive teams isn’t about charity or box-ticking. It’s about reducing blind spots, improving decision-making, and ultimately building more resilient organisations. Diversity is a security control.”