ADAM EVANS – Vice-President, Cyber Operations & Chief Information Security Officer at RBC
As VP of Cyber Operations and Chief Security Officer at RBC, Adam Evans had a chat with CanadianSME to discuss the importance of cybersecurity and his tips and advice on how to effectively implement protective measures to allow your business to succeed in today’s digital age.
Adam Evans is VP, Cyber Operations and Chief Information Security Officer (CISO). As CISO, Adam is responsible for establishing and executing RBC’s cybersecurity vision and strategy to ensure RBC assets and technologies are protected. In his role as VP, Cyber Operations, Adam is responsible for Security Operations, Threat Intelligence, Defensive Threat Operations, Application Resiliency, Data Protection, and Vulnerability & Endpoint Management operations for RBC globally. Adam has over 16 years of experience in the financial services industry as a security professional, developing cybersecurity talent and directing multi-million-dollar projects and cybersecurity operations initiatives.
As Vice-President, Cyber Operations and Chief Information Security Officer at RBC, can you tell us a little bit about your role to give our readers a better understanding of your responsibilities?
As Vice-President of Cyber Operations, my role is focused on RBC’s security program and operations. We have a Security Operations Centre that monitors, tracks and responds to any threat against the organization.
My team runs the operational and network security tools, and we can customize those tools to ensure they remain adaptive and can address the threats we face on a daily basis. I’m also responsible for red teaming and penetration testing, which are proactive techniques used to identify any possible cyber vulnerabilities, and making sure those programs are operationally effective.
The other side of my job is the Chief Information Security Officer role. This involves speaking to employees, clients and the public, meeting with different government bodies and academic institutions, and speaking at industry conferences. I also meet with clients and regulatory bodies to educate them on the programs we operate and how to protect themselves online.
What are some of the strategies and initiatives that RBC has implemented to help its clients against fraud situations?
Our main initiatives have been around educating and building programs that help protect our clients from threats. The resources are posted on our cybersecurity online portal, and they allow us to educate Canadians about common tools and tactics that threat actors use, including social engineering, phishing attacks, malicious emails, and personal information collected through social media.
We try to educate consumers on the best ways to protect themselves online and how to have good cyber hygiene. We advise Canadians to do things like operate from a safe and secure email account, use devices that are properly updated with security software, and to maintain the best possible cybersecurity practices. In addition to the education programs for our clients, my team is responsible for the security of RBC’s digital platforms and systems, which ensures that all transactions and interactions between us and our customers are as secure as possible. The preparation needed for cyber events that target us and the broader financial industry involves robust testing plans and figuring out scenarios that ensure we have the right strategies in place to combat the threats. Our partnership with the Canadian Cyber Threat Exchange (CCTX) is an important part of our overall strategy and making sure we’re prepared if attackers are targeting us, and how to deal with it in order to protect the organization.
In your expert opinion, what is the most important aspect of cybersecurity and how can it impact the success of a business?
The most important part of cybersecurity is the human factor, and every organization deals with a few fundamental issues. The first one is the proliferation and adoption of technology. Every organization – whether small, medium or large – is going through a digital transformation in some way, shape or form by offering more services online, and our objective is to ensure that those services are protected by educating the person in charge.
The second part is understanding the organizations that are targeting those online business services. Threat actors are commoditizing crime, so it’s important to understand the tactics and methods they use to target organizations like RBC and others.
Talent is the third component. You need to acquire the right cyber talent to help you with any problems that might arise. You also have to educate your workforce by making sure they understand their role in protecting the enterprise. Lastly, your customer base also plays an important role as they should understand the part they play in protecting themselves and your business.
What would you say is the biggest challenge that owners face?
The biggest challenge is understanding the risks that you need to manage as an organization. With small and medium businesses, you need to understand what your crown jewel assets and services are, like customer data and intellectual property. This will allow you to identify and understand what the main risks to your overall business are, and it will ultimately allow you to build and implement programs that can manage and protect those assets.
Cybersecurity is no different than any other business risk that a business owner manages. It’s just that this one is less understood than other business risks, and for that reason, management’s understanding of this risk isn’t as mature as it could be. It also comes down to preparedness and knowing who to call in a time of crisis.
With cybersecurity, it’s not a matter of if businesses get hit, it’s when they get hit. So businesses need to be able to mobilize themselves very quickly so they can protect their crown jewel assets (e.g. customer data). Then it’s about understanding what that impact might look like. Do they have contracts set up with breach service providers, law enforcement agencies and cyber consultants? These arrangements can help them through that process and respond to the issue. Cyber-attacks are not something that will happen every day, so being prepared is equally as important as understanding the risks to your business.
What advice can you give to business owners when it comes to applying security measures against cyber-attacks and fraud?
My advice would be to sit down with the stakeholders and decision-makers of their organizations and understand what their crown jewel assets are. If data gets compromised, they need to make sure they build a plan to understand who needs to be there, the immediate actions that need to happen, and how best to respond to the issue in order to protect their important assets.
On a final note, can you tell us about any future projects and strategies that you’re hoping to put in place?
Over the next five years, we’re implementing a strategic investment with a Catalyst platform at Ryerson University in Brampton. We’re helping to build a curriculum that will allow us to deliver relevant educational capabilities, and help educate students and organizations like ours. We’re doing this in order to upskill the workforce and inspire students, whether the students become cyber professionals or not. By investing in the talent pool across different organizations, either by bringing in new graduates or upskilling existing staff, we hope to raise overall cyber hygiene and build more resiliency across sectors to deal with threats that are targeting Canadian businesses.