Adam Evans
VP, Cyber Operations & CISO
Royal Bank of Canada
June 2020
In the five-and-a-half years Adam Evans has been with Royal Bank of Canada, he has never seen anything that so broadly impacts the enterprise as COVID-19 has. In this interview, Evans reflects on how he has embraced agility to keep the workforce moving during these uncertain times.
How has your organization responded to the new environment forced upon all of us by COVID-19?
As far as the organization goes, there are clearly people, processes, and technology changes that have happened. In the first four weeks, it was about reacting to COVID-19 and making sure that the enterprise was able to function and that we were able to keep our people safe. That forced us to create a new style of working that has us interacting with new technology that we hadn't had to use before. We ramped up our technology stack to deal with a large work-from-home workforce.
This has created a cultural transformation inside RBC. We have never had a sustained work-from-home arrangement before, and it has caused the staff to consume technology they haven’t used before and create a new style of work. As we came out of the initial four-week period, people started to really figure out how to effectively work from home, and there has been a demand for technology that will allow them to collaborate and work effectively together.
From a security operations standpoint, we were challenged with figuring out how to keep folks collaborating and innovating while protecting the organization in this new environment. We had to decentralize some of our security and put some of the risk decisions into the lines of business. They need to understand what risks they're taking on now that we are working remotely, whether it be printing at home, secure document destruction, things like that.
Additionally, the threat landscape is changing rapidly due to the anxiety associated with COVID-19. We have seen threat actors building campaigns that target the collaboration platforms organizations are leveraging. I have been thinking about sectors that are less mature but are critical services. Members of that group need insights into how the threat landscape is changing, but they don’t have access to that information. I am working with the Canadian Cyber Threat Exchange (CCTX) and other organizations on how to get critical information to industries that need it most.
When it comes to your organization's response to the COVID-19 crisis, what is one thing that surprised you and what did you learn from that?
The agility was most surprising. For the last 15 years, security has had a very structured way of thinking about and approaching risk management from a cyber point of view. What COVID-19 taught me is that, when required, we can move through the assessment process faster and implement the solution(s) without necessarily introducing more risk to the organization.
It has also shown the enterprise how intertwined security is in all the digital business services we are currently operating. Threat actors are continuously looking for opportunities to compromise applications, infrastructure, and remote workers, so being agile has been critically important as business and technology demands have required us to move with speed.
The strategic investments we have been making in technology and operations over the last five years are what have allowed us to be agile. We are seeing the wisdom of the investments we have made pay off. By investing in the technology and platforms, we have been able to react with agility and not take on additional risks that make us uncomfortable.
It is interesting to see the increase of agility due to this crisis. Prior to COVID-19, what do you think was standing in the way of security being more agile?
Typically, in the security environment, we are trying to design things to reduce risk to almost zero. What we have learned in this new environment is that cyber risk is like any other business risk; it needs to be considered in context. When you are faced with something like COVID-19 that will have an economic impact on the organization and the broader economy, you need to figure out what the residual risks are, how you want to manage those risks, and what the likelihood is of those risks manifesting. You need to make smart decisions on what risks you want to manage.
As security leaders, we're now sitting at the table with the heads of the business, and they are looking at us to make very informed decisions about what risk we will take on and to educate the business as to why we made those decisions and why they are critical at a time like this. The last thing we want to do is introduce cyber issues into an organization that is already dealing with rapid technology change, rapid workforce change, and rapid process change.
One of the lessons that I've learned coming out of this is that if you are able to move an organization quickly, it can be a business differentiator that will allow us to take advantage of opportunities without necessarily taking on additional risk that makes us uncomfortable. To me, that is a significant change that COVID-19 has brought.
Once the situation is over, do you think the organization will go back to how it was before or keep moving in this new decentralized direction?
I think a crisis like this will spawn innovation, whether it's innovation as to how people work, innovation in technology, or innovation in process. This is going to force our organization to start to look at how we can operate differently. If remote work becomes the norm, how will our recruitment strategies change if we are no longer confined by geography? What new technologies will our workforce need to continue to support our clients? We need to ask ourselves questions like that.
There is going to be a lot of innovation that comes out of this, and I think the companies that embrace change will be the companies that accelerate out of this. How organizations handle COVID-19, and accelerate out of this issue, will set the stage for how their business will operate over the next few years. COVID-19 has become a catalyst for change, and it has gotten us over some hurdles we had prior to the crisis, and I don’t think we are going to go back. I think we are going to take this change and run with it.
Special thanks to Adam Evans and Royal Bank of Canada.