Adam Evans
VP, Cyber Operations & CISO
Royal Bank of Canada
JUNE 2020
As stated in a recent 2020 Planning Guide released by Gartner, “Advanced technologies enable quicker detection of and response to incidents. However, they cannot compensate for immature practices or a lack of skilled personnel. These technologies often demand advanced skills — in-house or outsourced — to use and manage them.”
Adam Evans, VP, Cyber Operations & CISO at the Royal Bank of Canada asked himself as he started his security operations journey, “What are the skills that you need to build out a security operations centre?”
People, process and technology. One of the biggest takeaways for me over the past five years is that as we start to deploy security operations centers, you cannot have one of these things outpace the other," advises Evans.
Building Talent
The future of the cyber workforce has three forces of change: the pace of digitization, volume of security events and combating the cyber skills shortage. RBC is upskilling talent and partnering with academia to build future-ready skills that synchronize with advances in technology protection.
Building talent for the SOC consists of:
- Developers to code the future of secure transactions
- Architects to secure apps and data in the cloud
- Engineers to design secure network solutions
- Data scientists to use AI to combat cyber crime
- A Red Team to conduct real-world cyberattack simulations
- Risk management to monitor and ensure sound security posture
- Analysts for process improvement
The SOC of the future is going to be data-driven and will have multiple inputs of information. Think of this as business intelligence, not threat intelligence. What we want to be able to drive out is an analytics-led, intelligence-driven security organization.
People, Process and Technology
For RBC, continuous improvement is key to maturing across all the pillars; however, not one of these things can outpace the other or it will truncate the ability to mature. Operating models provide structure for day-to-day activities, and structure enables expected outcomes.
Focus a lot of your energy on sound use case development processes.
Analytics and Insights
Analytics and insights provide much needed intelligence to operations teams on how capabilities are performing.
Analytics should:
- Start small and force operations teams and control owners to understand their capabilities and outputs
- Identify common threat vectors and profile controls by introducing basic measurements, then review and ask better questions
Policy creation should be anchored to empirical data and intelligence.
Services and Outcomes
We actually created a separate function in our security operations centre that just builds policy. The reason that we did that is when you look at technology operations it's about availability, it's not necessarily about ROI on the tools that you are deploying. What we had to do was abstract that function and start working with our technology officer, engineers, solution architects and be able to create custom content for the tools that we operate to make sure we are getting the ROI we intended to get and that we are extending these tools to do best of breed threat detection and response activity.
When you get into this proactive security posture, what you're going to find is you can get it wrong, and when you get it wrong, it will break things and you get a lot of unwanted visibility and attention. If you get it right, it builds momentum and allows you to move through the enterprise and deploy more complex controls, work with the business, build a trust relationship with the people, and that will enable you to push your program across the enterprise.
Business Alignment
Adam Evans states that the key to success at RBC and creating a security operations roadmap is to develop relationships with the business heads.
- Create a risk register for the business lines in your enterprise
- Educate the business on the security plan
- Align risks to controls
- Determine maturity and coverage gaps
When you go to your executives in your next fiscal planning cycle, you can say, ‘I don't have a technology problem; we have all of the right tools. What we are lacking is process and people. We know where we are going to spend the money and where we are going to end up moving the dial because we are investing in the right places.
- Build out capabilities and patterns that enable risk mitigation and metrics
- Make informed decisions
- Design and build capabilities to enable the business and mitigate their risks
This roadmap is taking us into nontraditional security places where we are having to align with the business far more closely and start to become more business-savvy and figure out how we enable our business partners and lines of business.
Content adapted from the 2019 Toronto CISO Executive Summit. Special thanks to Adam Evans and Royal Bank of Canada.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.