June 7, 2022

EP 4 – How Diversity Can Help Combat Cyber Attacker Innovation w/ Royal Bank of Canada’s Melissa Carvalho

Fighting attacker innovation requires a level of innovation that can only be achieved through a collaborative approach. One that brings diverse backgrounds, perspectives and solutions together to strengthen cyber resilience from every angle. Melissa Carvalho, Vice President of Identity and Access Management at Royal Bank of Canada, speaks with host David Puner on the importance of diversity and inclusion in cybersecurity and how it has factored into the evolution of her role.  

[00:00:00.310] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security. Digital innovation is advancing society in countless ways. But justice innovation is force for good, it’s also helping cyber criminals catch even the most prepared organizations off guard.

[00:00:35.210] – David Puner
Fighting attacker innovation requires a level of innovation that can only be achieved through a collaborative approach, one that brings diverse backgrounds, perspectives, and solutions together to strengthen cyber resilience from every angle.

[00:00:49.530] – David Puner
A lack of diversity across cybersecurity teams, approaches, and solution sets can create bias-driven blind spots, hindering our collective ability to see what’s ahead, adapt with agility and creativity, and solve some of today’s biggest challenges.

[00:01:05.090] – David Puner
We need more diversity across every facet of cybersecurity and have much to learn from those who are breaking down barriers and driving change in their own organizations and across the industry. They’re demonstrating how diversity can become a powerful tool for cyber defenders. And that’s the focus of today’s episode of Trust Issues.

[00:01:30.970] – David Puner
Today, I talk with Melissa Carvalho. She’s the Vice President of Identity and Access Management at Royal Bank of Canada. It’s an interesting conversation, and we cover a wide range of topics, including her perspective on the importance of diversity and inclusion in cybersecurity.

[00:01:47.640] – David Puner
This is really interesting considering her perch is at a large financial institution where identity is always top of mind. Thanks for listening. I hope you enjoy it.

[00:02:05.210] – David Puner
One of the things I thought was really interesting when we were hoping to get you on the podcast and started digging around a little bit and putting some pieces of the puzzle together is really how foundational identity seems to be for you.

[00:02:17.710] – David Puner
You’ve talked a lot about identity being foundational to digital transformation, but you also have a passion for workforce identity inclusion. Is that intersection a coincidence?

[00:02:28.620] – Melissa Carvalho
It’s funny, David, because until you asked me that question, I didn’t really think about it. I don’t think it’s a coincidence, but it’s not intentional because it just matches two of my passions. So learning more about people, the psychology of everything, and then the logical aspect I have, the efficiencies, the working to provide solutions to individuals, and the two just marry nicely. My sense of fairness as well and wanting rules to be put in place.

[00:02:57.110] – David Puner
Interesting. So let’s go into workforce identity inclusion a little bit. How much is it a part of your day-to-day now?

[00:03:06.130] – Melissa Carvalho
I think what you mean when you talk about workforce identity is the traditional identity and access management. For me, that started just with being a consultant and putting solutions in place. I couldn’t tell you 20 years ago how many organizations did not have processes to have or onboard an employee into the organization and get them access.

[00:03:27.430] – Melissa Carvalho
So I became a consultant across North America providing solutions. No one solution was the same. Every organization I entered had a different need or a different problem. I went from putting onboarding solutions in place to start looking at what type of access people had privileged access or things like too many passwords, single sign-on.

[00:03:52.780] – Melissa Carvalho
The opportunities just kept coming and the solutions were just there to cross-section them and just to be innovative about it. I just haven’t found the time to take a break in the identity space because it just keeps growing.

[00:04:07.290] – David Puner
Your team at Royal Bank of Canada looks like you’ve got 250 plus, and you’ve got 86,000 employees and 17 million clients. If there is a way to pinpoint the biggest challenge in advancing enterprise security there and maybe it’s not just one, what’s top of mind?

[00:04:30.460] – Melissa Carvalho
I think we’ve gone up slightly, right now 88,000 employees. So it’s changed ever so slightly. But I would say there are four areas; I wouldn’t say there’s just one, and it speaks to the complexity of the cybersecurity landscape. If I were to summarize just quickly, the four, one is the skill shortage in cyber.

[00:04:51.470] – Melissa Carvalho
Our talent is our differentiator in the cyber workforce or in the cybersecurity landscape, and we have a skill shortage globally for cyber talent. That coupled with the fact that our attack surface has increased. If you look at things like the fact that we had to virtualize our workforce during the pandemic, we had the race.

[00:05:10.880] – Melissa Carvalho
In many organizations, if you think of restaurants and grocery stores, they had to push out digital technologies because otherwise they couldn’t operate during the pandemic. Then you look at all the increase of tech options, cloud, SAS apps, many identity technologies, that adds to the complexity.

[00:05:30.900] – Melissa Carvalho
Then if you look at two other areas. So the fact that cyber is no longer just a cyber team, it’s from your board of directors to your customers. We have to educate all of those individuals to help us build this solution.

[00:05:43.840] – Melissa Carvalho
Then finally trying to prioritize all of this. So whether we prioritize incidents versus a possible threat versus the regulatory landscape and the business drivers. All of these things add to the complicated landscape of trying to deliver a cyber solution.

[00:06:00.530] – David Puner
So that’s a pretty big puzzle right there. How do you prioritize? How do you educate?

[00:06:05.480] – Melissa Carvalho
I think you have to be agile, number one, and change as the times change. You need to actively listen to the people and the business and the marketplace. But education is a really unique area. Having a teaching degree, it’s even more unique to me. When I think about education, I think of tackling different learners and different audiences.

[00:06:29.480] – Melissa Carvalho
I think about things like media and video type training, whether it be longer sessions or even one of the things RBC did was something called a six-second rule that we offer to our customers because from an attention span perspective, it would be something really quick that they could watch to help educate them on cyber.

[00:06:50.400] – Melissa Carvalho
But then it’s also getting to universities and traditional forms of education and offering that as well as some people learn better if they teach instead of just listening. And so as they’re teaching people, they are also educating themselves.

[00:07:05.880] – Melissa Carvalho
If all of those carets don’t work, then you have the stick. So when the violations occur, there has to be a consequence for a violation. And sometimes, unfortunately, that’s the best teaching for individuals because no matter how much you say something and offer material, sometimes the best learning is when you make a mistake and then learning from that mistake.

[00:07:26.260] – David Puner
It’s interesting that you mentioned both employee and customer education. How do your efforts to educate both employees and customers differ? And is one or the other more difficult?

[00:07:39.500] – Melissa Carvalho
I don’t know that they differ. The method in which we educate both of them are very similar. I guess for customers we don’t put a consequence in place. I think we would lose the customer if we ended up trying to put a policy violation or a consequence in place, so maybe that’s one of the differences.

[00:07:56.450] – Melissa Carvalho
I think we spend more time educating our employees, and I’m not sure that’s as helpful as educating customers, so you see a shift in our recent focus. We’re now starting to educate the customers because when our employees especially who are educating the customers, they’re also learning in the process. They’re learning how to address questions, and they are educating themselves in the process.

[00:08:19.540] – Melissa Carvalho
I think you’re seeing a shift not only in our organization at RBC, but at organizations across the industry because we started to realize that if our customers understood cyber better, then they’re helping us in this mission as well.

[00:08:35.310] – David Puner
How far along is that shift and how much further does it need to go?

[00:08:39.610] – Melissa Carvalho
I don’t know if I could speak to the industry, but I could speak to RBC. I would say that if I looked at the last year, a lot of our focus is on educating our customers. Where we put our spend is on educating customers, building videos, building material, working with our customer, facing portions of our business, and educating them to then educate the customer.

[00:09:01.610] – Melissa Carvalho
I would say we’re pretty far along our journey. We still do continue to educate our employees. Then something else we spend time doing is trying to build the next degree of talent. So looking at universities and other educational institutes because we do have a cyber shortage or skills gap.

[00:09:21.240] – David Puner
You mentioned that a couple of times. How, from your perch, are you helping to or attempt to address that situation?

[00:09:30.240] – Melissa Carvalho
I think in this case it marries my desire for fairness and diversity and inclusion. If I were to look at it, it’s a couple of areas. Number one, women and gender. When we look at that, getting more women into the workforce.

[00:09:47.630] – Melissa Carvalho
I’ve always been a woman and always loved IT, been in cyber for as long as I’ve had a career, but I didn’t really appreciate it until I was being asked to speak at keynotes and other venues because I was a woman. It was really frustrating to me because I thought, “I don’t understand this. It’s what I’ve always been.”

[00:10:08.250] – Melissa Carvalho
But on my journey, I’ve learned that representation matters. Just standing up there on a stage and speaking made a difference to people. That created something in me, a desire to make change, not only in what I was doing, but across the teams I worked with.

[00:10:24.330] – Melissa Carvalho
Because many women were being turned away from cyber because they had a bad experience, or being turned away from tech because of a bad experience. Not only in my experience, but a whole slew of other experiences, but leading to RBC founding a program at a local university here. It’s now the Toronto Metropolitan University.

[00:10:44.820] – Melissa Carvalho
But it was really focused on trying to get more diversity, bridge the skills gap, and start putting out more content out there for people to grow in the space. Even people who had a career and are moving to another area, just to get them into the cyber workforce.

[00:11:01.910] – Melissa Carvalho
Another very important part of this was active listening, because during the pandemic, many women left the workforce. It was trying to get our teams to start listening to the needs, changing the work hours, accommodating if they had young kids at home, allowing that to happen because many women felt uncomfortable having children in the background when they put their camera on. Just a lot in that space.

[00:11:26.690] – David Puner
Touching upon your work for the Women in Identity organization, for which you’re a Canadian ambassador, how does that come into play within where you sit, within Royal Bank of Canada? Is it strictly a side passion project? How do they merge?

[00:11:43.850] – Melissa Carvalho
Well, I met Women in Identity a number of months before the pandemic. I was at a conference, heard a number of things they had to say, and it just made so much sense to me. I’ll give you some examples of that. Things like our favorite Alexa or Siri or Google, what we were finding was they were coding biases into that tech.

[00:12:07.740] – Melissa Carvalho
We talk a lot about artificial intelligence, machine learning, but if we’re naturally, as humans, biased, and we code that into the tech, then the tech will also be biased. Another thing they mentioned was something as simple as facial recognition.

[00:12:19.910] – Melissa Carvalho
Things like the phone that I had, I had to change the phone because for the color of skin that I had, it didn’t work in dark lighting for me to unlock my phone. It became a frustrating thing being in cyber and have to always be connected to have to worry about a biometric issue.

[00:12:37.000] – Melissa Carvalho
These things made so much sense to me that after the conference, I came back to the organization as RBC and I was just talking on and on until somehow the two have just merged together. But the Women in Identity org is something I’m deeply passionate about. It’s a group of individuals who are passionate about getting rid of bias.

[00:12:57.660] – Melissa Carvalho
One of the recent projects they have is what we call a code of conduct. It’s looking at globally setting the minimum standard for identity, whether it be government or financial organization, to try to ensure that solutions that are built for everyone are built by everyone. It’s opened so many doors for me to learn about other things, because diversity and inclusion is not just gender and race, there’s so many other areas.

[00:13:25.010] – David Puner
How does that potentially factor into your day to day purview when it comes to security within a large financial institution?

[00:13:33.950] – Melissa Carvalho
When you think about diversity and inclusion, it’s really not just gender and race, it’s things like creed, sexual orientation, socioeconomic status, ability. So when you find those real life examples and then you bridge the gap to security, it becomes easier because a lot of the threats and attacks in cybersecurity are exploiting vulnerabilities.

[00:13:57.110] – Melissa Carvalho
One example I talk often about is, it was in the news in 2019, that the UK government issued biometric passports, which is a great idea, extra security coming into the country, except it didn’t work for people of color, specifically women of color.

[00:14:14.560] – Melissa Carvalho
When you think about that example of trying to get into a country, and people of color or women of color, it’s not working for them, think about what the bad actors can do to exploit that situation to get in. Now, they subsequently fixed it. I’m not highlighting anything that’s open to create more attacks, but those are the type of real-life examples that show how the two intersect, diversity and inclusion and cybersecurity.

[00:14:38.210] – David Puner
What’s something crucial that you have learned from working at a large financial institution, that might be valuable for somebody working at a smaller organization that probably has nothing to do with being a financial institution?

[00:14:51.710] – Melissa Carvalho
That’s interesting. I’ve had both small organizations and large organizations, whether it be financial or not. I’ve worked in various industries, and I can tell you that one of the valuable things of working at a large organization is you don’t need to be an expert in everything. Sometimes you can rely and collaborate with other people, and it helps you just deliver faster because you have different people to work with and they can each take a portion of a solution and implement it.

[00:15:19.610] – Melissa Carvalho
It’s a double-edged sword, though. Because when you have a lot of people, then you have to communicate better, align better, and everybody has different competing priorities. If you’re in a small organization, it’s not something that necessarily you have to feel bad about, because sometimes what happens is we get lost with too many people and too many competing priorities, and so it’s a double-edged sword.

[00:15:42.870] – David Puner
With financial institutions, there are lots of regulations. With smaller organizations, there may not be those regulations. How do the regulations play into your day-to-day cyber security hurdles to overcome, and how do they potentially help get over those hurdles?

[00:16:04.670] – Melissa Carvalho
I’m not sure the regulations impact the size of the workforce as much as the size of the customer base you’re offering. You could be a small organization but deliver a solution globally. From a regulatory landscape, it depends on the region you’re operating.

[00:16:22.630] – Melissa Carvalho
The complexities around regulation come in from all the different regions you’re operating because they might be in conflict or to become experts in each of those spaces. For RBC, we’re a global organization, and so learning all the different regulatory requirements in each of the regions and trying to offer a solution that meets all of those can be challenging at times.

[00:16:45.460] – Melissa Carvalho
We try to offer the highest level of security, and so that’s one solution to trying to bridge the gap with all of these complex solutions, but there’s different regulatory bodies and different groups you have to answer to and different information. We have a whole regulatory division just to deal with those things, and then we’re experts in the identity space and we often cross and work together.

[00:17:08.430] – David Puner
You seem very calm for somebody who has a big role like this. What keeps you calm, and I guess counterpoint to that, what keeps you up at night?

[00:17:21.690] – Melissa Carvalho
I don’t have caffeine. I don’t drink coffee or pop or tea, it’s only water. I’m just naturally energized by all the different work that goes on. But I think the answer to both those questions is the same, and it’s my team. It’s the team of individuals I work with.

[00:17:40.520] – Melissa Carvalho
They keep me calm because I trust in them, and I feel like I have the best team in the world. I’m sure everybody answers the question the same way, but I really feel like I have the best team in the world, and so they keep me calm. I don’t worry about them and their ability to deliver.

[00:17:56.550] – Melissa Carvalho
I worry about them and what keeps them up at night, and I have to tell you, the pandemic had me worrying a lot about them. Because it wasn’t about their ability to deliver, but about how all the external factors were impacting them mentally.

[00:18:10.370] – Melissa Carvalho
Mental health is a big concern for me when I think of the team, and just all the things that were going on, whether they had family members that were first line responders or family members that were sick, whether they had additional pressures, financial pressures due to the pandemic. There was just a lot going on, and so trying to adjust for my team and take care of my team, because they do so much work to take care of us, is the thing that kept me up at night.

[00:18:35.290] – David Puner
What do you think a boon potentially to have come from the pandemic is, when it comes to your role in cyber security?

[00:18:42.800] – Melissa Carvalho
I believe from an RBC perspective, we’re already on the journey for innovation, and everything we did, we had a bold ambition, curiosity mindset. We were encouraging our people to be more innovative.

[00:18:57.460] – Melissa Carvalho
I think the positives that came out of the pandemic was it forced us to work together because we would not be able to survive if we worked independently. So it forced us to collaborate together. It build long lasting relationship, form bonds. It helped us figure out a way to accelerate the market. So that’s one positive that came out of everything that we were doing.

[00:19:21.270] – Melissa Carvalho
Another positive that came out of that is our innovation was more around efficiency and automations. We ended up focusing in that way because we just could not tackle all the problems that were occurring.

[00:19:34.880] – Melissa Carvalho
Then maybe lastly, another positive that came out of the pandemic was we started to look at all the data we were gathering. We have logs, incident reports, other metrics, bridge the gap to become proactive about cybersecurity. So looking at things like data analytics and out of the analytics, drawing insights out of that.

[00:19:56.640] – Melissa Carvalho
A perfect example of something that we accelerated is just our implementation of CyberArk’s PTA, the threat analytics and accelerating that and bringing that up because we just needed to be able to tackle these things faster.

[00:20:12.110] – David Puner
What’s an example of a great question you’ve been asked by someone on your team recently that’s led to organizational innovation?

[00:20:19.160] – Melissa Carvalho
What your team might have discovered is I run what we call an Ask Me Anything every week. Every week, I sit down through a video conferencing facility with my entire org, whoever wants to dial in, and I get about 150, 200 people every week, which gives me anxiety. Then they fire questions through this anonymous web app, where they just ask me the questions so they can hide behind it and I answer them as honestly as I know. I couch it by saying it’s not official, it’s just the answers, but it’s provided a sense of stability.

[00:20:52.160] – Melissa Carvalho
One of the things that I learned through one of these questions was the use of pronouns. The team asked me why through video conferencing facilities that we have in the bank and through our emails and our exchange, we weren’t leveraging pronouns. For me, it was a curious question. I needed to learn a little bit about it. I always thought if I put my pronoun forward, it was further ostracizing or discriminating towards LGBTQ Plus community. That’s what I felt. And through education in this journey, I’ve realized it’s actually quite the opposite.

[00:21:26.120] – Melissa Carvalho
So coming back to another AMA session, I informed my team of it and said, the tech companies don’t actually have a solution. This about a year back. They don’t have a solution to automate or put these things in place. So our fabulous team got together, partnered with other groups and said, this is how identity can help, because we keep that data, we can gather that data, and then we can inject it into the video conferencing facilities, the emails.

[00:21:53.170] – Melissa Carvalho
So we put pronouns in place before the tech companies figured out a way to do it. In fact, whenever I log into facilities, I always add my pronouns now to my name when I’m adding it. But just a cross section that’s showing how the work we do in identity and the passion for diversity inclusion married together to offer a solution.

[00:22:12.780] – David Puner
Is it true, aside from the questions that you’re getting here today, that there is no such thing as a bad question?

[00:22:19.950] – Melissa Carvalho
Absolutely. Being in teaching, I can tell you there’s no such thing as a bad question. If somebody has that question, chances are somebody else has that question. I get repeat questions often in my AMA sessions, but I always tackle it with, I haven’t answered the question properly and so it’s up to me to then take that time to explain it maybe in a different way.

[00:22:45.710] – David Puner
How does that help you move forward in your role?

[00:22:49.280] – Melissa Carvalho
Before the pandemic, I was very active and I have teams in all different regions. I would travel to the region to meet people. I really wanted to understand what they were interested in, what would make them happy.

[00:23:01.860] – Melissa Carvalho
I firmly believe healthy and happy teams make for stronger teams. But with the pandemic, it’s been hard because if I want to meet with 250 people, I have to have individual or smaller group sessions. It just makes it so much harder. You can’t have the water cooler chat or just informally see people. And some of the body language that you see in people when you pass by them, you don’t get out of just seeing a small screenshot on a video.

[00:23:28.930] – Melissa Carvalho
So the question period in the AMAs have really helped understand what people are thinking. Letting them hide behind an anonymous question application allows me to hear that and let them feel comfortable, so that psychological safety, not wondering if there’s going to be a consequence for their question.

[00:23:48.220] – Melissa Carvalho
I think it’s made me a better leader. It’s caused me to adapt in a different way. My management team has also learned from this experience because they get frustrated with the repeat questions.

[00:23:59.600] – Melissa Carvalho
So one of the things that we started exploring was neurodiversity and the whole aspect of different people learn in different ways and gather data in different ways. It’s really caused us to look at how we communicate to people. Some people like being on camera, some people like myself, I’ve hated being on camera. And so how do you adapt to the different situations and the different people’s needs? It’s just been an interesting experience.

[00:24:24.390] – David Puner
Wondering what’s something on your to-do list that maybe has been there for a while and might be there for a while and it’s going to be weighing on you going into the weekend but has a relevance to identity or digital transformation or both?

[00:24:42.860] – Melissa Carvalho
What’s weighing on me right now is the retention struggle that most organizations are having with their talent and their practice, their team. I have a set of data points as I go into this weekend looking at different things: compensation, education for the team, where they want to grow, development plan to really try and hear the latest questions the team has been asking.

[00:25:06.330] – Melissa Carvalho
In some cases, the team is not even asking me those questions but I see it in the industry. So what I plan on doing this weekend is pulling some of those data points together and really trying to be proactive.

[00:25:16.510] – Melissa Carvalho
I want to make sure if the team works really hard to be taking care of the bank and us, that I’m working equally as hard before they ask themselves that question to take care of them. So that’s what’s keeping me up at night and the homework I have over the weekend.

[00:25:32.800] – David Puner
Is there anything that we didn’t discuss here this afternoon that you have a burning urge to discuss?

[00:25:41.310] – Melissa Carvalho
No, I think we talked on a lot of different topics to cover a wider range of things. If everybody takes away just one thing from this discussion, It would be the women and identity vision, which just talks about the fact that solutions for everyone should be built by everyone.

[00:25:58.420] – David Puner
I think that’s a great ending note. Thank you so much for talking with us today. Really excited to have you on the podcast and look forward to talking to you again sometime in the future. Thanks so much, Melissa.

[00:26:08.340] – Melissa Carvalho
Perfect. Thank you for having me.

[00:26:16.390] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment, constructive comment preferably, but it’s up to you, or an episode suggestion, please drop us an email at [email protected] and makes you’re following us wherever you listen to podcasts.