CISO Q&A with Banco Credibom’s Flavio Carvalho

Flavio Carvalho, CISO, at Portugal-based Banco Credibom, is an accomplished cybersecurity and privacy executive, with considerable experience building large-scale information and cybersecurity programs within many different types of businesses and markets. With his career beginning in networking and infrastructure management, Carvalho gained experience working in cybersecurity as a security services provider, which helped him gain the experience necessary to become CISO.

Today, as CISO at Banco Credibom, Carvalho is responsible for shaping the security architecture and managing its execution at the bank. A substantial part of those identity management efforts has proven to streamline the bank’s identity and access management program. In our conversation, we discuss Carvalho’s career and the recent steps the bank has taken to improve its identity management efforts.

Thank you for speaking with us, Flavio. Can you begin by telling us how you got started in IT, and what attracted you to the IT industry?

That goes back many years. As an engineering student, I became interested in computers and computer engineering. Starting out, I had the opportunity to be a network analyst. I enjoyed that quite a bit. I also worked for internet service providers as a network administrator for a number of years. An important transition for me was becoming a manager. I took that management experience, years later, and accepted a position in security. Now, that’s about eight years ago. And, about that time, I started earning security certifications and moved professionally into security. I’ve been in security for nearly nine years now, with a significant background in networks and infrastructure.

After you moved from IT to security, was there anything about security that most surprised you?

Yes. A lot of it has to do with how I started out. I began at a company that provided security services to other companies. But back when I started, there was not really a strong need for someone who would look at a company’s security processes. Someone who would analyze their processes and see if an organization was improving their risk posture over time. But all they wanted was someone to operate their security devices. They wanted us to supply rules at their demand. We were not supposed to think and suggest, “This rule you are requesting could actually get you in a worse position than you are in now. You are getting worse, not better, by doing this.” Too many businesses just wanted checkboxes checked.

Still, it was interesting to see different solutions applied within companies. I appreciated the opportunity to see different industries and how each approached security, and why they use certain kinds of solutions. That made it a good experience to prepare me for the CISO role. Today, I am responsible for the security of my company, so I am in charge of security strategy. And, because of my experience, I am clear on what I need.

What kind of security challenges did you experience in your first role as a security decision-maker?

Match Group was my first experience as a decision-maker. Match Group was responsible for the dating apps. They were popular in the market. For me, it was a great, great experience. I reported directly to the global CSO, who was based in the U.S. At Match Group, I started as Latin-America infrastructure and security director.

The kind of security issues that arose at Match were also interesting. It was my first experience trying to protect my company from fraud, data leaks, and identity theft. Lots of tricky problems to cover. This was my first experience building security solutions for my own company rather than providing such services to others.

In your current position, what are some of the challenges you face when it comes to identity management?

Solving access and identity management is quite the challenge across different systems and different countries. When I arrived at the bank, SailPoint was already selected, but they hadn’t advanced with their deployment. Getting SailPoint up and running was my first top priority.

What were your initial goals with SailPoint?

As a bank, we have tight control over our information systems. I know exactly where our information systems are and what’s on them. I know their infrastructure. They have their business and IT owners defined. All of that meant I already had good control over what I needed to get done to be effective with SailPoint.

My first initiative was to reorganize and update our HR software. Our HR software wasn’t well organized in a way that would benefit SailPoint or our identity efforts.

In order to succeed, we needed that HR software to re-think around job functions, departments, and role owners and refining the definitions of those classifications. Employees had to be classified into their functional areas, departments, and directors. Their direct leader had to be clearly appointed, approval levels defined. We looked at everything related to how the company is organized in terms of human resources.

It was important that all of that be validated before we started anything with SailPoint. It sounds like a lot, but it only took about a month or so to work this through. We also relied on external development to enable human resources to easily enter new employee information, job changes, and terminations. We took that information and then selected six of our information systems, six out of our 70 applications, and mapped functions in HR with a user profile that was validated with the business owner.

Following that, HR adds employees to the system. SailPoint now pulls the data from this HR database every day. When SailPoint sees that there is a new employee, it provisions this employee into the information system to a specific role. That’s what we are building now.

With that accomplished, what are your goals now for the year ahead?

For 2020, we were expanding our first seven applications to additional strategic applications. While 2019 was the year to prove the concept behind our identity governance plan, this year it’s time to expand into our strategic information systems.

Other initiatives that will be a focus for us is this year include the streamlining of our day-one permissions. When new hires arrive on their start date, they will now have all of the basic access they need to get to work right away. We are also building a process to enable changes in permissions, such as when an employee is given a project and needs special access for a certain period of time. We want to use SailPoint to help us build better workflows for such situations. The same goes for external consultants and others who come here and work for short periods of time. We need to manage their profiles better and will rely on SailPoint to help us there. We’ve come a long way in the past year, but there is still much more to be done. When it comes to identity management, the work is never really completed. You are always looking for areas to improve.