InfoSec People Profile: Talkdesk’s Rui Melo Biscaia

By Roy Urrico

Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security (infosec), cybersecurity and/or information governance to protect data and transactions at credit unions, other financial institutions, and fintechs serving the financial services industry.

Rui Melo Biscaia, vice president of product, platform and product-led growth, at Palo Alto, Calif.-based Talkdesk, a provider of artificial intelligence (AI)-powered customer experience (CX) technology, describes himself as “passionate about security. I really am. That's where I live and breathe.”

“I know I have this American accent because of two things: One, I'm 6 feet, 6 inches tall, which means that I play basketball and interact a lot with U.S. basketball players; and since almost the beginning, I've worked for U.S. based companies,” Biscaia — born, raised and residing in Portugal — told Finopotamus.

Infosec Journey Begins

Biscaia’s information security journey developed as the founder and CEO of cybersecurity company, Watchful Software, in 2012. That company was later acquired by Symantec. “I joined Symantec and was leading their identity and access management business unit. In that time, we were dealing with single sign on, multifactor authentication, cloud access, security brokering. It was a really good tenure.”

After Broadcom acquired Symantec's enterprise security business in 2019, Biscaia went to work at Broadcom as their senior director of product, information security group for Europe, the Middle East, and Africa, (EMEA) and Asia Pacific and Japan (APJ)). “It was more of an outbound relationship model in which I was talking with and helping customers understand and reason with the entire security portfolio of Broadcom, which at the time was already pretty substantial.”

He joined Talkdesk in 2020 as senior director of the product, information security group for EMEA and APJ. “Basically, the idea was to leverage AI to handle security related questions. This was the time of COVID. This was the time where everyone was working from home. How do you make sure that those people working from home are who they say they are, and are doing things right.”

Biscaia explained Talkdesk was leveraging features like voice biometrics, fraud detection, spoofing detection, predictive behavioral analysis “in order to understand behaviors without actually being a surveillance tool, without actually turning on the camera.”

Current Infosec Role

“I lead everything that relates to platform and product-led growth,” Biscaia told Finopotamus He described Talkdesk’s go-to-market (GTM) motion platform, a software solution that helps companies outline, implement, and enhance how they launch, sell, and deliver products to accountholders.

“It is something that relates to stuff that you should not see. If you do see or hear about it, that's because they're not working as expected,” said Biscaia. He mentioned “governance risk and compliance mandates and how do you implement them. We are talking about horizontal and vertical scalability of the systems so that we can cater to bigger loads of data, loads of integrations (aka customers and enterprises). And, of course, there is the security side of things, the single sign-on side of things, the accessibility side of things.”

The other part of Biscaia’s responsibility centers on product-led growth. He said Talkdesk recognized the importance of contact center agents trying to offer a positive member experience, while also recognizing any possible fraudulent intentions.

“That is how you make sure that you turn Talkdesk into something that just works out of the box. You push a button and you have a contact center with customer experience automation, built and ready to go in less than a minute, a minute and a half or something like that,” he said. “So, in my current role, I do manage the responsibilities around governance, risk and compliance, which encapsulates stuff that is related to security.”

Talkdesk's Cybersecurity Operations

These days, especially in the financial services world, creating platforms requires fortification, he noted. “We think of security as something that needs to be built from the ground up and not as an afterthought,” Biscaia said,

“We build it with that security-by-design mentality. That means that we embed into our systems everything that it needs to include in terms of security related to access, role-based access control, zero trust (strategies), and shift left mentalities. The shift left mentality is a method that changes testing, security, from reactive, post-development repairing to proactive, nonstop, and integrated authentication.”

Biscaia provided examples. “Whenever you are using APIs (application programming interfaces) in order to extract and to deploy workflows and whatnot, you need to make sure that you have the entitlement for those APIs. You also need to make sure that whenever you're leveraging artificial intelligence, it has built in security protocols to ensure that you're leveraging the way it was intently made available for you to use.”

AI capability, depending on what licensing allows, he noted, might limit its incorporation in certain areas. However, fraud-fighting capabilities such as voice and behavioral biometrics, fraud and spoofing detection, and deepfake analysis are incorporated in Talkdesk’s platform from the start.

Threats Causing Sleepless Nights

At the top of his sleepless night reasons, Biscaia puts deep fakes. “Everyone is using AI, (it) can be used to do good or it also can be used to do harm.ˮ He elaborated, “you can get a sample of someone else's voice; you can (then) make whatever you want that person to say. That means that you need to be very careful when you trust single factor authentication mechanism.ˮ

Biscaia continued, “So when you trust voice biometrics, for example, as the single factor or authentication in a contact center, when you are dealing with a voice channel, that does not cut it anymore.”

For financial institutions, he recommended the safest strategy is to use multiple layers of security, not just one. For credit unions, that means asking members to confirm their identity using a combination of factors, like a PIN, a code sent to their phone, or a biometric identifier, such as a fingerprint or voice, which highly reduces fraudulent access.

He also admitted concern over the threat of social engineering. “Getting access to data and systems has been exploding with all of that AI. That is also something that  keeps me up at night. We need to be right  100% of the time in defending those things, and the fraudster only needs to be right one time. That's just the nature of the game.ˮ

Besides deepfakes, and social engineering, there are other concerns. Such as fraudsters who “create (stolen) digital identities out of sometimes very little information about a person.ˮ

Top Cybersecurity Dangers to Credit Unions

“Credit unions don't have the deep pockets that other [larger] financial institutions have in order to be as secure as possible. Nonetheless they have become aware that although you're trying to provide the best service possible to your (members), you also need to balance that with the security element,” Biscaia explained. He added that credit unions need to walk that wary balance between providing great service and not granting access to information to someone that should not have access.

“It's never  100% certain the likelihood of a person being a fraudster. And then you need to balance that with (the credit unionʼs) risk appetite. Management of the risk score, the risk appetite dynamically, that's something that we have been working tirelessly in order to make available to credit unions and at a cost that is not that much,ˮ Biscaia explained.

“When you have a credit union that trusts their knowledge-based authentication: So, asking you questions, ‘who you are,ʼ ‘can I have your social security number?ʼ ‘Can I have your date of birth?ʼ That is fundamentally not enough. All of that data is available as a Google search,ˮ said Biscaia. He recommended, “So just use an OTP (one-time password), and that is something that it does not cost any money. Those little things, they're not silver bullets, but they are stepping stones towards having a better security posture. By compounding all of those elements you are in a much better place from a security perspective.ˮ

“The contact center is a well sought attack surface because it has the data. Attacking that data and extracting that data means data has become the new currency,ˮ he said.