How to be a force in security
Deloitte’s Peter Koo is looking for highly qualified, aggressive and competitive risk management talent
Peter Koo is the James Bond of risk management. When asked questions he considers too sensitive to respond to, Deloitte’s national leader of security, privacy and resiliency services for Greater China Region and one of the practice builders of its enterprise risk services in mainland China and Hong Kong, jokes: “I could tell you, but then I would have to kill you.”
That is because confidentiality and discretion are crucial in his industry, and he is at the top of his game as a partner in Deloitte – one of the world’s top four professional services firms specialising in cyber-security. “There has been an increasing need for risk management over the past 30 years, which includes strategy, physical, financial, security, operational and project risk. Whenever anybody has to make a decision, whether to turn left or turn right, there’s always a risk,” says Koo.
Deloitte was launched in 1845 as an auditing firm and has since become a globally renowned company offering tax, consulting, enterprise risk and financial advisory services. For many years, it was in the Big Eight of firms in its industry and has been in the Big Four since a number of its competitors folded or were taken over.
When tragedies, crises and disasters struck, such as 9/11, the Enron scandal in 2002 and Sars in 2003, Deloitte and other survivors of the risk management industry were forced to raise their game by offering further services, which included business process consulting and risk control and creating a top-down approach called GRC (governance, risk and control). That meant developing strategies, notably the “hot area” of risk management in emerging technology, specifically, cyber-risk, which has been Deloitte’s focus for the past year.
Today the focus is on two industries in particular: financial services and technology, media and telecommunications (TMT).
Some universities now offer risk science as a major specialisation, but when Koo and his peers were learning the ropes, they were taught on the job. Deloitte still prefers to do its own training and has built an in-house education institute in Austin, Texas where candidates from every region of the global company go to focus and develop specific skills after learning a range of disciplines.
Individuals who join the industry may not necessarily have exceptional academic results, but they must be smart, capable, enthusiastic, mobile, flexible and resilient.
“We like them to be like a blank piece of paper, which we can draw on,” says Koo. “People do not necessarily need to be extraordinarily strong academically, but they must be sharp and willing to learn with good soft skills, such as communication, and also able to take hardship.”
Having an in-house programme means it is easier and faster for companies to shape individuals and for the employees themselves to progress according to their abilities.
Success in this industry means continuous learning and employees are often required to obtain two or more professional qualification, such as a certified public accountant (CPA), which usually takes three years, then a certified internal auditor (CIA) or a certified information systems auditor (CISA) if you want to work in IT auditing.
If employees choose cloud computing or another specialisation, they will need to acquire further qualifications for that. Senior employees are expected to have three or more professional qualifications.
“It’s like a milestone: you keep improving and strengthening, and each year – even every day – there’s something new to learn. You must be hungry for knowledge.”
In return for commitment and hard work, Koo says, the industry offers an unrivalled experience, especially with Deloitte. “We’re an international company with a global reputation … training you receive from us, as one of the world’s top four companies in the industry, is unrivalled.”
Ultimately, to succeed in the risk management market you have to be aggressive and always ahead of the competition, Koo says.