Originally from Brazil and now based in Australia, Luiz talks about the misconceptions of working in tech, his past experience working with Big Four firms, and shares his advice to those who are curious about following a similar career path.
What initially kindled your interest in technology risk? What opportunities did you see?
While I’ve always been interested in technology and related gadgets and services, I like to say that I landed in technology risk by accident. I have worked on many different projects in several sectors, and over time, I noticed that while there were some striking similarities in the risks, there were also industry specific risks and regulations. As high-profile data breaches became public knowledge and resonated in the news, I saw an opportunity to really help businesses understand these risks and what actions can be taken to mitigate these risks. I’ve never had to chase the opportunities; they make themselves known to me. The current hot topic for us is ransomware, driven by the high-profile ransomware attacks earlier this year.
How did your masters at Queen Mary allow you to explore this interest?
My masters gave me a baseline understanding of how businesses operate, and how that happens on a global scale. It also gave me a foundation for understanding how businesses change and innovate in different ways to ensure their growth over time. Completing the masters in the tail end of the great recession was a remarkable experience because we saw first-hand how industries were making major structural changes in response to years of economic contraction. To top it off, I was witnessing all of this from London, one of the world’s main economic centres. This also coincided with the time that we as a general public were really starting to understand the value of data and witnessing an increase in the accumulation of data by organisations across all industries. When I started working in technology risk, a lot of my courses, especially one about ERP and corporate governance, became very relevant, and having that baggage gave me a starting point from which to grow.
Having studied and worked in several countries including Brazil and Australia, how would you describe the global opportunity for technology risk professionals?
Technology risk is everywhere, unhindered by borders. There are a multitude of different rules and regulations for each country across each industry. Furthermore, individuals and businesses continue to rely on more technology, leading to greater risk exposure at both an individual and a corporate level. In addition to that, technology is also constantly changing; there are always new risks we need to account for. Seven to eight years ago, we were not considering the risks related to blockchain or AI. In the past year, ransomware has really come to the forefront from a risk perspective. GDPR and other similar legislation has changed the way we frame and address risk.
Businesses need to be intelligent, adaptable, and build strong risk practices. There are so many opportunities for technology risk professionals because even though we are aware that there are risks related to technology, the level of maturity tends to be low. Having said that, different countries tend to be at different places in that journey. In the US, I saw fairly robust risk practices and controls, whereas in Australia and Brazil we see less mature environments. Regardless of location, we need to take a more proactive risk approach and try to foresee emerging technology risks and address them ahead of time. A robust environment today does not translate to an equivalent one tomorrow.
You currently work as a Controls Assurance Manager at AMP. Could you tell us about your work and provide some insights into any projects you are currently working on?
AMP is one of the oldest Australian banks, having been founding in the 1800’s. It has recently created a risk practice to identify and address technology risks across its systems. This includes operational risks, strategic risks, and customer risks, amongst others. We not only address risks because we want to comply with regulation and legislation, but because we want our business, customer, and employee data to be secured.
I joined AMP because, as Controls Assurance Manager, I have an opportunity to shape which controls we should have to address our key technology risks for the entire AMP group. At the same time, this is very much an educator’s role. I sit down with different application and platform owners across the business to discuss a multitude of different risks, where they are exposed and how we can work together to address the risks, such that we not only achieve our objectives but is also practical for us as a business.
What is the best thing about your work?
The best thing about my work is seeing that I’m having a real, lasting impact on an organisation. Not only because we are managing our risks more effectively, but because we are changing the culture and the mindset of people so that they understand risk and the importance of mitigating these risks. In my role, I frequently talk to people at all levels across the business and I am recognised as someone who is here to help and drive positive change. In addition to that, I work with a strong team of risk managers who have extensive experience and it is humbling to be able to learn from them and use that to refine my own knowledge.
In your career to date, what achievements are you most proud of?
Prior to AMP I was at EY in consulting. I did some work in 2019 for a major Australian airline where I developed a methodology and framework to quantify risk and a process to use this value to drive funding for technological assets in the airline to address the risks. In consulting, we don’t usually see what happens to our output after we finish the job. However, in 2021, I was asked to return to the airline for another project. In my return, I was able to see how the work I delivered in 2019 was being used and how it was valued by the client. I was often introduced as the person who had developed the methodology and framework. My deliverable was something well known and well received by different individuals. It was incredible to see how the work I had built for a household name was being used. This was my mark on a major global brand. I am very proud of having had that impact on something that is much bigger than me.
What are the greatest misconceptions that people have about careers in tech or tech-related fields?
A good attitude and willingness to learn is a viable path to success even if the learning curve is steeper.
I think the biggest misconception is that you need to have a strong technical background and knowledge of coding to succeed in tech. Almost everything I know of technology risk I learned on the job. I also couldn’t code if my life depended on it. It’s not to say that having a tech background doesn’t help, but I don’t think it’s strictly necessary. A good attitude and willingness to learn is a viable path to success even if the learning curve is steeper. Given how tech is always changing and evolving, anyone working in tech needs to take an active role in ensuring their knowledge is updated. Thus, I am always learning and studying and researching as part of being someone working in tech.
What advice do you have for students interested in pursuing a similar career?
For anyone who wants to pursue a career in tech, and specifically technology risk, I would recommend starting in a relevant consulting company. I was in Big 4 consulting and would highly recommend it, however I recognise that there are other incredible consulting firms and specialised firms as well.
The exposure to different industries, IT environments and types of risk gained through consulting will ensure an in-depth understanding of the subject matter, as well as being able to choose which industry or area within risk you would like to specialise in. I would also say to any students wanting to pursue this career path to try to understand risk now, especially as it relates to technology. That sounds like a tall order, but it really isn’t. Everyone is a risk practitioner. We consistently evaluate risk before we make decisions related to the most banal things in our lives. We weigh the benefits and risks in every decision. To make that jump to technology risk isn’t really difficult, it’s an extension of something we already do naturally and on a daily basis.
Outside of your work, what are your other passions and interests?
I’m an avid musician and I can play guitar, bass, and piano. I also collect vinyl records. Music has always been a very grounding experience for me and can serve a wide range of purposes. In addition to that, I consider myself a foodie and like to go out of my way to try new foods and restaurants, as well as attempting complex cooking techniques and dishes. I’m fascinated by what we can do with ingredients, how we can manipulate them to extract different flavours and textures, and how we can combine them in order to build incredible plates of food. Food not only tastes good, but reminds us of eras in our lives, or specific experiences and I enjoy the process of recreating that (or trying to).
What are your fondest memories of your time at Queen Mary?
My time at Queen Mary is marked by the friendships that I made and the academic rigour to which I was subjected. It was a challenging course, but I made good friends, some of which carry over to this day, and we supported each other and got through it together. It was also a time where I was still understanding who I was and the person I was to become. Being able to pursue my academic interests was a big step in that journey and I strongly associate my time at Queen Mary with that step.
If you would like to get in touch with Luiz or engage him in your work, please contact Nathalie at n.grey@qmul.ac.uk.