IN BRIEF
- “5G offers unprecedented connectivity and speed. The convergence with the technology of IoT provides us much more opportunities for significant increases in connected devices, flow of information, and new use cases. At the same time, they vastly increased the surface area for threats, for vulnerabilities, for risk.”
- “The use of AI has made this problem worse. At the beginning of the year, we saw a 300% increase in scams as a result of use of crime GPTs. AI is making cybercrime easier, more accessible for less technically capable cybercriminals.”
- “GDPR has affected the public’s awareness regarding the importance of privacy rights and the value of personal data. Stricter regulations, global harmonization of data privacy standards I think is a trend that we will continue to see for the years ahead.”
In this VISION by Protiviti podcast, Malcolm Eng, head of risk, business partnering at New South Wales-based TPG Telecom, sits down with Ruby Chen, a director with Protiviti Australia. Malcolm has spent the past decade working with some of Australia’s leading organizations to navigate the complexities of privacy, risk and the regulatory landscape. Here, he discusses data, CrowdStrike, emerging tech, AI, cybersecurity in the telecom industry, as well as what he sees on the privacy landscape over the next five years.
In this interview:
3:38 – TPG Telecom’s focus: risk management and resilience
7:03 – Risks associated with 5G, AI and other technologies
10:53 – “Persistent, unrelenting cyber attacks”
15:39 – The landscape for privacy risk in the next 5 years
TPG Telecom’s head of risk on data privacy, cybersecurity, AI and the regulatory landscape
Joe Kornik: Welcome to the VISION by Protiviti podcast. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and we welcome Malcolm Eng, Head of Risk, Business Partnering at TPG Telecom in Australia, where he and his team lead enterprise risk management for the company. Malcolm has spent the past decade working with some of Australia’s leading organizations, navigating the complexities of data privacy, risk and the regulatory landscape. Sitting down with Malcolm today is my colleague, Ruby Chen, a director with Protiviti Australia. Ruby, I’ll turn it over to you to begin.
Ruby Chen: All right. Thank you so much, Joe, for the introduction. Today, I’m so excited to have Malcolm here on the podcast. I’ve known Malcolm since—that seems to be so long ago, pre-COVID era. We both used to work in the banking industry. I still remember we were saying our goodbyes and I’ll meet you on the other side, hopefully. [Laughter] I’m glad that we both made it. Since then, Malcolm has pivoted away from the banking industry into technology, and now more recently into telecommunications. I’m really keen to hear Malcolm’s insights around the latest in the telecom industry. So, thank you so much for joining us, Malcolm.
Malcolm Eng: Thank you for having me, Ruby. Times have definitely changed since we’ve known each other, and I do recall saying goodbye before COVID, and I think through COVID I was wondering when I will actually see Ruby again, so I’m glad we’ve gotten in touch and had a lot of very interesting conversations. I’m very excited to be here, looking forward to sharing some of my thoughts on the topic.
Chen: Fantastic. Thank you. All right, before we dive into the serious questions, I have a fundamental question for you, Malcolm. Do you think you could actually live without all the technology gadgets we’re surrounded by?
Eng: I like that we’re starting with a light question. I might start with a little bit of a story. I remember when I got my first smart light, it was a cheap smart light I got from Kmart. I was so amazed when I got home by the convenience and flexibility of it, and especially the multiple colors, that I changed all my lights at home. A little while later, I got home one evening and none of my lights would turn on. My wi-fi wasn’t working. I couldn’t figure how to turn the lights on and I had removed all my non-smart lights. So, I ended up putting up some candles. It was very romantic and I ended up re-reading Dune. Three things come to mind for me. Firstly, I forgot how much I enjoyed those books, and I thought I should actually do that more. Secondly, as someone whose home is still filled with smart lights, though ones that I can now turn on without connectivity, I cannot imagine living without all the gadgets that I rely on. It’s really amazing to think how technology has become such a big part of our daily lives. Lastly, there’s so much potential with technology and value to people’s lives. I think there’s something to be said about finding that balance where they work for us and not against us.
Chen: As your example illustrates, right, connectivity is such a critical part for all the technology that we rely on these days, and telecommunications industry plays a very important role in providing us with that capability. And with the pace of technological changes and the increasingly unpredictable nature of the business environment, it seems that organizations are facing more unexpected disruptions. I’m keen to hear your thoughts around how is TPG Telecom addressing these challenges?
Eng: At TPG Telecom, as one of Australia’s largest telecommunication providers, ensuring that we can provide a robust ongoing supply of critical products and services to our customers, our people, and the broader community is a responsibility that we take very seriously. I think resilience starts with preparation. We start with our networks, which are built with resiliency in mind. What does that mean? Our architecture is designed with physical and logical separation to enhance robustness. Routing protocols, separation of product layers are used to improve our ability to withstand disruption.
Chen: I totally agree. I think resiliency is so high in the radar. Something that comes into mind is actually a recent outage which impacted many of us, including myself. So, the CrowdStrike outage, right? It was such a high-profile outage that had a wide-ranging impact across Australia as well as globally. Are there any lessons to be learned and how has TPG reassessed its risk management strategies and practices since then?
Eng: CrowdStrike is the one that comes to my mind, too. I was actually at the airport when the outage happened. I remember being stuck in the road just outside the airport for two hours wondering what was happening. Let’s say, it wasn’t the best travel experience I’ve had and I might leave it there.
Chen: Right.
Eng: Recent incidents have definitely brought operational resilience to the front of mind of a lot of people when it comes to risk management. A few key considerations stand out for me when thinking about resiliency. Firstly, reemphasizing the point that resilience starts with preparation, recognizing that disruptions are a possibility and we should be ready to respond, to recover, to continue to operate. We shouldn’t assume that things will always go perfectly. Instead, we should be prepared for the unexpected, to ensure that we can react quickly and get back on track without too much disruption.
Secondly, while it was great to focus on pursuing the latest and greatest, whether it’s technology, innovation, or even risk management and resilience practices, getting the basics right, I think, is just as important. Things like change management, testing and controlled deployment of changes, heightened monitoring during change windows, third-party management, incident management and response, user awareness and training. Scenario planning simulations for emergency and crisis situations are also critical. You probably do not want an actual incident to be the first time you respond.
Chen: I want to pivot a little bit now moving into emerging tech and risk, and talking about artificial intelligence, which is such a hot topic everywhere I go, no matter what conference or webinar that I attend. I was curious to know, with the rapid evolution of AI technologies and the unique privacy challenges posed by 5G and other emerging technologies, how is TPG addressing potential risks associated with these advancements?
Eng: There’s definitely a lot of excitement around AI recently. A lot of attention has largely been driven by generative AI, or gen AI, tools like ChatGPT, Dall-E have kindled the fire in people’s imagination. That’s made AI much more visible, more interactive and more relevant for the average person. There’s one school of thought that the challenge facing the technology now is one of demonstrating outcomes, that the application of the technology is not enough. It’s about delivering results, with the real measure of success being the value that it can actually bring. I think this can be illustrated with the Gartner Hype Cycle, which accordingly has gen AI passing the peak of inflated expectations this year, heading into the trough of disillusionment. I’m always amused by those terms. It’s a phase that is somewhat of a make-or-break period for technology where the initial hype will fade and the technology must prove its real value.
There’s another viewpoint, which argues that gen AI represents a fundamental shift, that it will bring transformational impact, with use cases that are not yet fully understood, that the classification as a standalone innovation is too narrow. Instead, it should be looked at as foundational technology, a platform for a new generation of AI-driven solutions.
Regardless of the side of the court that you take, a key driver for the hype around AI is this seemingly huge potential for innovation and transformation that it brings, but at the same time, we should still remember that the technology also brings new challenges that we need to manage carefully, and this is the recognition that we have in TPG Telecom. Technology, emerging technologies, are inherently dual use, double-edged, bi-faceted. They provide real opportunities, but they will also bring along real risk. It’s important that we understand both the threats and opportunities of any innovation so we can better adapt the technologies for positive advancement while mitigating the harms.
Some examples, 5G and internet of things, or IoT. 5G offers unprecedented connectivity and speed. The convergence with the technology with IoT provides us much more opportunities for significant increases in connected devices, flow of information, and new use cases. At the same time, they vastly increased the surface area for threats, for vulnerabilities, for risk. The increase in volume and complexity of data and systems brings more potential for failure points and inefficiencies. We’ve talked about AI and machine learning. These technologies can help improve automation, operational efficiency, allowing more proactive security measures, such as anticipating potential threats faster and more accurately. At the same time, they can be used to scale up capabilities, complexities, and automation of cyberattacks.
Chen: So, Malcolm, I want to move into the next line of questioning, which is around cyber security. Emerging technologies and AI that we’ve talked about bring transformative potential, but with that comes an evolving risk landscape, and cybersecurity in particular is becoming more sophisticated. How is TPG tackling this growing challenge?
Eng: Persistent, unrelenting cyberattacks on individuals and organizations. I think that’s a good way to describe the landscape today. I’ve also heard people use the word insidious, which I think is quite apt. Here in Australia and globally as well, we’ve seen a surge in incidents, from data breaches to ransomware attacks. Some statistics, according to the ACCC, or the Australian Competition and Consumer Commission, in 2022, the combined losses to scams alone were at least $3.1 billion, which is an 80% increase on the total recorded from ‘21. Losses reduced somewhat in ‘23, but Australians still reported $2.7 billion lost to scams. Some people may give themselves a pat on the back for an improvement, but I think it’s still a staggering amount of money.
The use of AI has made this problem worse. At the beginning of the year, we saw a 300% increase in scams as a result of use of crime GPTs. AI is making cybercrime easier, more accessible for less technically capable cybercriminals. Cybersecurity at TPG Telecom is at the forefront of our risk management strategy. The maturity of our capabilities is critical to all that we do. We are investing heavily in our people, our systems, our controls, key areas that we’ve been focused on over the last years: vulnerability remediation, expanding security capabilities, transforming our IT infrastructure, and standardizing policies and controls. In ‘23, we increased the security technology budget significantly. We’ve more than doubled the size of the team.
An innovative approach that we’ve adopted is the creation of internal red and blue security teams, or as I like to call them, hackers and catchers. The red team would act as an adversary, simulating cyberattacks and probing weaknesses, while the blue team would defend against it, responding to these simulated threats with the goal to seek out and fix vulnerabilities before external parties can take advantage of them. Fun idea? I wish I had thought of it, but unfortunately, I can’t take credit. It’s a concept that originated from military strategy and exercises.
Cross-industry collaboration is something we believe that’s very important. To collaborate across industries or peers, government and academia to come together and share knowledge so we can proactively and collectively enhance the security of the nation. We recently cohosted with the University of New South Wales the 21st Annual International Conference on Privacy, Security and Trust. The conference brought together professionals, researchers, academics, and government with the view to shape the future of privacy and security. TPG Telecom presented two papers at the conference, one showing the benefits of having an internal red team and the other on the value of understanding how AI optimization can be applied to support cybersecurity practices. As most leading organizations in Australia, we’ve begun investigating the use of AI for enhancing security support and as a tool to bolster our defenses.
With government, we are a member of the Joint Cybersecurity Center where we collaborate with government agencies and industry partners on national threat intelligence and cyber incidents. Similar to our approach to resilience and emerging technologies, we work to keep on top of the evolving landscape. We work on our adaptability and continued improvement; at the same time, we pursue innovation with a focus on getting the foundations right. I believe we cannot stop the progress of technological innovation. We can aim to participate and contribute in a positive way to better serve all Australians and to protect the security of customers, people, and the broader community.
Chen: Thanks for sharing that, Malcolm, and I think it’s fantastic to see so much investment being placed into this part of the business, which comes to show how much attention and seriousness TPG places into this area in particular, looking forward to the future. It’s a good segue into our last question. Looking ahead, how do you envision the landscape of privacy risks of the next five years, and how should organizations address the emerging threats while maintaining customer trust?
Eng: It’s a big question. Complex and multifaceted is how I would describe the future landscape of privacy risk. In recent years, there has been a noticeable shift towards the harmonization of data privacy standards and regulations globally. I think as data flows increasingly across borders, more consistent frameworks can help facilitate these transfers, and it also helps ensure data protection across jurisdictions. In this regard, the EU’s General Data Protection Regulation, or GDPR, has had quite a significant impact on practices globally. It set a high benchmark for data privacy and protection. Its extraterritorial scope prompted many businesses outside of Europe to align their practices to GDPR standards. With data breaches becoming a global concern, it has also guided regulatory change in many countries, and so there’s an increased focus on data protection and more changing regulations worldwide. I think it’s also fair to say that GDPR has affected the public’s awareness regarding the importance of privacy rights and the value of personal data.
Stricter regulations, global harmonization of data privacy standards I think is a trend that we will continue to see for the years ahead. Similarly in Australia the ongoing reforms of the Australian Privacy Act have indicated an appetite for a GDPR aligned regime.
The way that I like to think about regulations is that regulations are designed to solve a problem. Oftentimes, it’s easy to focus on what we need to do to comply with requirements, but instead of solving solely for regulations, we should also ask ourselves, how can we solve the problems that the regulation is aimed at? This framing, I find, can help solve for the regulation and help ensure that the approach taken is what looks best for the organization.
Another trend that we’re seeing that I believe will continue to accelerate is the increased digitization driven by faster connectivity and emerging technologies. Organizations will need to be prepared to deal with an increasing volume and diversity of data. Coupled with increasing regulation, this will significantly increase the complexity of data protection. Technologies that we’ve touched on like AI, machine learning, automation, will accelerate the changes. The sophistication of cyber threats will increase, and so will security measures and defense capabilities.
The management of unstructured data will become critical. As analytics and AI advance, it will enable more insights to be extracted from unstructured data. With a lack of inherent structure to the data, the increase in volume and use will introduce more complexities with management, things like storage and scalability, data integration for analysis, data quality, in addition to protection and security.
Quantum computing, it has the potential to break traditional encryption methods, making a lot of today’s models vulnerable. There’s a practice called, “Store now, decrypt later,” which is about collecting currently unreadable encrypted data with the expectation that it can be decrypted in the future. Something to keep in mind is that cyber criminals and threat actors don’t just target companies from time to time. They target companies 24/7. They are patient and very, very persistent.
Focus on privacy by design. Ensure that privacy is embedded in products and services, rather than bolted on as an afterthought. Data minimalization: only collect what is necessary. Continue to invest in and improve technological capabilities, innovate and iterate and foster a culture that puts privacy and security first with ongoing education, awareness, and leadership.
Chen: That’s fantastic, Malcolm. Thank you so much for at least leaving those wise words with us and I just want to thank you so much for being on this podcast.
Eng: Thank you, Ruby. It’s been a pleasure speaking to you today. I’ve very much enjoyed the discussion.
Chen: Thanks, Malcolm. All right. Then, Joe, we’ll hand it back to you.
Kornik: Thanks, Ruby, and thanks Malcolm, and thank you for listening to the VISION by Protiviti Podcast. Please rate and subscribe wherever you listen to podcasts and be sure to visit vision.protiviti.com to view all of our latest content. Until next time, I’m Joe Kornik.
Malcolm Eng is Head of Risk at TPG Telecom in Australia, where his team leads enterprise risk management for the company. After his early years in consulting in Malaysia, Malcolm has spent the past decade working with some of Australia’s leading organizations, navigating the complexities of the risk and regulatory landscape. He brings a wealth of expertise in adapting risk strategies to diverse business models, with experience across a range of sectors, including financial services, technology, and communications.
Ruby Chen is a Protiviti director with over 12 years of experience in the financial services industry, for 10 of which she worked within the Big Four banks before transitioning into consulting. She has a broad range of experience providing advisory services and secondments across all three lines of defense.