Taking place at RAI Amsterdam on September 27 and 28, #RISK Amsterdam examines the trends and best practices organisations are employing to navigate today’s rapidly evolving risk landscape.
Barry Lombarts is Data Protection Officer and Corporate IT Compliance Director of Howmet Aerospace Inc. Before moving into the privacy and compliance area, he worked for many years in the field of IT infrastructure.
In recent years, Barry has led an EURASIA deskside support team, supporting over 10,000 customers. The role has seen him run several intercontinental projects, such as OS upgrades, site migrations, site acquisitions and site divestitures.
Barry will be at #RISK Amsterdam to discuss the pitfalls and opportunities of cloud-based infrastructures. Alongside a panel of fellow experts, Barry will also look at strategies companies can employ to maximise digital defences.
“Head in the Clouds”: Strategies for Protecting Data and Infrastructure - Thursday 28th September, 14:00 - 15:00 (CEST) - Privacy, Security & ESG Theatre
We spoke with Barry about his professional journey and for an introduction to the themes on the table at his #RISK Amsterdam session.
Could you briefly outline your career so far?
I have worked for the same company for almost 25 years, although organisational changes have resulted in company name changes: from Alcoa, to Arconic, and now Howmet Aerospace.
I started in IT support as a helpdesk agent and then in infrastructure support, eventually moving into a leadership role for 8 years supporting computers across multiple locations in the Netherlands, Germany, Belgium, Norway, and Iceland.
I was then presented with the opportunity to manage the EURASIA deskside support team, supporting over 7,000 users across 70 locations in 17 countries and in 6 different languages!
Following a discussion in 2017 with our CIO regarding the new privacy regulations in Europe, I was asked to further educate myself on this topic and assume a new Data Protection Officer (DPO) role, in addition to my role as IT manager.
In 2020, DPO became my primary job, with a secondary role leading the corporate IT Compliance organisation.
Within my privacy role, my team is responsible for ensuring Howmet Aerospace complies with all applicable privacy regulations, while my compliance team coordinates the compliance activities for the corporate IT group, focusing on Sarbanes-Oxley (SOX) and Cyber Maturity Model Certification (CMMC).
What are the primary challenges and opportunities of cybersecurity in the cloud?
With the trend of the past decades to outsource non-core activities, more and more data has been stored on vendor systems. This first started with non-business critical information but in the past years many more companies have also been outsourcing activities that contribute to their core business.
By doing this your vendors hold some of your business-critical information, which can harm you when this gets disclosed in a data breach. From a vendor perspective, they will try to have one common infrastructure with a common security posture, in order to limit cost.
This drive to standardisation, and the volume of data they hold from all their customers, might result in much better protection against cyber-threats than when you try to protect your ‘small’ environment. Vendors could use their benefit of scale in order to efficiently protect data.
The challenge is to assess with the vendor if their security measures meet your requirements and agree how you as customer can assess whether they actually meet such requirements. If your vendor is too focused on reducing costs, cybersecurity might be a victim, and with that your business-critical data might be at risk.
The increasing number of data breaches in recent years has made companies aware that it is not guaranteed that your vendors protect your data according to your expectations. Reaching an agreement about this prior to transferring data to your vendor’s system is crucial.
What are the leading strategies and tools organisations are employing to optimise cybersecurity when using the cloud?
In my view, cybersecurity when using the cloud is twofold. First, you have to ensure that your employees are not accessing malicious websites in order to prevent cybercriminals from getting access to your data.
Second, you need to ensure your employees only share sensitive data with (cloud) vendors where you have a commercial agreement in place. To achieve both of these ends, start with educating your user community; they should be trained to recognise risks, and understand the good practice of managing data in addition to understanding and executing pre-requisites prior to sharing data. This should include high-level information to raise awareness and/or training materials about export control. Privacy regulations would reduce risk significantly.
To catch ‘mistakes’, cloud access security broker (CASB) and data loss prevention (DLP) tools are valuable; they can prevent your user community from making mistakes. So far, the focus has been on how to protect our data from an employee perspective. However, as mentioned above, there is also a need to consider how to protect data stored at your vendors.
First of all, you need to ensure you have signed agreements, including contractually binding requirements, on how the data should be protected, and what the vendor should do when it becomes the victim of a breach. It should be clear where liabilities lie, who will report to authorities when required and in what way you as customer can assess if the vendor meets the agreed requirements.
The second approach is to segment the data of your intellectual property (IP). You should ensure that none of your vendors have full information about your IP, but segment the information and spread it across your vendors.
It is worth mentioning that some companies make a conscious decision not to outsource any information about their IP and keep it in-house. In the end, it is all related to the risk appetite of the company, which often is based on commercial, reputational, legal and financial consequences.
In this exclusive panel debate, experts discuss the unique challenges of securing data and infrastructure in the cloud, and provide insights into the strategies and tools you can use to protect against cyber threats.
They will also discuss the role of cloud service providers in ensuring the security of their platforms, and the importance of collaboration and communication between organisations and their cloud service providers.
Attendees will gain a comprehensive understanding of the challenges and opportunities of cybersecurity in the cloud, and learn about the strategies and tools available for protecting your organisation’s data and infrastructure.
Also on the panel:
- Derek Loots, Cloud | Data | DevOps Engineer, Médecins Sans Frontières (MSF)
- Susanne Bitter, Head of Regional Strategic Alliances, Cyber Security Forum Initiative
- Anirudha (Ani) Singri, Technology Risk Professional, Booking.com
- Session: Day 2, “Head in the Clouds”: Strategies for Protecting Data and Infrastructure
- Theatre: Privacy, Security & ESG Theatre
- Time: 14:00 – 15:00 (CEST)
- Date: Thursday 28 September 2023
#RISK Amsterdam is also available on-demand for global viewing.