Five Minutes With: A Global Data Governance Officer

Jakub Lewandowski is a lawyer with a passion for things that are tangible and binary. A large chunk of his working life is consumed by DORA and NIS2, but he dreams, one day, of switching regulation acronyms for artefacts and biofacts…

Tell me about your role

I wear two hats: legal director and data regulator, and then compliance. I focus on our internal compliance, and about 60-70% of my time is spent on DORA and NIS2.

What was your route into cyber?

I studied Law in Warsaw, specialising in public law, policies, data privacy, and data regulation. The latter was a natural entry into the IT world. I wrote my thesis on the digitalisation of public administration. That was 18 years ago, though, and a lot has changed. In my summer vacations, I worked at Microsoft as an intern.

I was exposed to something completely different and loved switching from theory to practical and binary. I preferred the concrete material.

Are you a techie?

Yes, absolutely. After Uni, I worked at HP for over ten years before joining Commvault four years ago. I was attracted to Commvault’s decision to enter the SaaS market – that was one of the critical elements for me.

What’s the best thing about your job?

Being at the forefront of technological changes and the constant exposure I have to international regions, jurisdictions, and problems. It’s fascinating.

And what about the worst?

Time zones mean that I’m always on. I live in Poland, but speak with our global teams around the clock.

What’s the biggest as-yet unresolved challenge in cyber?

Getting various teams to speak to each other. You have to bring people from various departments and roles around the same table – especially when it’s legal. How do you get those people talking the same language? That’s the biggest unresolved challenge.

Throughout your career, which regulation has evolved the industry the most?

GDPR for sure. But the biggest shift has been moving from simple checklist compliance to managing risks. Awareness and how much businesses are prepared to spend on compliance have made the difference. Again, we find ourselves at the forefront of a tsunami wave of legislation, which will further evolve risk management.

What’s the biggest misunderstanding about DORA?

The biggest correction that needs to be made is posing the right questions. We hear customers simply asking if they’re compliant. That’s valid, but it doesn’t address the real concerns beneath it. We need to focus on assisting organisations in complying with DORA and helping them understand that there’s no single solution to making them 100% compliant.

What one thing should businesses be doing between now and DORA?

Understand your business. Figure out the data and assets you have and the associated risks. Understand what the impact on your environment would be if there were an incident. Set security objectives and understand your risk appetite. Talk with vendors who understand your complexity and requirements.

What industry can cybersecurity learn from?

It’s more about learning from our customers and the sectors they serve. You can find somewhere to learn from everywhere.

What’s your dream job?

I like tangible results, which I think is a natural fetish for most people in this industry. I’d like to be an archaeologist. With new technologies, there’s so much to discover.

What advice would you give to industry n00bies?

Brace yourself for a fun ride. Cybersecurity reminds me of the fashion industry – certain things are rediscovered time and time again, and you see renewed interest in old terms, like business continuity. So be ready to look back.

How much of your working hours are spent on DORA?

DORA and NIS2 take up around 70% of my time.