EVENT
5 Concerns of CISOs in Luxembourg – and How to Address Them
Chief Information Security Officers (CISOs) in Luxembourg operate in an increasingly complex environment. Between ever-evolving regulations, rapid cloud adoption, and the emerging impact of AI tools, the pressure to protect sensitive data while supporting digital transformation has never been greater.
April 9, 2025

As a prelude to the ITnation Round table on April 24th, we interviewed Marius to gain his insights, drawn from working with highly regulated sectors such as finance, insurance, and public institutions.
-
How can we label and classify our data to ensure visibility?
Data classification is foundational to any information protection strategy. Without it, organisations have little visibility into what data is critical, where it resides, and who has access to it.
“Our focus is on the most critical data of our customer. To implement effective protection, it is essential that you understand where it is, how it is being used, and how it is being shared.”
In Luxembourg’s regulated sectors—especially finance and insurance—data is often processed in an unstructured form and dispersed. Banks generate extensive data lakes and reports from core banking systems but often lack oversight into how these reports are used or shared internally and externally.
“Clients’ data is also processed in an unstructured way… if you have ownership, how can you know what this data is being used for? How can you control who sees it within and outside the organization?”
Symantec recommends adopting a strategy around Data Security Posture Management (DSPM) to bring structure and clarity. With DSPM, CISOs gain a clear view of their data assets, allowing classification by sensitivity and risk, and paving the way for effective Data Loss Prevention (DLP).
-
How can we ensure that internal and external AI tools do not enable sharing of sensitive data?
The rise of generative AI tools like ChatGPT and Copilot creates new challenges for data protection. AI models can inadvertently absorb and redistribute sensitive information unless controls are firmly in place.
“We focus on enabling CISOs to control what data is uploaded and downloaded to programs such as ChatGPT.”
AI tools trained on internal company data—like private LLMs—introduce an additional layer of complexity. Not all internal data should be fed into such systems, especially if it’s confidential or client-specific.
“Internal AI based on your own data can be an extremely useful tool… but not all data internally should be available to feed the knowledge base.”
Labeling and classification again become vital—without them, AI tools may unintentionally expose regulated and critical information. CISOs must combine policy, education, and technical enforcement to keep sensitive data out of large language models.
-
How do we achieve a secure environment when transforming from on-premise to cloud solutions?
Many Luxembourg companies still run on-prem systems. However, cloud transformation is well underway—and with it comes new security concerns.
“Data is flowing to different environments… It’s more and more important that people have an overall security strategy that includes Cloud adoption.”
The transition to cloud-based platforms often introduces a risk of oversharing. For example, platforms like Microsoft 365 or Google Workspace are designed around collaboration—sometimes too much so.
“Customers could be sharing more than they realise—sharing confidential data outside the walls of people that need to know of or even their organization.”
“We offer solutions that show exactly what data is shared outside the organisation. This visibility helps CISOs take control before data leaves the building—or the cloud.”
Securing this transition also requires encryption, identity management, and zero trust principles. But above all, it requires governance: knowing what data is moving, and ensuring it’s protected wherever it goes.
-
In the current wave of multiple regulations, how can CISOs minimize the risk of non-compliance?
Luxembourg’s regulatory landscape is being shaped by European frameworks like DORA and NIS2, alongside local sector-specific regulations like those from the CSSF and BCL. Each comes with its own reporting and operational requirements—and non-compliance is not an option.
To stay compliant, CISOs must automate where possible—leveraging DSPM, GRC (Governance, Risk, and Compliance) platforms, and continuous monitoring tools to map obligations to controls. Symantec’s approach integrates compliance needs with technical implementation, helping clients meet obligations without overwhelming internal teams.
-
For systems to function, they require the trust of users. How can trust be earned?
At the heart of information security is trust. If end-users or customers don’t believe in a company’s ability to protect their data, they will look elsewhere.
“Building trust begins with transparency, continues with awareness, education, and solidifies through action.”
This means clear privacy, classification and information protection policies, proactive communication, and swift response to incidents.
“But trust is also earned internally. Employees must feel confident using company systems without accidentally leaking sensitive information. This is why a guiding and user-friendly DLP, intuitive data classification, and real-time monitoring are critical.”
Symantec’s tools help reduce human error—ensuring that data isn’t accidentally shared in the wrong team site or uploaded to the wrong platform.
Final Thoughts
CISOs in Luxembourg are navigating a perfect storm: rapid digital transformation, evolving regulations, and new technologies like AI. But with the right strategy, it’s possible not only to stay compliant—but to lead the way.
Symantec’s long-standing presence in Luxembourg’s highly regulated sectors—especially finance, insurance, and public services—means they understand the challenges intimately. Their focus on data-first, inside-out security offers CISOs the clarity and control they need in a fast-changing world.
“Come to our event to share your own experiences and hear about first-hand case examples, including from our Swiss-based CEO, Thomas Fürling.”