LCL
Seeing what doesn’t belong
Our Chief Information Officer, Nicolas Coppée, is clear that in a data center environment where digital systems and physical infrastructure are tightly connected.
In 2025, we took a further step in professionalising this domain by appointing Géraud de Neve as Cyber Security Expert.
Data governance is a core operational concern at LCL
Coppée and de Neve agree that “You cannot govern what you don’t actively observe. Once you start correlating signals across systems, risks that were previously invisible become tangible.”
Why is data governance such a critical topic for LCL today?
Nicolas Coppée: “Because if governance fails, it can affect safety, uptime, and customer operations. Governance is therefore inseparable from continuity, audits, certifications, and customer trust. Regulatory expectations are also increasing. Customers expect us to demonstrate control, not just claim it. That requires traceability, documentation, and the ability to prove how systems, access, and data flows are governed.”
Géraud, you joined LCL in 2025 as Cyber Security Expert. Why was this role created?
Géraud de Neve: “Many controls already existed at LCL, but oversight was fragmented. Firewalls were generating logs, systems were producing alerts, yet there was progress to be made in structurally looking at them end-to-end. By actively looking, you see what’s happening and avoid creating blind spots. There is a big difference between having security tools and actually using them as a governance instrument. My role is to observe, correlate, and challenge what is happening across systems.”
Nicolas Coppée: “We now separate security oversight from day-to-day IT operations. Operational teams need to move fast and keep systems running. Security needs someone who can slow things down when necessary, challenge decisions, and continuously look at risks across systems.”
What do you see as LCL’s most important actions to ensure strong data governance, compliance and system security?
Nicolas Coppée: “The foundation is visibility. Over the past year, we implemented centralised log collection and correlation. Instead of isolated logs per device, we now analyse events across endpoints, networks, and applications together. That allows us to recognise patterns rather than isolated incidents and detect long-running or low-intensity attacks.”
Géraud de Neve: “That change is fundamental, because external security attacks rarely consist of a single event. Small signals that look harmless on their own can form a clear pattern when correlated. Cybersecurity today is closer to counterintelligence than to traditional defence: we are continuously observing behaviour and looking for what does not belong.”
Which systems, user groups, or types of data do these measures apply to?
Nicolas Coppée: “They apply to all of them, since governance cannot be selective. Corporate IT, operational technology, customer interfaces, and supplier connections are all in scope. That includes so-called shadow IT: tools that are adopted locally or informally, often with good intentions, can create blind spots if they fall outside governance frameworks. We address this through identity management, monitoring, and clear usage policies. Supervisory Control and Data Acquisition (SCADA) deserves special attention, because it actively controls physical systems. That makes it a direct bridge between cyber risk and physical risk.”

What actions are ongoing, and which were newly implemented or expanded during this reporting year?
Géraud de Neve: “The biggest step in 2025 was the move from having logs to actively analysing them. Continuous monitoring, correlation rules, and alerting are now part of daily operations.”
Nicolas Coppée: “We also professionalised change management. Requests, incidents, problems and changes are now handled through structured processes. That reduces the risk of multiple changes interacting in unpredictable ways.”
Géraud de Neve: “In parallel, we reinforced independent testing. External specialists perform penetration tests and reviews. Suppliers no longer test their own systems, ensuring greater objectivity and reliability.”
How do these actions mitigate the risks of non-compliance, data breaches, or physical security incidents?
Géraud de Neve: “Attackers try to stay inside networks for a long time. They observe behaviour, learn routines, and build trust before acting. Detection shortens that dwell time. Where phishing emails once gave themselves away through poor language or sloppy design, AI now removes those signals almost entirely, making attacks harder to recognise.”
Nicolas Coppée: “Encryption is therefore another essential layer. Data must be protected whenever it moves, including internally. Fiber tapping typically happens outside the data center, which makes data in transit a critical risk. That’s why we treat encryption as a default setting. On the physical side, we apply layered security. Access is granted based on clearance levels, and sensitive actions require validation by more than one authorised person. The four-eyes principle is embedded because human error remains the biggest risk.”
What improvements have you observed compared with previous years?
Géraud de Neve: “The biggest improvement is visibility. Now we see what is happening, and when people know that activity is monitored, they become more careful and more disciplined.”
Nicolas Coppée: “There is also a clear cultural shift, a shift in mindset. Security and data protection are now discussed at the start of projects, during architecture design and supplier selection, rather than afterwards.”
What organisational resources support these data governance and security measures?
Nicolas Coppée: “It’s a combination of technology, people, and external expertise. Internally, we invest in skills around architecture, operations and security. Externally, we deliberately work with independent partners for testing and audits. Independence matters: external eyes see things internal teams might overlook.”
Géraud de Neve: “Having dedicated roles matters as well. Someone needs the mandate and the time to continuously monitor, analyse, and challenge. Without that, governance quickly becomes a paper exercise.”
How is LCL preparing for future threats?
Géraud de Neve: “Threats will continue to evolve. AI will make attacks more convincing and more targeted. Defensive technologies will evolve as well, but they will never fully replace human judgement. Technology can support detection, but awareness, discipline, and critical thinking are what ultimately prevent incidents.”
Nicolas Coppée: “Our focus is long-term resilience. That means diversification of systems and suppliers, sovereignty, and governance structures that can adapt. Choices about suppliers, architectures, and data flows are strategic decisions that affect resilience over the long term.”