Luc Lefebvre

Author, speaker and privacy advocate. Also an organ donor circa 2011.

20 years of experience.

Profile: Passionate humanist. Interested in technology, international affairs and human issues.

Skills: security analysis, security architecture, risk analysis, risk management, training and awareness in hostile areas (H.E.A.T.), forensic analysis, surveillance, audit, investigation, intelligence, advanced persistent threat.

Work experiences: Full resume available on-demand.

Chief Information Security Officer (CISO) and Chief Privacy Officer (CPO),,Evolia, Québec, Québec

• Governance, Risk and Compliance:
  • Lead and manage Information Security, reporting directly to the Board of Directors
  • Management of a team of infosec professionals
  • Development of an infosec control framework based on the NIST-CSF
  • Drafting of policies, processes, standards, directives, infosec and IT positioning.
  • Accountability to competent and legal authorities
  • Follow-up and management of security events and incidents 
  • Development of metrics, performance indicators and dashboards
  • Obtained SOC 2 type 2, HIPAA, GDPR, ISO 27001, and other certifications.
  • Knowledge of ISO 27001, 2700x, NIST 800-53, NIST 800-82, SOC 1, SOC 2, SOC 3, GDPR, SOX, PCI-DSS, FedRAMP, etc.
• Member of Executive Committee
  • Participate in organizational development, support other teams in their development
  • Play the role of advisor in the development of other technological projects
  • Member of the media and crisis requests management committee
  • Actively participate in responding to media requests and crisis units in the event of an event or incident
• Privacy Protection (CPO) and Data Protection Officer (DPO)
  • Ensure compliance with regulatory obligations (Law 25, GDPR)
  • Follow up on data destruction requests

2021 - 2022

Product Manager & Senior Advisor, Governance, Cybersecurity, Desjardins, Montreal, Quebec

• Governance, risk and compliance:
  • Product owner (squad leader) in governance, risk, compliance - cybersecurity
    • Management of two squads: one in accountability of 6 resources, the other in risk management and control assessment
    • Presentation of work of the squads with the BISOs/CISOs/Desjardins Head of Security
      • Capture and analysis of metrics on security posture, information security maturity, risk rating and compliance
      • Development of dashboards on PowerBI
    • Participate in the development and optimization of an internal control framework in information security, mapping with all relevant industry standards, particularly in connection with the financial community (AMF, BSIF, etc.)
    • Participate in the development of the target operational management model information security risks
    • Knowledge of ISO 27001, 2700x, NIST 800-53, NIST 800-82, SOC 1, SOC 2, SOC 3, GDPR, SOX, PCI-DSS, FedRAMP, etc.

2020 - 2021

Lead analyst, cybersecurity/infosec, Héma-Québec, Montreal, Quebec

• Governance, risk and compliance: Risk
  • analysis and management related to information security
    • Writing risk analyzes (impacts, probability, risks, threats) and recommendations
      • Software security, cloud, systems embedded systems, identity and access management, signatures, PLCs and laboratory equipment, etc.
    • Development of risk analysis, management and monitoring processes
    • Creation of business requirements, participation and evaluation of suppliers during calls for tenders and new projects
  • Compliance
    • Drafting of policies and guidelines
      • Creation and drafting of all information security / cybersecurity governance framework
    • Knowledge of ISO 27001, 2700x, NIST 800-53, NIST 800-82, SOC 1, SOC 2, SOC 3, GDPR, FedRAMP, etc.
  • Trainings and awareness
    • Initial training in information
    • security Regulatory government certification in information security
    • Crisis management - cybersecurity and reputational risk management
      • Militant groups, ransomware
    • Advanced persistent threat 

I studied in public relations.