
From IT Audit to Cybersecurity journey at Deloitte

Roland Bastin

As he approaches his retirement, we sat down with Roland Bastin, a retiring Partner at Deloitte, to discuss his remarkable career journey in IT Audit, technology risk management and IT security. Roland shared how these foundational years influenced his approach to IT risk management and led him to leadership roles in the field. Roland’s story provides a unique look into the evolution of IT audit and risk advisory services at Deloitte and offers valuable insights for those seeking a career in this ever-evolving space.

You started your career at Deloitte as a financial and IT auditor. How did this foundation shape your approach to technology risk management and IT security over the years?

 

Starting my career at Deloitte in 1990 as both a financial and IT auditor offered me a unique dual perspective that has been invaluable throughout my journey. Even back then, we utilized computer tools to analyze financial and accounting data extracted from mainframe systems, significantly enhancing the quality of our financial audits. This allowed us to address both financial and IT queries efficiently as an integrated team. By 1992, IT audit reviews had become an integral part of the Deloitte Audit methodology, focusing on understanding the design and effectiveness of IT general controls implemented by clients.

This early experience of working closely with finance, data, and systems provided me with a strong foundation and adaptability in addressing both finance and IT from a risk management perspective. The combination of IT and financial expertise opened up new opportunities for me. In 1994, I was appointed as the Financial Systems Manager for a natural resources company based in Luxembourg with operations conducted in Europe, North and South America and South East Asia. In 2001, after the reorganization of that Group and its decision to relocate to the UK, I seized the prime opportunity to return to Deloitte Luxembourg. By this time, I had gained practical operational experience in managing IT risks and financial systems, which I brought with me to further contribute to Deloitte's success.


Now, let’s go back to your time at Deloitte. What led you to choose Deloitte to start your career?


The decision to join Deloitte was somewhat serendipitous. After completing my studies in economics and IT science in 1988, I spent a year as a research assistant in econometrics at the University of Liège while waiting to fulfill my military service in Belgium. A university friend, who had joined Deloitte’s Luxembourg office, spoke highly of the firm’s dynamic, fast-growing environment and the unique opportunities it offered to learn about various industry sectors and develop diverse skills, all while being surrounded by subject matter experts. Inspired by his experience and the prospect of working on compelling projects, I decided to apply.

Deloitte Luxembourg responded swiftly and offered me a role. From the start, I appreciated the positive environment filled with young colleagues like myself. On just the second day of my job, I found myself at a client's premises, performing a financial audit with a hands-on approach to IT data analysis. This responsiveness and emphasis on technology were precisely what I was seeking, making it clear that joining Deloitte was the right move.


What inspired you to pursue a career in IT risk management? Was there a particular moment or person who influenced your path?


When I returned to Deloitte in 2001, my inspiration to pursue a career in IT risk management was driven by the clear necessity of efficiently managing IT-related risks. My academic background and previous experience played a significant role in this decision. I maintained strong relationships with my former Deloitte managers, who had become partners in the meantime, and encouraged my return by highlighting the growing impact and importance of IT in the financial sector. Furthermore, the evolving landscape of cybersecurity and its critical role in safeguarding organizational integrity fueled my passion for this field.


Thinking about your career path more generally, any advice or lesson learned that made a difference in your career development?


The best advice I can share is to choose a career that genuinely excites and inspires you. Find a path where you feel completely at ease, like a fish in water. Don’t settle for a job just because of the paycheck; seek out something that fuels your energy and passion, setting ambitious goals that ignite your dreams. When you are truly engaged, work doesn’t feel like work. Even in moments of fatigue, your motivation will carry you through, pushing your limits just like an athlete. This passion will sustain you through inevitable challenges, setbacks, and the need to rise after a fall. Pursue what drives you and keep moving forward, for this dedication will make all the difference over the course of your career. As a famous U.S. president once said, "The only thing we have to fear is fear itself."


What has been your proudest work accomplishment?


As part of the development of IT risk services, we advanced our IT Forensic and eDiscovery services starting especially in 2010. This was a time when several international banks faced the threat of OFAC country sanctions and later, European banks came under scrutiny from the U.S. tax authorities. One of the most challenging yet rewarding projects involved collaborating with a bank to review a vast number of bank instructions, encompassing hundreds of millions of Swift messages, to build a case before U.S. authorities and prosecutors, including data scientists from the FBI. The effort required years of preparation and collaboration with legal teams. It was an intense project, but successfully resolving it taught me the value of persistence, adapting to demands, and striving for impactful outcomes, no matter how complex. The success of this project not only strengthened the institution’s defenses but also demonstrated the effectiveness of our strategies, earning the client’s trust and respect.


Looking back on your career, what has been the most fulfilling aspect of your work in IT risk and security? What advice would you give to those entering the field today?


Our IT risk services also include advisory on IT regulatory compliance, primarily within the financial sector. One of the most fulfilling aspects of my career has been making a tangible impact by assisting organizations in efficiently executing their IT outsourcing projects, securing approvals from financial regulators, and protecting them from cyber threats. My advice to newcomers is to remain curious, continuously seek knowledge, and adapt to new challenges. Collaboration and a strong ethical foundation are also essential.


You’ve likely traveled extensively for work. Is there a place you’ve visited that left a lasting impression on you?


During my time with Minorco before its merger with Anglo American Corporation, I frequently visited the Latin American region, especially Brazil, where I formed strong connections that stood out. During my second time at Deloitte, I had a memorable experience working with a Luxembourg telecom company operating in Latin America and Africa. I had the opportunity to work on-site at one of their operations in Ghana. Visiting Accra was a highlight — I was deeply impressed by the warmth of the people and the country's democratic environment. Personally, Mexico holds a special place in my heart; my wife is from Guadalajara, and over the years, I’ve spent considerable time there. It's a country of contrasts with incredibly welcoming people, and each visit leaves a lasting impression.


Having led IT audit and IT risk services at Deloitte Luxembourg since 2001, how has the role of IT specialists evolved, especially with the increasing importance of cybersecurity?


The role of IT auditors and IT risk consultants has evolved dramatically since 2001, driven by the rapid advancement of technology and the increasing complexity of regulatory requirements. Initially focused on basic IT controls and compliance, these professionals now play a critical role in assessing and mitigating sophisticated cyber threats, ensuring data privacy, and navigating complex regulatory landscapes. The rise of big data, cloud computing, and artificial intelligence has further expanded their scope, requiring continuous learning and adaptation. Today, IT auditors and IT risk consultants are integral in guiding organizations through digital transformation, ensuring robust cybersecurity frameworks, and enhancing overall operational resilience.

To remain competitive in a fast-paced technological environment and a globalized economy, we don't rely solely on local teams. We leverage nearshoring and offshoring to deliver services, supported by virtual meetings instead of constant travel. This approach enables us to provide more consistent operational support to our clients worldwide. This challenge of rapid transformation is both motivating and essential — adapting to it is crucial for survival in today’s market.


You have served as a Board Member and former President of Information Systems Audit and Control Association (ISACA) Luxembourg. How has your involvement with professional organizations like ISACA shaped your views on governance and risk management?


My involvement with the ISACA association has been instrumental in shaping my perspective on IT governance and risk management. It has provided a platform for knowledge exchange, networking and staying current with industry best practices, reinforcing the importance of robust IT governance frameworks and the continuous enhancement of risk management strategies.


As someone who teaches at the University of Lorraine on auditing information systems, how do you balance your professional responsibilities with academia? What lessons do you emphasize for the next generation of IT auditors?


At the University of Lorraine, I teach within the Institute of Digital Sciences, Management and Cognition (IDMC), which trains students in digital sciences, cognitive sciences, automatic language processing (ALP), innovation and IT audit. My course offers a comprehensive introduction to IT auditing, combining structured content with practical examples to help students grasp the role of an IT auditor and prepare for careers in the field. Since 2001, this course has been invaluable for students seeking insight into the profession, with several later joining Deloitte as trainees or full-time employees.

Balancing my professional responsibilities with academia is rewarding because it allows me to share real-world insights and experiences beyond the textbook, helping students envision themselves in IT auditing, risk, or security roles. It also demands effective time management and dedication. As Chairman of the IDMC board, my role involves aligning the curriculum to meet the evolving needs of the industry, ensuring students gain relevant skills. Encouraging them to stay curious and continuously explore new solutions is crucial for their development as IT auditors.


With your vast experience across IT risk and security, where do you see the most significant risks emerging in the next 5-10 years, particularly in the banking and financial sectors?


Unfortunately, the list of significant IT risks continues to expand. While not exhaustive, some of the prominent IT risks anticipated in the financial sector in the coming years include advanced cybercrime and fraud, where cyber criminals develop increasingly sophisticated techniques to infiltrate financial institutions, compromising sensitive customer data and financial assets. Additionally, third-party and supply chain attacks, as well as ransomware and malware attacks, remain significant risks. Regulatory compliance pressure, cloud security challenges, and artificial intelligence vulnerabilities are also critical components of this IT risk landscape. Workforce security awareness is particularly crucial with the rise in remote work, necessitating ongoing training in security best practices and vigilance against social engineering tactics.

Moreover, the rise of cryptocurrency and blockchain technologies introduces new risks, such as theft, fraud, and regulatory challenges, where securing digital wallets and exchanges against hacking attempts is a critical concern. Finally, the development of quantum computing poses a future risk to current encryption standards, which could be easily broken, potentially exposing sensitive financial data.


And some rapid fire:

  1. Morning or night person?
    Night person
  2. Favorite book or author?
    Biographies or classic literature
  3. What’s the best advice you’ve ever received?
    Listening more than speaking leads to better decision-making and understanding
  4. Coffee or tea?
    Coffee 200%
  5. What’s your go-to activity to de-stress?
    Creating distance from situations can be very helpful — taking a step back brings clarity and perspective. Also, walking my dog daily
  6. If you weren’t in IT, what career would you have chosen?
    Philosophy or psychology
  7. Favorite travel destination?
    Mexico
  8. What’s a skill you wish you could master?
    Playing music
  9. Favorite tech gadget you can’t live without?
    iPhone
  10. If you could have dinner with any historical figure, who would it be?
    Franklin Delano Roosevelt
  11. Where will we find you on a Saturday morning at 10 a.m.?
    Shopping or arranging things for the upcoming week

Roland Bastin, Deloitte Luxembourg
