Board looking for exceptions, not norms in cyber security, says Lloyd's CISO
'One day there will be a breach, it is about being prepared for that day,' says Marcus Alldrick
C-suite executives at insurance services provider Lloyd's of London do not want to receive reports on antivirus and malware issues, but want to be notified of cyber security "exceptions", according to the company's CISO, Marcus Alldrick.
Speaking at ISACA's World Congress Insights 2013 in Berlin today, Alldrick said that the costs of security are already known to the firm; what needs to be measured is the cost of insecurity. It is for this reason that anomalies are to be reported to the board immediately.
"Do they want to know how effective the antivirus or malware protection is? They expect that to be done. What they want to know is when there is an incident, and what the impact on the business is," he said.
He added that the organisation is revising its metrics by looking at security training provider SANS' top 20 controls, after the CIO of the organisation attended a conference and was convinced that putting the metrics in place would benefit Lloyd's.
"We are revising all our metrics to decide what is actually meaningful. At C-Suite they want exceptions reported, they don't want the mundane, that's why they have invested in firewalls etc. They want to see audits and exceptions and corrective measures for that so we're reporting more on a risk basis," Alldrick stated.
But Alldrick argued that the risks themselves haven't changed in the past 20 to 30 years.
"[If you look at the trends], how much of it is hype? We've had cyber for 20 to 30 years and it's happening at a quicker pace but actually the risks haven't changed, the probabilities within the risks have changed. Can we predict what is going to change? I find it very difficult - we just have to make sure we're moving with the right protective measures," he explained.
"We're doing far more monitoring because one day we know there will be a breach - no one is 100 per cent secure, so it is about being prepared for that day," he concluded.