Security underpins Lloyd's global ambitions

Lloyds of London takes action to prevent information leakage by segregating its network and implementing encryption and control of USB ports on all laptops.

In August last year, Marcus Alldrick took over as head of information protection and continuity at Lloyd's of London with a remit to rebuild the bank's security operation. His appointment followed a decision to bring the management of Lloyd's IT, which had previously been outsourced, back in-house. Alldrick formerly worked as CISO for Abbey Bank, and also spent 18 months at KPMG before joining Lloyd's. How would you characterise your role in Lloyd's and why is security important?

Marcus Alldrick: Reputation and heritage are very important at Lloyd's. The organisation started more than 300 years ago when merchants first met to insure their ships at Edward Lloyd's coffee house, and it has since become a global leader in pricing complex risk.

Trust is therefore of prime importance, and deals have traditionally been done on a handshake. But we are also now a global operation, and are expanding overseas in more than 30 locations, and more to come in Brazil and the Middle East. It is vital as we do that, that we protect the information we hold on behalf of our members.

What steps are you taking to strengthen security?

Alldrick: I'm making it more business focused rather than just focusing on IT. The onus now is on information protection, and on making security a business enabler. We are a non-profit mutual organisation, so we are owned by our members - the brokers, agents and underwriters who work here. We have to look after their needs, which means being flexible in our approach. It also means we have to cost-justify any initiatives we take.

Can you give us some examples?

Alldrick: Much of it is to do with managing access to systems, taking on new starters, allocating accounts and closing accounts when people leave. We have that under control. For remote users, we have dual-factor authentication. They can come in via a VPN, through Outlook Web Access or by using a remote desktop, which is very effective. However, this will change over the next year, when we introduce a global managed MPLS network to underpin the overseas expansion.

What are the challenges?

Alldrick: We do not work in a homogeneous environment. Lloyd's consists of 46 managing agents, 75 syndicates and 176 brokers and many of them use different technologies. At the same time, we are trying to encourage the market to go for further automation, such as the electronic settlement of claims.

Your role also includes business continuity. What are you doing on that front?

Alldrick: We currently have IT located at five sites - One Lime Street (the 1986 building designed by Richard Rogers), our North London IT specific site, our other office site in Chatham plus two separate and supporting contingency sites in Essex and Kent. Our data centre strategy is under review, though, because data volumes are growing, but no firm decisions have been made yet.

You say information protection is a high priority. How are you tackling that?

Alldrick: We do take information leakage very seriously and tackle it in a number of ways. We have segregated network environments for the Lloyds Corporation itself, the market and outside network, so that provides a level of protection. We also have agents deployed on each endpoint machine so that we can immediately detect if a non-Lloyds device has connected to the network.

We are also in the process of implementing encryption and control of USB ports on all laptops. And we are currently analysing what sorts of devices are currently being connected to the network, and what should be allowed. For instance, we could ban iPods and MP3 players, but we know that for some people it's useful to be able transfer recorded conversations from such devices on to their PCs. That's why we are doing the analysis. It's not about a kneejerk reaction, but about being informed of the risks.

We don't allow instant messaging at all, and we are currently looking at the use of social networking sites to see if they pose any danger.

How do you and your team maintain security awareness among the brokers and underwriters?

Alldrick: We go over security with people when they start here, and we have information on the intranet. We also try to get presentation spots at team or corporate briefings just to keep the keep the subject in people's minds. We don't go in for posters or leaflets, but we do work with the physical security teams to spot any unsafe behaviour. For instance, if they spot a laptop left on a desk, they'll tell us and we'll leave a little reminder note on the person's desk just to let them know it's not good policy.

How about standards? Are you ISO 27001 certified?

Alldrick: I'd say we use ISO 27001 and even expand on it, but we have not gone though a formal certification process. It is something we are monitoring. If it became a business requirement at any time, then it's something we would do.

On another front, we are moving to a COBIT framework because it has benefits to us and our auditors. It means that we are both singing from the same hymn sheet, and it makes the auditing process easier.

Are you expanding your team, and is it easy to find the right people?

We are expanding, and we've found the key is working with the right recruitment agency. Lloyd's is an attractive and exciting place to work, so we recently had three excellent candidates for one job. The job involves not only having the technical skills but also good communication skills to do outreach to the business. We'll also be adding to the team in the second quarter of 2008, but again we'll be looking for people who can communicate well. That is increasingly important in security.

Read more on Identity and access management products