#Infosec19 Interview: Dame Inga Beale, Former CEO, Lloyd’s of London

Written by

Dame Inga Beale served as CEO of world leading insurance market Lloyd’s of London for five years, having become the company’s first female CEO in its 333-year history in 2013. For the next five years, Dame Beale led Lloyds through a significant period of modernization and cultural change, before stepping down in 2018.

Previously to Lloyd’s, Dame Beale’s career began in 1982 at Prudential Assurance Company were she trained as an underwriter. She later moved onto the insurance division of General Electric where she worked as an underwriter before taking on various managerial and senior leadership roles, leaving in 2006 to join Swiss reinsurance firm Converium.

In 2008, Dame Beale became a member of the group management team at Zurich Insurance Group and in 2009 she was named global chief underwriting officer. Her final career stint before taking up the role of CEO of Lloyd’s was with privately held Canopius, where she served as Group CEO for a year.

In 2017, she was named Dame Commander of the Order of the British Empire (DBE) for her services to the economy.

An illustrious and renowned career indeed – and Infosecurity was delighted to have the opportunity to speak to Dame Beale at Infosecurity Europe 2019, where she was one of the headline keynote speakers sharing her knowledge of managing organizational complexity and risk.

What is the biggest challenge to managing organizational complexity and risk?

One of the key challenges is to actually get alignment throughout the whole organization on what complexity is and what leads to it. Leaders usually see complexity as something different to what managers and employees experience in their work. Top executives see the sources of complexity as external and structural factors, such as the scale and scope of their company, the organizational design, new legislation and increasing regulation. However, people two or three levels down say complexity is in such things as unclear reporting lines, vaguely worded accountabilities and inefficient internal processes. This doesn’t mean that anyone is ‘right’ or ‘wrong,’ but to manage through all of this complexity and understand all the risks – both strategic and operational – calls for the whole organization to be listened to and involved. That takes time, but it will ultimately pay off in the medium to long-term.

“One of the key challenges is to actually get alignment throughout the whole organization on what complexity is and what leads to it”

What are the key strategies for inspiring culture changes within a modern business?

Culture is all about people and culture change goes hand in hand when you’re modernizing a business – culture must go hand in hand with your strategy. It’s important to bring everyone along with you when you’re driving change. The people in the business need to be involved in designing and implementing the change effort. They will then better understand why the change is needed and they will be more invested in its success. Engaging with your employees, and as much as possible, your customers and suppliers, means they will become the drivers of change. If they understand how things really work in the business, they will have ideas on the best way to implement the changes needed to support the new culture and business strategies.

Do you think cybersecurity is enough of a widely-discussed issue at the boardroom level?

Nervousness around cybersecurity pervades through organizations, including at the boardroom level. It is being discussed more and more in the boardroom, but there still tends to be a reactive response to it – for instance, reacting to the latest media article that has just been written rather than having a deeper strategic understanding of the topic. Moving from being just ‘tech curious’ to ‘tech savvy’ to ‘tech fluent’ will enable an in-depth discussion on technology trends with an understanding of their impact on the business. This will take time, as board members who are there because of a particular skill or field of expertise, can’t escape having to understand how technology opens up a huge cyber-vulnerability because tech touches everything.

“Nervousness around cybersecurity pervades through organizations, including at the boardroom level”

Do boards and information security functions communicate/collaborate well enough, or is there still work to do in that regard?

Communicating in the same language is one of the barriers to effective collaboration between boards and information security functions. The art of communicating to a board in plain English can’t be underestimated and it is a skill that is hard to master if you regularly engage with co-workers who are just as tech fluent as you are. The new vocabulary that has arisen because of technology can make a board member feel unable to contribute and somewhat embarrassed to ask relevant questions – they don’t want to come over as dumb. There can also be some defensiveness from executives when responding to questions from board members, when actually, they are just wanting to learn and understand the issues so that they feel they can add value.

Should more companies look to invest in cyber insurance as part of their risk management?

Risk management should be seen as a kind of shadow entity that sits beside everything a company does. The chief risk officer now needs to evolve into the digital chief risk officer as technology becomes embedded in all areas of a company’s operations, and should look to the insurance sector to help identify risks and vulnerabilities, which in turn helps to mitigate the likelihood of a breach happening in the first place. Cyber insurance not only provides a financial pay-out after a cyber-attack, but also offers expert consultancy to improve security and on-the-ground support during the crisis period. While cyber-policies differ, they are likely to cover the cost of legal and forensic work to identify how a data breach happened and who is responsible, as well as customer notification and business interruption costs. By working together, we can raise cybersecurity and risk mitigation standards across the world.

What’s hot on Infosecurity Magazine?