As businesses embrace digital transformation, many are interested in cloud-native architectures to support their work. Cloud services can help with scalability and connectivity, but, like any change, they come with challenges that must be managed.
As we are cloud-native, we thought there was no better person to talk to about the benefits and risks than our own CISO, Ben Trethowan MSc CITP CISSP CISM.
Ben is an accomplished hands-on Cyber Security leader, with extensive experience working in the Financial Services, Entertainment, Transport and Defence sectors. He has led Cyber activities at all levels, from governance and strategy to transformation and technical implementation, and continues to expand his skills through both academic and professional development.
He is also a trustee (and longstanding volunteer) for The National Museum of Computing at Bletchley Park and serves as a Police Support Volunteer within the Cyber Crime Unit of his local Police force.
As a leading figure on cloud-native services, he has spoken at many conferences including;
Being cloud-native means we operate fully in the cloud. It’s relatively rare in financial services, where many organisations are hybrid or even still on-premises. Our approach offers simplicity and consistency – everything resides in one ecosystem, giving us better oversight of our software and security.
Cloud technologies are also hugely useful for innovation, as we get access to a whole toolbelt of pre-built services. We can focus on solving business problems and staying ahead of the market, rather than building the underlying infrastructure to support our strategies.
One of the biggest upsides is visibility. A unified cloud platform lets us view and manage our architecture from a single vantage point and respond to any issues, which is critical for maintaining a secure environment. Still, there are security risks that come with these technologies, even if they give a better view of how we are exposed. The pace of innovation in the cloud means developers and engineers have a great deal of autonomy and responsibility. While cloud providers secure their infrastructure, configuring their services securely falls on us.
At Brit, we believe that overcoming challenges is key to innovation. There are things organisations can do to manage the risks of going cloud-native and reap the benefits.
My team uses two security approaches: proactive and reactive.
On the proactive side, we focus on training and enforcement. We educate our teams on cloud security best practices, so everyone understands their role in maintaining a secure environment. Enforcement is about adding layers of automated control, meaning someone can’t make risky decisions that may breach critical security protocols without getting prior review / approval.
On the reactive side, as I’ve mentioned, visibility is a huge benefit of cloud-native architecture. Because our software is all in one place, we use tools that give us real-time insight into what is going on in the business. These tools detect unusual activity and let us know about it, which means we can respond quickly.
It’s important to prioritise those vulnerabilities that pose significant threats to the business. We take a two-pronged approach:
The goal is for these two perspectives to meet in the middle – the vulnerabilities that are both business-critical and targets for potential attackers. This approach lets us manage risks systematically, starting with the most pressing ones.
Identity is the concept that every person, machine or service accessing our system obtains a certain level of trust. Identities earn that trust – for example, by entering a password – in order to gain access and perform their tasks.
Our identities get the minimum access needed to perform their tasks, a principle known as ‘least privilege’. That limits the potential damage if a person’s account is compromised.
Machine identities are important but often overlooked. These are the relationships between machines and services within our architecture, and if compromised, they allow attackers to move laterally within the network. Again, visibility is crucial here – our visibility tools flag if a machine or service is behaving unusually, which means we can investigate whether a security breach has occurred.
Automation is about making the secure way the easy way. For example, a developer who’s trying to create a machine identity – if they’re just working on a test product, they should be able to create that identity without layers of review, but if the product will be customer-facing, additional checks are triggered.
This is a risk-based approach that allows the lowest-risk activities to be approved automatically, while higher-risk ones require more intervention. It’s a bit like the boy who cried wolf – if people trust the system to alert them in proportion with the true nature of the threat, they’re more likely to listen and follow protocol.
Becoming cloud-native isn’t just a technology decision; it unlocks huge potential for innovation. To reap those benefits, security must be embedded at every step in a way that’s easy for your team.
To be agile, businesses need to be the first to market or innovate in some other way, and therefore a zero-risk approach isn’t realistic. Proportional risk-taking, backed by strong security practices, can allow you to innovate safely and stay ahead of your peers.
Ben has outlined the opportunities and challenges of adopting a cloud-native approach, highlighting the importance of visibility, automation, and proactive security strategies. As organisations embrace digital transformation, securing their cloud environments is essential to remain agile and innovative.
To learn more about how cyber insurance can help safeguard businesses against emerging risks that come in the wake of cloud adoption, explore our cyber expertise here.