Medibank’s chief information security officer of three years Alex Loizou has emerged as a high-profile casualty of a restructure of the insurer’s technology function at the end of last year.
Loizou announced his departure in a LinkedIn post, which coincides with the end of a cyber uplift program at Medibank that was initiated after a 2022 data breach.
A Medibank spokesperson told iTnews that Loizou’s role had been “impacted” by “some changes within our data and technology” operations that were made “in response to the evolving needs of our business.”
“During the three years he was with us, Alex’s leadership and dedication was greatly valued, with his technical knowledge, cross-industry experience and ability to spot and support the progression of internal talent contributing to the ongoing uplift of our security capabilities,” the spokesperson said.
Medibank has now hired Origin Energy CISO Christoph Strizik to lead “IT security, risk and compliance”, in addition to holding the title of CISO.
He begins his role at Medibank on March 24.
Medibank’s spokesperson said Strizik’s “experience span[ning] multiple sectors, including financial services, energy, and consulting” and membership “of a variety of security, regulatory and industry advisory groups” was looked upon favourably in the recruitment process.
“Hasn’t always been easy”
Loizou joined the health insurer from FlyBuys in January 2022, 10 months before a data breach that impacted 9.7 million existing and former customers.
Since the breach, he has overseen a major cyber uplift program at Medibank, which is expected to finish mid-2025 and cost $126 million-plus.
Loizou wrote on LinkedIn that “over the past three years, we’ve navigated complex security landscapes, built resilient systems, and cultivated a culture of continuous learning and innovation.
“While it hasn’t always been easy, it’s certainly been deeply rewarding. I’m proud to look back at some key highlights from my time here.”
These, he said, included “responding to one of Australia’s most high-profile cyber incidents; leading a comprehensive program of security transformation and growing the security team to more than double its size.”
He added that his tenure saw a shift in “conversation around security to a mindset of partnership and collaboration”.
While Medibank’s security uplift is approaching completion, the fallout from the incident continues, with the insurer currently facing a lawsuit brought by the Office of the Australian Information Commissioner.
In court filings published last year [pdf], the OAIC alleged – among other factors – that Medibank didn’t act on alerts from an endpoint detection and response (EDR) tool.