The Chief Information Security Officer role in Italy

By Roberto Obialero, CISO, S2E Business Line Manager and member of the Clusit steering committee

The Chief Information Security Officer (CISO) role is not rooted to a specific place, it can have global responsibilities or be assigned to specific areas. As a managerial role, it is unlikely to be needed in SMEs that make up the national economic fabric. In this case an outsourced support service for the role is advisable.

CISO role in a company and expertise

The ideal role is in the company management. The CISO must be familiar with the company's business and use simple, non-technical language with company stakeholders. A well-organised CISO team can have several internal and external coexisting technical roles. For this reason, the CISO must have excellent management skills. A technical background, problem solving, project management and updating on organisation’s security threats are of great help.

A key role

The CISO role involves monitoring information security and regulatory compliance issues to keep the risk arising from the continuing digitisation of business processes under control. The CISO tasks include defining a multi-year strategy ensuring the adoption of new technological initiatives under best practices and industry regulations. It is necessary to find the best compromise between the control of an acceptable ICT risk and business activities that have priority leverage. Several technical activities must be co-ordinated (e.g. detection and management of security incidents, vulnerability management, logical access authorisations, monitoring of the security provided by suppliers and partners, and the role of consultancy and planning of training on security and compliance issues). This must be managed with a budget that is generally a fraction of that allocated to the ICT function.

Main challenges

The main challenge is to improve the cybersecurity culture in the organisation. Before cybersecurity was covered in mainstream media, it was perceived as a business cost and a possible obstacle to new technologies added to the company's information system without considering if this would increase the attack surface. Several economic analyses showed that adopting "security by design" principles is an important cost-saving factor.

The time and resources available to defend corporate assets are far less than those available to criminal organisations, which have become increasingly organised and sophisticated.

In addition to cybercrime, there is a lack of user awareness of the risks involved by underestimating the implications of daily actions when handling data (according to the main reports on the causes of incidents, more than 80 per cent is due to accidental human action). There is also a high number of technical vulnerabilities, more than 20,000 in 2022, which are unintentionally introduced by hardware and software technology vendors to get ahead of the competition. There is also an unwillingness to "work as a system" by organisations. Fortunately, this behaviour is decreasing due to the creation of national and supranational CSIRT entities and the CISO industry associations.

Cybersecurity strategic management

This is done by introducing a continuous improvement process based on the periodic execution of a cybersecurity risk analysis under internationally standardised frameworks which provide an accurate picture of the existing situation and functional to the definition of action plans. Involving company management is crucial. It must allocate budgets and resources in line with the business critical issues, actions to be carried out and the organisation's risk level.

Three key points for a secure infrastructure

These involve detailed knowledge of the assets, hardware, and software based on the company's critical information. It may seem trivial, but in my professional experience few organisations are fully aware of what in the industry we call the "crown jewels" on which to focus an adequate level of protection.

A series of suitably located probes that can identify important deviations in network traffic from the normal flow and abnormal behaviour.

The availability of an automated system capable of analysing and correlating in almost real time the amount of information collected by the security systems. This must be analysed by employees in charge of monitoring.

Cooperation between CIO and CISO

In some companies the CISO is subordinate to the CIO, probably associated with the old concept where security was seen as the operational management of firewall and antivirus devices. The operational complexity due to digitisation of business processes, hybrid working modes (office and smart working) and sharing activities with partners no longer justify this relationship.

The objectives and skills required of the two roles are radically different: while the CIO must effectively oversee new technologies that can improve the effectiveness of business processes, guaranteeing the availability of services, the CISO must keep abreast of new threats that can negatively impact the business, particularly on confidentiality and integrity of information issues.

The two roles are complementary to improve the organisation's overall response to complex challenges. Their synergy must apply to the other stakeholders when their work overlaps, for example the DPO responsible for personal data processing and compliance issues.

Cooperation with other corporate functions

This is crucial to improve the security culture and bring about changes, and maintain excellent relations with all corporate functions. These include legal functions dealing with compliance and liability issues during security incidents, HR dealing training issues and good behaviour to be adopted or violations of corporate security policies, and marketing dealing with corporate communication issues.

Compliance requirements

The CISO must keep the ICT risk value below a threshold, and define corrective actions. This means playing an advisory role in assessing the adequacy of organisational and technological measures adopted by the data controller to ensure proper processing of personal data with minimisation of risks for data subjects. Expertise in assessing the security measures adopted by the ICT supply chain components, which are likely to play a key role in personal data processing is required.

Any recent changes in the role

Until about 10 years ago, organisations, except multinationals or those particularly well-structured, gladly did without a CISO. Over the last few years, the CISO has made a comeback in medium and large-sized organisations partly due to the considerable losses inflicted on companies by the increasing number of successful cyber-attacks. Several reports analysing the economic effects of cyber incidents showed that the CISO is one of the elements that contributes definitely to reducing the costs associated with a possible cybersecurity incident.