According to recent figures from Foster & Sullivan, by 2025 the global market for external attack surface management systems in the company, i.e. those technological solutions capable of accurately assessing in advance any possible cyber vulnerabilities in the corporate perimeter, will reach $2.51 billion, with a compound annual growth rate of 16.7%. An increase that, according to the latest Gartner data, will result in 20% of companies worldwide aware of the fact that 95% of their assets are vulnerable, compared to 1% today.

These data make it clear that the principle of cyber defense of the corporate perimeter, based on an in-depth knowledge of one's own radius of action and thus on a precise and opportune forecasting management of risk, is changing its perspective, moving from a reactive to a proactive plan, thus transforming and making the figure and role of the CISO within the boards of companies increasingly central.

"The main issue addressed during the Pandemic was that of the interconnection between offices - home, smart working and the factory, with non-company devices, both in companies and in other entities," comments Cyber Security evangelist, Stefano Fratepietro, in a chat realized in view of his participation in the next edition of the Cyber Security Arena, the customary meeting and discussion space on the main topics of cyber security for the business world and beyond, scheduled again this year within the spaces of SICUREZZA from 15 to 17 November 2023 at Fiera Milano (Rho). “By abusing this openness,” the expert continues, “cyber criminals have attacked personal systems, instead of corporate systems, which on the contrary, are already protected, and by hacking personal computers, they accessed sensitive corporate information. For this reason, almost all companies now do not authorize the use of non-proprietary devices, while other solutions are provided by criminology and continuous monitoring, including through protocols referred to as External Attack Surface Management, aimed at identifying a potential attack surface and the risk associated with it, not on a one-off basis, but on an ongoing basis.

It is a valuable analytical process, which takes a long time to structure correctly, but which is now underway in many companies, including in our country. Organizations that have been interpreting their defence in a different and probably more effective way for a couple of years now”. A new strategy, therefore, that relies on advanced security systems, designed to prevent the problem and no longer to cure it, to avoid damage that could jeopardise business continuity and one that offers concrete and real-time protection to every asset of the company.

Factors to be preserved through new-generation technologies and protocols that enable a real change of pace both in terms of software, thanks to emerging technologies such as AI, cloud and IoT, and in terms of hardware, thanks to increasingly complex and evolved video surveillance and all-round security systems. “These are all elements,” adds Fratepietro, “that help companies to perfect a Cyber risk culture that is becoming increasingly necessary. If, in fact, we passed through a phase in which Italian companies were at year zero and did not have adequate and cutting-edge technologies, today we must admit that investments have been made in most of the country, also thanks to the subsidies and support provided by the state.

The real critical issue now, however, is the so-called “continuous implementation”. A systematic and programmatic plan capable of forcing Italian companies (of any size) to base their decisions on a strategic Cyber risk analysis approach, in order to continue to equip themselves, where really necessary, with fundamental tools for their own protection, resilience and perimeter integrity, in favour of business continuity”. This is a very different approach than in the past, when safety was only considered after the damage had been done or an emergency had occurred, as was the case during the pandemic season. “Until a few years ago, the orientation of both Italian companies and the public administration towards the adoption of security or cyber security systems was not systemic or structured, but mostly consisted in the purchase of a tool or a technological instrument that was trendy at the time, without looking at the real long-term needs of the entity's structure,” emphasises the Cyber Security evangelist.

Today, however, people are beginning to realise the importance of risk assessment, including cyber risk. It is becoming clear that this process must be based on a careful study of one's own situation. While each entrepreneurial reality has different logics, dynamics and characteristics, in fact, vulnerabilities can be multiple and sometimes difficult to identify: from geopolitical risk to energy risk and from economic principle to the lack of cyber education, the larger a company is, even on an international level, the more it must be able to accurately assess each ecosystem that is part of its attack surface”. An increasing complexity, especially for those companies that have foreign locations in different countries and geographic areas and therefore need, first and foremost, a Gap analysis disease reduction. “Starting from the current state of the company," confirms Fratepietro, "it will therefore be necessary to develop an annual risk control plan, measured from time to time through the effectiveness of what has been done, in terms of investments, technological adoptions and wide-ranging implementations, obviously calculated through that return of investment (ROI) which, especially in a period of economic uncertainty, becomes the only real reference parameter.”

A return on investment that often, indeed, can also be realised through the activation of valuable partnerships and collaborations. “In a globalised world, where it is now clear that running alone can no longer be a solution, but instead becomes a strategic mistake,” the expert explains, “sharing skills and experience across the board is a competitive advantage that should not be underestimated. An opportunity to which the Italian market, perhaps, still makes little reference. This is a problem unfortunately rooted in the culture of our peninsula, in which, historically, there has always been little talk among competitors, so afraid of the risk of emulation that they fail to see the true potential of joint work, which is much needed right now, even more so in Europe. A real need that meetings such as the Cyber Security Arena, together with the constant work of trade associations, should promote more and more, to create a true awareness of the issue in companies and professionals who want to look forward to a successful future in this sector”.