SICUREZZA 2025: OVER 120 COMPANIES ALREADY CONFIRMED MORE THAN A YEAR BEFORE THE EVENT

The industry expresses its confidence in the event, which reaffirms itself as one of the leading European exhibitions.

Nasi: cyber risk management will be at the centre of security for the company of the future

“Companies are increasingly adopting complex technologies, such as the Internet of Things (IoT), cloud computing and artificial intelligence. These new technologies offer many advantages, but also increase the attack surface and the complexity of security management”. This was the starting point of our chat with Greta Nasi, Director of the Master of Science in Cyber Risk Strategy and Governance, Bocconi University and Politecnico di Milano, who - in view of her forthcoming participation in the Cyber Security Arena, within the spaces of SICUREZZA, scheduled to take place at Fiera Milano-Rho from 15 to 17 November 2023 - explained to us how important cyber risk management and assessment is in companies today, also, and above all, when organisations decide to implement the protection of their defence perimeter through new video surveillance devices or new tools for the preventive and predictive maintenance, updating and monitoring of their machinery. “The attacks,” continued the professor, “have become more sophisticated and more determined in the pursuit of their goals. The increase in ransomware attacks, phishing and other threats, which are more geared towards directly attacking hardware as well, has put a strain on the security of companies, also because the cost of accessing cybercrime tools has gone down”. The issue, however, according to Nasi, lies not only in the new opportunities for access to low-cost attack tools offered by the markets, but also in an objective underestimation shown by companies on the subject of cyber security.

“Investment in cyber security, in fact,” Nasi emphasises, “has not been carried out with the same degree of maturity by all companies and this has made many of them even more vulnerable”. This opens up the discussion to multiple issues, including the increasingly necessary development of a cyber security culture among both supply chain companies and professionals within an individual company, the increasingly important provision of state-of-the-art defence tools capable of handling the new complexity of an ever-changing scenario, and also the increase in skills in the face of technological innovation now without limits or brakes. These are all factors that pose risks and opportunities that need to be assessed accurately and wisely to avoid making the wrong decisions that, in times of great uncertainty, can mean the difference between resilience and failure.

“The elements to be considered when setting up a good cyber risk assessment strategy,” she explains, “concern investing in people not only in roles of technical cybersecurity experts. The National Recovery and Resilience Plan (NRRP) can be an important opportunity for companies to improve their cyber security through investment and funding to invest in people and tools. With regard to the identification and management of cyber risks, the key aspects to consider, in addition to investment in digital culture and people, are the systematisation of cyber tools in business processes, collaboration, and the ability to adapt the investment in prevention and resilience right from the design of the IT systems”. The so-called “by design” approach that is increasingly gaining ground today, both in the field of cyber security and in digital transformation more generally, is becoming a basic concept on which to lay the foundations for success. In this sense, therefore, the principle of defence and security, from the hardware and physical aspect of security to the software and digital aspect of artificial intelligence and cyber infrastructures, changes its positioning, going from a defensive status to a preventive role, where the monitoring and identification of malicious actions or criminal clues can concretely make a difference, also thanks to the skills deployed by those talents whose scarcity is strongly felt by companies in our market today. “The lack of professionals is a major challenge for companies in our country today,” the academic admits. “Institutions can play a key role in promoting cyber security awareness, training and implementing effective regulations to incentivise companies to protect their data and infrastructure. Training and education are crucial for addressing the shortage of talent, and can also be promoted through government programmes and tax incentives”.

These are all essential initiatives to anticipate the gap that is already present today and that tomorrow could be a real obstacle to business continuity. Suffice it to say that in 2022 alone, cyber attacks in Italy increased by 169%, with serious or even very serious incidences, according to the latest Clusit data, which means that, if one does not have the right skills and talents, it could be extremely complex to defend one's cyber perimeter and thus one's business across the board, including one's information assets, in the coming years. Hence, it is becoming increasingly clear that in times of such great economic, labour, environmental and digital uncertainty, the Risk Manager and the Chief Information Security Officer must work ever more closely together in order to guarantee the company a defence strategy that enables business continuity despite everything. “In the most advanced companies, in fact,” concludes the professor, “risk management and cyber risk management have already been integrated. This is the trend for the future. Not least because it is only through collaboration within the company, but also between companies, governments and organisations that complex cyber threats can be tackled. We need to understand the demands of the market, which are no longer only related to technical figures, but also to professionals who can support decision makers. This is why, more and more, even in the university courses we design, we try to combine technical and social science skills in order to be able to support every business sector in making strategic and operational decisions. Indeed, the question is no longer how to manage risk, be it cyber, environmental, geopolitical or economic, but how to foresee and prevent it with a broadened and shared vision. Only in this way will it be possible to maintain a solid and secure governance not only of the company, but also of the context in which it is embedded and operates”.