Insightive.tv: How do you see the role of Head of Information Security progressing? As the CISO, how is that role going to be progressing?
Leonardo: It is very important for the company to understand exactly how to create services in connection with the GDPR. For example, in Italy we are focusing on this area; we’re handling many privacy aspects, so we need to understand it — we need to understand the changes being introduced by the new GDPR regulations in order to make the right investment to make our systems stronger and relevant. We are also working with our server company to make sure all the privacy aspects are in fulfilment of the new GDPR regulations. We are aiming to implement the same privacy policies across Europe and to achieve the same objectives.
Insightive.tv: What are the current business issues that are driving your current security program?
Leonardo: The two main issues we are currently facing are in relation to both security and feasibility. The market is moving towards a simpler and more user-friendly approach when it comes to banking services. The goal is to be easier and simpler for our customers, but also to take into consideration all the security aspects. That is our main goal, keeping our systems secure.
Insightive.tv: What recent projects has the business embarked on that you would consider to be transforming your digital business?
Leonardo: We actually have several projects that are digitally transforming the business. The first one is around our online banking services, which is called A New Digital Customer Experience. The bank is changing the way in which customers are approached; we are trying to integrate all the channels, and to promote all the channels and digital approaches to more digital technologies, such as the application of digital signatures. We are starting this journey in which you can connect with us via different channels, such as mobile. The purpose of this new customer journey is to have all the channels connected, making them all digital.
On the other hand, the first big project for the digitalisation of the Bank is around the data of the customers. We are managing the amount of information obtained from consumers, specifically on Big Data or Financial Data, in an innovative way, digitally transforming the way we manage the system and the information data.
Insightive.tv: Is the shift to a digital business model creating new levels of risk to your business, and if so, in what way?
Leonardo: There are different risks. We are facing new risks and the business is taking a journey to handle these risks. For example, one of the risks we face is related to the management of digital information on digital services projects. Now we are using some approaches that are not standard, which are quite innovative. We want to be sure that we can manage the technology.
Insightive.tv: How early do you engage, or are you engaged, in these security projects?
Leonardo: We are quite lucky because when working with partners, we are able to get involved in specific processes right from the beginning. Our main objective is finding a solution before we even start a project. And this is a really good advantage for us. We are prepared to implement innovation in new projects and usually we are involved in the project and in the team, so we are also part of the development.
Some issues may emerge at the end of the project as some security issues may be overseen by the partner. Now, these are some aspects we take into consideration during the complete process, while at the same time focusing on maintaining the solution.
Insightive.tv: Is risk considered during the planning stage?
Leonardo: Two years ago, before the project started with the regulation of Bank of Italia, the basis of security risks was calculated on the opinion of security experts. Now, since 2014, we are part of a complete process in the company which estimates the risks around a proposed project and its solution in the digital risk management context, making a proper evaluation of the risk.
Insightive.tv: Is security perceived as an enabler to these projects or a necessary cost?
Leonardo: It depends. In business or commercial projects, when we talk about security compliance, security may be considered as an advantage. If we talk about regulation or compliance projects, then it is difficult to understand that it is an advantage. It would be a cost to manage, in order to comply with its terms.
Insightive.tv: How is the return obtained from mitigating risk and securing the project? How is that reported?
Leonardo: There are several ways. If you are in a business project, it would be easy to understand the Return on Investment. It would be easy to understand the advantage right from the beginning.
It is more difficult in other projects in which you are talking about implementation or changing of solutions or compliance. In these cases, it is difficult to report the Return on Investment. We are now considering involving the Insurance on Capital for these purposes.
Insightive.tv: Have recent GDPR regulatory changes had any impact on the business’ thinking around securing digital transformation projects?
Leonardo: We are working now on changing business approaches. It is more than GDPR that is really changing. GDPR is changing more the way in which we manage information, but not really changing the way in which we conduct business.
Insightive.tv: How is GDPR an opportunity?
Leonardo: On the business side, and internally as a group, it is for sure an advantage because we can now handle solutions in a better way. GDPR in Europe will be a standard practice. GDPR defines a way to be responsible for the information of the customer across different countries and will solve issues around the management of this information.
There are different departments that are affected by GDPR: not only compliance and security, but also business. There are several tools that allow a better understanding of the information management of customers. The business is trying to evolve using these analyses, but at the same time following GDPR regulations. We think that in the future we will propose the right product to the customer because of the analysis we’ve made from the information obtained from the customer.
Leonardo Rosa initiated his career at Intesa Sanpaolo in 2003. Since 2014, Leonardo has been responsible for Intesa Sanpaolo’s information security and its compliance with GDPR regulations.
Intesa Sanpaolo is considered Italy’s best bank due to its quality of service assessments and performance. They are ranked as a market leader in all business areas — retail, corporate, and wealth management. Intesa Sanpaolo has a strong presence in Central Eastern and Middle Europe, and North African regions, servicing 11.1 million customers.