Insightive.tv: How do you see the role of info-security progressing, and the position of security officers and CISOs within the sector?
Michele: Until even a few years ago, being a security officer was quite easy. You had your systems and you had to protect them. Now security is moving towards end users. So, in theory, my role is to protect my end users. But my end users are a couple of million Italian bank customers. And that is quite complicated because, at the moment, hackers have a large number of tools at their disposal. They are also strategic with their attacks — it’s easier to attack end users than bank systems. There will be a big evolution. Security will have to become less technical and more social.
Fifteen years ago we paid companies to test our firewalls. Ten years ago we paid companies to test applications. Now we pay companies to test our users. We do social engineering tests, and we have to teach our internal users not to make mistakes. The evolution is from systems to people. Interesting, but difficult.
Insightive.tv: What are the largest business issues currently driving security?
Michele: What happened in the last few years is that banks, both Italian and European, suddenly came to understand that security is an issue. It is very strange to say, but until five years ago the understanding of central banks regarding information level security issues was not high. Banks were not obliged to follow strict security rules. Most did. But, for example, many small banks did not. Cedacri has about seventy customers, and most of them are small banks. The real revolution is that suddenly rules came out from the European and Italian central banks that obliged banks to be safe. This has really caused an increase in security.
From our perspective, it is not that we are doing new things, or providing significantly new services. It is that things we used to do for some of our customers, we now do for all of our customers.
Insightive.tv: Is the shift to digital business creating new risk?
Michele: Yes, of course. But we have implemented technical solutions to account for changes. For example, with increasing numbers of privileged accounts, account authentication poses a problem. Recently we began the installation of CyberArk to mitigate this. We restrict access to our system by firewall, so the only possible access point to our system is through CyberArk.
But, internally, the point is that Cedacri has always been a digital firm. So there is not a real digital revolution within our business — it began thirty years ago. In the industry, there is a big shift. But we sell information technology, so there is no shift for us, just more customers.
Insightive.tv: How early do you engage in digital projects from a security perspective?
Michele: This has actually been a big shift. When I arrived at Cedacri four years ago, security arrived at the end. The drivers were wholly profits and functionality. Now, security is inside the project from the beginning. We have static control of the software. We have systems that immediately alert a developer that what they are doing is not secure and must be changed. On a broader level, the risk and security management of new business applications are considered from the beginning.
Insightive.tv: Is cybersecurity generally considered an enabler or a necessary cost?
Michele: In the last year it has been an enabler simply because the new central bank rules impose security. You cannot create a business application that is not secure because it will be blocked by final customer security controls. So it is an enabler in that sense.
However, it is often seen as a cost. The point we are at now is that in the banking environment security is seen as more of a legislation problem than as a real problem. The maturity stamp that will be necessary to achieve within the next few years is passing from doing it because we have to, to doing it because it is safe.
But I think that it is a good thing because this understanding of the security risks by the central banks has allowed us to become part of the business curation process. So, although an acceptance of this understanding by all banks will be the next step, at least we are on the right road.
Insightive.tv: How do you calculate the return on investment on cybersecurity programs?
Michele: Ultimately, if products are not secure, customers will not buy them. But there is not a specific cost evaluation of security failures. I would love that, but it is not there now. The problem that security has always had is that it is very difficult to analyse collateral investment. I do think that for a lot of people security, at the moment, is seen as a necessary cost. The difference now is that it is necessary. But it is still seen as a cost.
Insightive.tv: As a provider of security solutions to many Italian firms, what is your perspective on the industry’s reaction to the GDPR?
Michele: At the moment, that is the wrong question. If I go to my customers now and say — let’s talk about GDPR, they will say — let’s talk about that next year. At a certain point Italian lawmakers will put a date on implementation, and at that moment I will have thirty customers coming to me asking for answers. So we have to be ready.
We, in the privacy world, are obviously thinking about the GDPR. But it will be in place in two years. For the banking world, two years is a lot of time, so I think that there will be heavy modifications brought in by the GDPR, but that banks will not begin implementations until the end of 2017. Right now we are still in the old regulations.
Italian privacy laws are very strong. And I think that in a couple of years everyone will have the same awareness of GDPR as they do of the current privacy rules. What I hope, and what I think will be true, is that the GDPR will impact businesses in a more reasonable, flexible and effective way than the existing rules.
Insightive.tv: Does that mean that you see GDPR as an opportunity?
Michele: The problem with Italian privacy law is that its proscriptions do not appropriately fit the technology. For example, Italian privacy laws say that you have to update your antivirus software — which is good — but it says that you have to update it twice a year. That is so useless it’s almost funny. The GDPR will ask privacy officers to perform a risk analysis and to be consistent with the risk analysis. This is a big opportunity.
But, still, as I told you, we do not yet fully understand which fields will see opportunities based on this regulation because we have not yet begun to be pushed by our customers to provide solutions for this regulation. We are still studying.
Insightive.tv: Have past regulations impacted your digital transformation projects, and do you foresee such impact stemming from GDPR?
Michele: Italian law has shaped certain projects, and considering that aspects of the GDPR are extensions of Italian law it will have a continuing effect in that regard.
But it is honestly hard to tell where GDPR will go. The aspects of it that seem most demanding, we are already in compliance with internally because of existing Italian privacy law. But all laws have two levels — the level of what is written and the level of application. So, probably, we will have to wait for the law to be applied to understand which aspects will change.
Privacy by design is a very good example of this. The GDPR requires privacy by design. We already do privacy by design. It is not really requested by the law now, but we do it anyway. Will our way of doing privacy by design be good enough for regulators? I don’t know. We have to wait.
Michele Rivieri is Security Officer at Cedacri, overseeing all security issues. He is also the acting Privacy Officer at Cedacri, making him a hub for all information security and privacy operations within the group. We spoke with Michele to get an understanding of the cyber-security priorities at a company that specialises in IT.
Cedacri supplies financial institutions and industrial companies with software and business process outsourcing solutions. It has held the leading position in the Italian market for the last thirty years. Publicly, it is not a well-known company, but its services enable a market share of Italian financial services that would make Cedacri the fourth largest national bank. This is in addition to offering facility management services to a wide range of companies.