On June 20th, the Kriptia seminar “SECURITY INTELLIGENCE IN THE CORPORATE CONTEXT, BETWEEN PHYSICAL AND CYBER SECURITY” was held in Milan. It highlighted the connection, in terms of both usefulness and compliance within the corporate context, between intelligence analyses aimed at security and investigation and those carried out for commercial purposes, such as counterparty analysis, business intelligence, and travel security.
Particular attention was given to SMEs, an essential component of the Italian economic fabric, which need to protect their businesses both from external attacks and from the risk of sanctions for non-compliance with the relevant regulations.
The roundtable, moderated by Raffaello Juvara, editor-in-chief of securindex.com, brought together notable guests. The first round of discussion produced several interesting and varied points, which often converged.
Giulia Gubbiotti, Head of Security Intelligence at Fincantieri, pointed out that organizations still use data in a partial, fragmented, and contingent way, even though data are business-critical assets. In the security field it is necessary to work with good data and to develop a data-driven culture focused on strategic needs. To work efficiently with data, one must start from strategic and informational goals; otherwise one falls into the paradox of knowledge: large volumes of data that corporate leadership finds difficult to interpret.
Technology alone is not enough, because the human factor makes the difference. It is essential to start from a strategic vision and to allocate financial and human resources to intelligence teams. Continuity, retention, and diversity are success factors for a security team, together with competence and knowledge.
Mario Florio, former Security Manager at Eni and now General Manager of a risk management company, emphasized that the pillars of security are compliance with the law, employer responsibility, policies, and a budget treated as an investment and an insurance: it opens business opportunities by allowing the company to produce better and more safely. He added that Security and Safety, although different, are complementary.
He also noted that security risk management aims at asset integrity, business continuity, and reputation. Its tools are internal policies and procedures, mitigation actions, and security services.
The preparation phase requires a project study, a threat assessment, and a security plan, which may include mitigation measures or the extraction of assets. The implementation phase requires procurement (consulting, tendering, and security services) and subsequent reporting.
Angelo Tofalo, former Deputy Defense Minister, pointed out how much difficulty politics and lawmakers have had over the past 10 years in formalizing cybersecurity tools to protect not only the Public Administration but also businesses and SMEs. Cybersecurity is not a cost but an opportunity for the community; in Italy it developed first in Defense, then in the central Public Administration and finally at the territorial level, with competencies thinning out at each step.
Although SMEs are the weak link in the country's system, they are also a great opportunity, according to Prof. Aldo Pigoli, Competitive Intelligence Expert and University Professor. In Italy a path is being built, although it is harder in SME operations because SMEs have no direct relationship with state entities: they are more autonomous and rely on industry associations, which sometimes act in a corporatist way. From this perspective it is essential to create a security culture in which security is not seen as a cost and regulations are not perceived as an obstacle to operations. Even within SMEs, informational needs have emerged in recent years, especially after disruptive events such as COVID-19, the war in Ukraine, and international tensions, which created problems for business continuity. Some SMEs benefit from their relationships with large companies and from the compliance requirements imposed on all suppliers, to which they must adapt, but they need to be involved and made aware of the importance of data, not just of products.
Giulia Gubbiotti intervened to recall that large companies have the responsibility of guiding and orienting: highlighting best practices, structuring compliance processes that the entire supply chain must follow, and also working on the culture and posture of legality for the benefit of the country's system as a whole.
On this point, Angelo Tofalo recalled that Italy relies on its fabric of SMEs, and that security by design is essential to enable proactive strategies, preferably with a European perspective that harmonizes national laws so as not to be crushed between superpowers.
According to Mario Florio, the cost of security management borne by large companies cannot simply be transferred to SMEs, because it would compress their profit margins. What must be conveyed is the principle that an information culture and the training of staff and travelers are a safeguard for the individuals themselves, for the employer, and for the company. Here the costs are lower than the damage caused by an incident.
Aldo Pigoli stated that the solution had emerged from the debate itself: we are not starting from scratch, since cultures and training already exist at various levels and, despite their cost, generate knowledge and competence. He acknowledged that training must address operational practice and not just theory. Best practices exist in the country's DNA, even among SMEs, but unfortunately they are not modeled and shared, and the spirit of building a system (including at the European level) is lacking.
Valeria Ceci and Costanza P. of Social Links, a global OSINT intelligence provider with over 500 clients in 80 countries and three SaaS open-data intelligence solutions for Maltego, talked about security intelligence in a business context, referring to a case study. At the due-diligence level, the advantages of using the OSINT solution are a 20-35% reduction in time (and therefore in cost), leading to actionable intelligence insights. Extracting the data in a few minutes leaves the analyst more time for the actual intelligence work.
Giulia Pieroni, Senior Associate of Castor Vali Africa, joined from Kenya to illustrate the foreign context of due diligence. Historically, the most relevant regulatory references are the American Foreign Corrupt Practices Act, enacted to prohibit companies and their entire supply chain from bribing foreign officials to obtain commercial advantages, and the British one (the UK Bribery Act). The growing enforcement of these laws has led international companies to perform due diligence, especially on suppliers. While in Europe such checks can easily be performed online, elsewhere this information is harder to obtain and sometimes exists only on paper. The OSINT part can be integrated with HUMINT (interviews with human sources, such as former employees or competitors). In her experience there is growing interest in protecting one's reputation in a broad sense. Cross-border corruption investigations require superior expertise: continuous updating and a varied, multidisciplinary team with different legal and linguistic skills are essential. It is also crucial to rely on firms that know where and how to find genuine information, especially in countries where corruption is endemic and the reliability of sources is never a given.
Matteo Colella, CISO of Siram Veolia, talked about physical security and about how he sees the convergence of logical, physical, and environmental security, driven by digitalisation, through which an increasing amount of private and business information now flows.
Corporate information assets must be protected in both the cyber and the physical dimensions, and the latter is now increasingly built with IT tools. The required competence is varied and comes from training, awareness, and knowledge of the regulatory framework. Citizens themselves must understand the importance of the information they entrust to an IT medium: data governance and protection are social issues involving both individuals and companies.
Today physical security is pursued by investing in technology and removing the human factor, but this inevitably moves the problem into the cyber domain. It must be recognized that when technology fails, humans step in. Companies need a secure environment in which people themselves help ensure security; it is the human factor, not the technological one, that makes the difference. Companies tend to automate in order to save money, but in doing so they can fall victim to cybercriminal organizations that attack them on both the physical and the informational front.
Companies can be compared to a state, with protections on their perimeter, but unlike states they invest nothing in intelligence. Paradoxically, IT products are encouraged, yet without human intelligence the environments they protect are not secure.
Giulia Gubbiotti intervened again to emphasize that Security Management must seize both the opportunities and the risks surrounding us, and to recall how decisive and distinctive the human factor is for those who deal with security. Analysts are a scarce and critical resource with cross-cutting skills (legal, IT, communication, and more); the challenge is retention, because people are the driving and innovative force, while technology can only respond to a need and cannot generate it.
Finally, William Farris, Director of Security for a company providing close protection and security management in the United States, gave his testimony from an American perspective. Physical security in the USA is a very lively and dynamic field and, at the same time, an economically significant one. While recognizing the importance of physical security and of the human element, he highlighted a problem of professionalism. Over the years he found that his own professionalism fitted perfectly into the American system: paradoxically, the different rules of engagement and security, governmental and private, that he had matured in the Italian context turned out to be an added value in the American one.