Stefano Ramacciotti is the President of the (ISC)2 Italy Chapter. Stefano supported the promotion of CONTINUITY, a new digital training platform for business continuity managers, which is part of a project funded by the EU Programme Erasmus Plus. He has now kindly agreed to answer a few questions on the importance of raising awareness in the security industry about business continuity and resilience.
How important is it to have a security community in the Italian context and how can it be strengthened?
This is a challenging question because having a single national community from a certain perspective would be desirable and simultaneously something to avoid. When it comes to security, there are numerous aspects to consider since it has multiple facets. Historically, physical security and personnel safety come first, followed by information security, and finally, cybersecurity or, more precisely, ICT (Information and Communication Technology), to address only the main topics. In particular, the latter is decidedly multifaceted, and knowledge areas have become so specialized that there is no longer anyone who can claim to be a true expert in cybersecurity, but rather there are many experts in numerous related and diverse disciplines.
Already in this field, there is not a single community, but multiple communities that interact, communicate, and intersect. For some time now, there has been a convergence of different security fields, especially between physical and logical security. Personally, I believe that this is the path to follow, and I do not advocate for a complete merger into a single community; it does not seem like the best solution because one field could take over from the others. In my opinion, it is better for each community to maintain its individuality, its soul, but there is certainly a need for convergence between various needs to achieve the maximum possible for ensuring system security through interaction. This is to improve mutual understanding, facilitate a mutual exchange of knowledge, identify common threats, and share best practices.
To strengthen a community of communities, it is essential to foster collaboration among businesses, government institutions, and civil society organizations. Initiatives such as online forums, conferences, and joint exercises can contribute to consolidating this network, enhancing readiness and incident response capabilities. In this sense, the recent webinar organized with Alberto Mattia, Managing Partner of PANTA RAY, to present the new CONTINUITY platform is a great example of fostering collaboration across disciplines and highlighting the synergies between the security and business continuity fields.
How can security training be targeted to make it relevant in the corporate landscape? Can the topics of security and business continuity be combined to enhance the effectiveness of training?
Security training must be targeted and relevant to the company’s context. In particular, (ISC)2 Italy Chapter, of which I am honored to be the President, focuses on cybersecurity culture and certifications across various sectors of interest. It is the Italian chapter of the renowned information security and cybersecurity association, and likely the largest global association with over half a million cybersecurity professionals scattered worldwide.
The chapter provides various certifications, with the most significant being the CISSP, which stands for Certified Information Systems Security Professional, addressing security comprehensively.
Certification candidates must demonstrate excellent knowledge in areas such as risk management (with a focus on legal, compliance, Business Continuity, and Disaster Recovery issues), security architecture and engineering, network security, identity management (IAM and physical/personnel security), vulnerability assessment and penetration testing, software development security, etc.
In addition to CISSP, ISC2 offers several other certifications. The more easily attainable ones, as they require minimal or no prior experience, include the new Cybersecurity Certification (CC), Security Administrator (SSCP), and Governance, Risk, and Compliance (CGRC). Then there are more “vertical” certifications such as the recent Cloud Security (CCSP), Secure Software Development (CSSLP), and concentrations on Security Architecture (ISSAP), Security Engineering (ISSEP), and Security Management (ISSMP).
ISC2 has always dealt extensively with the issue of business continuity as a cornerstone for business survival, as it originated within information security and later became a standalone element affecting the entire company rather than just IT. This legacy was evident during the pandemic when smaller entities, like many SMEs, initially viewed it as an IT concern rather than a company-wide issue. And for this reason, (ISC)2 Italy Chapter has decided to promote the CONTINUITY initiative, which is a platform provided free of charge thanks to the contribution of the European Union, so that interested individuals can consolidate their knowledge, sometimes acquired in the field during recent crises.
To answer the second part of the question, it is not that the topics of security and business continuity can or cannot be juxtaposed to enhance the effectiveness of training; I would say, if anything, that they must, without a shadow of a doubt, be treated together. In a modern company, the IT component is generally cross-cutting to most other sectors, and it must be structured to effectively respond to various threats and attacks. Thus, cybersecurity is closely linked to the ability to maintain operational continuity to be effective. Integrating realistic threat scenarios and operational continuity solutions into training programs can better prepare personnel to handle complex situations.
What are the key competencies of security personnel in today’s environment? Do they include business continuity or resilience components?
Key competencies in the field of security include a deep understanding of digital threats, the ability to manage security incidents, advanced technical skills, and increasingly, knowledge of business continuity and resilience. Security specialists must be able to face both digital and physical threats, coordinating an effective response and ensuring operational continuity.
Unfortunately, in Italy, reliance is often placed either on theoretical knowledge acquired through regular academic courses, often not adequately supplemented with the continuous updating needed in a constantly evolving situation with increasingly sophisticated threats, or solely on practical experience gained in the field.
Certifications, obviously if and only if issued by associations or companies that offer a high level of assurance, represent the solution, as they are the primary tool for a company to verify competencies in a specific field, especially for newcomers, or as an incentive for the ongoing growth of even more experienced personnel. They ensure that these competencies are consistently maintained at an adequate level.
What are the emerging trends you are observing in strengthening companies’ security systems? How are the topics of artificial intelligence and machine learning being framed in this regard?
The emerging trends in corporate security include the increasing adoption of technologies such as Artificial Intelligence (AI) and machine learning (ML) to strengthen defense against advanced threats. These technologies can be used to analyze large amounts of data, identify anomalous patterns, and improve prevention capabilities. Thinking in terms of business continuity or disaster recovery, they can also provide responses to attacks. However, it is essential to address the ethical and security challenges associated with these technologies because, while they solve many problems, they also represent a largely unexplored new world that could pose intrinsic threats. In fact, attackers are also leveraging such systems.
How do you keep up with an operating environment populated by changing threat types? Would it be correct to say that current threats to organisations now predominantly include a mixture of both physical and digital impacts?
To keep pace with an operational environment characterized by continuously evolving threats, it is essential to maintain an open, proactive mindset, a healthy curiosity, and continuous updating. This involves constant monitoring of threat trends, participation in security intelligence communities, and ongoing updates to security policies and technologies. Current threats often involve a mix of both physical and digital impacts, requiring a broader, comprehensive, some might say holistic, view of security that encompasses all dimensions.
Additional and/or concluding remarks.
Acquiring certifications in the field of security is crucial to demonstrate skills, compliance with recognized standards, and the continuity of updates and, for some, training. Since the most important certifications are challenging to obtain, having access to platforms like CONTINUITY represents an excellent resource to consolidate one’s theoretical foundations and stay updated.
To obtain reputable certifications, it is essential to have qualified instructors who provide adequate preparation. Unfortunately, especially in Italy, unlike in the Anglo-Saxon world, there is a plethora of companies offering courses with instructors who are not always sufficiently qualified and who readily issue attestations that have little to do with the “significant” certifications mentioned earlier.
It is worth mentioning that there are essentially three types of certifications:
- Professional certifications: the two main types are the so-called ‘horizontal’ ones, typical of managers or those who need to have a 360° view of the various security issues, and the ‘vertical’ ones, which provide clear and very in-depth information on a specific sector (such as managing a particular type of firewall).
- Product certifications: aimed at demonstrating that the product performs as expected in terms of security requirements and is therefore trustworthy.
- System or service certifications: to ensure that a system is organized and managed appropriately to respond to threats.
Certifications such as CISSP (Certified Information Systems Security Professional) and ISO/IEC 27001 can be crucial to demonstrate the competences of security professionals and ensure that the selection of security controls is appropriate and proportionate for the Information Security Management System. In both cases, it is essential to handle business continuity correctly and effectively to ensure the organization’s resilience to defend against potential threats. Indeed, no matter how many countermeasures and controls one may take, the possibility of a breach in the system will always exist, and one must know how to act to ensure survival.
Adequately preparing professionals and organizing security aspects within the organization is necessary, but unfortunately not sufficient to prevent and respond to all possible incidents. 100% security is impossible to attain; therefore, it is always necessary to be ready to face incidents, ensuring business continuity during and after a security event that can occur at any time.
For a certification to remain valid, it must be dynamic and adaptable to new challenges and emerging technologies. Including elements related to artificial intelligence and machine learning in certifications can ensure that professionals are updated on the latest trends and can effectively integrate these technologies into security strategies.
In conclusion, the convergence of robust communities on the common theme of security, targeted training, and appropriate certifications constitutes a comprehensive approach to address the increasingly complex challenges of security. Corporate security is an interconnected ecosystem that requires collaboration, specialized skills, and compliance with industry standards. Keeping the focus on these key areas will ensure a safer and more resilient environment against current and future threats.
Author: Gianluca Riglietti