Get To Know The Speakers: Nicola Sotira, IT Security at Gruppo Poste Italiane
We took time out with Nicola Sotira, who looks after digital security at Gruppo Poste Italiane and also heads up the Global Cyber Security Center. Read on to find out what he’s got to say after three decades in the industry.
Nicola will be speaking at the ItaliaSec Summit, held in Rome on the 17-18 May 2017. For more information, as well as discounted entry, get in touch with firstname.lastname@example.org or check out the website at www.cs4ca.com/italiasec.
Hi Nicola, thanks for taking the time to talk to us today. You’ve got quite a varied background within information security; could you talk us through some of the things that you’ve been doing?
I started working as a programmer and then slowly moved towards a more commercial focus, through marketing and sales. It was a company selling cryptography devices operating in 40 countries and our client base was chiefly governments, armies, police forces, etc. There was a strong need for technical expertise – I mean, we were dealing with mathematicians, engineers and programmers – and I really enjoyed it.
You’ve been working in security for over three decades. How do you think the market has evolved, and what are your biggest challenges today?
I think the biggest challenge in our industry today is the constant need to change. The default IT security mentality is really overdue for change. We can’t just analyse logs and worry about what’s already happened. In business, your competitors are using market indicators to work out what will happen in one year, two, three and plan for it. Instead of business intelligence, we need to use cyber intelligence. We need to get better at predicting what future threats will look like, and apply those models to infrastructure and assets and draw up plans to mitigate these risks.
Today, we’re used to trying to protect everything, but this can’t go on forever. It’s already not working. We need to define a level of acceptable risk and anticipate it. There’s only so much we can do. This job and this department is about providing excellent service to our customers – and they are both internal as well as external. But those very same customers are also some of our greatest threats. What happens if somebody in our admin team opens a suspicious attachment, or one of our customers clicks a link thinking it’s from our marketing department? We’re running campaigns at the moment to educate our customers about simple things they can do to better protect themselves, as well as of course working internally with our staff.
You’ve been at Poste Italiane now for nearly two years, working client-side, but previously you were mostly in product-development-type roles for engineering firms. How’s that transition gone? How have you found the past two years?
Well, I’ve worked in all sorts of companies so I’m quite used to covering lots of different roles. I’ve found the transition quite natural, to be honest. I find it really helpful to know both sides of the security fence – what is best-practice from a technical perspective but also what the rest of the business needs, and what might hold them back.
I’m definitely always learning. Every day is different. I’m learning from people, from the organisation, from all sorts of places. The job is really interesting because we’re serving people – in my position it’s about helping colleagues to provide a great service to both internal and external customers.
Talk me through the work of the Global Cyber Security Center – we’ve just opened our own National Cyber Security Centre here too. What are you doing with them?
The GCSC is a global non-profit with a mission to spread cybersecurity culture. We’re active in several areas – trying to deepen an information-sharing culture, we’re working on cooperation between public and private sector, and we also publish a couple of pieces of research each year.
This September we’ll be publishing a book about SOCs and CERTs – it’ll show a best-practice example of each. We’re also working on a paper with a wide group of universities across Italy to propose changes to the education system that will give Italian citizens the knowledge and tools to work in cyber security and be more secure themselves.
Another of our key projects is about co-ordinated vulnerability disclosure. In the USA, there’s already a pretty good system, and companies are even paying out prizes in many cases. But if you tell companies here you’ve found a vulnerability in their systems, you have no protection and can be taken to court. We’d like to see this improved. In Holland, Finland and Sweden it’s happening. But we’ve got to get those discussions underway here.
Gruppo Poste Italiane is the Italian state postal services provider, part-privatized in 2014 and headquartered in Rome. It has annual revenues of over €30bn, and its group subsidiaries extend to life insurance, investment solutions, internet services, courier mail and package delivery, as well as a mobile virtual network operator.