Safeguarding Digital Frontiers: An Interview with Francesco Nigro, Bitron's Chief Information Security Officer
In this interview, we speak with Francesco Nigro, Bitron's Chief Information Security Officer, to learn about his experience and techniques for dealing with growing cyber threats. From his career in IT consulting to his present work at Bitron, we discuss his thoughts on staying ahead of cybersecurity threats and negotiating the complexities of data protection rules. Join us as we explore the dynamic field of cybersecurity with a qualified expert.
Can you tell us about your journey to become an information security manager? What experiences have helped shape your career in information security?
Having always been interested in IT and technology, I began working in consulting, mostly assisting SMEs and major enterprises in meeting industry requirements. Interacting with realities of varying degrees of complexity requires the ability to constantly face new obstacles. All of this led me to Bitron, a company that quickly impressed me with its extensive knowledge and history. And after over a decade, first as a collaborator and then as an employee, I still believe it is one of the best companies in the country for allowing individuals to express themselves.
Cyber threats are constantly evolving. How can you and your team stay current on developing threats and respond to new cyber security risks?
I prefer talking about teams. There are the InfoSEC department and the ICT department, whose workforce specialises in these concerns and works every day to stay up to date on everything connected to the subject. Then there's the Bitron Team, which includes all of the company's employees who contribute to information security on a daily basis. Cybersecurity cannot be accomplished without collaborative efforts.
Everyone is doing their share to combat the continuously shifting threats. The expansion of technology, and the resulting evolution of increasingly "smart" devices, portability, hyper-connectivity, and the cloud, has radically altered the concept of the 'business perimeter'. Previously, it was vital to preserve organisational assets within a specified perimeter; however, this concept has disintegrated, posing a significant challenge to those responsible for protecting the value of the massive amount of information generated, transferred, and consumed.
Compared to the past, the potential attack surface is very large; we must all do our share to assure security.
Data privacy is becoming a major concern for both businesses and consumers. How does your function contribute to protecting data privacy in our organisation?
In this case, we're talking about the law: the GDPR arrived like a meteorite, yet it imposes extremely tight constraints on how personal data can be treated. This is because individuals are a company's most valuable asset and must be protected. People defend themselves by safeguarding their personal data; the market for personal information is one of the greatest and most profitable in the underground world of the infamous dark web. There is regular news of databases being sold. Bitron prioritises privacy. We, as an office, have a fundamental need to give clear instructions that will enable us to comply with the law and ensure the security of users' personal data.
Cybersecurity is sometimes viewed as a technical issue, but it also requires understanding and managing human behaviour. How do you handle the human aspect of cybersecurity in our organisation?
Technology only goes so far. The human factor remains an important aspect of cybersecurity. Part of our work is to raise as much awareness about the company as possible. We undertake a lot of user awareness and training; there is a training programme that spans several years and covers cybersecurity subjects in increasing depth, with a top-down approach that progresses from general to particular.
The training packages address a wide range of behaviour, beginning with personal behaviour. To put it simply, we must empower individuals to detect possible risks even in their private lives. These courses are intended to reach everyone, using simple language and clear intentions: if a user can detect a phishing email that arrives through his private channels, he will be able to do so in the workplace.
What developing technologies do you see defining the future of cyber security, and how do you strike a balance between the requirement for strong security measures and the imperative to stimulate innovation inside our organisation?
We've been discussing AI and its possibilities for quite some time now. It is a fantastic opportunity if we consider it as a tool that can provide value. However, this enormous potential comes with great risks: it is impossible to think that cybercriminals will not try to exploit these technologies. At the regulatory level, the European Parliament is also beginning to take the first steps, but it is necessary to have a good understanding of how best to exploit this technology and what risks it brings.
If we talk about innovations, we cannot close our doors; we must relate to the world, but we do not have to welcome innovations blindly. It all 'comes down' to assessing the risks and opportunities. I am quite convinced that AI will undoubtedly be adopted by all companies in the future; how it will be implemented remains to be seen. Certainly, boundaries will be necessary—just consider the copyright issue. Innovation should be encouraged, but with due caution.
Finally, what drives and inspires you to continue your work in cyber security, especially in light of growing problems and threats?
The answer is in the question. Constant technological advancements force humans to adapt their human-machine and human-human interaction ways. The high level of dynamism that we all witness requires individuals working in this profession to be 'always on the ball', attempting to evaluate and comprehend how new technical solutions and human behaviour will change the way we relate and operate. As a result, it is necessary to approach these new problems in a critical and constructive manner, thoroughly assess the risks, and remain committed to the business.
To put it simply, you're never bored.