The importance of the CISO

Andrea Dainese
February 19, 2021

In this particularly challenging period for companies, many long-ignored or underestimated information security issues are coming to light. Several accelerating factors have put corporate security under pressure; the most relevant include:

  • The need to expose services globally has allowed us to reach international customers with ease, but it has also made us equally accessible to potential attackers worldwide.
  • The availability of electronic money (cryptocurrencies) has made it easy to move capital across the globe without intermediaries such as banks.
  • Low awareness of information security has led to short-sighted decisions, whether due to budget constraints or a lack of skills to properly assess risks.
  • Reliance on third-party cloud resources has expanded the infrastructure, often unknowingly increasing the attack surface.
  • A lack of security assessment during rapid application development has resulted in the release of immature applications—functional but insecure.
  • A pandemic has forced many companies to improvise business continuity plans under tight deadlines.

The result of these six factors is an explosive mix, whose effects we are starting to see today—though many remain hidden from mainstream news. I would argue that we are just at the beginning; cybercrime is not only a huge business, but it has also become the “fifth dimension” of conflict.

We can also admit that we have voluntarily ignored some tools, choosing the short path rather than the long-term one:

  • International certifications such as ISO/IEC 27001 or PCI-DSS have often been pursued merely to obtain the “seal,” rather than to genuinely add value to the company.
  • GDPR compliance has often focused on the legal aspects, rather than addressing the complexity of IT processes, except in rare cases.

A Predictable Failure

Recent data breaches have triggered an “arms race” within companies, which hire security leaders (CISOs) expected to solve these challenges without strategy, budget, technical staff, or the necessary commitment. I continue to see job offers where the future CISO reports to the CIO—an evident conflict of interest.

Starting from the Beginning

Management must understand the risk posed by cyberattacks, but often lacks objective data even to consider the possibility. From this awareness, they must decide whether and how to act, delegating responsibility and authority accordingly.

What’s needed is awareness, commitment, and a leader capable of having a cross-functional vision—encompassing company processes, risks, and infrastructure—and able to guide employees toward greater information security awareness.

Companies often seek a CISO as a full-time internal hire, but this approach has drawbacks:

  • Experienced figures who can guide information security strategy come at a high cost.
  • CISOs reporting to the CIO often have limited independence and reduced operational capabilities.
  • Internal figures may focus too narrowly on their immediate context, losing sight of the global threat landscape over time, and risk becoming overly political.

A Growth Path

In my work, I often meet companies that recognize the need to address information security but struggle to develop an effective strategy. Many want to begin a structured growth path—starting with management and training existing staff. The goal is not to outsource the CISO function (which is rarely effective), but to provide the tools to those in the company who are in a position to act.

Through this gradual path, clients gain:

  • An understanding of the risks related to their infrastructure.
  • Awareness of how technological choices directly impact business.
  • Improved processes over time, achieving higher overall security.

Most importantly, training staff equips them with the skills needed to independently manage security within the company going forward.