Managing cybersecurity risk in Italy: raising awareness & leveraging economic opportunity

As the Italian Presidency of the European Union enters its final stretch, cybersecurity remains a priority for both Italy and the European Union. This became abundantly clear during a cybersecurity policy workshop in Rome last week attended by leading security experts from academia and the public and private sectors. For Italy, this focus goes beyond leading (and hopefully concluding) the negotiations on the Network and Information Security (NIS) Directive, although clearly this is and remains one of the highest priorities of the Italian presidency. Italian negotiators of this dossier have stressed that they want to reach political agreement on all major issues regarding the Directive within the course of their Presidency. Some voices – both in Rome and in Brussels – have cautioned that many of the outstanding issues may require additional consultations, possibly beyond the time of the Italian Presidency, which concludes at the end of the year. Regardless of when the Directive is concluded, it is critical for Italy and for Europe as a whole that this framework be risk-based and focused on raising cybersecurity levels for Europe’s core critical infrastructures and services.

Doing so will require Member States to dedicate significant resources and attention to cybersecurity. To date, many EU Member States are lacking both. In fact, the gap between cybersecurity risk and the level of cybersecurity awareness was cited as the single biggest challenge for developing Italy’s cybersecurity capacity. Italy has developed several important cybersecurity initiatives over the past year which will help protect vital national networks and assets, such as the Presidential Decree No. 67251, which introduced critical guidelines to define the organizational structures needed for the coordination of cybersecurity both domestically and internationally. This was followed by the National Strategic Framework for Cyberspace Security, published at the end of 2013. Yet when these approaches are discussed in the context of the new requirements facing Member States as part of the NIS Directive, it seems evident that additional focus needs to be put on the implementation of these frameworks. One example in Italy is the National Italian Computer Emergency Response Team (CERT), which, according to Italian experts, is plagued by insufficient resourcing.

Another, broader challenge relates to the lack of cybersecurity awareness at the senior political levels. This phenomenon is certainly not unique to Italy, but numerous experts in both the public and the private sector are pointing to the need for much stronger political leadership on this issue at the national level in order to help turn sound policy frameworks into operational realities. Missing out on creating a more resilient cyberspace would significantly hamper Italy’s ability to leverage the ICT revolution, such as cloud computing and the Internet of Things, in ways that other EU Member States have started to.

This call to action for raising awareness through sustained political commitment, not just at the national level but also at EU and international levels, was perhaps the key takeaway from the cybersecurity workshop in Rome last week. At the same time, the commitment of key stakeholders to increase capacity for dealing with cybersecurity challenges in Italy was impressive. I am convinced that Italy will not only significantly advance this key EU Directive, but that during the NIS implementation phase much of the relevant work that has gone into creating the right frameworks will pay long-term dividends. Bringing together public and private sector stakeholders to build and ensure a resilient cybersecurity posture will also foster economic development – both in Italy and the EU more broadly. We look forward to working with our partners in Italy and across Europe on these critical issues.

Jan Neutze
Director of Cybersecurity Policy, Microsoft EMEA

Jan Neutze is Director of Cybersecurity Policy responsible for cybersecurity policy matters in Europe, Middle East, and Africa. Before taking on Microsoft's EMEA security portfolio, Jan worked in Microsoft's Trustworthy Computing group at Microsoft Corp. in Redmond. In this role, he led engagement with governments and industry partners at an EU-level and in Germany, and developed corporate strategies on emerging cybersecurity policies, risk management, critical infrastructure protection, cybersecurity norms, and internet governance. Jan Neutze joined Microsoft from the United Nations Headquarters, where he served for three years in the policy planning staff of the UN Secretary-General and the Department of Political Affairs, leading a range of cybersecurity and counterterrorism projects. Prior to this, Jan served as program officer for foreign policy at the German Marshall Fund of the United States and as assistant director of the Program on Transatlantic Relations at the Atlantic Council of the United States. Jan Neutze holds a law degree from the Westphalian Wilhelms-University in Munster, Germany and an M.A. in security studies from Georgetown University's School of Foreign Service.