September 2021
September 2021
Interviewed by Data Manager Magazine, Alberto Valentini, CRIF’s Global IT Cybersecurity Director, explains CRIF’s strategic approach to business protection: a cross-functional shield against attacks covering spending plans, the implementation of best practices, and tools to respond to the speed of change of threats.
The threatening waves triggered by the health emergency have required companies to raise a cyber shield against the upsurge in attacks in recent months. To deal with them, CRIF, a global player in credit and business information as well as lending, business development, and open banking solutions, has benefitted from the virtuous path it has taken over the years in cybersecurity. Other challenges await the Bologna-based Group. “An awareness of the strategic importance of cybersecurity for business resilience is now widespread in the global market,” explains Alberto Valentini, CRIF’s Global IT Cybersecurity Director. “Until a few years ago, the technological progress and prosperity of a market were indicators of the expected level of cybersecurity. Today, these differences are rapidly converging toward very high standards and, in essence, are the same across the board.” However, some important differences remain - both at an industry and country level - in spending power and in how to implement security best practices. “Differences that, together with the speed of the global market,” Valentini continues, “are the main challenge for companies like CRIF, which operates in more than 35 countries. It has dealt with this through a process of continuous innovation, which over the years has required a sort of industrialization of cybersecurity, with choices that can be implemented in different technological and geographical contexts, through the delivery of business solutions that are as reusable as possible.”
CRIF is also committed to supporting its customers, both consumers and businesses, with cyber risk protection tools.
This is a subject that also concerns digital lending processes, which are undergoing a full post-pandemic acceleration. “This is dealt with,” Valentini stresses, “by supplementing our solution offering with tools for detecting anomalies related to the session and the device in use.”
PROTECTION, REACTION, AND RESPONSE
The relationship between business and cybersecurity is undergoing a profound transformation. “It’s much closer now because customers are more aware of security issues,” states Valentini. Cybersecurity is a department that maintains its core mission of protecting corporate technology assets, but it is also being entrusted with new responsibilities. “The cybersecurity department now takes part in tendering. It is involved with customers in pre-sales. It provides advice on defining security-related architectures and business processes. For this reason, it has the ear of the Board. The business expects support, which is only possible by leaving the comfort zone of its own technical verticality, also teaming up with the legal, risk, and organization departments.” The acceptance of and respect for cybersecurity among company managers and boards has grown during the health emergency. “The strengthening of this relationship,” Valentini continues, “allows many more things to get done, faster. At the same time, it is being looked at according to criteria other than purely technological aspects. Certainly, cybersecurity has gained more weight and more direct responsibility in ensuring business continuity. Cybersecurity has been called upon to offer more certainty but has received greater empowerment in return.” However, many managers and administrators still find it difficult to appreciate the return on investment in security, and they often complain about the adequacy of the measurement tools. This is also apparent from CRIF analyses.
“It is the point around which the relationship of trust with the cybersecurity department revolves,” Valentini explains. “Risk and performance metrics are very much tied to technical characteristics and are not in themselves easy to understand or useful in building a relationship. We need common ground: clarifying project deliverables, offering alternative choices and, above all, comparing cost benchmarks for the market.”
Also in this case, the benefits of security technology for business development are understood and interpreted by managers and administrators in different ways. “The company firstly wants to feel protected against cyber attacks so that it can then transfer this sense of security to its customers,” Valentini notes. “Innovation for business is in CRIF’s DNA and technology is the driving force. Cybersecurity has to drive and protect business innovation in equal measure by choosing the right technologies. It is a two-way relationship. On the one hand, the business wants to better understand security technologies. On the other hand, you need a cultural change to better understand the business, especially that of customers.”
SCALABLE ECOSYSTEM
As part of this process, the company’s cloud adoption strategy has helped change the face of cybersecurity. “The cloud has taken on an important role in CRIF’s global technology footprint, and as a result, cybersecurity has undergone a similar path of transformation and cloud adoption,” Valentini observes. “We have always delivered a Managed Security Services package to all the Group’s data centers, including vulnerability assessments, penetration testing, configuration checks on the technology infrastructure, cyber monitoring, threat intelligence, and incident response tools. And we do the same for all our development hubs, with SAST and DAST vulnerability detection services. Today, we can deliver these services both on premises and in cloud.” This has required the development of the security team’s skills, also to make the most of the cybersecurity capabilities provided by leading cloud providers, increasingly usable as a Service. “A paradigm,” Valentini notes, “that is very different from what happens on premises. Global scalability and the linearity of operating costs; this is critical to a company like CRIF, which grows significantly through global acquisitions. Cloud-delivered security services enable us to quickly integrate new businesses into our cyber ecosystem. At the same time, cloud adoption has led us to consider new data protection risks, which are different from those arising on premises in terms of technology and governance. Hence the need for greater interaction with the legal and risk management departments.”
The pandemic has been an important test case. The many changes in terms of evolving threats, needs, and a shift to remote working have directly affected CRIF, as well as its partners and customers. “Fortunately, we were ready,” Valentini stresses. “We already had a structured system of remote working in all the countries we operate in. Many of our geographically distributed teams - including cybersecurity - are already “virtual”. At the height of the pandemic, armed with the necessary knowledge and tools, we were able to concentrate on those groups and activities typically carried out on-site.”
Phishing and social engineering campaigns - aimed at exploiting the weakness of home networks in comparison to business networks and which exploited the altered emotions and distance between colleagues - grew rapidly. Faced with these multi-faceted threats – as Valentini explains – CRIF focused on employee awareness, strengthening teamwork with other business departments. “We also set up a global remote working security program to equip ourselves with new technologies for the coming years, as we expect these threats to continue to grow even once the pandemic is over.”
Source: Data Manager Magazine