From home banking, to online purchases, to the management of entire industrial processes: today access to the network is essential, both in the personal and professional fields. However, this powerful tool, in addition to having enormous potential, also conceals risks. Which ones? We talked about this with Prof. Paolo Maccarrone, Director of the International Master in Cybersecurity Management.

If we want to summarise the types of risks that companies are running today, we can say that there are typically three: confidentiality, integrity, and availability of data.

The “attackers,” in fact, may have an interest in acquiring the data not only to communicate it to third parties (confidentiality), but also in compromising or destroying it (integrity), or making it unreachable (availability), typically by asking a ransom in return.

All of these risks have grown enormously in recent years due to digitisation, which has increased the amount of data exchanged exponentially as well as the growing interconnection, mainly due to the Internet. Just think of an area, such as that of a company’s operating processes, where automation used to be managed by stand-alone servers. No connection, so virtually no risk. Today, however, machinery and plants of various kinds continuously exchange information. This is valuable data, which enables, for example, predictive maintenance to be carried out or the real-time reorganisation of production flows, but the exchange of which opens the door to new vulnerabilities that did not previously exist.

There is another aspect to highlight. The situation we are experiencing has dramatically increased the number of workers who connect to corporate servers remotely.
In the past, those who did so did not access sensitive data, or, if they did, they received a minimum of training on these issues and often used appropriately configured company devices.

In the last year and a half, however, as a result of the pandemic, more and more people are working remotely, perhaps often on personal PCs, frequently shared by family members as well. The indiscriminate use of personal devices and poor awareness of the subject has exposed – and is still exposing – workers and organisations to considerable risks.

Risks that companies seem to be aware of now. What effects is this perception having on the labour market?

For many years, we have witnessed a dual track situation, where very well-informed organisations, such as large companies  ̶  particularly those operating in certain sectors, such as telecommunications and energy, banks and insurance, stood in contrast to others who were less aware of the risks or less active on this front.
Over the last 2-3 years, however, the situation has changed: everyone has realised the importance of cybersecurity, so much so that the issue is at the top of the agenda for the majority of CEOs and their close associates.
This is linked both to the increase in the frequency of attacks of various kinds – from social engineering to data encryption with ransom demand, to intellectual property theft – and to the fact that such attacks, as mentioned earlier, also affect “core” operating processes, often leading to interruptions in production or the provision of services.
This new focus is reflected on the one hand, in an increase in investment on this front, and on the other, in some organisational changes which have led, for example, to the fact that, in several major businesses, the Head of Cybersecurity will now respond directly to the senior management, and no longer to the Chief Information Officer.

This growing importance and “pervasiveness” of cybersecurity inevitably leads to a search for professional profiles with specific skills, both by companies, to strengthen internal organisational units, and by consulting firms, which often play a key role both in setting up the security governance system and in implementing technological and organisational countermeasures. There is a growing demand that is not reflected in the market supply, as emphasised by various human resources managers and several companies specialising in recruiting.

How is MIP trying to bridge this gap?

Our Business School’s commitment to this area is not new. Indeed, last year we launched an Executive Path dedicated to those who have already gained experience in the cybersecurity sector and want to upgrade and broaden their skills to accelerate their careers.

This year, however, we wanted to expand our training offer with a Master – the International Master in Cybersecurity Management – designed for a more junior target group, those just out of university.
Our Master grew out of listening to the needs of companies, first of all our educational partners – BIP and SETA – as well as companies that have worked closely together on its design as members of the advisory board, such as Accenture, PwC and Intesa-IBM.
We therefore decided to create a programme that would give participants the tools to get a holistic view of cybersecurity.
In fact, what has emerged from the ongoing discussions with companies is that a technical understanding of vulnerabilities and how to address them is not enough: it is important to be aware of the impact these can have on the entire organisation. We are therefore turning to young people who want a career that is not purely technical, but who aspire to taking on roles of responsibility soon. This is why the Master deals with organisational and management issues as well, and also pays attention to the development of soft skills.
In light of this, it should therefore not be surprising that the Master is also open to  less “conventional” profiles, such as management engineers, graduates in business administration or in scientific disciplines  ̶  or even lawyers who have specialised in IT security regulations and who wish to go into more detail in order to enter important professional practices or join the legal staff of large organisations.

As with many of MIP’s programmes, the experiential component is fundamental. This is reflected in the composition of the Faculty, which is characterised by the presence of numerous professionals who work alongside lecturers with an  academic background, as well as in the teaching methods used. In addition, the Master includes a final project work that will be carried out in one of the many companies that have given their availability, during which the students will be able to put into practice what they have learned in class.

Finally, what advice would you like to give young people interested in the world of cybersecurity?

A very simple piece of advice – at least in appearance. To have a clear idea about what they want to do “when they grow up”. To have a precise picture in their mind of the path they envision for the next 5 or 10 years. If they are passionate about the topic and they have managerial aspirations, then this is the right path for them.