Interviewing Giulio Carducci
Posted by Redazione on Thu, 2005-01-04 15:50
December 2004 | English | Security
0412-carducci
Giulio, what’s your opinion about the Italian ICT security market?
The Italian ICT market reflects the overall weakness of the present economic situation. This trend could however be reversed if users were to improve their security awareness. There is still a great market potential in companies, government bodies and private consumers. ICT security awareness in the last ten years has been really minimal. It would be of utmost utility, both for private and public bodies, to have entities that promote in a modern and intelligent way both a security culture and an assurance infrastructure, in order to guarantee on the market both security plans and solutions. Such entities would act as national counterparts of ENISA, the recently established EU agency for network and information protection.
What do you mean when you say “in a modern and intelligent way”?
Look, my friend, for years and still today security has been promoted by means of very generic and repetitive conferences, white papers and documents packed with well-known concepts and scarcely innovative. Manufacturers have spent almost all of their time selling their products to clients, carefully avoiding any consideration of their management and maintenance capabilities. If just a small percentage (say fifteen percent) of ICT security expenses were turned to planning, risk analysis and management activities (say “security governance”), results would significantly improve in efficiency.
An intelligent and modern way to promote ICT security means, in my opinion, strengthening the legal system, which today relies, in our country, only on the “Privacy Code”, enforcing security measures that are not only content oriented (as for private data or for pornography), but also infrastructural. Companies should be motivated to invest in security governance, and not only in hardware and software devices. Again, I think that an assurance infrastructure should be developed in order to certify security products and solutions, and security awards should be assigned to the most proficient companies.
Security, in Italy, started as a niche approach. Securteam, the company you founded, has been successful in producing “security culture”. Do you think, Giulio, that small initiatives could still be successful today, or is the market now only for giants?
I believe both options are true. On one side, companies complain about costs being too high: their option for low-cost solutions implies the acquisition of standard and not particularly creative solutions, typically offered by large corporations. On the other side, a minority looking for excellence will appreciate creative, custom-tailored and more expensive solutions, offered by small organizations. Let me introduce a consideration about the evolution of the ICT profession: a serious technical background will remain the basic ingredient of the recipe, but an integrated vision of “corporate business security” and a better appreciation for risk analysis and operations organization and management are also important.
The new “Privacy Code” (d.lgs. 30 giugno 2003, n. 196) introduced several novelties concerning ICT security: what is your opinion about them?
In the mid-nineties, when the large majority of companies complained about the recently issued privacy law (d.lgs. 675/96), I used to say that one of the great “pros” of this law was to prescribe a minimum security profile for ICT infrastructures. The new law you quote goes further, and updates and slightly enlarges the minimum security profile. The drawback is now that this “minimum” is intended as a “maximum”, and companies consider no other, better option beyond this “minimum”. Everybody should remember that the privacy law focuses on a specific content (personal data), while there is a real need to protect ICT infrastructures, independently of the nature of the data themselves. Critical data could imply, in some cases, additional and more severe security requirements.
Let’s take a look at certification schemes: today everybody is looking at BS 7799 … What is your opinion about them?
In Italy, when certification is the focus, form wins hands down over substance. According to the number of quality certifications issued in the last decade, Italy should be regarded as a top ranker in terms of globally competitive enterprises. Which is not exactly true … Few people are interested in considering which processes and which corporate perimeters are actually certified.
The same considerations are true also for security certifications. Security certification is surely an interesting tool: to be effective, it should be coupled with a high dose of awareness and maturity on the part of companies.
What are you dealing with, Giulio? What are your present activities? Do you have some interesting readings to suggest to our associates?
These days I’m looking with interest at what, in terms of ICT security issues, is being carried on in the EU. ENISA’s (European Network and Information Security Agency) recent birth seems to me a major event. National governments should be aware of the opportunity to cooperate with ENISA by means of local entities.
On a more personal side, I continue to investigate risk analysis models and methodologies. My group and I continue to improve Defender Manager, the risk analysis software application we first delivered in 2001. Again, I’m working on a new book, the title of which is “Sustainable Security”. About readings of interest, I suggest an old book (1986) written by Ulrich Beck, still very relevant to our days and translated into Italian only in 2000: “La società del Rischio” (“Risk Society Revisited”). A more recent book is “Il Codice della privacy”, by Riccardo and Rosario Imperiali. In this book these two dear friends have been able to comment on the recent privacy law (d.lgs. 196/2003) in an enlightening way, opening towards a large number of references which cover nearly everything concerning information security regulations at both national and European level.
Italy’s new Data Protection Code, Legislative Decree No. 196/2003
from: http://www.garanteprivacy.it/garante/doc.jsp?ID=1030925
Italy’s new data protection code (Legislative Decree no. 196/2003) came into force on January 1st 2004.
The Code is unique in that it brings together all the various laws, codes and regulations relating to data protection since 1996. There are three key guiding principles behind the code, which are outlined in Section 2:
- simplification;
- harmonisation;
- effectiveness.
The code is divided into three parts:
- the first part sets out the general data protection principles that apply to all organisations;
- part two of the code provides additional measures that will need to be undertaken by organisations in certain areas, for example, healthcare, telecommunications, banking and finance, or human resources;
- part three relates to sanctions and remedies. It is expected that the second part of the code will be developed further through the introduction of sectoral codes of practice.
Seven codes are planned (including surveillance, with particular regard to video surveillance, human resources, private investigators, and advertising/marketing) which will be developed in consultation with industry groups.
Download full Personal Data Protection Code (English version)
http://www.garanteprivacy.it/garante/document?ID=727068
Bio
Giulio Carducci has been active during the last forty years in ICT and general management in large multinational corporations. His interest in ICT security started in 1994, when Giulio founded Securteam, now acquired by Marconiselenia Communications. Since then, by means of conferences, articles and publications, he has significantly contributed to promoting a modern ICT and business security culture.
Contact: http://www.giuliocarducci.com