INTERVIEW
Three questions with Luca Greco, CISO of Italtel: “Cybersecurity is a strategic pillar of innovation”
1) What is the role of the Chief Information Security Officer (CISO) in a complex organization like Italtel, a system integrator and developer of digital solutions?
At Italtel, the role of the CISO is central and strategic. It spans governance, risk management, and compliance, and extends to supporting the definition of technical controls for systems, acting as a security advisor to my colleagues.
My main responsibility is to define, implement, and maintain a cybersecurity strategy aligned with business objectives.
I manage regulatory compliance, with particular attention to European directives such as NIS2 and DORA, and I coordinate the review of policies, procedures, and controls, including in contractual matters.
As a system integrator, Italtel holds a privileged position between technology and the market: on one side, we engage with suppliers; on the other, we support customers in their digital transformation. This dual role makes the CISO function even more critical, particularly in terms of communication with top management, auditing, and assessing both internal and external risks.
2) How do you protect your company’s infrastructure from cyber threats?
It may sound obvious (though it isn’t), but the first step is to gain full visibility of network assets and periodically verify their status, looking for any unregistered components (shadow IT).
The second activity involves assessing the infrastructure perimeter, including both internal and external components (such as cloud and legislation), to understand the external attack surface.
The next step is implementing standard-specific controls: firewalling, intrusion detection systems (NDR), and network segmentation are essential, along with Vulnerability Management and regular Penetration Testing.
Often underestimated, a key component is installing agents (whether XDR, EDR, SIEM clients, etc.) on every server to enable and speed up all analyses in the event of a possible or confirmed breach.
All of this integrates with solid identity and access management (for employees and suppliers), following the principle of least privilege and implementing Multi-Factor Authentication (MFA) mechanisms.
These design activities must be accompanied by ongoing monitoring and analysis through SIEM (Security Information and Event Management) platforms, which allow for real-time detection of anomalies and suspicious behavior. This presupposes that incident response processes are well structured at the company level, and regularly updated and tested.
Finally, I would implement a Threat Intelligence solution to improve incident detection and to better understand the specific types of threats that could target the company.
3) What strategies are you adopting to strengthen the security culture and manage supply chain risks?
Supply chain management has been a key issue on the cybersecurity agenda for several years, even before the implementation of the DORA and NIS2 directives.
These regulations emphasize the importance of supply chain oversight by extending responsibility to one’s own supply chain, thereby raising its priority and visibility.
From my point of view, I operate according to two paradigms: Governance (the primary one) and Technology.
From a Governance perspective, I need to introduce new cybersecurity requirements contractually, working closely with the Legal and Procurement teams. This involves creating specific security addenda to be applied to the standard contractual agreements currently in use.
However, contractual action alone would not be effective without supplier auditing. The more thorough the auditing process, the more we can ensure our partners take security seriously.
Lastly, where not already in place, it’s necessary to collaborate with the Procurement team to define and classify suppliers by importance, establishing a hierarchical scale.
From a technical standpoint, we can work on two fronts:
- Internal: managing access, monitoring, and verifying supplier activities on our network through standard practices like segmentation, least privilege access, MFA, etc. This helps isolate each supplier to their own area of competence.
- External: leveraging Cyber Threat Intelligence (CTI) to evaluate the public security posture of our partners. Clearly, this isn’t a direct measure of a supplier’s actual security, but it serves as a proxy to assess their general attention to cybersecurity.
Combining supplier importance classification with the hypothetical security scale derived from CTI gives us a comprehensive risk matrix that helps prioritize which suppliers to monitor closely.
In a context where security is an integral part of corporate strategy, building a solid, shared, and verifiable security culture is the first real enabler for sustainable innovation.
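One way to realize the supplier risk matrix described in the answer above, as an added example that is not Italtel's own tooling: the Procurement importance tier and the CTI posture score combine into a matrix cell that drives the monitoring level, and a supplier with no CTI data is placed in the weakest band rather than assumed secure. The tier names, the 0-100 score scale, the weights and the sample suppliers are assumptions constructed for this illustration.

```python
"""Supplier risk matrix: importance tier x external (CTI) posture band.

Illustrative code only; tier names, score scale, weights and sample data
are assumptions, not Italtel's classification.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Procurement-side importance classification (assumed scale).
IMPORTANCE_WEIGHT = {"critical": 3, "important": 2, "standard": 1}


@dataclass(frozen=True)
class Supplier:
    name: str
    importance: str            # critical | important | standard
    cti_score: Optional[int]   # 0..100 external posture score, None = no data


def exposure_band(score: Optional[int]) -> int:
    """Map a CTI posture score to an exposure band 1..3 (3 = weakest posture).
    Missing data is treated as the weakest band: an unmeasured supplier
    cannot be assumed to be secure."""
    if score is None:
        return 3
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score >= 80:
        return 1
    if score >= 50:
        return 2
    return 3


def risk_cell(supplier: Supplier) -> int:
    """Matrix cell = importance weight x exposure band (range 1..9)."""
    return IMPORTANCE_WEIGHT[supplier.importance] * exposure_band(supplier.cti_score)


def monitoring_level(cell: int) -> str:
    """Translate a matrix cell into how closely the supplier is watched."""
    if cell >= 6:
        return "close"
    if cell >= 3:
        return "periodic"
    return "baseline"


def prioritize(suppliers: List[Supplier]) -> List[Tuple[str, int, str]]:
    """Rows (name, cell, level) sorted by descending risk, then by name."""
    rows = [(s.name, risk_cell(s), monitoring_level(risk_cell(s))) for s in suppliers]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample inventory (not real suppliers).
SAMPLE = [
    Supplier("hosting-provider", "critical", 85),
    Supplier("dev-outsourcer", "critical", 40),
    Supplier("office-supplies", "standard", 30),
    Supplier("payroll-saas", "important", None),
]

if __name__ == "__main__":
    for name, cell, level in prioritize(SAMPLE):
        print(f"{name:18s} cell={cell} monitoring={level}")
```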