“Ten years ago, would you have ever imagined that my 83-year-old grandmother would send messages via WhatsApp today?” asked Stefan Umit Uygur, CEO of 4Securitas, speaking to the General States of Information Engineering at the Italian Senate on Thursday 3rd March 2022.
There have been significant delays in implementing reforms in the technological and cybersecurity fields, delays that, in the current scenario of growing conflict, risk making Italy the weak link. This is why the CEO of 4Securitas warns: “The next 9/11 will be a cyberattack.”
According to Stefan Umit Uygur, it is also necessary to review the methods of engagement both with innovative startups and for personnel called to work in national structures such as the newly created National Cybersecurity Agency, focusing more on real skills, abilities and resourcefulness, not only on qualifications and certifications.
Speaking after the event, Mr. Uygur elaborated on the need to cast a wider net in terms of talent acquisition in the cyber sector: “Many of the most skilled hackers and security experts do not have formal training, are self-taught and exist in a parallel system to that of government agencies. There needs to be additional paths for richly talented individuals, who are not conventional employees, to take.”
Stefan has successfully implemented this hiring model at 4Securitas, which is developing ACSIA XDR Plus, an innovative and ambitious product to help companies and institutions with their cyberdefence, with a view to building the professionalism needed to create solutions that respond effectively to market needs.
Watch the complete address to the General States of Information Engineering at the Italian Senate
A summary of Stefan Umit Uygur’s address
Francesco Condoluci (Moderator): Let’s give the floor to another company that deals with cybersecurity, in this case a fast ‘scale-up’ company formed by a group of young people. I would ask Stefan Umit Uygur to illustrate his perspective on how cybersecurity has changed in recent years, also considering what happened in 2017 when there were the two big attacks, WannaCry and NotPetya, which I believe were watershed attacks. Since then, cybercrime has grown exponentially, so the question is, should we expect an IT version of September 11th?
Stefan Umit Uygur: A cyber version of September 11th will almost certainly occur at some time in the future. In the meantime, thanks for inviting me here, thanks to the organizers, and many thanks to Francesco. I fully agree with the earlier contributions of Alberto Pagani and Cesare D’Angelo from Kaspersky, especially the point made by Alberto, which is that it is really important that cybersecurity should not only be addressed from the technical side. The market cannot expect a product to be capable of solving safety problems in isolation. It simply isn’t. By simplifying [the problem of cybersecurity] it can be tackled in three simple steps.
The first step is that of awareness. It is a cultural and social issue, which can be addressed through awareness campaigns, etc., but we must involve all citizens, people who have nothing to do with cybersecurity. For example, in 2010 you would never have imagined that all of us, including my 83-year-old grandmother, would use smartphones. No, it was unthinkable. Today, my grandmother uses her smartphone and sends me messages on WhatsApp. We need to integrate cybersecurity into our lives in a similar fashion. Whether we like it or not, it is and will be a problem that will be present in our lives, and therefore we must address cybersecurity on a cultural and social level…
Francesco Condoluci (Moderator): For example starting from schools?
Stefan Umit Uygur: Absolutely yes, starting with schools, but also, let’s say, on TV. Now, I don’t want to be critical, but instead of making programs like Maria de Filippi, etc., etc., we need to give more space to initiatives like this one. Because people of a certain age, families and elderly people stay at home to listen to this information.
The second step refers to the fact that in Italy, we are very good at creating laws but very poor at enforcing them. About sixteen years ago, I was an advisor at Montecitorio (Italian Parliament), contributing to the writing of laws. Today, if you read the Digital Administration Code, article 68, 70% of it was written by myself when it was called something else; I can’t remember its earlier name before it was renamed (CAD art. 68).
Laws must be made only if you know how and where to apply them in the system. Italy is a country with an old system and model, so old that if you make a modern law like that on cyber defense, it becomes incompatible with the system. That is, the legislation cannot be applied.
While I was traveling here by plane yesterday – a three-hour flight – I started reading a document called “The Italian Cybersecurity Action Plan”. It is a document that was written in 2017. I was expecting a document of three hundred pages, but it is a ten-page document, excluding the pages of diagrams and organization charts which increase the number of pages up to 30.
I believe it was written by Renzi’s government; it is perfect as a document and plan. This document was therefore written before the attack on the Lazio Region, before the attacks on other institutions, and before all of the current mayhem. The legislation was perfectly written and fine. Now, we are good at writing laws (it was a Prime Minister’s decree), but we are also good at putting them in the drawer, and they stay there forever. In relation to the Italian National Cyber Agency, I will give you the example of other countries with which I actively collaborate, some of the most advanced countries in the cyber world, such as Israel, the United States, Russia, and Ireland. I live in Ireland, where the national cyber agency has been present for more than ten years. In Italy, it was only created last year. But the procedure, the path by which the national cyber agency was established, is wrong.
By pure coincidence, I was called to the Irish Senate last week because they wanted me to be on a committee that sits at the National Cyber Agency, not to lead but to act as an advisor. I am a private individual, and they called me along with many others, such as professors, but not just professors. They didn’t ask me “what are your credentials?”. They asked me to join forces and make suggestions to the Irish National Cyber Agency and its framework. What does the Irish National Agency do? It coordinates all the other entities. We [the Italians], on the other hand, are all detached, isolated, separate. So, this is the second stage. It is not true that the law lags behind technology; rather, they are incompatible. The problem is incompatibility. The laws and decrees are there, but… the system needs to be reformed. The current laws must be cut, tidied up and refined. There is no need to create new laws; the laws are already there. How do other countries do it? How do the more advanced countries move forward? Why are they one step ahead?
In Ireland, half the country had no electricity in the 1950s, while today it is a country at the forefront of technology. This was the second point of the cyber problem. So, the first is awareness, and the second is the incompatibility between the regulations and the model that the country adopts.
The third step is the technical aspect. It is, therefore, necessary to give space to industry and the academic world and to make these institutions collaborate. I want to go back to the Italian system again. The public administration system is set up like a caste; it is unworkable. Both corporate entities like IBM (large corporations) and startups must be involved in procurement. I’m not saying this because I’m the CEO of a young cybersecurity organization, but you must get startups involved. Ask yourself, why are today’s large cyber vendors outbidding each other on a daily basis to buy early-stage start-ups? Because they [large corporations] are too big and find it difficult to innovate… Instead, start-ups come with brilliant ideas, and big vendors buy them, provide massive cash injections and complete in 5 months what a start-up would have done in 5 years. It is the start-ups that have the ideas and the innovations, while the consolidated market gives you security and stability. So, when a start-up responds to a public procurement process, it typically requires many millions of euros of annual revenue, vast insurance cover, multiple certificates and other bureaucratic hurdles to be covered… It is obvious that start-ups don’t have these resources; they can’t afford them. So, we need to simplify the public procurement process and give scale-up companies access to the market.
Going back again to the Italian National Cyber Agency, and please take this as constructive criticism, I recently read their recruitment process and requirements, only to discover that the minimum requirements stipulate a first-class honours degree (or, as we say in Italy, a 105 or 110 cum laude).
So, I’ll tell you a very short anecdote about this type of policy. About 13-14 years ago, when I was working at Oracle, part of my job was to hire people, and at one stage I was hiring about 20 people every week. There was an incredible turnover of personnel in the company at the time: in a company of ninety thousand employees, hundreds left and joined the company every month. After two years, I was summoned to headquarters, and I was wondering what I had done. It transpired that they were inquiring into my recruitment process because the employee churn ratio in my subsidiary was massively lower than elsewhere. I had to tell them that I did not focus on academic qualifications but paid most attention to the individual’s ambitions, focus, capabilities and cultural fit. When I was performing interviews, I’d usually start with, “Very well, these are your qualifications (referring to their CVs)… now tell me what you can do and what you would do in the future if you join this company.” They expected a technical interview, but I asked them these types of questions and hired based on their response and attitude. Since Oracle is a company that constantly monitors everything, including employee performance, they noticed that 92% of the people I hired made career progress within 2 years.
So, they asked me to help them review and change their hiring model and process. Very easy, I said: just remove the mandatory degree from the selection criteria and evaluate people based on their capabilities, attitudes and real practical expertise. Four years later, I found myself working with Amazon and found that they were using an approach similar to the one that I had helped introduce at Oracle a number of years earlier. So my point is that the Italian national cyber agency has to stop focusing entirely on academic prerequisites in its hiring process. I have found that many of the best cybersecurity architects and consultants were naturally gifted but never went through the third-level system. Thank you!