Rivista Corporate Governance ISSN 2724-1068 / EISSN 2784-8647
G. Giappichelli Editore



The cloud centric business model and the cyber risks (by Simone Russo, Amagis Capital Group and Whtexch Group, Co-founder and CEO; Nicolò Moschi, Account Executive at Google Cloud; Riccardo Fabbri, CTO & Co-Founder, NoHup Srl; Antonio Giannino, Chief Risk & Compliance Officer of the Amagis Capital Group; Giovanni Artese, Internal Auditor & Valuation Officer of the Amagis Capital Group; Francesca Valenti, Legal & Regulatory Advisor at Amagis Capital Group and MLRO at White Exchange SPA; Enrico Amarante, Legal and Compliance Associate at Amagis Capital Group; Federico Sertori, Legal Counsel at WHTEXCH Solutions SRL)



Computers are incredibly fast, accurate and stupid; humans are incredibly slow, inaccurate and brilliant; together they are powerful beyond imagination [1].

This sentence is very popular on the web, since it has allegedly been attributed, probably wrongly, to Albert Einstein.

CONTENTS:

Article 1. The Cloud Centric Economy and the Cyber Risks (Simone Russo)
Article 2. Why Business Is Moving to Cloud (Nicolò Moschi)
Article 3. Integration Process and Hybrid Models: Is This Increasing Cyber Risks? (Riccardo Fabbri)
Article 4. The Cyber Risk Metamorphosis (Antonio Giannino – Giovanni Artese)
Article 5. The Compliance and Cybersecurity Entanglement (Francesca Valenti – Enrico Amarante – Federico Sertori)
NOTES


Article 1. The Cloud Centric Economy and the Cyber Risks (Simone Russo)

1. Introduction and Concept

Computers and software have changed the world we live in today. They have transformed our lives, they offer incredible opportunities to our economies and they have deeply reshaped the way we interact with each other, both in our social lives and in our business, affecting human relationships, the way we work and how we access services and products, while also assisting us in our daily tasks and deeply changing the perspectives of our future. Nonetheless, the digital transformation exposes all of us to new risks, from the tangible cybersecurity threats to the more remote and profound ones connected to future developments of Artificial Intelligence (“AI”). Humankind can benefit tremendously from the digital economy and can mitigate the risks of cyber threats by adopting new IT measures, establishing a cybersecurity culture at corporate board level, empowering more chief information security officers (CISOs) and risk managers to improve companies’ cyber resilience, and introducing compliance measures and policies that give greater consideration to cybersecurity risks and monitor them.

AI has unique potential to increase global productivity and GDP, to enhance scientific discoveries and to create enormous breakthroughs in every aspect of our society. Nonetheless, AI advances on a very unpredictable trajectory, since it compounds an exponential amount of data with increasing computing power at a speed which we humans will not be able to cope with, understand or predict. Thus, it is essential to intervene in order to shape the development and deployment of AI by regulating it. In particular, to achieve this purpose it is fundamental that policy makers remain vigilant and proactive, acting in cooperation and coordinating among themselves. We cannot act ex post, since it could be far too late.

2. The Cloud Centric Economy [2]

It should be noted that our economies have already entered the Fourth Industrial Revolution [3], and whilst the digital economy began during the Third Industrial Revolution with the adoption of digital computers and digital record-keeping, it became very prominent only with the Fourth. In the digital economy every business is becoming more digital and every company is becoming more tech. Consumers too, especially the younger generations, are playing a major role in the digital transformation of the economy, being more and more inclined to purchase products and [continua ..]


Article 2. Why Business Is Moving to Cloud (Nicolò Moschi)

Enterprise cloud consumption has been growing at double digits for the past few years, and global cloud revenues reached around 500 billion USD in 2022. We are still far from the peak: cloud consumption will continue to grow at a compound annual growth rate (CAGR) of approximately 17% over the next 5 years, and the global cloud computing market size will surpass 1 trillion USD by 2027 [23].

But why is business moving to the cloud? Quoting Gartner Distinguished Vice President Milind Govekar, the crisp answer might be “[because] there is no business strategy without a cloud strategy”. This would explain why 85% of organisations will embrace a cloud-first principle by 2025 [24]. Most of the benefits of the cloud are already quite clear and acknowledged by the vast majority of players: cost savings on maintaining and supporting equipment, a more flexible cost structure, easier scaling up and down, and greater effectiveness in assuring business continuity and disaster recovery. Nowadays these foundational concepts are well known and accepted in most organisations.

However, businesses are now exploring other advantages of the cloud. One of these is security, which is already recognised as one of its top benefits by two out of three executives [25]. This is not surprising, since a cloud environment can definitely minimise the risks related to outdated systems, patching, lack of security practices (e.g. data encryption) and poor investments, which are some of the major causes of data breaches. Indeed, infrastructure and systems are always up to date, the highest standards of security best practice are most often applied, and cloud vendors handle the majority of the basic administrative operations. Moreover, they invest heavily to stay at the edge of security innovation, in terms of both technology and skills.

That said, a few organisations still have some distrust of cloud security, as stated in the 2022 Cloud Security Report by Fortinet [26]. This is a wake-up call for cloud vendors: although it is clear that some vulnerability factors (such as social engineering or human error) cannot be prevented just by running corporate systems in the cloud, some work still needs to be done to dispel all doubts. However, vendors cannot guarantee security on their own, meaning that cloud customers must know that they are still in charge of the correct application of some security practices. Talking to Chief Information Officers (“CIOs”), the [continua ..]


Article 3. Integration Process and Hybrid Models: Is This Increasing Cyber Risks? (Riccardo Fabbri)

1. Hybrid Cloud Model: Benefits and Risks

Modern infrastructures need a different and broader approach to cloud computing: a private cloud offers a higher level of security and privacy, but it requires the same staffing and operations as a traditional datacenter; a public cloud, on the other hand, is convenient, scales quickly and has a wider portfolio of ready-to-go services, but it does not offer the same control over sensitive data. With hybrid cloud models, organisations are able to leverage a combination of on-premises infrastructure, private cloud and public cloud services. This model can provide greater flexibility, high scalability and more control over sensitive data. But due to its intrinsic complexity and the lack of real industry standards, it also introduces some potential new cyber security risks, for example:

• data security: data may be stored and processed in multiple locations – this can make it more challenging to ensure that data is always secure at rest and in transit and to prevent unauthorised access;
• compliance: as data may be subject to legal and regulatory requirements depending on where it is stored and processed, it can be more difficult to ensure full compliance and to monitor it over time;
• integration: the integration of different environments, based on different technologies and standards, can be complex and can introduce security vulnerabilities in the design or implementation phases;
• visibility and monitoring: in a highly distributed and heterogeneous environment it can be challenging to monitor and detect security threats.

2. Cyber Security as a Design Pattern and Shared Responsibility with the Cloud Service Provider

In order to mitigate all these new categories of risk, it is key for an organisation to implement strong security measures and to adopt cyber security standards starting from the planning and design phase, including in every component, for example, robust access controls, data encryption, and continuous monitoring and alerting systems. Adopting hybrid cloud models requires not only new technical capabilities but also a significant change of mindset in terms of responsibilities and procedures. In particular, when implementing hybrid cloud environments, organisations can effectively have more control over processes and data, but it becomes important for them to fully understand the shared responsibility model between [continua ..]


Article 4. The Cyber Risk Metamorphosis (Antonio Giannino – Giovanni Artese)

1. Introduction

This essay aims at depicting the evolution of cyber risks, investigating the very roots of cyber security and current cyber attacks. Whilst cyber security is considered a vast and fragmented topic, the authors wish to identify its transformation pattern, eventually identifying solutions generally accessible to the public to mitigate and counter cyber risks and cyber attacks. Given that a common definition of such topics is still debated in the literature by a number of scholars and professionals, and considering the vast exploitation of social engineering, for ease of reference the authors wish to further investigate and deepen the definition of a cyber attack as “an attack initiated from a computer against a website, computer system or individual computer (collectively, a computer) that compromises the confidentiality, integrity or availability of the computer or information stored on it” [41], by considering that a cyber attack might not just be initiated from a computer. In fact, seventy to ninety percent of all malicious breaches are due to social engineering and phishing, which may not be initiated from a computer; hence the generalisation of the definition above [42] as “an attack initiated from an individual, a group of individuals or a computer that compromises the confidentiality, integrity or availability of the data in transit or stored on a technological means”.

A cyber attack is a harmful phenomenon which arises from the existence of a cyber risk. In addressing the definition of cyber risk, it is arguable that cyber risk has clearly evolved from an information technology related topic to a broader concept that comprises financial, environmental, social and behavioural aspects. In picturing the complex landscape of cyber risks and threats, some scholars have debated the twofold nature of cyber risks, namely technical and economic [43], which risks adding unnecessary complexity to the definition, while others [44] have focused on two components of the noun cyber-risk to assess: (i) what “risk” means in IT environments; and (ii) why such risk should be considered “cyber”, after a proper investigation of its risk arrival (i.e. the physical or technological means via which the risk arises) and target (i.e. the “destination” of the risk) components. For the purposes of this section, the authors agree to define cyber risk as generally confirmed [continua ..]


Article 5. The Compliance and Cybersecurity Entanglement (Francesca Valenti – Enrico Amarante – Federico Sertori)

1. Introduction: Building a Cybersecurity Culture in the Organization

This essay aims to highlight the impact of corporate compliance in enhancing cybersecurity within organisations by outlining, with a practical approach, the factors which can lead to a dynamic human and technological infrastructure able to deal with the constantly increasing cybersecurity threats [57]. Even though it is an essential component of the corporate environment, technology itself is not enough to defeat cyber attack threats and shall be combined with a security-oriented culture in order to address the so-called “cultural threats”, such as the lack of controls and policy enforcement, the expectation of rational behaviour and the lack of proper communication and training [58]. The culture and the values conveyed by corporate leadership are crucial for fostering the right attitude toward the ever-changing security challenge and the innovative techniques and tools deployed by cybercriminals in cyber attacks. This entails raising awareness of the significance of such threats, their impact on the organisation, the potential damage produced by individual conduct and the need for collective effort and coordination among departments [59]. In particular, it is important to get to the bottom of the corporate subculture in which individuals operate in order to minimise exposure to cyber attacks and data corruption. In fact, employees are often the target of cybercrime due to the lack of knowledge needed to identify cyber threats which might seem legitimate to an employee, such as phishing emails, tailgating and baiting. In the paragraphs below, the authors will detail why the compliance function, along with the Board of Directors, plays a key role in the consolidation of such a culture and in the prevention of misbehaviour.

2. Integrating the Compliance Handbook with the Cybersecurity Obligations

As a matter of fact, cybersecurity is not only a matter of IT: it also encompasses the areas of risk, regulation and compliance. Among the many laws and regulations to be taken into account for proper compliance monitoring, cybersecurity obligations are becoming one of the paramount sections of a company's compliance programme / handbook [60]. To overcome negative assessment results, the compliance function should consider a two-fold approach: a command-and-control model (punitive) or a self-regulatory model (participatory and [continua ..]


NOTES