Poste Italiane and Cybersecurity
“We had to find a way to react [to threats] immediately,” says Poste Italiane CEO Massimo Sarmi, underscoring the simple yet essential need that led him to the development of a cybersecurity megacommunity. “By definition, we are — and we want to be and we need to be — the most trusted company in our country, because we collect money, we offer financial services, and we deliver the mail, all in a confidential way.”
Poste Italiane executes 35 million transactions a day as a result of its unique business portfolio: It is a postal operator, a mobile phone operator, a bank, and a leading issuer of Visa and MasterCard credit cards. Among other services, the company enables customers to transfer money via their cell phone SIM cards. Cybersecurity is not just a theoretical concern; it is essential to the company’s business success, its sustainability, and its growth.
Under Sarmi’s guidance, the company has developed an in-house cybersecurity operation that acts with speed and precision. In large, sleek rooms, rows of computer-bound staff sit before a master information screen that evokes a scene from a science-fiction movie. They follow everything from mail delivery to ATM transactions — in real time. They track the sources of possible threats worldwide, collect all the data they can, and relay the data to local authorities, while they themselves work to shut down potential security threats. The screen shows maps, bank activity, and tallies of threats in effect and threats extinguished, among other active data.
“We are continuously growing in terms of knowledge, day by day,” says Sarmi. “I am impressed by the ways they [hackers and cyber-criminals] change their behavior from their side, how they react immediately. It’s a daily question of measure and countermeasure.”
But Sarmi came to recognize that no matter how good a job the company was doing on its own, there was only so much it could control. For example, he explains, “Currently, if we identify a false Poste Italiane site, coming from — choose any part of the Web — we have to get in touch with the organization. And we have to ask them, ‘Please, do you know that your server has been compromised and there is a clone now of our site coming from your IP address?’ Without having an internationally defined set of rules, you have to ask for a favor instead of being able to move to protect and immediately stop this mis-functionality. And this is only one example of why we need a legal international framework for this purpose.”
Sarmi concluded that true security for his business and customers could be achieved only through an international, multisector cybersecurity arrangement. Cybersecurity itself was as much a matter of offense as of defense. For these reasons, he needed a multiplicity of ideas. So he began the process of reaching out. “We started to realize that this phenomenon was global. And there was a question of growing in terms of capability.”
As Sarmi’s experience shows, a successful megacommunity initiator needs to be in the best possible position to attract other important participants. The initiator needs to be among the most motivated members of the community. And he or she needs to have the proper diverse background. Sarmi, given that his background was in telecommunications and given his position at the company, was the perfect initiator for a cybersecurity megacommunity. Furthermore, Poste’s impressive internal cybersecurity operation functions as something of a magnet and showpiece, underscoring Poste’s leadership position in this area. By analyzing 35 million transactions a day, Poste has accumulated enough technology and behavioral science to help put any cybersecurity initiative on a productive path.