in

fo

se

cu

ri

ty

t

od

ay

i

nt

er

vi

ew

39In

fosecu

rity Tod

aySeptem

ber/October 2005

Andrea Pirotti, the Italian leader ofthe European Network and

Information Security Agency,graduated in the top three of hiscohort at the Military Academy, andtook a degree in strategic sciencefrom the University of Turin in 1973.But, in 1976, he forsook the Italianmilitary for Marconi, and moved toJordan, as the area manager for thecompany's Middle Eastern operations.

He's recently found inspiration in abook written about the experiencesof another Italian in foreign lands, byformer prime minister of the ItalianRepublic, Giulio Andreotti. A Jesuit inChina tells of the career of MatteoRicci, a Jesuit who was an advisor tothe Chinese court in the early 17thcentury.

“Ricci planted a small seed in analien culture, with a long-term resultthat lived on in memory”, says Pirotti,who also admires Andreotti himself asa politician who has come throughdifficult times.And, like Ricci, Pirottiworked in China, establishingMarconi's Beijing office in 1994.

Enisa's executive director nowbrings his pioneering, and multi-national, experience to bear on thechallenge of combining the unevendevelopment of the territory of the EUwith respect to information security.For it is a far from uniform state of

affairs, with a plethora of initiativesacross the continent that have not, uptill now, been well co-ordinated.

“There are several initiatives forinformation security, and many R&Ddisbursements, but they are not co-ordinated at all”, says Pirotti, whotook up his position officially on 16October 2004.“No single country ispositioned to help its neighbours.Hence the need for a supra-nationalagency like ENISA”.

Looking across Europe, from hisagency's base in Crete, Pirotti sees avaried picture.“There are countries inEurope that are well equipped —countries who have invested ininformation security, and have aboveaverage to good systems: the UK,France, Germany, the Netherlands,Finland, and Sweden. But the othersare catching up quite fast, and thereare nice suprises among theaccession countries, especially Estoniaand Lithuania.

“But we have to make awarenesscampaigns across the EU.There areareas of society that are weak - likestudents and older people, and theSMEs. Smaller companies face toughcompetition from overseas, and theyhave no budget or resources todevote to security.

“In general, I would say that Europehas to improve a lot. But there is

much goodwill among the peopleresponsible for information security”.

He cites his own nation as anexample of a country that is catchingup fast.“Italy a few years ago waslagging behind.And so, three years ago,the Ministry of Communications threefocused on the problem.”He recountshow the recruitment of LuisaFranchina to the position of DirectorGeneral for Service Regulation andQuality of the Ministry ofCommunication improved thesituation. She gathered the differentbodies around the table and pushedthrough a co-ordinated effort.Franchina is a director of ENISA board.

The story so farWhat then is Enisa's role? “It's missionis to increase the security environment

Pirotti'sRisorgimento forEU informationsecurity

Brian McKenna

The European Network and Information Security Agency is nowestablished under the leadership of Andrea Pirotti. Can he unifyinformation security across the EU?

b.mckenna@elsevier.com

Andrea Pirotti: 2005 a year ofrecruitment

in

fo

se

cu

ri

ty

t

od

ay

i

nt

er

vi

ew

40

Info

security To

day

September/O

ctober 2005

of information systems in Europe. Butwe don't interfere in the internaldefence intelligence and policeactivities of the member countries.Wedon't chase cyber crime.

“We need to be cautious in respectof 'Ministry of the Interior' areas.What is important for us is to buildup good trust towards the agency”.

The agency is currently budgeted at44 people, inclusive of administration;there are between 20 and 25technicians.The budget for 2005 is�3.4m, for 2006 �6.8m.

“It is a small agency.The budget isnot a lot, but it is more than enough tocarry our mission for the time being.

“And the agency can generalize thebest information security practices ofeach of the member countries. ENISAwill disseminate its own best practicebased on those, especially for the lesswell equipped countries”.

“2005 has been a year ofrecruitment”, reflects Pirotti.“I feelthat we have been lucky, because foreach post we have assigned aboveaverage technicians.We are also luckythat we have, as director of thetechnical department,Alain Esterle,who has been the vice director of theFrench Information Security Agency.And we have, Ronald de Bruin, fromthe Netherlands, as chief of the co-operation support department. Bothare very knowledgeable and wellrespected in the community”.

Pirotti is pleased with progress sofar.“We have been told officially thatwe have broken all records in theestablishment of an agency: we have

finalized recruitment, had twomanagement board meetings, and setup three working groups.We aregoing very fast.

“Ninety per cent of our staff fromprivate sector, so good 'return ofinvestment' is in our culture; but weare also paid for by public purse sowe will deliver".

Fusion orchestrated from theperipheryThe executive director admits thatthere was a good deal of surprise thatthe agency was announced to besituated in Crete, a territory outsideof the main narratives of European IT.“Our agency might fit better in thenorthern countries, but the EU needsa fusion, so putting a centre ofexpertise in a peripheral location willgive some dynamic to the peripheralarea.And the Greek government hasbeen great, so I would like to publiclythank them.

“Anyway, we will be frequent fliers.We have a young and motivated staff.”

Enisa is a co-organizer, this year, ofthe ISSE (Information SecuritySolutions Europe) conference, andhad a big say in its location inBudapest (27-29 September).

“When decided to co-organize theevent, we wanted to give push to thenew entry countries.And Hungary isone of the best equipped amongthose, so deserves this attention”.

At the event, Enisa will “deliver firstresults of working groups, and we willbe presenting the vision for the nexttwo years”. The thirty-strongPermanent Stakeholders Group isresponsible for the latter, and the three

working groups are in: awarenessraising, Cert (computer emergencyresponse team) cooperation andsupport, and on technical and policyaspects on risk assessment and riskmanagement.

Pirotti says his management style isto “make people fully accountable forwhat they do”, and to seekcompromise wherever possible.

However, one experience atMarconi, when he was operating inChina and India, showed that this isnot always possible.

“When Lord Weinstock left Marconi[in the mid 1990s],and Lord Simpsoncame on board, in my opinion therewere managers sent to supervise theAsian market who were capable, yes,but not expert in thetelecommunications business.That ledto decisions that were detrimental toour business, in my view, and made myviews clear. I'd been in Marconi a longtime by then, and the supervisor wasmoved to another position. Usually youshould try to find a compromise, butsometimes you have to be firm”.

This penchant for the diplomatic ischaracteristically Italian. But it meansAndrea Pirotti cannot be as acerbic asthe man he admires most in the field -Professor Ross Anderson, at theUniversity of Cambridge.“He is veryclear in his thinking and in his views,and independently minded. He can bemore sharp than I can be!”

LinksENISA web site:http://www.enisa.eu.int/ISSE 2005 conference:http://www.eema.org/static/isse/

Curriculum Vitae2003-2004 Advisor to the Minister at the Italian Ministry of Communications 2001-2003 Marconi SpA, Genoa, Vice President 2001-2002 Marconi Iberia, Madrid, Director of the Board 1999-2000 Marconi Hong Kong/Taiwan, General Manager 1995-99 Marconi SpA, Genoa, Director for India and Pacific Rim 1994-95 Marconi, Beijing, General Manager Marconi China 1991-94 Marconi, Genoa, Director, South America 1990-91 Marconi Malaysia, Kuala Lumpur, General Manager 1985-90 Marconi (Defence Electronic Company), Amman, Director, Middle East 1976-85 Marconi, Genoa, Area Manager Middle East 1967-76 Italian Army, Technical Telecommunication Corps1967-72 Military Academy Signals, Transmission Engineer 1972-73 Army Corp, Transmission Officer, Bolzano. University Degree at the University of Turin, Italy, in Strategic Science1973-76 Transmission Support Unit to the Army Corp, Padua. Expert in Electronic Warfare, Crypto Units, ECCM (Electronic Counter Counter Measures),

Network and System Security Tool