Leonardo is a global industrial group and one of the main players in aerospace, defence and security, delivering multi-domain technological capabilities in helicopters, aircraft, aerostructures, electronics, cyber security and space.

With over 53,000 employees worldwide, the company has a solid industrial presence in Italy, the UK, Poland and the US. It also operates in 150 countries through subsidiaries, joint ventures and investments.
As a key player in major international strategic programmes, it is a technological and industrial partner of governments, defence administrations, institutions and companies. In 2023, Leonardo recorded consolidated revenues of €15.3bn, new orders for €17.9bn and invested €2.2bn in R&D. Innovation, continuous research, digital industry and sustainability are the pillars of its business worldwide.
Joining us for an exclusive Q&A today to shine a light on his career and the company’s security strategy is Roberto De Paolis, Head of Digital Security & Security Operations at Leonardo.
Can you tell us about your background and how you came to be the Head of Digital Security at Leonardo?
I have been fascinated by Information Technology since I was a child – but at that time I also liked to write creatively, small compositions mostly. Back in 1984, I participated in a regional literary competition for school students about the importance of communication and avoiding isolation.
I was surprised that the judges appreciated the theme of my entry since I wrote a story that sounded more fantastical or futuristic, rather than dealing with the lived reality of the time. I wrote about how computers could connect us and how humans can take advantage of this to avoid isolation. I scored highly, nine out of ten overall, and as a reward, I won €100. To put this in perspective, the cost of a computer at that time was about €120.
Afterwards, I bought my first computer, learned its language and began to code simple programs. Not long after, I exchanged this small computer and bought a new one that could connect to another computer with a so-called modem. At that time the only way was to dial in using the phone line. I set up one of the first Bulletin Board Systems (BBS) in southern Italy, providing a service for all users with a PC and modem to connect, read mail and take part in a forum. We are not speaking of the Internet age (this was 1986), so it was all command line with scrolling text.
I continued to explore, study, code and decode software and viruses. After I graduated in electronic engineering with an IT specialisation in Rome, I began to work for consulting companies as a teacher of computer languages and system operation, then as a security consultant and firewall engineer. After five years of consulting, I left this path and was hired by Northrop Grumman Italia. Here, I began to work more with enterprise software and cutting-edge equipment, and I had the budget to steer and manage a security strategy.
As my career developed, I enjoyed several opportunities to work with multiple companies and businesses in media, telecoms and banking. In 2006, I configured one of the first Web Application Firewalls (WAFs) in Italy for a client-facing portal of a broadcasting company, and I also established one of the first security information and event management (SIEM) platforms in Italy in 2008. I spent several years working in banking environments, always in operational security roles, until Leonardo called me at the end of 2017 to deliver, implement and maintain a security roadmap for them.
At that time, IT infrastructure and security operations were both overseen by a single organisational unit. My first thought was that it was a conflict of interest to manage and secure the IT infrastructure within one function, so I separated them and established an organisational unit called IT Security Operations (now renamed Digital Security & Security Operations for the enlarged scope) with four pillars: Data & Identity Protections, Security Architectures & Operations, System & Application Security, and Digital Assurance.
What excites you most about working in this area?
I love Information Technology, so I am always keen to study and explore the latest industry trends. But every time I see a new technology, I always think about its risk, how it could be used as a weapon and how this technology must be protected. Security threats are always changing, so the work is an ever-evolving challenge. In my operational role of managing almost all technologies at Leonardo, from the periphery to endpoints, in order to protect the company you must always read, plan, experiment and deploy new technologies, measures and solutions to meet the rapid developments in the security landscape.

How does Leonardo’s digital security strategy align with its overall business objectives?
My motto is ‘fast secure.’ Fast, because we need to respond quickly to business needs. Secure, because everything must be fully protected.
In terms of aligning the ‘fast secure’ approach with Leonardo’s overall company objectives, I see the business as a client for me and my organisational unit. As such, we endeavour to understand the goals, vision, identity and priorities at Leonardo. It is then a question of establishing what is being asked of us so we can deploy the relevant security requirements, including considerations such as: segregation of duties, identifying implementation and delivery representatives, delivering and managing sweeping security operations, and then allocating resources in order to meet the milestones of the business.
Can you share some specific digital security initiatives or projects that Leonardo is currently working on?
At the moment, some of the most exciting projects we are working on are identity protection (for people and machines) and automation.
One example of this is that we are building the capacity to provision (in near real time) what is needed for the onboarding of a new employee, including account creation, software access and configuration of one-time passwords.
We are then looking to automate specific digital security processes that follow.
For instance, we are thinking about the specific security and business needs to expose a web server on the Internet or to renew a digital certificate for an existing web server used by our suppliers or clients. A digital certificate is needed from an approved Certification Authority in order to avoid a warning from the browsers. Keep in mind that Google is proposing to reduce the validity of TLS certificates to 90 days.
This will carry a significant impact on organisations reliant on manual certificate management processes. In the next few weeks, we will have this automation process live. At the same time, we are focusing on secret management, inventory and governance, as well as Kubernetes monitoring environments.
We are also working on implementing passwordless technology in specific environments, using a risk-based analytics and behavioural approach.
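The certificate-renewal automation described in the answer above rests on one calculation: how much of a certificate's lifetime remains and whether it has crossed the point at which renewal should be triggered. The following Go program is an added example, not Leonardo's code: it issues a self-signed test certificate (constructed input standing in for one from an approved Certification Authority), parses it back from PEM and decides whether renewal is due. The renew-at-one-third-remaining threshold, the hostnames and the dates are assumptions chosen for illustration; they are not taken from the interview.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// renewFraction is the policy knob (assumption): renew once less than this
// fraction of the total validity period is left. For a 90-day certificate
// that means renewing with 30 days to go, leaving room for retries.
const renewFraction = 1.0 / 3.0

// CertStatus is what a renewal job would act on or alert with.
type CertStatus struct {
	Subject       string
	NotBefore     time.Time
	NotAfter      time.Time
	DaysRemaining int
	RenewDue      bool
}

// ParsePEMCert decodes a single PEM-encoded X.509 certificate.
func ParsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CheckCert evaluates a certificate against the renewal policy at time now.
// An already-expired certificate is always reported as due.
func CheckCert(cert *x509.Certificate, now time.Time) CertStatus {
	total := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	st := CertStatus{
		Subject:       cert.Subject.CommonName,
		NotBefore:     cert.NotBefore,
		NotAfter:      cert.NotAfter,
		DaysRemaining: int(remaining.Hours() / 24),
	}
	st.RenewDue = remaining <= 0 || float64(remaining) < float64(total)*renewFraction
	return st
}

// MakeTestCert builds a self-signed server certificate with the given validity
// window. This is constructed test input only; a real deployment would hold
// a certificate issued by an approved CA.
func MakeTestCert(cn string, notBefore time.Time, validity time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cases := []struct {
		name     string
		validity time.Duration
		now      time.Time
	}{
		{"portal-90d.example", 90 * 24 * time.Hour, issued.Add(20 * 24 * time.Hour)},
		{"portal-90d.example", 90 * 24 * time.Hour, issued.Add(65 * 24 * time.Hour)},
		{"portal-398d.example", 398 * 24 * time.Hour, issued.Add(65 * 24 * time.Hour)},
	}
	for _, tc := range cases {
		pemBytes, err := MakeTestCert(tc.name, issued, tc.validity)
		if err != nil {
			panic(err)
		}
		cert, err := ParsePEMCert(pemBytes)
		if err != nil {
			panic(err)
		}
		st := CheckCert(cert, tc.now)
		fmt.Printf("%-22s expires %s  %3d days left  renew now: %v\n",
			st.Subject, st.NotAfter.Format("2006-01-02"), st.DaysRemaining, st.RenewDue)
	}
}
```

With the same one-third rule, a 398-day certificate checked on day 65 is left alone while a 90-day certificate checked on day 65 is flagged, which is the practical difference shorter lifetimes make: the check has to run as a scheduled job against an inventory of every exposed endpoint, not as a calendar reminder.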
Do you have any advice for companies looking to strengthen their digital security practices?
Do not follow ‘moda’, or what is trendy, for the sake of it. Choose the technology and platform that best adapt to your business needs and target IT architecture. However, do not forget to redesign processes to support your choices.
What are some of the additional contributions you’ve made to the industry that you are most proud of?
I am very proud of a research project I took part in about 20 years ago: “Threat Analysis in Wireless 802.11 Networks – A Practical Approach to Wireless LANs Security,” which was presented at the 8th International Symposium on Wireless Personal Multimedia Communications in Denmark.
Last year I gave an innovative speech entitled “FROM DIGITAL HUMAN IDENTITIES TO MACHINE TO MACHINE IDENTITY.” Although I gave the presentation in Italian, I recommend giving it a listen with English subtitles.
Lastly, I am a contributor to an Italian online newspaper that spreads the culture of cybersecurity.
For more information about Leonardo, visit leonardo.com.