The first 100 days

of the Information Security Manager

Over recent years, the small and medium business has seen, in the IT context, both the consolidation of some long term guidelines (e.g. digitalisation, multi-channel…) and the appearance of new paradigms (Cloud Computing services, Social Networks, Mobile Computing,etc.).

While this phenomenon allows Made in Italy to adopt models and tools that are increasingly sophisticated yet sustainable for the achievement of business goals, it also exposes data and corporare informations to new security risks.

It is therefore evident how these new challenges make even more complex the work of those who have the burden and the privilege of protecting the information asset of an organization, either big or small.

In this scenario, such a professional profile, will certainly be required to fulfill a wide range of tasks, some of which will be simple, other more complex, still other compulsory by law, not to mention a plethora of actions definitely relevant but not very visible to the top management.

For this reason it is reasonable to think that the Information Security Manager may ask him/herself which elements and activities need to be considered first, or which approaches, methodologies and tools should be used to perform the activities within his/her competence. And furthermore: are there common aspects shared by all of the issues? If so, which of them should be considered as priorities in the current scenario?

The main objective of "The first 100 days of the Information Security Manager" is therefore to provide a range of suggestions, both methodological and practical, to a newly assigned Manager of the protection of data and information in a small or medium Made in Italy enterprise.

It also aims to contibute pragmatically to the creation of a base of knowledge and skills related to concrete issues of Information Security.

Motivations of the Authors

This mini-website and the produced material are the result of the work of about fifteen companies, law firms, management consultings and associations that have been collaborating for several years on current Information Security issues. What unites the authors is the Oracle Community for Security and the awareness that it is necessary to operate on a cultural level in order to increase the Security level which businesses equip themselves with.

With this document, the Oracle Community for Security has set the objective of supporting the Information Security Manager in properly addressing his/her choices in the short term (hence the title about the first 100 days), in order to define concrete objectives and propose actions that can lead to visible results, as well as offering an approach that enables constant improvements over time.

Who it addresses to?

This document was conceived and developed for those who, within a private Made in Italy organization operating in any sector (agriculture, industry, service), have been instructed to provide for the safety of the company's information assets, yet don't have specific expertise in the field of IT Security, or even more, of information security.

The document, in fact, faces the theme in a phased approach, from the general to the specific, from the legal aspects to the actions which are essential to protect data, through relevant topics such as best practices, training, awareness and reporting. It also provides a series of suggestions not only methodological, but also practical, which will be of particolar interest to those who have been appointed as manager of information security.

Press Review

Click on the article title to view the full content.

The tasks of the newly established CISO

A set of guidelines to assist Information Security Manager of the medium Italian enterprise to deal with the complexity of his/her role in the first hundred days after his inauguration 15/03/2013.


What should a Ciso do in his first hundred days

A study carried out by the Oracle Community for Security defines the catalogue of the Information Security Manager, from the shared definition of the objectives to the analysis of threats and vulnerabilities, from risk management to the process review 03/14/2013.


What should a Ciso do in his first hundred days

A study carried out by the Oracle Community for Security defines the catalogue of Information Security Manager, from the shared definition of the objectives to the analysis of threats and vulnerabilities, from risk management to the process review 03/14/2013.


Security Summit 2013: Oracle Community for Security

The community of Oracle partners focusing on the enterprise security issues identified the challenges ahead of the Information Security Manager from the day of his establishment, with particular reference to the context of the medium Italian enterprise.



This work results from the collaboration of the following authors and contributors.

Abeti Riccardo Studio Legale Abeti Member of Executive Committee and Chairman of Commission "New Technology, Personal Data and Communication Law" of the European Lawyers' Union. Specialist in the law of new technologies.
Anzanello Roberto AUSED / Electrolux IT Solutions Technical specialist IT Security Infrastructure Team EMEA
Arena Orlando SafeNet Regional Sales Director, Italy, Malta, Greece & Cyprus
Baldassarre Pasqualino NexSoft ITC System Integrator - Project Area Manager
Bazzani Massimo Alfa Group Delivery Manager in SEC Consulting, la Security Division di ALFA GROUP
Bechelli Luca CLUSIT Freelancer - member of Clusit Management and Technical/Scientific Committee
Bernardi Bruno CSQA Certificazioni Manager of Technologies and ICT Security Division
Bosis Angelo Oracle Sales Consulting Senior Manager
Brera Jonathan KPMG Advisory Manager Information Risk management. CISA, CISM, CRISC, L.A.ISO27001, L.A. BS25999 / ISO22301, Prince2 Foundation, socio ISACA e AIEA
Canetta Riccardo SafeNet Regional Sales Manager, Italy
Capozucca Paolo SEC Alfagroup CEO of SEC Consulting, (Security Division of ALFA GROUP) Italian associate of COMSEC, Member of AIEA, Milan chapter of ISACA, member of CLUSIT.
Castello Andrea CSQA Certificazioni Manager of Certification schemes, Technologies and ICT Security Division
Cusello Giuseppe Alfa Group Presale Manager in SEC Consulting, la Security Division di ALFA GROUP
Esposito Alfredo Infocert Information Security Manager
Fumagalli Sergio ZEROPIU VP, marketing, external relations and partnerships. Manager of consultancy services on Privacy, co-author of "Privacy guida agli adempimenti" (Privacy: a guide to requirements), Ipsoa 2005
Gatti Francesca AUSED CISA, CGEIT, AUSED Management Council, Coordinator of Security and Compliance Observatory of AUSED.
Girolimetto Martina CSQA Certificazioni Marketing & Comunicazione
Goisis Andrea ZEROPIU Advisory & Presales Specialist
Guerriero Vito KPMG Advisory Project Leader Information Risk Management, CISA, CRISC, L.A.ISO27001, CobiT 4.1 Foundation, ITIL v.3 Foundation, Prince2 Foundation, socio ISACA e AIEA
Longhi Andrea Consulente direzionale Security Governance, Business Continuity, Risk Management, Compliance. LA ISO27001, CSA member
Mariotti Andrea Ernst & Young Director IT Risk &Assurance Services, CISA, CISM, CRISC, Lead auditor ISO27001, Lead Auditor ISO20000, socio AIEA e AIPSA
Obialero Roberto ADS - Automated Data Systems Business Development IT Security & Infrastructures, GCFA, GCFW
Pennasilico Alessio CLUSIT Security Evangelist @Alba S.T., Managerial and CTS Clusit, Managerial AIP.
Piamonte Alberto AIEA IT Governance Methodologies, COBIT5. AIEA councillor and Research Director.
Ramaioli John Mario Banca Popolare di Milano Information Technology Management, Manager of Security and Operative Continuity Area. Abilab Board of Directors
Ronchetti Enrico Kelyan Database Architect & Data Security Architect
Russo Giuseppe Oracle Chief Technologist e Security Top Gun, Oracle Italia
Sanseverino Marco KPMG Advisory Senior Security Consultant, Information Risk Management CISSP, L.A.ISO27001, CobiT 4.1 Foundation
Saulli Fabio BSC Consulting Business Unit Manager IT Security Area
Spreafico Giulio AIEA Engineer, IT Governance consultant, Security, Business Continuity and Privacy, certified CISA, CISM, CGEIT and CRISC by ISACA, IS Auditor and AIEA instructor.
Telmon Claudio CLUSIT Freelancer - member of Clusit Management and Technical/Scientific Committee
Torre Vittorio NexSoft IT GRC Manager. CISSP, CISA, ISO 27001 LA
Vallega Alessandro Oracle Security Business Development Manager, Consiglio Direttivo Clusit, Coordinatore della Oracle Community for Security
Vicini Maria Cristina BSC Consulting Northern Area Manager, expert in Digital Identity, Database Security, DLP, Mobile Security, Privacy and other issues in theInformation Security area


You can download the file via the following links:

The First 100 days
Download file

A short paper on ROSI (Return on Security Investiments) published into the Italian ICT Security Report 2015 and translated into English is available here

To show your appreciation, to give us advice and / or to request any updates of our work, please contact us writing to

Per dimostrare il vostro apprezzamento, per darci un consiglio e/o per richiedere eventuali aggiornamenti dei nostri lavori potete contattarci scrivendo a

Il documento, le appendici e gli allegati sono concessi in licenza Creative Commons 4.0 Italia, Attribuzione - Condividi allo stesso modo.

La licenza utilizzata permette a chiunque di usare il nostro prodotto anche per crearne una sua evoluzione a condizione che citi gli autori originali e utilizzi a sua volta lo stesso tipo di licenza. Autorizziamo la pubblicazione anche parziale di testo e immagini non già protette da altri copyright riportando la nostra url

Back to c4s homepage