Corporate Management

Cyber and physical convergence, the new frontier of corporate security

Italian companies are moving beyond the traditional separation of physical and IT security, facing cultural and regulatory challenges to protect the entire operational ecosystem

by Gianni Rusconi


5' min read

Translated by AI
Versione italiana


For years, corporate security was treated as a vertical function: on the one hand cybersecurity, on the other the protection of sites, people and assets. Today, that distinction is rapidly losing its meaning, and the convergence of the cyber and physical components (plus data analysis) is in fact redefining not only the security market, but also the way companies manage business continuity, supply chain and industrial risk. This is a substantial evolution, driven by the growth of cyber attacks, regulatory pressure (the NIS2 directive, the DORA regulation) and the progressive integration of artificial intelligence, sensor technology, intelligent video surveillance and OT (operational technology) systems into corporate infrastructures.

For CEOs and top management, the issue is no longer just 'protecting the company' but ensuring the resilience of the organisation's entire operational ecosystem, whose critical point no longer coincides with the internal perimeter but rather with the possible vulnerability of an extended and interconnected supply chain, where suppliers, partners, digital infrastructures and industrial plants share data, access and processes. For CISOs (Chief Information Security Officers), this paradigm shift implies a growing management complexity, linked to a set of converging factors - such as threat fragmentation, a structural shortage of cyber skills and the need for continuous monitoring - that are accelerating the use of hybrid models and managed security services. The challenge is above all cultural: we need to move from single-asset defence to a 'total resilience' model, capable of integrating cyber intelligence, physical security and data governance in a single decision-making architecture. It is on this transformation, industrial in nature, that the vision of Marco Bavazzano focuses. Bavazzano is CEO of Axitea, an Italian group with a turnover of around 100 million euro and 1,000 employees, created following the recent acquisition of Surveye, a system integrator specialising in physical security.


In one of your bylines you speak of 'perimeter illusion': what is today the main 'blind spot' that Italian companies underestimate in their supply chain risk management?

The blind spot arises from continuing to think that security coincides with the corporate perimeter. Today, risk moves along supply chains, crossing IT, OT and physical security environments seamlessly, and the separation between these domains generates grey areas that attackers exploit with great effectiveness. According to the Clusit Report, supply chain attacks in Italy are among the fastest growing, and in 2025 our country suffered around 10% of all cyber incidents worldwide, with 82% of them classified as 'Critical' or 'High'. As long as security remains within organisational or technological boundaries, resilience remains partial and fragile. This is why security can no longer be read as perimeter defence but as the ability to ensure business continuity throughout the supply chain.

Isn't there a risk that resilience remains a more stated than practised theme, especially when it impacts critical or strategic suppliers?

The risk is there and it is very serious. Supply chain resilience is not a slogan, but a necessary condition for the resilience of the entire industrial system. It is true that an extended approach introduces complexity, especially when it involves critical or strategic suppliers, but it is an unavoidable complexity, and to give up on it would mean accepting structural vulnerabilities that sooner or later emerge. It is a responsibility that cannot be delegated only to technical functions, but must be taken on in the company at top management level.

The gap between large companies and SMEs on security has been known for years, but it seems to be widening: what levers can reduce it?

We cannot allow this security gap between large companies and SMEs to become a structural vulnerability factor for the industrial system in Italy. Supply chains are interdependent and the overall level of security is determined by their weakest link: strengthening the security of SMEs therefore becomes a national interest. Alongside market levers, however, concrete public instruments are needed, and there is no shortage of examples, including recent ones, in this sense. I am thinking, for example, of the hyper-amortisation, which allows an increased deduction of up to 180% for investments in digitalisation and security, and the ZES Unica, which provides tax credits of up to 60% for eligible areas in southern Italy. In any case, these are interventions that must be understood as a systemic investment and not as mere extemporaneous fulfilment.

Will regulatory pressure burden smaller suppliers with costs and complexities that are difficult to bear, instead of strengthening the supply chain?

Yes, the risk that regulation becomes an unbearable burden for smaller suppliers exists. Regulation can only become an element of strength for the supply chain if it is supplemented with what is currently lacking, i.e. a control system for the effective application of the rules. In the absence of this element, the risk is only formal compliance, oriented towards being 'in compliance' rather than reducing the real risk. An effective control system, on the other hand, can push companies to invest in concrete measures, with tangible benefits for the entire supply chain. I use this estimate to explain the concept more concretely: compliance with NIS2 will cost companies an average of around EUR 283,000, but studies predict a positive return as early as the second year, with a reduction in incidents of 6% per year. Real security arises when compliance becomes a tool, not a goal.

The convergence of physical and cyber security is often evoked, but in practice organisations remain divided into silos. Is it a problem of technology, skills or an underdeveloped managerial culture?

It is not a problem of technology: today there are already mature solutions for a truly convergent approach; the real limitation is cultural and managerial, before that of skills. In 2024, Italian companies spent more than 2 billion euros on cybersecurity, in 2025 more than 2.2 billion, and yet attacks have increased. Why? Because security continues to be treated as a sum of separate domains, entrusted to different functions, without a unified responsibility for risk. Instead, convergence requires a paradigm shift: reading security as a governance and business continuity issue, supported by transversal skills capable of integrating physical, cyber and OT. As long as responsibility remains fragmented, security effectiveness will also remain fragmented.

Last question: the adoption of AI and data-driven models promises greater predictive power, but also introduces new risks. Is there a danger of creating systems that are opaque and difficult to govern?

The first focus should be on how these models are adopted. It is crucial that the introduction of artificial intelligence is framed within clear processes and procedures that precisely assign roles and responsibilities to those who design these systems and those who use them. In this context, rather than creating opacity, AI and data-driven models represent an opportunity to increase top management awareness. Historically, it has always been difficult to make the economic impact of a cyber risk understandable; today AI finally makes it possible to represent it in a quantitative and tangible way. The real risk is not posed by artificial intelligence, but by making strategic decisions without the necessary data and visibility.
