Andrea Succi
Group CISO
Ferrari Group
Andrea has over 16 years of experience in cybersecurity and joined Ferrari Group as the group CISO in 2023. Before this role, in 2021, he joined Amplifon as the global head of cybersecurity. His journey also includes serving as cybersecurity manager at Deloitte, where Andrea led the Deloitte resilient service line and was a key member of the Deloitte global COE for connected products security.
His career includes significant roles at Accenture, NTT Data and KPMG. Beyond his professional roles, Andrea is an active OWASP contributor, particularly for the LLMs project, reflecting his engagement with pioneering cybersecurity challenges and solutions. He holds a master’s degree in engineering management from the Polytechnic University of Milan.
Give us a brief overview of the path that led to your current role.
It all started when I was a kid. My father, a brilliant engineer himself, is the reason I work in cybersecurity. He made me curious to understand how things work and what it means to become a so-called ‘hacker’. The first symptoms appeared when I was a kid taking games apart and getting them to work again when put back together. When I was twelve, I wrote a virus for MS-DOS which only ran on my father's PC. Later, I cracked a video game (spending more time cracking the game than playing it) and experimented on satellite TV security protocol vulnerabilities.
While at university, I started taking courses related to security with interest and completed a thesis on cybersecurity entitled "Information Security Governance: An Integrated Approach to Information Security". The person I completed my thesis with helped me get hired at KPMG in their Security Advisory team and my journey continued from there.
During my work experiences in leading consulting/advisory companies, my goal was to build a well-rounded profile, able to define a strategy and talk with both leaders and technicians.
What is one of your guiding leadership principles?
It’s what I call ‘cyber-Maieutic’: the company's top management needs to understand why security is important – specifically in their daily activities – by understanding the implications of not adopting the best behaviours or making the necessary investments.
I mention ‘Maieutic’ because when people understand the truth by ‘finding it in themselves’, the result is that collaboration will be at its highest point. At this point, the leaders will be cyber champions and they will sponsor positive cyber behaviours within their teams.
With disruption being a key theme of the past few years, where do you see your role as a CISO going in the next 1-2 years?
I think the CISO role must develop alongside the constantly evolving threat landscape. With attacks becoming increasingly sophisticated, the primary aims of the CISO will be to rapidly advance cyber defence tactics and decrease the ROI for potential attackers. Ultimately, the CISO must be able to anticipate and prepare for new threats as they emerge.
What advice would you give to someone just starting out in the role as a CISO?
Ask yourself, ‘How can I make this organisation secure in a way that is not business-blocking but also not risk-taking?’. Start by understanding your risks and work backwards to understand how to mitigate them. Refrain from buying technologies if they do not mitigate your high risks – with the amazing technologies we have today, it is too easy to get lost in the ‘new toy’, even if the level of mitigation it can provide is only marginal.
Tell us 3 fun facts about yourself.
- I practise diving – I am a Dive Master and an Underwater Archaeological Operator. It is a risky activity, but much like cybersecurity, we have people, processes and equipment/technology to trust, and doing so makes this discipline far safer.
- I love to play the electric guitar – it allows me to take my mind off everything and focus solely on the music.
- I play curling at a competitive level in the Milan “Serie C” team – it allows me to work in a team and push my teammates to do better (I am recognised as our ‘motivator’).
What is the value of participating in a professional community through Evanta?
The main value is that comparison allows everyone to perform at their best. Here, we are able to learn new best practices and understand new threats and mistakes in our innovation journeys.
Evanta Governing Body members share their insights and leadership perspectives to shape the agendas and topics that address the top priorities impacting business leaders today.