Gyala cited by Gartner as a Sample Vendor in the “Hype Cycle for CPS Security” Report. Read

PMI, the hardest risk to manage:

Is the one we don’t know how to measure

The challenge facing Italian SMEs is not cybersecurity alone—it is the difficulty of translating cyber risk into a measurable, actionable metric.

Let’s start with the data:

The third Cyber Index PMI Report, promoted by Confindustria and Generali, with the scientific contribution of the Digital Innovation Observatories of the Politecnico di Milano and in partnership with the Italian National Cybersecurity Agency (ACN), assigns Italian SMEs an average cyber maturity score of 55 out of 100. While this marks an improvement over previous years, it still falls below the adequacy threshold of 60. (Source: Cyber Index PMI 2025, Confindustria, Generali, Digital Innovation Observatories – Politecnico di Milano, and the Italian National Cybersecurity Agency: https://corporate.generali.it/comunicati-stampa/2026-cyber-index-pmi/)

There is, however, another figure that deserves equal attention—and that must be considered alongside the first to gain a clear and comprehensive understanding of the current landscape.
Only 16% of Italian SMEs can be considered genuinely mature in cyber risk management. Most organizations remain in an intermediate position: they are aware of the problem, recognize its importance, but have not yet developed the ability to translate that awareness into effective prevention.

This presents a very different picture from the one we have traditionally been accustomed to seeing.

Previous analyses suggested that Italian SMEs simply did not consider cybersecurity to be a priority. Today’s data appears to tell a different story: awareness exists and continues to grow, but what is still missing, in most cases, is the ability to transform that awareness into an objective measurement of cyber risk.

Perceiving a risk does not mean understanding it—or knowing how to measure it.

An SME may have one hundred vulnerabilities classified as critical without being genuinely exposed. Conversely, it may have only two vulnerabilities, but if they affect the systems that govern production, accounting, or the organization’s most sensitive data, they become extremely dangerous because of the potential damage they could cause.
In the first scenario, exposure must be managed; in the second, the potential business impact is severe and the risk of damage is extremely high.

The same principle applies to assets. Knowing that you have five hundred connected devices is merely data. Knowing which ones are business-critical, which communicate with external networks, which rely on software that is no longer supported, and which should no longer even be present within the infrastructure means transforming data into knowledge.

This situation—being aware of the issue while lacking the ability to manage it effectively—is unique to cybersecurity. It is not something that occurs in any other business function.

What entrepreneur would ever make—or refrain from making—a business decision without considering the company’s numbers?
Every business leader knows their revenue, profit margins, cash flow, order backlog, and operating costs. They know these figures because they represent the starting point for every strategic decision. No one would hire new employees, invest in new machinery, or enter a new market without first having a clear understanding of the company’s financial position.

Yet this principle still seems not to apply to cybersecurity, and the report suggests that, within SMEs, this methodology remains largely underdeveloped.

It is no coincidence that the NIST Cybersecurity Framework (CSF) 2.0 places the Identify function at the very beginning of the cyber risk management process. Before an organization can protect, detect, or respond, it must know what it owns, how its assets are interconnected, what dependencies exist, and which processes truly support the business. (https://www.nist.gov/cyberframework)

For SMEs, this principle is even more critical given the nature of these organizations. Large enterprises can rely on redundancy, alternative systems, and distributed processes. Small and medium-sized businesses, on the other hand, often depend on a single server, a PLC, a NAS, or the workstation responsible for both accounting and production.

Therefore, understanding vulnerabilities is essential—first and foremost—in order to focus on those that can genuinely compromise the organization’s operational continuity and on the assets that are truly critical to the business, transforming what is often perceived as a purely technical issue into a matter of business continuity.

Knowledge – not data – is what ultimately enables informed decision-making.

Over the past few years, the landscape has also changed dramatically: SME infrastructures are no longer limited to a handful of servers and a local network. Today, they encompass cloud services, SaaS applications, mobile devices, remote vendor access, interconnected OT environments, distributed identities, and systems that continuously communicate with one another.
The attack surface has not simply expanded in size—it has become significantly more complex.
Attempting to manage this complexity by relying on people’s memory or on an infrastructure snapshot taken months earlier is simply unrealistic.

Cyber risk does not increase merely when a new vulnerability is discovered; it increases the moment an organization no longer knows where that vulnerability exists, which systems it affects, and what impact it could have on the business.

Perhaps the real cybersecurity challenge facing Italian SMEs is that they continue making decisions about a risk that, in most cases, they still do not know how to measure—or interpret.

Sources: Cyber Index PMI 2025, Confindustria, Generali, Digital Innovation Observatories – Politecnico di Milano, and the Italian National Cybersecurity Agency (ACN):
https://corporate.generali.it/comunicati-stampa/2026-cyber-index-pmi/
NIST, Cybersecurity Framework (CSF) 2.0 – Identify Function:
https://www.nist.gov/cyberframework

 NIST, Cybersecurity Framework (CSF) 2.0, funzione Identify: https://www.nist.gov/cyberframework