
The foundations of SDA Bocconi's teachings lie in the original research conducted by its faculty. From their PhD theses onward, researchers tackle issues of great importance to the management world with rigor and passion. This column presents their findings.
Cybersecurity and digital innovation should not be viewed as opposing forces. When integrated from the outset, cybersecurity measures can become powerful enablers of strategic innovation. Drawing on real-world cases and grounded in robust theory, Nico Abbatemarco’s doctoral dissertation demonstrates how cybersecurity capabilities and Digital Strategic Initiatives (DSIs) mutually influence each other over time, helping organizations protect themselves more effectively while also accelerating and amplifying innovation.
Abbatemarco proposes a model that guides managers in harmonizing digital innovation with system protection. The result is a practical framework that repositions cybersecurity from a constraint to a competitive advantage.
The context
In today’s business environment, digital transformation has become a strategic priority for organizations across all industries. In academic circles, a recent stream of research introduced the concept of Digital Strategic Initiatives (DSIs): projects that leverage digital technologies to significantly advance the achievement of strategic business objectives.
However, alongside the push for innovation, organizations are increasingly vulnerable to cybersecurity risks. A prime example is the growing convergence of traditional Information Technology (IT) systems with Operational Technology (OT), the systems that control industrial equipment and processes. While this integration promises greater transparency and efficiency in industrial operations, it also expands the potential points of vulnerability to malicious actors, from cybercriminal groups to quasi-governmental entities engaged in espionage or sabotage.
As a result, cybersecurity is often perceived as a brake on innovation or relegated to a purely technical or compliance-focused function. Yet today’s landscape, characterized by pervasive threats and increasingly strict regulations such as the European NIS2 directive, calls for a fundamental shift in this mindset. Companies must now treat security as an integral part of their strategic agenda. This raises questions: How can organizations effectively embed cybersecurity into their DSIs without compromising innovation? And how does the interaction between digital innovation and cybersecurity capabilities influence organizational success in both technological and security-related goals?
The research
To explore these questions, the study adopts a qualitative, multi-method research approach, developed across four academic articles. The analysis draws on real-world cases, including Industry 4.0 projects and cross-sectoral studies. Each paper focuses on a specific aspect of the issue, including the organizational challenges of aligning innovation and security strategies; identifying the capabilities needed to adapt to an evolving cyber landscape; and understanding how security and innovation capabilities influence and co-evolve with one another over time.
This evolutionary process is captured in a conceptual model developed in the dissertation, which adopts a temporal and dynamic perspective. According to the model, cybersecurity and DSI capabilities are not static—they evolve continuously, shaped by internal factors such as organizational culture, structure, and resources, as well as external ones like regulation, emerging technologies, and threats. The theoretical foundation is the dynamic capabilities framework, which is expanded and applied to the underexplored field of cybersecurity.
Conclusions and takeaways
The dissertation calls for a shift in perspective: cybersecurity should no longer be seen as a constraint, but rather as an enabler of digital innovation. The findings show that when security is designed and integrated into DSIs from the outset, it not only enhances organizational resilience but also facilitates faster and more effective innovation.
The thesis introduces a hierarchical model of organizational capabilities needed to “innovate securely,” structured across three levels: strategic, tactical, and operational. For each level, the research provides concrete recommendations, such as aligning IT and security team objectives, embedding cybersecurity in budgeting and risk management processes, or adopting practices like DevSecOps (Development, Security and Operations) within operational teams. Key obstacles include both structural and cultural barriers, particularly the disconnect between the Chief Information Security Officer (CISO) and top management, and the difficulty of communicating the importance of cybersecurity in terms that resonate beyond the tech sphere.
Finally, the dissertation contributes to the academic conversation by offering an updated taxonomy of the cybersecurity capabilities required by modern organizations. It maps the causal mechanisms linking these capabilities to business outcomes and highlights the need for further research on the managerial skills needed to lead increasingly strategic security units in an ever-evolving landscape.

