Gary Eppinger – Carnival Corporation

Imagine picking up Las Vegas and moving it to London, all while keeping the Vegas nightlife, retail and hospitality running smoothly. That’s essentially what cruise ships do every day.

Now imagine keeping all of the information that flows through Vegas—personal records, credit card info, health records—safe in that metaphorical transit. Cruise ships do that, too.

At Carnival Corporation, the largest cruise company in the world, Gary Eppinger is at the helm of protecting the company’s IT and all of the personal data that flows through it. Eppinger is the company’s global chief information security officer, and since one in every two people on a cruise ship is on a Carnival Corporation cruise ship, Eppinger’s task is daunting.

As a result, he says, Carnival Corporation’s cybersecurity is “cybersecurity on steroids.”

Floating cities

In many ways Carnival Corporation’s cybersecurity concerns are similar to those faced by other Fortune 500 companies.

As part of its global supply chain, the company has to protect its customers’ information and its key processes. As a casino operator, the company has to have the same types of securities you’d find in Vegas. Because it has health clinics on all of its ships, it has to secure confidential health information. On the maritime side, the company has to protect information regarding how it navigates and moves 100-plus ships around the globe.

The list goes on. Carnival Corporation has retail stores, movie theaters, hotels, even ground transportation, and its 10 brands have corporate headquarters scattered around the world.

Though Eppinger’s responsibilities are vast, he benefits from prior experience in many of those usually separate industries. Eppinger has held IT leadership roles in the banking, health care and retail sectors.

“I used to say I always knew where my key infrastructure were, so whether it was a retail grocery store or pharmacy—unless it was in California and there was an earthquake—I knew exactly where it was,” Eppinger says. “It’s not the same game here at Carnival Corporation. We have ships moving all over the world each and every day.”

An evolving role

Eppinger divides his team—which fluctuates from 50 to 75 employees globally—into five verticals.

There’s a security architecture team that builds and designs infrastructure and applications. The security operations team, which runs and maintains those applications, is the “eye on the glass, 24/7/365 team.”

A third team controls identity access and management, which determines who can view information and data; a fourth team oversees metrics, dashboards, budgets and vendor management, which is the office of the CISO. And the fifth team is focused on compliance and regulations like Payment Card Industry (PCI) standards and HIPPA (Health Insurance Portability and Accountability Act).

Eppinger has held CISO-type roles since the mid-80s, and he’s seen the role evolve. It started off as a tech role where you were the smart kid on the block, the only one who cared about security, he says. At that time, chief information officers were in more of a “do-as-I-say” position.

Now, Eppinger finds himself in a risk management, business partner role.

“You have to be able to translate business requirements into security solutions,” he says. “I have tech guys on my team that are my data hunters and my architects, but it’s more and more important even for those roles to understand the [business] solution.”

Tech’s ripple effect

It’s more important than ever for Eppinger’s team to convey the importance of data privacy and cybersecurity to every Carnival Corporation employee.

The company takes a multi-tier strategy. Again, it does a lot of things other companies do, such as training and awareness programs and informative posters.

But the company also ties its lessons to things that are important to employees on a personal, not just professional, level. Eppinger’s team advises employees on how to protect their credit card transactions during the holidays when fraud is high and how to talk with their kids about social media and cyberbullying.

“Things like that help them better understand not only how to protect themselves from a company perspective, but protect themselves and their loved ones at home,” Eppinger says. “And the better stewards they become away from Carnival Corporation, it’ll help them be better stewards of data and information at the Carnival Corporation. It becomes part of their DNA.”

The company also does its part to protect the cruise industry as a whole—its CEO was recently named global chair of Cruise Lines International Association. That’s partly because every cyberattack or security breach that happens in the cruising space has a ripple that impacts Carnival Corporation.

“We have to be great stewards with our competitors in this space because we’re all impacted,” Eppinger says. “People forget which cruise company an event happened on, they just correlate it to cruising.”

A rising tide

Fortunately, he says the cruise industry is responsive.

“We are truly raising the bar here in Carnival Corporation and across the industry as it relates to cybersecurity capabilities and maturity.”

“We are truly raising the bar here in Carnival Corporation and across the industry as it relates to cybersecurity capabilities and maturity,” Eppinger says. “However, it’s an environment that is constantly changing, so the better we get, the better we have to be.”

The changing landscape has led to a changing risk model, one that’s getting more complicated.

“Every time we think we’re getting to the end zone, we find out we’re back at the 50 [yard line] because the goal line has been moved,” Eppinger says.

He says it’s no longer if a cyberattack or security breach will occur, but when it will occur. His team spends just as much time working defensively to prevent events as it does offensively preparing for how it will respond when events do happen.

“The exciting thing about the industry is we’ve accomplished a ton, but there’s 10 times more to do,” Eppinger says, “and I don’t think we’ll ever be done.”