Carnival Guards a City on the High Seas

At Carnival Corporation, CISO Gary Eppinger protects passengers’ most sensitive data—and provides the luxuries one expects upon departure

Gary Eppinger has worked in IT security for twenty-five years, so it’s more than fair to say he knows this space. He’s built and managed information security architecture in health care, industrial automation, and supermarkets. His current role as chief information security officer with Carnival Corporation—whose fleet of more than one hundred ships sails to the Caribbean, Europe, Mexico, and Alaska—is similar to these other positions in many ways, he says. But where it is distinct, it is remarkably so.

“I would say that 60 percent of the job is typical,” Eppinger says. “But the 40 percent that is different is dramatically different.” That 40 percent makes Eppinger’s job unique, complex, and fascinating. “When I ran security for a retail company, we didn’t worry about our store sites moving,” Eppinger says by way of example. “Their location was their location, unless there was an earthquake.”

That’s not the case, though, in maritime business. Once a ship sets sail from port—with anywhere from three thousand to four thousand passengers on board along with one thousand crew members—it becomes what Eppinger describes as a floating city, at once a hotel, a clinic, a casino, and a restaurant, with an international population. The ships are monitored from company headquarters by satellites (to figure out how to make operations more efficient), but they’re also always moving. Once a cruise is complete and passengers disembark, the vessel is cleaned, prepped, and sets off on its next voyage in mere hours. And while the ships are at sea, new ones are always being built—typically four or five every year—and existing fleets are being enhanced, so there is constant movement at every level.

Because ships depart from ports in numerous countries, carry passengers from different parts of the world, and spend time in international waters, Carnival has to manage a myriad of compliance regulations. For example, the European Union recently established a privacy requirement that if members of the EU are on a ship that sails out of the United States or a different country, the company needs to meet the requirements of the passenger’s country of origin, while still needing to honor those of the country of departure. If a passenger gets sick during the voyage and visits the infirmary, the company needs to abide by HIPAA rules for health records, as well as those of the health department of the passenger’s country of origin.

Additionally, the US government has a counterterrorism no-sail list (similar to the no-fly list) that the company honors. Eppinger’s team is not specifically tasked with security against terrorism (that falls to the physical security team), but it is in the mix. “We are involved from a cyber perspective,” Eppinger explains. “Physical security is a peer department that we interface with and work with. There is a huge gray area in between where physical can become cyber, and cyber can become physical.”

His department manages hundreds of risks, but they can be broadly grouped as having to do with either customer data, shoreside operations, or ship operations. Across these areas, Eppinger and his team have identified twenty domain areas of security, a few of which include monitoring, security architecture, and policies and procedures. “We don’t believe we have to be world-class across all twenty, but we have to be appropriate and adequate in all of them,” he says. “Because of the nature of our business, there isn’t a single standard that is going to make sense for us. We’ve taken international standards and US standards, and customized them as one [set] that meets our needs as a maritime company using a hybrid methodology.” Every quarter, the company reviews its maturity in each area and develops strategies on how to improve.

Protecting customer data begins the moment a prospective passenger gets on the company website or calls an agent to make a reservation. Customers pay with credit cards, give out their passport information, and reveal medical conditions and dietary restrictions during the reservation process. All of that has to be kept safe to prevent personal information from ending up in the wrong hands. Once booking is complete, there is often follow-up by email for changes, updates, or enhancements to the reservation, all requiring the same degree of vigilance. Equally important is protecting any post-reservation cross-brand marketing undertaken by the company.

Data transfer continues on the ship with Wi-Fi capability at sea, which IT is continually working to enhance. Customer expectations have shifted in this area to the point where many people have an expectation that getting on the ship will be the same as walking into a hotel or going to another land-based vacation spot in terms of connectivity, Eppinger says. Those connections must be made secure, as well.

People can log in to the company website from any place in the world, which adds yet another layer of complexity. As an example, a German, a Nigerian, and a US citizen all make reservations online for a cruise departing from Miami. Each of these countries has its own unique reporting requirements. And if the site were to be compromised, the company would be subject to privacy laws from each of the three countries. Even when reviewing only US passengers, different states have different laws.

A second area of security is ship operations, including design, maintenance, and response. Eppinger and his team protect the ship’s satellite-based navigation systems, handle application-level security for the onboard casinos, and encrypt the data on the key cards that unlock the doors to the passengers’ berths.

The team obviously doesn’t want a security breach to happen, but they also want to be ready to react speedily and adroitly if it does. “Like most companies, we spend time and dollars and focus on the prevention capability and controls,” he says. “But from a strategy perspective, we focus on our response capabilities. How do we know when something happens throughout the global environment, and are we prepared to respond and remediate? We know you can’t build a wall tall enough to prevent everything, so you better have capabilities to identify when something happens and the maturity to respond.”

Eppinger is also responsible for securing information with the company’s shoreside operations. This work makes up the 60 percent that is similar to other jobs that Eppinger has held. His team guards against cyber events in all the divisional corporate headquarters data centers, involving the provisioning of accounts, computer applications, and employee information.

While Carnival is heavily insourced, the company does work with strategic partners and outside vendors for the delivery of services and products. These partners have to pass muster in terms of security. Eppinger says that, especially with the vendors who are key to customer data or critical company infrastructure, there is vetting, a high level of contract negotiation, and requirements the vendors have to meet.

One of the ways Eppinger has put his mark on the company has been by bringing all security and compliance teams together under a single organization. He now has direct reports from the company’s ten brands in Europe, North America, Asia, and Australia. Previously, security for each brand was disconnected from the others. “We aligned them in terms of strategy, execution, and organization to deliver security systems more consistently. One of the reasons behind that change of strategy was to ensure we had consistent delivery in the twenty domain areas to make sure we were able to maximize capacity in size. It didn’t help us to be strong in one brand and weak in another. We recognized that we are only as strong as our weakest link.”