What Keeps Your Security Chief Up at Night: Keeping the Enterprise Secure is a Round-the-Clock Job

By Gary Eppinger, Global CISO, Carnival Corporation


If 2014 is to be remembered as the year of cyber-attacks, then what’s ahead in 2015? Once an occasional disruption, it’s almost as if a security breach is a rite of passage for companies. According to JPMorgan, some 76 million accounts were hacked in 2014. It’s enough to keep any IT security professional up at night.

Last year’s lesson was that it is extremely difficult to keep unauthorized personnel out of the enterprise. We also learned that systems and processes we previously relied on to protect the enterprise are no longer adequate for the growing threats. That is why I believe this will be a year of change in how information is exchanged both nationally and internationally.

As a company that processes millions of transactions daily around the globe, across time zones, geographies and political boundaries, Carnival Corporation and our nine cruise line brands are continuously improving IT security systems and practices to protect the data with which we have been entrusted. While the list of things we must think about is never-ending, I’ll share the five key areas of focus for us in the coming months.

Weak Links Exploited

When you consider how enterprises have been extended by connections to third parties, customers and interconnected business ecosystems, the measures to secure these organizations are more complex than ever. Arguably, they are vital to every organization's global business operations. However, these “weak links” in the supply chain – suppliers and consultants not protected by sophisticated security safeguards – are attractive targets for hackers. That means an increased risk that the confidentiality, integrity and/or availability of this data will be compromised. Today’s security chiefs must remain ever-vigilant when it comes to securing the valuable and sensitive data routinely shared with suppliers.

Surprisingly, your own employees can also be a weak link – and one that is often overlooked when assessing your vulnerabilities. Here is why: Employees are generally very helpful, going out of their way to assist coworkers, customers, vendors and partners. Bad guys take advantage of this. They masquerade as employees of suppliers or representatives of some other legitimate business partner and launch targeted phishing attacks, singling out specific organizations or groups of individuals. The message is clear: Double down on training and awareness programs to ensure employees have the knowledge they need to be effective in protecting data.

Mobile Attacks

The world’s love affair with mobile devices is here to stay. According to the Ericsson Mobility Report released just a few months ago, by the year 2020, 90 percent of the world’s population over the age of six years old will have a mobile phone. While that is impressive, the more we use these types of devices, the more opportunities we create for hackers. In 2014 alone, mobile device security risk increased by 25 percent as some form of cyber-attack infected 16 million mobile devices.

Compounding the issue is the growing prevalence of employees accessing enterprise systems and data using mobile devices. In fact, Gartner predicts that by 2017, half of employers will require employees to supply their own mobile devices to use in the workplace. This trend exponentially increases the risk to any corporate IT system. Smart information security executives are carefully evaluating these new practices for potential security gaps to shore up any existing and potential future deficiencies.

Securing Emerging Technologies

In addition, we are anticipating the growing popularity of consumer technologies such as camera headsets like the GoPro or computerized watches like the iWatch. As our customers and employees use more of these technologies within our enterprise, new security concerns will arise. Already hackers are likely working on ways to gain access to these devices and the information they store in the cloud. It will be our job to stay one step ahead of these would-be hackers.

Authentication Evolution

It’s obvious that passwords and usernames are no longer able to provide the level of protection they once did, so CIOs are seeking new and different approaches to authentication. Options include two-factor solutions, smartphone verification or methods such as a token or biometric recognition. We are evaluating these and other options within our own operations that will allow secure access to critical information.

Threat Intelligence Sharing

This will become the norm in 2015 – within our industry and between enterprise and government organizations. Integrated threat intelligence makes other security monitoring and controls far more effective. That’s why we at Carnival participate in these initiatives:

- Information Systems Audit and Control Association (ISACA) – This is an independent, non-profit, global association that aids in the development, adoption and use of globally accepted, industry-leading knowledge and practices for information systems.

- Infra – A partnership between the FBI and the private sector, its objective is to prevent hostile acts against the U.S. The initiative is comprised of businesses, academic institutions and state and local law enforcement agencies.

- Cyber Security group within Cruise Lines International Association (CLIA) – Our company participates with other cruise operators in the regulatory and policy development process. The group forges strategic relationships among key cruise industry suppliers and interacts with government agencies.

As cyber attackers learn more about companies’ security programs, they will find new ways to infiltrate. That means security is a round-the-clock, 365-days-a-year job. You must be keenly aware of what is happening with your systems at all times. While difficult, this can be done. Our industry has made vast improvements in analytics tools and automated systems that are getting smarter every day about identifying anomalous patterns. Earlier detection and mitigation will be critical to helping safeguard systems.

It’s also important to note that security is no longer the sole responsibility of a few small teams within the enterprise. In our ever-connected, technologically complex world, security is now part of every employee’s job – something every person is responsible for every single day. It is vital that employees understand this. To be effective, security cannot function as a separate practice, occurring independently from the day-to-day operations. It must be integral to every job, in every department and in every location, every day.


In the end, vigilance is the key. There is no question that threats will continue evolving, coming from new and unforeseen sources. But working together as an industry, we will continue improving our processes for early detection and mitigation, so even the smallest unauthorized intrusion can be averted. Of this, I am confident.

It is that confidence – and the confidence I have in my fellow employees, our strategic vendors/partners, our commitment to improving our security controls, and our ability to react quickly to mitigate events – that allows me to get some sleep at night.
