5 Questions With Franco Cerutti @ Costa Group
With the first in a series of speaker profiles ahead of the ItaliaSec Summit, we are delighted to present a short interview with Franco Cerutti, IT Operational Security Director at the Costa Group. The Costa Group is Europe’s largest cruise operator, with 26 ships at sea offering a capacity of 77,000 beds, and another seven ships commissioned and due to enter service by 2021.
QG: So Franco, thanks for taking the time to speak with us today. Could you start by sharing a little of your background and how you got to where you are now?
FC: Of course. I’ve been at the Costa Group since 2001, and I’m now the IT Operational Security Director. It’s a job with a very wide remit, looking after the security for navigation systems onboard our ships right up to securing the payment processes and credit card details of each of our guests. Before that, I was working in operational security again with Alcatel-Lucent, the telecom provider, for 15 years.
QG: You must have seen a lot in your time; what are the biggest changes you’ve seen?
FC: Well, for sure the technology has evolved hugely. One of the biggest changes has been a widening of the playing field. The internet is great, but it certainly hasn’t made life easier for security professionals! At Alcatel, the parameters of the challenge we faced were quite well-defined. We used to work with ancient DOS systems, which might not even be connected to a network. Now, threats can come from anywhere, anytime. The systems we’re dealing with on the ships are very powerful, and are reasonably easy to access from the outside. We have to work really hard to manage against those threats. A lot of it is increasingly out of our hands, too, with BYOD, remote access and more.
QG: The Costa Group is the biggest operator of cruise ships in Europe. What’s unique to working with ships rather than fixed assets?
FC: It definitely has its challenges. Someone said to me that working on the ships is like a factory, and another said it’s like a hospital. But it’s not really like a production environment. First off, the safety of the ship, crew and guests has to be paramount. We have thousands of people onboard and even minor incidents could have serious consequences.
From an operational standpoint, there is a lot to consider: the security of the SCADA navigation systems has to be top-notch, and then from a customer perspective we have invested heavily in the security of our onboard payment processing systems, as well as data privacy around everything from sensitive data to the onboard photographers. There are very real risks, and it’s our job to make sure that they’re taken seriously and hopefully convey to our customers that they’re fully understood and anticipated. Of course, we’d also lose a lot of customers if we were to get hacked, so it’s within our interests to take it seriously.
QG: What would you say to somebody looking to begin a career in IT security today?
FC: I think the secret to success in IT security is knowing where to strike a balance between trying to create a safe environment with the right level of managed, anticipated risk and not going too far, where you might be in danger of hindering the day-to-day operations of the company. Judging how to make those decisions is hard, and something that really only comes with experience. You don’t want to be in a situation where the processes and systems you’ve set up are too restrictive and making the organisation lose customers. These days, to think you can eliminate all threats is nonsense. But it’s about deciding on a level of manageable risk, and conveying that to all the staff at the company.
QG: At the ItaliaSec Summit, you’re joining a panel discussion about the current Italian security landscape ahead of the GDPR and the National Directive coming into force. How prepared do you think Italian business is for the impact of these regulations?
FC: Well, to be honest I don’t think anybody will be fully prepared by May 2018. Certain sectors are definitely further ahead – like banking and insurance – but in Italy we have a lot of SMEs and implementation will certainly be more difficult for them. SMEs here like to be flexible and can often overlook security, which will leave them wide open to attacks, particularly ransomware.
QG: Thank you so much for your time, Franco – we really look forward to seeing you in Rome!