Gary Eppinger
Global Chief Information Security Officer & Privacy Officer
Carnival Corporation
June 2020
The COVID-19 global pandemic has challenged almost every business in some way or another, but the travel and tourism industry has been hit especially hard. At the forefront of this is the cruise industry, which is currently at a complete halt.
We had the opportunity to talk to Gary Eppinger, Global Chief Information Security Officer & Privacy Officer for Carnival Corporation, to understand how he and his team are navigating these trying times both from a business and security standpoint. Eppinger highlights industry challenges and how Carnival plans to keep business moving forward.
How did your organization first respond to COVID-19?
From a security and compliance standpoint, we have been dramatically impacted — starting off with closing all of our corporate headquarters and getting all of our employees to work from home and the ability to do that in a secure manner.
Normally, our systems are available 7-by-24, but never at that volume of intensity. We saw systems crashing that had never crashed before.
How do you design something with the resiliency that you have never anticipated before?
From a security perspective, we think about 4,000 to 5,000 people connecting remotely – not 20,000 to 30,000 people connecting remotely at all times.
In addition to supporting a remote workforce – procuring laptops, sending desktops home and trying to improve their security infrastructure to be able to handle 25,000-30,000 remote users – the organization also had to find a way to streamline its nine different brands and integrate the security process.
What surprised you most from the COVID-19 situation?
The thing that probably surprised me the most is the magnitude of it. We have some departments that leverage working from home as part of their normal process. We also have a work-from-home policy, but we only had a workforce that was probably 10 or 15 percent leveraging it.
It was something we had done before, but not at this magnitude, which drove a huge level of complexity.
We had to close offices and get remote access up within a week. That involved a 7-by-24 task force focused on each and every individual brand IT team to be able to do it. It was business critical to support our collaboration and continuity requirements.
In terms of speed and magnitude, do you have any best practices or tips for others?
The small details will kill you. Things like getting headsets, something I never thought would be a limiting factor was a limiting factor of us being able to go faster.
Flexibility and adaptability. Our business continuity plans that we developed and tested over time weren't good enough. We had to make adjustments to meet this global business requirement. I was happy to see the team have that mindset of adaptability throughout this process.
What are some things that you have implemented that you normally wouldn’t have the time to do?
It's a lot of maintenance of systems that we tried to push even further. We have blackout periods in the cruise space — we call them “waves season,” the time when we do a lot of our bookings in the peak times. Like a lot of businesses and verticals, you want to minimize changes during those seasons because you know change will inevitably cause things to break. Things we couldn't do during waves season are the things we started to accelerate. But you have to balance and minimize the risk in that particular time, too, because we couldn't afford any outages either.
What are you most proud of?
I'm most proud of a couple things. One is the speed in which the team adapted and understood. When we started off it was a couple ships having a problem. Quickly pivoting to brands that are having the problem, then quickly pivoting to all of the brands, and then all of our competitors are having problems. We had to quickly adapt and put plans together. We thought it was going to be focused on a specific ship or a particular brand or a particular part of the world – not the whole world. We had to adapt those plans several times throughout the process.
Second, we have had a huge level of collaboration in the past, but we were overwhelmed with the ability to collaborate from brand-to-brand. We were able to knock down the walls faster than we'd ever been able to do before, to make sure we were collaborating at a pace that we needed to be successful.
Anything else you want people to take away from this situation?
I think this is an opportunity for security to continue to lead. We talk about being embedded in the business, we talk about being flexible, we talk about being innovative. All of those things are heightened now. Understanding that there is no playbook that you can pull out during a pandemic situation, you have to lean into it, keep it simple and throw out the way you also did something. You need to be comfortable in an uncomfortable situation. Never forget to also focus on the rebound while going through the storm.
Special thanks to Gary Eppinger and Carnival Corporation.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.