This week, we had an interview with Simone Fortin who is the Global Head of Cyber Security at MSC Cruises (the world’s largest privately held cruise company). Simone holds over 19 years of multinational experience in cyber security (European Union and the Middle East) from strategy to implementation. He discussed with us the security threats in the tourism and leisure industry that are the most complicated to detect and how he thinks the cybersecurity market will evolve in the next 5 years. Now, continue reading the full interview below and discover his other insights which you’ll find unique.

1. How did you first get involved with cyber security, Simone? Could you share a project or inspiration with us that prompted your involvement?

I think that is a very common answer for many people that got into this field. I bumped into it by chance when I was completing my university degree and I got passionate immediately. When I started my career, almost 20 years ago, the term “Cyber” didn’t even exist and this field was a niche for few.

What has always inspired me in being part of this community is what I call “lateral thinking”; being able to think in a different way and analyze problems and challenges out of the schemes and especially being out of the crowd. This mindset brought me to approach challenges that I was not able to think about before, surrounded by brilliant people, very frequently visionary. This is also what I’m trying to transmit to all the people that have been working with me, especially the new generations growing in Cyber security.

2. As a Global Head of Cyber Security at MSC Cruises (the world’s largest privately held cruise company), please tell us about what motivates you to keep pushing ahead every day in the cyber security field.

When I moved to this company, I was looking for a new personal challenge. I worked for all the industries, but Maritime and specifically Cruises is a sort of concentrate of all the aspects that characterize the cyber security and at the same time is undergoing a historical technology transformation. No other industry must face the dynamics of Maritime when it comes to technology challenges.

Ships are continuously moving across the seas globally, they must be able to operate disconnected and at the same time provide the services of connected smart cities, the law changes according to the position of the ship and according to the flag it has, safety and security are at the core of our business. Data Privacy, IT, OT, IoT, Payment Systems, etc.: we have all these aspects to take care of. For a cyber security professional, there couldn’t be an industry more challenging as this one.

This mix of intrinsic industry Cyber aspects merged with the historical context we are living in gives me the motivation of a never-ending space for the growth of my horizons.

3. What are the major considerations that a Head of Cyber Security has to be making when looking at investment into information security?

Especially in tough moments like this, the key question that I pose to myself is: what’s the best trade-off between the investment and its return in terms of risk management and complexity increase? There is not an easy answer. Many variables are out of our control and the variability of the threat scenario is very high.

So, at the core of my decision-making process, I have a very simple answer (ref. Prof. David Feeney): think like a dolphin and not like a whale. Applied to cyber investments, I pursue small changes that reduce the risk dramatically. It’s not only a matter of costs, but this also reflects the complexity and the surrounding resources involved.

Small changes can also be absorbed by the organization and stopping or modifying one of them is easy compared to a single complex initiative. This doesn’t mean that there isn’t an overall strategy; it simply means it’s fundamental to master the strategy up to the extent that it’s possible to split it into very small pieces maintaining the objectives and keeping the possibility of adjusting it.

4. Why is it essential to invest in an excellent cybersecurity culture?

I think that the answer is already embedded in the word “culture”. We live in a world that is pervaded by digital, and in the future, it will be even more. As in the physical world, we behave according to rules and principles that give us a secure and civil society, the same should be done in the digital space.

The physical world benefits from hundreds of years of “cultural” evolution. In the digital world, we are just at the beginning. We need to invest in cyber security culture to support and speed up this evolution and contribute to developing a space that will bring us one day to have the same level of safety (or better) we have today in the physical world.

5. What types of security threats in tourism and leisure industry are the most complicated to detect? Maybe you can give an example from real life?

Our industry presents a very large surface of attack, and it includes actors that are potentially superior in terms of capabilities, like State actors. Today, they are probably the most complicated to identify and contrast, not only in Travel and Leisure but in all the other industries as well. For example, it’s very frequent in the Maritime industry the “jamming” and “spoofing” of GPS signals in sensitive areas of the globe. These types of attacks have reached the peak of visibility in the Middle East especially due to the increase of geopolitical tensions between historically powerful nations.

In 2019 a tanker was seized by a Middle East regional nation after his navigation system was fooled and manipulated to divert the ship from international waters to national jurisdiction. Collateral damages are becoming more probable because of the increasing frequency of these events. Added to this, there are increased investments by other nations in cyber with the intent of increasing the offensive capabilities as part of national defence strategy.

6. What significant changes do you see occurring within the cyber security market over the next 5 years?

The cyber security market will continue to require new skills, not only from a technological point of view thanks to the dimension of the growing digital adoption but also in terms of legal, communication, financial, humanistic, and international policy.

I think in future the cyber will be a very deep and variegated matter that will require a large collaboration of professionals for tackling the complicated challenges we have to face (e.g. secure application of Artificial Intelligence, Human Rights Freedom in the digital space, Cyber Weapons, etc.). In my opinion, a key element is a convergence and interconnection between the “strategic” discussion at the geopolitical level and the “operational” day-by-day life, still managed at a very technical level in the cyber community and in the organizations.

7. Lastly, on a personal note, what is the best career advice you’ve received and how have you sought to put this into practice?

During my career, I’ve had the fortune to meet several brilliant people and I think that was the most relevant advice I received: be surrounded by people that are better than you, learn from them and try to be a lighthouse for other people, inspiring and contributing to their success.

---

Click here to learn more about the Swiss Cyber Institute’s approach towards improving the digital safety and security of society and economy through education and weekly blog posts. Do you think you are a good fit to participate in our Security Expert Interview Series? Reach out to us for more information.