
A
You're listening to the Cyberwire Network powered by N2K. Welcome to Afternoon cybertea, where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the front lines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews and captivating stories to stay one step ahead. This week on Afternoon Cybertea, I am joined by Fabio Catassi. Fabio is the Chief Information Officer for Mediterranean Shipping Corp. In this role, Mr. Catassi has overall responsibility at the IT organization, including infrastructure development and security for both MSC headquarters in Geneva and the network of all of its agencies. He was formerly the President and CEO of MSC Technology, based in Warren, New Jersey. Welcome to Afternoon cybertea, Fabio.
B
Thank you, Ann, for the introduction and it's really a pleasure to be here with you today.
A
So, Fabio, you've been leading IT and security for a global organization with headquarters in Geneva. You have agencies around the world. You obviously have very critical logistics infrastructure. I would love to explore the leadership through that lens in the context of global shipping, supply chain, and of course what it means to run real world infrastructure. So let's get to a few questions. How does leading IT and security in maritime logistics differ from leading in a purely digital company?
B
Well, in shipping, technology failure isn't an abstract. It stops ships, blocks ports, disrupts economies. So we are not just protecting data, we are protecting logistics, physical operation, crews, cargo, safety. So that means, for example, IT, OT, satellites and vessels all converge. So security decisions have real world consequences, not just digital ones. So that fundamentally changes how you lead. So MSC's approach reflects this philosophy, in which security must be embedded in the operational processes. It cannot be treated just as a separate IT concern.
A
Yeah, I would think that. In addition, I remember the, and I don't remember the geographic name of the canal right now, but I remember the ship that was stuck for the period of time.
B
Yes, that was in the Suez Canal. It was from one of our competitors, but of course it lost the power and that's brought to a blockage that had an immense impact on economies. Both the local ones of Egypt. The canal was not operational. And of course with all the rerouting that we had anybody in the industry, for example, to do around Africa.
A
Yeah, and I think that's what I want our listeners to understand is that if global shipping were to have a security or an IT event, it doesn't just impact you as a company, it impacts your peer companies. It also can impact global supply chains and of course the global economy. And of course be a tremendous cost to you as you're trying to reroute ships in a different location and fuel and time and just wear and tear, right?
B
Yeah, absolutely. And you know, 90% of the goods that move worldwide, they are moved through the oceans. So it's really. There is no aspect of our life as a modern civilization that is not touched in one way or the other by ocean transportation. So if that gets disrupted, of course this means then there is a real life impact on economies and of course ultimately the people.
A
Exactly. And because of that, and I don't think that folks, I think that number is going to really hit folks when they realize that over 90% or roughly 90% of global shipping is done on the water. That means that you're working across multiple jurisdictions, multiple governments, multiple regulatory environments. How do you manage all of that?
B
It is a huge challenge. First of all, because shipping is global by nature, but regulations are deeply local. We have offices in 154 countries, so we operate under a myriad of overlapping frameworks, IMO, GDPR, port authorities, national laws, you name it. And often this is all simultaneous. So the challenge here is, when you look from the security perspective, for example, to create global consistency in security governance, but while remaining compliant and practical at the local level. Because effectively you cannot design anything for just one regulator. And it's what we do, we design for constant variation also because very often there are changes, certain jurisdictions are better to plan things, other countries, they make announcements at the last moment, et cetera. And you need to be able to react and be ready so that the flow of goods continues uninterrupted.
A
That makes perfect sense. And like a lot of global organizations trying to find that baseline governance standard that then you can just not have to modify continually, but you have that high level baseline that will apply across a lot of regulatory environments is something that we certainly find useful. So your industry is obviously very physical, it's also digital. Where do you think that the biggest blind spots are emerging for an organization that really has to be dependent on both the physical and digital footprint?
B
The biggest blind spot is the assumption that operational systems are isolated, because they are not. So especially now modern vessels, terminals are all connected environments, but they are built often on legacy technology that was frankly not designed for cyber threats. When you add then third parties, the human factor that of course in the security area is probably still the biggest unknown and uncertainty, this of course creates issues. And again, people are not really, they think that vessels are air-gapped or whatever, but today with satellite or whatever else, this is not a reality anymore. LEO satellite, for example, has brought high bandwidth, low latency to vessels. And that is great. It's great for crew welfare, it's great for constant monitoring for environmental controls so that we can control in real time emissions or whatever else within the ships. But at the same time, now the vessel is wired and connected through the LEO satellite constellations like any other digital asset that we have around the world.
A
That makes perfect sense to me. But thinking about, I was in Singapore last year, I spent a little bit of time there and they were touring me through the port there. And you're probably familiar that the port has gone almost completely robotic and digital. They're certainly moving that direction. And they were talking about how shipping has been a very targeted piece of infrastructure for a lot of nefarious actors. Right. And how they think about cyber and resilience because of that, because of the volume that goes through that port and the volume of goods that go through that port. Can you talk also a little about how you're thinking about resilience versus security versus just prevention of having any type of attack or any type of system outage?
B
So incidents like the Napa attack were really eye-opening for the industry in its effects and consequences, et cetera. And then there were other incidents over the years that really showed how this is an area in which you cannot just rely on prevention. That is not enough. When you are in a globally connected ecosystem, resilience is essential, critical. First of all, you need to really be geared to have fast detection, containment and recovery. So make no assumptions.
A
You're doing modernization right now at scale. So can you talk a little? You are well known for your leadership. So I want to talk a little bit about leadership and how you get the company on board. When you're modernizing systems, there's of course risk in that. And you're also defending against modern threats too.
B
Well, first of all, let's say that because we are standardizing data and process globally, while our operation runs 24/7, there is never a holiday, never a night or a period where there is not something that is operating around the world. So from my perspective as a leader of this endeavor, it means that I need always to set clear architecture principles. So that's the thing that we did when we started this process. And of course while the technology evolved, we keep reevaluating the technology we are using, how the architecture, et cetera. But then everything that is related to security is embedded from day one. Because if you arrive at the end of the process or in the middle of the process to start to think about security, you are already too late. And then you have a massive technical debt, you need to readdress and you waste time, money and velocity in providing solution to the business. So the biggest one thing that I often do is to be the urgent to sometimes resisting shortcuts when maybe the business is really pressuring for something be done. Super. And I have to see the fact that maybe we solve today's problem, but we create tomorrow's risks. And because the culture that now we have established inside the organization and we have a great partnership with the business, they understand. And so that is how we keep progressing. But we do it in a way that is sustainable and safe for our organization.
A
That makes a lot of sense. And then you have to think about, and I know you think about this a lot because you're involved deeply in the planning, but the sequence, right? How do you think about sequencing innovation when you're dealing with a global organization that's operating? I like to say we're building the plane as we're flying it. So you have a global organization that's operating. How do you sequence innovation so you minimize any new risk exposures?
B
First of all, my analogy that I used countless times is that we are running a marathon while we're doing steeplechase jumping around and once in a while we have to do the 100 meter speed dash. So that is how I feel how our operation as IT transformation runs. And going to your question, we start with foundations, so identity, data governance, visibility. Before you start to scale, if you have this approach, then you can move incrementally based on the risks that you want to take. So you don't let enthusiasm, especially when the new technology breaks in like the little revolution that we are having or big revolution we are having with AI. Of course there was immediately when we started a lot of enthusiasm and I was one of the people that was enthusiastic about it. But we look at it with the clear eye saying okay, this is what all we want to do. And then this doesn't mean that this innovation is blocked, but we create our own gates of readiness so that when we move to the next phase, we have built the governance and the building blocks so that that allows us then ultimately to move faster, but without having insurance and especially without breaking trust, because there is nothing worse than implementing something rushed and then you have a problem, security incident, et cetera. And then you expect the possibility to keep investing in that area just because you rushed things through and you didn't do all what necessarily be done to lay solid foundations.
A
I think that makes a lot of sense and it does lead me to ask you a little bit about AI. The modern world at some point in time is going to move towards AI. I think there are some industries that are moving more quickly, some industries are moving more slowly. But we're seeing a lot of global interest in how AI can improve productivity, how it can improve efficacy. There's different things in cybersecurity, but also in just standard IT. But I want to talk about logistics for a moment because you are the world leaders in that. Where do you see AI can actually add real operational value with regard to maritime logistics?
B
Well, there are a few areas like predictive maintenance, anomaly detections, cargo visibility, operational optimization, efficiency, reduction of greenhouse emissions, documentation, security, operation, et cetera, where AI has tremendous potential, in some cases is already making a difference. Our approach is that AI, at least where it is today as technology, is most powerful where AI meets humans. We truly believe that still the human factor is essential to the success of our business. But through AI we have tools that help us see patterns earlier or act faster. And ultimately, even when we stay in a setup in which humans still take the decisions, they are able to do that in a way that is qualitative and timely. Much faster than in the past.
A
I love that. I was reading. You're going to laugh. I was reading a fiction novel over the weekend and one of the things that happens, it was a thriller, a global thriller. And one of the things that happens is they're looking for some missing cargo on a ship and they realized that a different ship had too much weight and somehow that was, you know, they could sense that automatically from some ports. And I'm like, well that's fascinating. It was, you know, they described this high tech technology where they could do the exact weight and knew it had three extra containers on it.
B
Well, it's fascinating. Probably is also a bit fiction because when you look at some of today's largest container ship vessels that we and some of our competitors operate, they are able to carry 24,000 TEUs. So they are like three football fields combined. And so to be able to detect three containers out of that size and weight, it's really next level of AI? Let's put it this way.
A
Well, that's. Yeah, I knew I was talking to you, so I was like, I wonder if AI could solve that. Right. Anyway, what risks? So you thinking about AI, how it can help you innovate? I'm sure your security team is thinking about AI but what risks do you think about from AI adoption in your global infrastructure?
B
First of all, over-automation without oversight, the concept of agents controlling agents, et cetera. That is an area that I think that we are a little far from a moment where I would feel more comfortable in having stacked layers of AI agents independently operating. Then of course there is the evergreen problems that they are then potentially compounded by AI or poor data quality or regulatory misalignments, et cetera. Ultimately, as we were saying earlier in infrastructure, mistakes aren't just theoretical. So they can affect also safety, continuity, et cetera. So that's why I stress all the time that the governance, human verification, transparency matter to us much more than just the speed of execution.
A
I think that makes perfect sense. I mean, you have to maintain all of your, I'm using security loosely, not necessarily cybersecurity, but you have to maintain all of your security, your resilience, your systems, and slowly figure out where AI is going to add the most value with creating the least risk. Let's pivot just a second away from cyber for a moment. You have some globally distributed organizations. You have headquarters in Geneva, you have facilities, large facilities in Warren, New Jersey. In this globally distributed organization, how much consistency do you drive or how much local autonomy do you allow?
B
Well, you have to have global guardrails and global governance so that you have a consistent baseline of operation. But then this means that then you can have the local teams with their own responsibilities and time, connectivity, innovation that they want to bring up whatever initiative they want in a way that we feel it's safer and even outside of the global IT organization in which we are quite structured also and consistent across the various technology sites that we have also in India, in Italy, et cetera. But this is also very much true for our agency network. We have created, for example in our cloud infrastructure the security baseline, the way in which systems deployment, monitoring, patching, et cetera, is globally managed and governed, more importantly. But then they have the freedom to innovate and to add elements to their IT needs, system, et cetera, in freedom from a central headquarter. And that is a perfect situation because we have a very sustainable model where we don't create fragmentation. That, as you know much better than me, is the worst enemy that you can have from a cyber perspective. But at the same time we are not stemming local initiative and innovation.
A
I like that approach because it's all about balance and there are local nuances, as you know, but you also can drive, we drive local innovation that sometimes becomes Global innovation because the compelling solution was so great that they built in some remote part of the world that you'd never expect, right?
B
Yeah. And for example, if I may give you an example, we created in the AI area an AI Champion community and we created by in every region we named AI Champion that comes from the business. They are not necessarily people with an IT background. Some of them do, some others are of course technically savvy. But they are let's say more from really the shipping business of the house in their specific areas, of course they disseminate and they make the evangelization of the organization on the various AI tools we have, what they can do or not do. But then also they created their own initiatives and we've started to build the regional agentic AI farms in which the various regions create their own agents. Then we created the repository where they can describe what the agent does, the business objective, et cetera. And then the other regions can start to take advantage. And that is how we scale up for example in that area. So it's a model that we have used also in another area of our IT transformation in the past. It works very, very well.
A
That's fantastic and I'm glad you're so open to it. It's great to hear from a leader who isn't rigid that they must control or drive all innovation. So you and I have a couple things in common. One, I'm originally from the great state of New Jersey and my mother's family was very Italian. But that I also completed a dual major in political science and communication and started law school and chose to go into technology instead. I see that you completed a degree in classical languages and philosophy, attempted law school and then also ended up in technology, so.
B
Exactly.
A
But I think that background of not having. I don't have a technology degree. I think that background has really helped me think about problems a little bit differently. I'd love to understand how your philosophy training has influenced how you approach technology.
B
First of all, it's beside it. I love the subject, but when it comes to where I end up as a career, I think that philosophy trains you in systems, ethics, long-term consequences, makes you able to abstract problems in a very different way. When you look to a solution, you are able to correlate many independent concepts much easier. And also technology is never neutral. So it shapes behavior, shapes responsibilities. So I think that the classical background, philosophy background, etc. has been very helpful to me in my career when I am faced with the problems, et cetera, to look not only to the practical solution, but also to look at the impact and the consequence of the choices that we were making through technology.
A
I think that's great. Do you think that studying philosophy also changes how you think about AI, responsible AI in particular?
B
Well, yes, very much so, because this has been one of the biggest debates also at the beginning of this AI revolution with generative AI, et cetera. Normally AI really raises questions of responsibility, agency, trust. So because I truly believe that humans, they must remain accountable, then you have to look to AI in that context. So you cannot really, you need to be very, very careful in this area never to break trust because if you do then you would have a permanent stain on the technology. And you see some of the things that are happening in the market, et cetera, they are giving a bad name sometimes to AI. But the problem there is not AI, it is maybe a not really responsible approach to how to implement and present this technology.
A
Makes perfect sense. I really appreciate you joining me and as we conclude Afternoon cybertea, we always like to end on a note of optimism. So when you think about global critical infrastructure over the next decade, shipping, ports, logistics, what gives you optimism?
B
Definitely that is an industry. We have learned hard lessons, we have adapted. Collaboration across all actors in the industry is improving. We are working with our competitors, with the authority, with the customers, et cetera on the standardizations. Governance overall is maturing and technology, especially AI, can make shipping safer and more resilient. So I think that the combination of all these things, when is put then in the hands of the people really becomes an amazing opportunity to keep improving and make our planet better.
A
That's fantastic. Fabio, thank you so much for joining me on afternoon CyberTea.
B
Thank you, Ann. It's really been truly a pleasure to have this opportunity. Thank you again for having me and
A
many cyber thanks to our listeners. Join us next time on Afternoon cybertea. This week on the Microsoft Threat Intelligence podcast we talk about why talk is cheap in security and you actually have to do things to make things secure. Be sure to listen in and follow us at msthreatintelpodcast.com or wherever you get your favorite podcasts.
Episode: Cybersecurity at Sea: Protecting the Global Supply Chain
Date: March 31, 2026
Guest: Fabio Catassi, Chief Information Officer, Mediterranean Shipping Corp (MSC)
Host: Ann Johnson, Corporate Vice President and Deputy Chief Information Security Officer, Microsoft
This episode explores the unique cybersecurity and IT challenges faced in the maritime logistics sector, with a focus on global shipping and supply chain resilience. Ann Johnson talks with Fabio Catassi of Mediterranean Shipping Corp about protecting critical infrastructure, embedding security into operations, the impact of emerging technologies (like AI and satellite comms), regulatory complexities, and building organizational culture that balances global standards with local innovation.
[01:18–02:43]
“In shipping, technology failure isn’t an abstract. It stops ships, blocks ports, disrupts economies... security decisions have real-world consequences, not just digital ones.”
— Fabio Catassi, [01:48]
[02:43–04:20]
“If global shipping were to have a security or an IT event, it doesn't just impact you as a company, it impacts your peer companies... and of course the global economy.”
— Ann Johnson, [03:21]
[04:20–05:54]
“Shipping is global by nature, but regulations are deeply local... you cannot design anything just for one regulator.”
— Fabio Catassi, [04:38]
[05:54–07:57]
“The biggest blind spot is the assumption that operational systems are isolated, because they are not. Modern vessels... are all connected environments.”
— Fabio Catassi, [06:27]
[07:57–09:23]
“You cannot just rely on prevention... resilience is essential, critical.”
— Fabio Catassi, [08:43]
[09:23–11:27]
“If you arrive at the end of the process or in the middle... to start to think about security, you are already too late.”
— Fabio Catassi, [10:09]
[11:27–13:39]
“You don’t let enthusiasm... outrun proper governance... There is nothing worse than implementing something rushed and then you have a security incident.”
— Fabio Catassi, [12:27]
[13:39–16:31]
“AI is most powerful where AI meets humans... Humans still take the decisions, but can do that... much faster than in the past.”
— Fabio Catassi, [14:16]
[16:31–17:46]
“Over-automation without oversight... is an area that I think that we are a little far from a moment where I would feel more comfortable.”
— Fabio Catassi, [16:48]
[17:46–21:39]
“We have global guardrails and global governance... but then local teams have freedom in a way that we feel is safer.”
— Fabio Catassi, [18:22]
“Sometimes local innovation becomes global because the compelling solution was so great.”
— Ann Johnson, [20:08]
[21:39–24:51]
“Philosophy trains you for systems, ethics, long-term consequences... technology is never neutral—it shapes behaviors, shapes responsibilities.”
— Fabio Catassi, [22:31]
“You need to be very, very careful never to break trust, because if you do then you would have a permanent stain on the technology.”
— Fabio Catassi, [23:40]
[24:51–25:58]
“Collaboration across all actors in the industry is improving... governance overall is maturing and technology, especially AI, can make shipping safer and more resilient.”
— Fabio Catassi, [25:09]
“In shipping, technology failure isn’t an abstract. It stops ships, blocks ports, disrupts economies.”
Fabio Catassi [01:48]
“You cannot just rely on prevention... resilience is essential.”
Fabio Catassi [08:43]
“If you arrive at the end... to start to think about security, you are already too late.”
Fabio Catassi [10:09]
“AI is most powerful where AI meets humans.”
Fabio Catassi [14:16]
“Sometimes local innovation becomes global because the compelling solution was so great.”
Ann Johnson [20:08]
“Technology is never neutral — it shapes behavior, shapes responsibilities.”
Fabio Catassi [22:31]
“You need to be very, very careful never to break trust.”
Fabio Catassi [23:40]
The conversation is insightful and pragmatic, reflecting the high-stakes, complex nature of cyber risk in global shipping. Both Ann and Fabio share a mix of real-world experience, leadership philosophy, and a commitment to thoughtful, sustainable innovation. The episode concludes on a note of cautious optimism: the future of maritime logistics is promising, provided the industry continues to collaborate, adapt, and embed responsibility at every level.