Afternoon Cyber Tea with Ann Johnson
Episode: Cybersecurity at Sea: Protecting the Global Supply Chain
Date: March 31, 2026
Guest: Fabio Catassi, Chief Information Officer, Mediterranean Shipping Corp (MSC)
Host: Ann Johnson, Corporate Vice President and Deputy Chief Information Security Officer, Microsoft
Episode Overview
This episode explores the unique cybersecurity and IT challenges faced in the maritime logistics sector, with a focus on global shipping and supply chain resilience. Ann Johnson talks with Fabio Catassi of Mediterranean Shipping Corp about protecting critical infrastructure, embedding security into operations, the impact of emerging technologies (like AI and satellite comms), regulatory complexities, and building organizational culture that balances global standards with local innovation.
Key Discussion Points & Insights
1. Leadership in Maritime IT & Security
[01:18–02:43]
- Shipping is not just about data—it’s physical logistics, crews, and cargo.
- IT failures have immediate, real-world consequences (blocking ports, stopping ships, disrupting economies).
- Security must be fundamentally embedded in operations, not viewed as a separate IT concern.
“In shipping, technology failure isn’t an abstract. It stops ships, blocks ports, disrupts economies... security decisions have real-world consequences, not just digital ones.”
— Fabio Catassi, [01:48]
2. The Global Stakes of Maritime Incidents
[02:43–04:20]
- Ann recalls the Suez Canal blockage, highlighting the interconnected economic impact.
- 90% of global goods are moved by ocean, making shipping central to modern civilization.
- Incidents don’t just affect one company—they impact peers, entire industries, and global economies.
“If global shipping were to have a security or an IT event, it doesn't just impact you as a company, it impacts your peer companies... and of course the global economy.”
— Ann Johnson, [03:21]
3. Navigating Regulatory Complexity
[04:20–05:54]
- Shipping operates globally, but regulations are locally enforced and often overlapping (IMO, GDPR, national laws).
- MSC is present in 154 countries—leading to a web of frameworks rather than one universal code.
- The goal: create global consistency in security governance, while adapting to local requirements.
“Shipping is global by nature, but regulations are deeply local... you cannot design anything just for one regulator.”
— Fabio Catassi, [04:38]
4. Integrating Physical and Digital Security
[05:54–07:57]
- Modern vessels and terminals are highly connected, often running on legacy tech not built for cyber threats.
- The belief in air-gapped or isolated operational systems is outdated.
- New satellite networks (e.g., LEO) bring connectivity and real-time control, but also new cyber risks.
“The biggest blind spot is the assumption that operational systems are isolated, because they are not. Modern vessels... are all connected environments.”
— Fabio Catassi, [06:27]
5. Security, Resilience, and Response
[07:57–09:23]
- The NotPetya attack and similar incidents taught the industry that prevention alone isn’t enough; resilience is crucial.
- Critical to have capabilities for fast detection, containment, and recovery.
- “Make no assumptions” is a guiding principle.
“You cannot just rely on prevention... resilience is essential, critical.”
— Fabio Catassi, [08:43]
6. Leading at Scale: Embedding Security
[09:23–11:27]
- MSC’s operations run 24/7 with no downtime.
- Leadership sets clear architectural and security principles from the outset; security is “embedded from day one.”
- Avoid the temptation for shortcuts, even under business pressure—solving today’s problem shouldn’t create tomorrow’s risk.
- Partnership with business units ensures a sustainable, secure modernization.
“If you arrive at the end of the process or in the middle... to start to think about security, you are already too late.”
— Fabio Catassi, [10:09]
7. Sequencing Innovation and Managing Risk
[11:27–13:39]
- Incremental approach: Start with foundations like identity and data governance before scaling.
- Don’t let new tech enthusiasm outrun proper governance.
- Implement “gates of readiness” for tech initiatives (especially AI), prioritizing trust over speed.
“You don’t let enthusiasm... outrun proper governance... There is nothing worse than implementing something rushed and then you have a security incident.”
— Fabio Catassi, [12:27]
8. AI in Maritime Logistics
[13:39–16:31]
- AI brings value in predictive maintenance, cargo visibility, operational optimization, greenhouse gas reduction, and documentation/security ops.
- The current paradigm: “AI plus human oversight.” Humans remain key to decision making, using AI for early pattern detection and faster, higher-quality decisions.
- Real-world example: Detecting three extra containers among 24,000 on a ship is still fiction-level, but AI is advancing rapidly.
“AI is most powerful where AI meets humans... Humans still take the decisions, but can do that... much faster than in the past.”
— Fabio Catassi, [14:16]
9. AI Risks and Responsible Use
[16:31–17:46]
- Biggest risk: over-automation without oversight (“agents controlling agents”).
- Human verification and governance are vital to prevent safety and continuity risks.
- Transparency and deliberate rollout keep trust intact.
“Over-automation without oversight... is an area that I think that we are a little far from a moment where I would feel more comfortable.”
— Fabio Catassi, [16:48]
10. Balancing Global Consistency with Local Autonomy
[17:46–21:39]
- MSC establishes global governance and security guardrails but allows local teams autonomy to innovate based on regional needs.
- A sustainable model avoids fragmentation—“the worst enemy from a cyber perspective”—while encouraging innovation.
- Example: “AI Champion” communities and regional agentic AI “farms” scale local initiatives to global best practices.
“We have global guardrails and global governance... but then local teams have freedom in a way that we feel is safer.”
— Fabio Catassi, [18:22]
“Sometimes local innovation becomes global because the compelling solution was so great.”
— Ann Johnson, [20:08]
11. How a Philosophy Background Shapes Leadership
[21:39–24:51]
- Both Ann and Fabio share non-technical educational backgrounds, bringing broader perspectives to technology challenges.
- Philosophy training aids long-term, systems thinking, ethics, and correlating independent concepts.
- Technology is not neutral; it shapes behavior and responsibility. A “classical” background helps leaders consider impacts and consequences beyond practical solutions.
- Responsible AI requires keeping humans accountable and maintaining trust.
“Philosophy trains you for systems, ethics, long-term consequences... technology is never neutral—it shapes behaviors, shapes responsibilities.”
— Fabio Catassi, [22:31]
“You need to be very, very careful never to break trust, because if you do then you would have a permanent stain on the technology.”
— Fabio Catassi, [23:40]
12. Optimism for the Future
[24:51–25:58]
- The maritime industry has adapted, matured governance, and fostered better cross-industry collaboration—including with competitors.
- Optimism comes from improved standardization, the promise of responsible AI, and people leveraging tech for good.
“Collaboration across all actors in the industry is improving... governance overall is maturing and technology, especially AI, can make shipping safer and more resilient.”
— Fabio Catassi, [25:09]
Notable Quotes
- “In shipping, technology failure isn’t an abstract. It stops ships, blocks ports, disrupts economies.”
  Fabio Catassi [01:48]
- “You cannot just rely on prevention... resilience is essential.”
  Fabio Catassi [08:43]
- “If you arrive at the end... to start to think about security, you are already too late.”
  Fabio Catassi [10:09]
- “AI is most powerful where AI meets humans.”
  Fabio Catassi [14:16]
- “Sometimes local innovation becomes global because the compelling solution was so great.”
  Ann Johnson [20:08]
- “Technology is never neutral — it shapes behavior, shapes responsibilities.”
  Fabio Catassi [22:31]
- “You need to be very, very careful never to break trust.”
  Fabio Catassi [23:40]
Timestamps for Key Segments
- 01:18: Leading IT and security in maritime vs. digital sectors
- 03:21: Systemic impacts of maritime incidents on global economy
- 04:38: Regulatory challenges across 154 countries
- 06:27: Blurring lines between operational tech and cyber risk
- 08:43: Shifting from prevention to resilience
- 10:09: Embedding security from project inception
- 12:27: Sequencing innovation and AI readiness
- 14:16: Practical applications of AI in shipping
- 16:48: Managing the risk of over-automation
- 18:22: Balancing global controls vs. local innovation
- 22:31: The value of a philosophy background in tech leadership
- 25:09: Optimism for the future of resilient maritime infrastructure
Summary Flow & Tone
The conversation is insightful and pragmatic, reflecting the high-stakes, complex nature of cyber risk in global shipping. Both Ann and Fabio share a mix of real-world experience, leadership philosophy, and a commitment to thoughtful, sustainable innovation. The episode concludes on a note of cautious optimism: the future of maritime logistics is promising, provided the industry continues to collaborate, adapt, and embed responsibility at every level.
