[BreachExchange] CISO of the Year: Andy Powell, Maersk

[Destry Winant]

https://www.ciodive.com/news/ciso-maersk-notpetya-infosec-dive-awards/566241/

In 2017, shipping giant A.P. Moller - Maersk flexed a muscle many
didn't know it had.

After becoming a collateral victim of NotPetya — the infamous 2017
wiper cyberattack — Maersk rebuilt its IT infrastructure in 10 days.

It took Maersk less than two weeks to overhaul its IT infrastructure.
And a year later it recruited chief information security officer Andy
Powell in June 2018.

Powell, then serving as VP of cybersecurity at technology consultant
Capgemini, advised about 50 to 60 clients on NotPetya.

NotPetya "made me realize that I actually really enjoyed fighting in
the trenches, as I call it, doing the real work rather than selling
it," he told CIO Dive.

BY THE NUMBERS

10 days

How long it took Maersk to reinstall more than 4,000 servers, 45,000
PCs and 2,500 applications post-NotPetya

76 ports

The number of ports, including locations in Spain, Los Angeles and the
Netherlands, impacted by NotPetya

$300M

The NotPetya-related costs Maersk incurred

3.9%

The uptick in fixed bunker prices. There were also increased desert
times because of lower invoicing times, higher terminal cost, and
higher positioning and SG&A costs.

20%

Maersk's initial overall drop in volume from the cyberattack

Maersk's recovery was the career pivot Powell wanted. A century-old
company, Maersk was not designed for a complete infrastructure
overhaul. The anticipation of a digital and cybersecurity renaissance
baited him further.

"It's a significant transformation of a very traditional company," he
said. "That's what really excited me."

Backed and funded by leadership, in the first 18 months of Powell's
Maersk tenure, its security team went from 28 people to just under
300, which includes 150 interim contractors.

"Many CISOs go in and it's an uphill struggle to convince the business
to invest in improvement," said Powell. The board already saw the
gravity of a cyber investment, and that was a "key factor in my
decision to join."

Maersk's security operations center (SOC) was "very small, if not
minimal," he said. "There were a number of skills that we needed that
we didn't have," so Powell hired "rapidly" to fill the gaps — going
from three security experts to around 50.

Having accentuated SOC's importance in Maersk's overall business,
cyber talent saw an attractive challenge: building Maersk's security
posture "from scratch," said Powell. He also introduced the company to
"a constellation" of more than 20 cybersecurity officers across the
globe "sitting in the various key business centers."

Powell uses strategies from his military background for harmonizing
security operational principles, including trust, resilience, shared
responsibility and accountability.

Drawing on Powell's time in the Royal Air Force, "I knew that he had
that executive presence," experience running large budgets and keeping
systems patched, Mike Turner, VP at Capgemini, and former CSO and
colleague of Powell, told CIO Dive.

"He'd been through a lot of rehearsals in terms of contingency
planning and incident management and response, so I'm absolutely
certain that his experience in the military would have grounded him,"
said Turner.

The penultimate principle is championing shared responsibility
throughout the enterprise.

"Whether you're just a guy on a ship in the middle of the ocean, on
your computer in the cabin, or you're one of the key computer guys
running the systems, you are responsible for security in your area,"
said Powell. "Whatever you're doing, take responsibility for that."

Now with a well-established team at Maersk, "I can trust them to get
on with it," he said. "Don't get me wrong. I am the head on the block
if things go wrong, but I think what's most important is that you've
got a strong team," in and outside of the security organization.

As a consultant at Capgemini, Powell had layered responsibilities. "It
is very useful, very handy to have a degree of domain knowledge," said
Turner."The great thing that Andy has, which I think is absolutely
vital to senior leaders in security roles, is that ability to operate
at the board level" while mastering a business component —
cybersecurity.

"What I'd hate to feel is that somebody would have to rip everything
up and start again, because that means I haven't succeeded."

NotPetya compromised Maersk's reliability in 2017.

But "I don't think it was just a cyberattack," said Powell. "Even in
the last 18 months things have changed. The CISO of today is no longer
the technical geek who sat in the back room waiting to be told what to
do by the CIO."

"I think what happened with the CISO role is it has changed because
the business has changed," he said.

Over the last two years, Maersk has emphasized its transformation and
the role technology features in its goal of becoming "the global
integrator of container logistics," according to Maersk's Q2 2019
interim report.

Analysts anticipated trade wars would curb Maersk's volumes, but by Q2
earnings, for now, were minimally impacted, crediting "strong
reliability and capacity management."

As the company progresses — in cybersecurity and modernization —
Powell wants to lay a resilient foundation. "What I'd hate to feel is
that somebody would have to rip everything up and start again, because
that means I haven't succeeded," he said.

The success of Powell's security program is validated by Maersk's
improved protection and changes in his personal life. "When I arrived
18 months ago, I wasn't sleeping at all … because I didn't know what
the risks were, I didn't know what the problems were."

Now with experience and strategic mitigation, "one measure of my
success is getting more sleep."