In 2017, shipping giant A.P. Moller - Maersk flexed a muscle many didn't know it had.
After becoming a collateral victim of NotPetya — the infamous 2017 wiper cyberattack — Maersk rebuilt its IT infrastructure in 10 days.
It took Maersk less than two weeks to overhaul its IT infrastructure. A year later, in June 2018, it recruited chief information security officer Andy Powell.
Powell, then serving as VP of cybersecurity at technology consultant Capgemini, advised about 50 to 60 clients on NotPetya.
NotPetya "made me realize that I actually really enjoyed fighting in the trenches, as I call it, doing the real work rather than selling it," he told CIO Dive.
By the numbers
Maersk's recovery was the career pivot Powell wanted. A century-old company, Maersk was not designed for a complete infrastructure overhaul. The anticipation of a digital and cybersecurity renaissance baited him further.
"It's a significant transformation of a very traditional company," he said. "That's what really excited me."
Backed and funded by leadership, in the first 18 months of Powell's Maersk tenure, its security team went from 28 people to just under 300, which includes 150 interim contractors.
"Many CISOs go in and it's an uphill struggle to convince the business to invest in improvement," said Powell. The board already saw the gravity of a cyber investment, and that was a "key factor in my decision to join."
Maersk's security operations center (SOC) was "very small, if not minimal," he said. "There were a number of skills that we needed that we didn't have," so Powell hired "rapidly" to fill the gaps — going from three security experts to around 50.
With the SOC's importance to Maersk's overall business accentuated, cyber talent saw an attractive challenge: building Maersk's security posture "from scratch," said Powell. He also introduced the company to "a constellation" of more than 20 cybersecurity officers across the globe "sitting in the various key business centers."
Powell uses strategies from his military background for harmonizing security operational principles, including trust, resilience, shared responsibility and accountability.
Drawing on Powell's time in the Royal Air Force, "I knew that he had that executive presence," experience running large budgets and keeping systems patched, Mike Turner, VP at Capgemini, and former CSO and colleague of Powell, told CIO Dive.
"He'd been through a lot of rehearsals in terms of contingency planning and incident management and response, so I'm absolutely certain that his experience in the military would have grounded him," said Turner.
The penultimate principle is championing shared responsibility throughout the enterprise.
"Whether you're just a guy on a ship in the middle of the ocean, on your computer in the cabin, or you're one of the key computer guys running the systems, you are responsible for security in your area," said Powell. "Whatever you're doing, take responsibility for that."
Now with a well-established team at Maersk, "I can trust them to get on with it," he said. "Don't get me wrong. I am the head on the block if things go wrong, but I think what's most important is that you've got a strong team," in and outside of the security organization.
As a consultant at Capgemini, Powell had layered responsibilities. "It is very useful, very handy to have a degree of domain knowledge," said Turner. "The great thing that Andy has, which I think is absolutely vital to senior leaders in security roles, is that ability to operate at the board level" while mastering a business component — cybersecurity.
NotPetya compromised Maersk's reliability in 2017.
But "I don't think it was just a cyberattack," said Powell. "Even in the last 18 months things have changed. The CISO of today is no longer the technical geek who sat in the back room waiting to be told what to do by the CIO."
"I think what happened with the CISO role is it has changed because the business has changed," he said.
Over the last two years, Maersk has emphasized its transformation and the role technology plays in its goal of becoming "the global integrator of container logistics," according to Maersk's Q2 2019 interim report.
As the company progresses — in cybersecurity and modernization — Powell wants to lay a resilient foundation. "What I'd hate to feel is that somebody would have to rip everything up and start again, because that means I haven't succeeded," he said.
The success of Powell's security program is validated by Maersk's improved protection and changes in his personal life. "When I arrived 18 months ago, I wasn't sleeping at all … because I didn't know what the risks were, I didn't know what the problems were."
Now with experience and strategic mitigation, "one measure of my success is getting more sleep."