In June 2018, shipping giant A.P. Moller - Maersk named Andy Powell CISO, a year after it became one of the victims of the NotPetya wiper attack.
It came at time when Powell was looking to "walk the talk," after advising clients on their ransomware recovery during his time at Capgemini, he told CIO Dive. Maersk was also ready for change.
He stepped into the role with a healthy security budget, and support from CEO Søren Skou, to develop a pragmatic security program. Powell's suggested — and now implemented — improvements, included growing his internal security team from 28 to about 150, split between the security operating center, and risk and compliance areas.
CIO Dive spoke with Powell about shared security responsibility, what makes a CISO a CISO, and how he's able to get more sleep.
This interview has been lightly edited for clarity and brevity.
CIO DIVE: How did you find yourself at Maersk?
ANDY POWELL: The three things I think that really, really excited me about the opportunity, firstly was Maersk itself and the significant transformation it was going through and is going through now. It's aspirational.
Key business leaders support the cyber agenda, which I think are a very important aspect of the role. To get CISOs you need to have the business fully on board with what you're trying to achieve and fully bought in. And I don't think it was just a cyberattack. I think they were mature [enough] to realize that it's a critical component. To build a digital business, you need a secure digital business.
Maersk was recovering from the collateral damage caused by 2017's NotPetya when you came onboard. What made you want to take on that challenge?
POWELL: I've been very fortunate to be surrounded by some very, very capable people in my team … We have a plan. We work the plan together.
The CISO is still accountable, don't get me wrong. I am the head on the block if things go wrong, but I think what's most important is that you've got a strong team, on the business side.
How do you unify your security organization's mission and mindset?
POWELL: One of the things I realized, having done this previously in the military, was key operating principles. They all understand those five principles, and they can work with them.
The first is trust. The client has got to trust us with their data, to trust us to look at their business. So we've got to build trust through the cybersecurity solutions that we put in place. That is absolutely fundamental. So client trust, client buy-in has been fundamental to what we tried to drive as a key message.
The second is resilience. Because you've got to have resilient systems because clients won't give you business if you're not resilient.
The third really is around the fact that security is everybody's responsibility. And we push that message really hard across the company … be clear about what you need to do and we train people accordingly.
The fourth one really is accountability of security and I have pushed accountability for cyber risk to the business.
And the final piece, and this has been one of the big call outs of my team to everybody, is that security is a benefit, not a burden.
The reason I say that is people's perception is that security will slow things down, will get in the way ... the reality is that if you involve security early enough, you can build solutions that actually attract additional clients.
What are some of the differences between the security organization before you came on and what it looks like now?
POWELL: We had a very small if, if minimal SOC when I arrived, it's now around 50 people … We had to hire the skills in that area [it's] hard to find these people are in high demand and low supply.
The second area that I established for the first time, was a constellation of cybersecurity officers who are across the globe. We didn't have any.
I established a team of just over 20 now who are across the globe sitting in the various key business centers [for Maersk]. And their job is to provide cybercybersecurity awareness training, guidance, advice to the business wherever they are, so they're closely linked to the various business units globally.
What's your plan for the next six to 12 months?
POWELL: My aspiration is that security becomes part of everyday culture within us.
So we in Maersk have been focused very heavily on safety, and it's quite interesting that in Danish [there's] only one word for safety and security. I've tried to align much of my security with safety.
So safety is a strong cultural value within Maersk because of what we do. And so my line is, cyber should be like safety … Whatever you're doing, you think safety you think cyber. And if people start thinking that way, then I know I've achieved what I want to achieve because we're getting to that cultural tipping point where, you know, I've got people doing my job for me.
When I arrived 18 months ago, I wasn't sleeping at all. I was waking up and I was scared witless … because I didn't know where the risks were, I didn't know what the problems were.
[Now] I'm getting sleep because I know that we've now got visibility, which is absolutely critical. If you don't understand the risk, you can't do anything about it, if that makes sense. You've got to have visibility … and [know] a lot of people working to try and mitigate them.
And in a year's time or so when the program that we've got running is coming close to completion, moving more into the next phase, my view is that we can sustain all the improvements that we put in place.
We're trying to ensure that all our people understand how to run the new cybersecurity capabilities that we have, and are able to sustain those beyond the program that we've got.
Any advice for your fellow CISOs?
POWELL: A good CEO seeks advice from their CISO all the time … In my case, I'm fortunate in that I answer to the CIO, but I also have a strong dotted line directly into the CEO, which all CISOs should have.
Any CISO who doesn't have that line isn't a CISO. [A] company is not embracing what they need to do properly if they don't have that direction. So that to me is where it matters.
You are a key component in business decision-making now, which was not the case a few years ago.
This is not a one man or one woman job … because the level of expertise you now need in this role, you can't have in one person. You need expertise from a range of different people and you need to trust that expertise and build teams expertise because if the CISO tries to do it all themselves, they will fail.
A CISO will fail if they don't get that investment. Don't get away from the business. You need to get even the lowest ranked seafarer on a ship to buy into what you're trying to do and if you can't convince them, then you're not going to convince anybody else.