FAIRCON23: Risk Team Becomes “Trusted Advisers” at Maersk with FAIR

The world’s largest shipping company, A. P. Moller – Maersk, suffered one of the world’s worst cyber attacks in 2017 when the NotPetya malware idled its ships at sea. “This was really the starting point for building our risk team and utilizing FAIR,” Neil Davis, head of cyber risk management, told a session at the 2023 FAIR Conference. The close encounter with extinction convinced Davis and his team that they needed to move from a compliance focus to a risk-based program.


Watch the Video: 

Improving Cyber Visibility and Decision-Making at Maersk



Neil’s story should resonate with any FAIR evangelist trying to get a foothold at a large institution. His FAIRCON23 talk covers: 

--Moving from a high/medium/low qualitative approach; they hit the tipping point after ending up with too many medium risks to prioritize. 

--Turning a GRC into a “forward-looking register.” Or as Neil characterized it, going from a list that needed to be fixed to managing the risk itself.

--Case study: risk analysis for an acquisition. “Our first proper run with FAIR was great,” in terms of giving a classic FAIR presentation with charts showing ranges. The M&A team shrugged it off. Turned out they were spreadsheet lovers. Recasting the results in Excel captured their attention. “Our learning was to think about your audience and what information they want to see.”

--Speaking of communication, “don’t just focus on ALE.” Especially at an organization like Maersk that had experienced a black swan event, ask “how much tail risk can we afford” and “can we afford not to mitigate this risk.”

The goal of Neil’s team is to be “trusted advisers” to the business. They’re making progress: the company’s software review board now requires a FAIR analysis before purchase, jamming the team’s inbox, a good problem to have. 

