The Cyber Resilience Compass 2025

Page 10 of 26 · WEF_The_Cyber_Resilience_Compass_2025.pdf

CASE STUDY 1 Mærsk – Informed decision-making: Establishing a risk-based approach

The NotPetya cyberattack in 2017 significantly affected Mærsk’s short-term operational capabilities and customer service. More importantly, it marked a turning point in the company’s transition to a risk-based approach to cybersecurity investments and enhancements. Before initiating this transition, top leadership, in collaboration with stakeholders across the organization, assessed the business criticality of its applications and their roles in key business operations. This assessment provided the foundation for prioritizing investment areas effectively. Consequently, Mærsk adopted a quantified risk-reduction strategy, translating risk into a “dollars-lost” equivalent, which enabled meaningful discussions with the board and chief financial officer (CFO) and ultimately secured the funding for its cyber transformation programme. The same strategy guided decisions on where to invest in developing, operationalizing and embedding cyber capabilities. By using Monte Carlo simulations and other risk-modelling techniques, Mærsk enabled data-driven, risk-based decision-making. This methodology has also significantly improved due diligence and purchasing decisions. The steps taken since 2017 have resulted in better investment prioritization, reduced cyber risk exposure and enhanced resilience across Mærsk’s operations.

CASE STUDY 2 PETRONAS – Leading organizational change: A cyber resilience transformation

When PETRONAS embarked on its digital transformation journey in 2017, leadership made cyber resilience a top priority from the outset. Following PETRONAS’ shift towards a more strategic and extensive use of data, technological solutions and new ways of working – as well as its role as the operator of national critical infrastructure – the need to operate securely became a non-negotiable prerequisite.

However, an initial assessment of the organization’s cybersecurity posture indicated that substantial improvements were needed to keep pace with its increasingly complex operations and digital initiatives. Driven by a clear leadership mandate, PETRONAS began building its cyber resilience capabilities in 2018, focusing on five major pillars:

– Enterprise cybersecurity governance: Establishing a holistic framework for managing and enabling cybersecurity consistently across the group
– Cyber defensive operations: Ensuring effective identification, detection and response to cyber threats
– Identity and access: Enhancing clarity and control over who has access to what, and when
– Real-time operational technology (OT): Enabling better visibility of, and response to, threats in the OT environment
– Extensive enterprise-wide education and awareness programme: Supporting all pillars by ensuring employees understand their role in protecting both themselves and the organization against cyber threats

Ultimately, executive leadership ensured that cybersecurity was viewed not merely as an IT concern but as a business imperative, providing the necessary support and advocacy for the intensive three-year programme while integrating it into corporate decision-making. As a result, PETRONAS elevated its security posture from reactive to proactive, establishing cyber resilience as an actionable agenda at every level of the organization.

3.2 Governance, risk and compliance

Governance, risk and compliance concerns an organization’s overall approach to managing risk and meeting compliance requirements, and the governance mechanisms it puts in place to do so. This involves:

– Defining the organization’s risk profile
– Establishing clear ownership and accountability structures
– Ensuring compliance with legislative and regulatory requirements
– Implementing risk mitigation measures

The Cyber Resilience Compass: Journeys Towards Resilience 10