Quantifying cyber risk at Netflix, Highmark Health: Case studies

<p>In 2019, CISO Omar Khawaja set out to transform the compliance-driven security culture at Highmark Health — a nonprofit healthcare company based in Pittsburgh — to one focused on business outcomes and risk.</p>
<p>Khawaja turned to the <a href="https://www.techtarget.com/searchsecurity/tip/Using-the-FAIR-model-to-quantify-cyber-risk">Factor Analysis of Information Risk</a> (FAIR) methodology, a mathematics-based framework for <a href="https://www.techtarget.com/searchSecurity/tip/What-is-cyber-risk-quantification-CRQ-How-to-get-it-right">cyber-risk quantification (CRQ)</a> developed by the nonprofit FAIR Institute. Users run data through the model’s mathematical algorithms to calculate the potential financial implications of specific risk scenarios. Executives can then use that information to make decisions, such as prioritizing threat remediations and determining whether security controls are justified.</p>
<p>FAIR struck Khawaja as the “Goldilocks of risk frameworks” — substantive without being overengineered, overly complex or too academic. “It was practical, and it gave us [at Highmark] a common language on risk,” he said.</p>
<section class="section main-article-chapter" data-menu-title="From gut instinct to data-driven decisions at Highmark Health">
<h2 class="section-title"><i class="icon" data-icon="1"></i>From gut instinct to data-driven decisions at Highmark Health</h2>
<p>After securing stakeholder support and identifying and gathering necessary data inputs, Khawaja’s team used a spreadsheet to calculate and track financial loss exposures across specific risk scenarios. The model enabled him to make data-driven decisions rather than relying on instinct.</p>
<p>“In many organizations, security decisions are made from the CISO’s gut, which is honed by years or decades of experience,” said Khawaja, now field CISO at Databricks, a data intelligence services provider, and a FAIR Institute board member. “FAIR gives us a more sophisticated view: ‘Here’s what may likely happen, and we’ll show you all the math and analysis behind it.’”</p>
<p>That was especially helpful when determining if a business initiative was worth pursuing, he added. “We’d calculate the cyber risk on a yearly basis. If the risk is less than the [anticipated return], then it’s a good idea.”</p>
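The two preceding paragraphs describe the core of what the Highmark team tracked in its spreadsheet: a per-scenario annual loss exposure, and a yearly comparison of that exposure against an initiative's anticipated return. The script below is an added illustration of that arithmetic in FAIR terms; it is not Highmark's spreadsheet or any FAIR Institute tool. It assumes the usual FAIR decomposition (loss event frequency = threat event frequency × vulnerability; annual loss = sum of per-event loss magnitudes), models each calibrated min/most-likely/max estimate as a PERT distribution, runs a Monte Carlo simulation, and applies Khawaja's "risk below return" rule plus a control-justification check. All scenario values are constructed for the example and the "mitigated" scenario is a hypothetical control.

```python
"""FAIR-style cyber-risk quantification, simplified. Added example; constructed inputs."""
import math
import random
import statistics

# Each triple is (minimum, most likely, maximum), the calibrated-estimate shape FAIR uses.
# Values below are constructed for illustration, not Highmark Health figures.
SCENARIO = {
    "name": "ransomware on a claims-processing platform (constructed)",
    "threat_event_frequency": (2, 5, 12),            # attack attempts per year
    "vulnerability": (0.10, 0.30, 0.60),             # P(an attempt becomes a loss event)
    "loss_magnitude": (50_000, 200_000, 1_500_000),  # USD lost per loss event
}


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw from a modified PERT distribution (a Beta rescaled onto [low, high])."""
    if high <= low:            # degenerate estimate: a single point
        return low
    span = high - low
    alpha = 1.0 + lam * (mode - low) / span
    beta = 1.0 + lam * (high - mode) / span
    return low + rng.betavariate(alpha, beta) * span


def poisson_sample(rng, lam):
    """Number of loss events in one year given an annual rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate_annual_loss(scenario, iterations=20_000, seed=7):
    """Monte Carlo estimate of one year's loss exposure for a FAIR scenario."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    annual_losses = []
    for _ in range(iterations):
        tef = pert_sample(rng, *scenario["threat_event_frequency"])
        vuln = pert_sample(rng, *scenario["vulnerability"])
        lef = tef * vuln                              # FAIR: loss event frequency
        events = poisson_sample(rng, lef)             # how many loss events this year
        loss = sum(pert_sample(rng, *scenario["loss_magnitude"]) for _ in range(events))
        annual_losses.append(loss)
    annual_losses.sort()

    def pct(q):
        return annual_losses[min(int(q * iterations), iterations - 1)]

    return {
        "mean": statistics.fmean(annual_losses),      # annualized loss exposure
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "iterations": iterations,
    }


def initiative_is_justified(risk_summary, anticipated_annual_return):
    """Khawaja's rule: pursue the initiative if its yearly cyber risk is below its return."""
    return risk_summary["mean"] < anticipated_annual_return


def control_is_justified(before, after, annual_control_cost):
    """A control pays for itself when the expected loss it removes exceeds its cost."""
    return (before["mean"] - after["mean"]) > annual_control_cost


if __name__ == "__main__":
    before = simulate_annual_loss(SCENARIO)
    # Hypothetical control (e.g. hardened backups) that lowers the vulnerability estimate.
    mitigated = dict(SCENARIO, vulnerability=(0.02, 0.08, 0.20))
    after = simulate_annual_loss(mitigated)
    print(f"{SCENARIO['name']}")
    print(f"  before control: mean ${before['mean']:,.0f}  p90 ${before['p90']:,.0f}")
    print(f"  after control:  mean ${after['mean']:,.0f}  p90 ${after['p90']:,.0f}")
    print("  initiative worth pursuing at $1.0M return:",
          initiative_is_justified(before, 1_000_000))
    print("  control worth $250k/yr:", control_is_justified(before, after, 250_000))
```

The distributions (PERT for estimates, Poisson for event counts) are modelling choices, not something the article specifies; a production analysis would also split loss magnitude into FAIR's primary and secondary components and run far more iterations. The decision helpers compare the mean exposure, which is the quantity the article's "risk versus anticipated return" rule refers to; a more conservative team can compare the p90 instead.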
<p>FAIR analyses also informed security t

[…]

This article has been indexed from Search Security Resources and Information from TechTarget