If you’re in risk management at a healthcare organization – or any company with a diverse set of business units – you’ll want to watch this video presentation (and download the slides) from David Steng and Ferhat Yazgili from Fresenius, a European pharmaceutical, hospital, and medical equipment leader
, who took their company from no coherent cybersecurity program to FAIR-based quantitative risk management with buy-in from business leaders.
Watch Now: Case Study Video – FAIR Implementation at Fresenius
FAIR Institute Contributing Membership Required
After setting up a CISO office and conducting some basic education in risk management with stakeholders, they focused their program-building on the value chain of the business, in other words how and where the business makes money (see the chart). That clarified many of the elements needed to develop risk scenarios, such as the crown jewel assets, threat actors, and controls by business units. They also put a lot of time into interviewing business unit leaders, asking “what are your nightmare scenarios.”
The result: “Meaningful categories for cybersecurity that aligned with our business,” David said, positioning the cyber team as “a trusted adviser and not the function that never approves anything…We finally managed to get cyber visible.”
The Fresenius FAIR team faced another common perceived obstacle: not enough data. “Actually, there is,” David said. They leveraged data from industry standard sources but also built a loss magnitude database that’s carefully kept up to date. “We have a list of 27 questions to ask after every incident what the actual cost was and if any cost is foreseen for the next 12-24 months. That is the best data we have at hand.”
Watch the Fresenius Webinar now (FAIR Institute Contributing Membership required to view).
