Michelle Griffith at FAIRCON25
In the modern security landscape, the problem isn't a lack of data; it's an overwhelming surplus of it. For Jimmy Lummis and the security team at IHG, the international hotels operator, the challenge was clear: “If you have 10 million vulnerabilities and at least a quarter of them are critical or high, you’ve effectively got so much work that nothing’s going to get done.”
To solve this, IHG adopted Continuous Threat Exposure Management (CTEM), a framework designed to make sense of myriad data points and help the business decide what to focus on. By integrating FAIR (Factor Analysis of Information Risk) methodology into their CTEM program, IHG has turned technical telemetry into a prioritized roadmap for risk reduction.
Watch the presentation at the 2025 FAIR Conference by Michelle Griffith, VP, Business Security & GRC, and Jimmy Lummis, Director of Information Security at IHG: "All is FAIR in Love and War - Leveraging CRQ for Tactical Decision Support".
Here is the step-by-step approach IHG uses to manage exposure and justify security investments.
1. Define the Scenarios (Threat-Led Strategy)
Prioritization starts with intelligence, not just tool outputs. IHG’s Cyber Threat Intel (CTI) team—composed of veterans from the intelligence community—defines the "Top 8" risk scenarios. They focus on three layers:
- Global Trends: Who is targeting the world?
- Industry Specifics: Who is targeting retail and hospitality?
- Company Specifics: Who is targeting IHG specifically?
By establishing these scenarios and identifying the Top 10 Threat Actors, IHG creates a baseline for what "risk" actually looks like for their specific business, with particular attention to high-value assets.
2. Establish Monitoring Cadence
At IHG, risk management isn't a quarterly report; it’s a daily event:
- 9:00 AM Situational Awareness: A daily call where security stakeholders discuss current threats and top risk scenarios.
- The 30-Minute Pre-Check: Jimmy’s team reviews their risk dashboard 30 minutes before the call to identify fluctuations in the risk scores of their Top 8 scenarios.
3. Identify and Investigate "Fluctuations"
IHG uses a quantitative threshold to trigger action. If a risk score fluctuates by more than 0.1% in a seven-day period, the team "double-clicks" to find the root cause. This investigation typically looks at three areas:
| Factor | Description | Example Investigation |
|---|---|---|
| Attack Surface | Changes in the number of hosts or assets. | Did 10,000 new hosts just get added to the environment? |
| FAIR Risk Factors | Changes in threat frequency or susceptibility. | Did a security control (like CrowdStrike) stop reporting? |
| Findings | New vulnerabilities from tools like Qualys or Wiz. | Did a new CVE appear that specifically impacts High-Value Assets? |
The team monitors for changes in risk factors and reassesses risk, sometimes several times a day.
4. Validate through Sanity Checks
Before sounding the alarm to the broader business, the team performs a "sanity check," comparing what the risk platform reports against their asset management/CMDB tools. They validate:
- Does this vulnerability actually impact our specific environment?
- How many assets are truly connected to it?
- Has a patch already been deployed but not yet reported?
5. Mobilization and Remediation
Once validated, the risk is moved to a dedicated CTEM channel. “That’s where we bring all our telemetry together” and the silos break down. The vulnerability management team and tech services receive the specific CVE data, the validated asset list, and the quantified risk score.
Because the request is backed by data showing a significant spike in IHG's overall risk posture, the reaction is "hey, we need to refocus," and the work becomes a must-do for the security team.
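Steps 3 and 4 above describe a loop a practitioner can reproduce: compare each scenario's score against its value seven days earlier, flag anything that moved more than 0.1%, and cross-check the scanner finding behind the movement against the CMDB before escalating. The following is an added illustration of that loop, not IHG's code or anything from the presentation. Everything in it is an assumption or constructed sample data: the score is treated as an annualized loss figure from a FAIR model, the 0.1% is read as a relative change against the earlier score, the host names, `FINDING-1` and `PATCH-1` are placeholders, and "exposed high-value asset" is used as the escalation trigger.

```python
"""Added example of the fluctuation check (step 3) and CMDB sanity check (step 4).
Illustrative only: not IHG's code. Score units, threshold semantics, data shapes
and every identifier below are assumptions or constructed sample data."""
from datetime import date, timedelta

THRESHOLD = 0.001   # 0.1% fluctuation, as quoted in the article
WINDOW_DAYS = 7     # seven-day comparison window, as quoted in the article
TODAY = date(2025, 10, 15)  # constructed
WEEK_AGO = TODAY - timedelta(days=WINDOW_DAYS)

# Constructed sample: scenario -> {date: risk score}.
# Assumption: the score is an annualized loss exposure in USD from a FAIR model.
SAMPLE_HISTORY = {
    "S1 ransomware on property systems": {WEEK_AGO: 12_400_000, TODAY: 12_700_000},
    "S2 payment card theft":             {WEEK_AGO:  8_000_000, TODAY:  8_004_000},
    "S3 credential phishing":            {WEEK_AGO:  5_000_000, TODAY:  4_990_000},
    "S4 third-party breach":             {TODAY: 3_000_000},  # no score a week ago
}


def fluctuations(history, today=TODAY, threshold=THRESHOLD, window_days=WINDOW_DAYS):
    """Return [(scenario, old, new, relative_change)] for every scenario whose score
    moved by more than `threshold` in either direction versus `window_days` ago.
    Assumption: the article's 0.1% is a relative change against the earlier score."""
    earlier = today - timedelta(days=window_days)
    flagged = []
    for scenario, series in history.items():
        if today not in series or earlier not in series:
            continue  # incomplete window: nothing to compare yet
        old, new = series[earlier], series[today]
        if old == 0:
            continue  # a score appearing from zero is its own event, not a ratio
        rel = (new - old) / old
        if abs(rel) > threshold:
            flagged.append((scenario, old, new, rel))
    # biggest absolute swing first, so the pre-call review starts there
    return sorted(flagged, key=lambda f: abs(f[3]), reverse=True)


# Constructed sample: one scanner finding and a CMDB extract. Identifiers are placeholders.
SAMPLE_FINDING = {
    "id": "FINDING-1",       # placeholder standing in for a CVE reported by the scanner
    "fixed_by": "PATCH-1",   # placeholder for the patch the scanner says remediates it
    "affected_hosts": ["pms-db-01", "pms-db-02", "web-03", "ghost-99"],
}
SAMPLE_CMDB = {
    "pms-db-01": {"high_value": True,  "patches": set()},
    "pms-db-02": {"high_value": True,  "patches": {"PATCH-1"}},  # patched, scanner not yet refreshed
    "web-03":    {"high_value": False, "patches": set()},
    "legacy-07": {"high_value": False, "patches": set()},        # in CMDB, not in the finding
}


def sanity_check(finding, cmdb):
    """Answer the three step-4 questions for one finding: does it touch our
    environment, how many assets really, and is a patch already deployed but
    not yet reflected by the scanner."""
    hosts = finding["affected_hosts"]
    in_scope = sorted(h for h in hosts if h in cmdb)
    unknown = sorted(h for h in hosts if h not in cmdb)
    patched = [h for h in in_scope if finding["fixed_by"] in cmdb[h]["patches"]]
    exposed = [h for h in in_scope if h not in patched]
    exposed_hva = [h for h in exposed if cmdb[h]["high_value"]]
    return {
        "in_scope": in_scope,            # hosts the CMDB can place
        "unknown_hosts": unknown,        # scanner hosts the CMDB cannot place: investigate, do not escalate yet
        "already_patched": patched,      # remediated, pending scanner refresh
        "still_exposed": exposed,
        "exposed_high_value": exposed_hva,
        "escalate": bool(exposed_hva),   # assumption: an exposed high-value asset is the escalation trigger
    }


if __name__ == "__main__":
    for scenario, old, new, rel in fluctuations(SAMPLE_HISTORY):
        print(f"{scenario}: {old:,} -> {new:,} ({rel:+.2%})")
    print(sanity_check(SAMPLE_FINDING, SAMPLE_CMDB))
```

With the sample data, S1 (+2.4%) and S3 (-0.2%) are flagged while S2 (+0.05%) is not, and the sanity check separates the one host the CMDB has never seen from the one already patched, leaving a single exposed high-value asset to carry into the CTEM channel.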
The Strategic "What-If": Justifying ROI
Beyond daily operations, IHG uses this model for strategic decision support. If the vulnerability team is struggling to get the business to focus on a difficult project, they run a "What-If" scenario.
They can model the environment to show exactly how much risk reduction the business will achieve for the effort expended. This allows Security Business Partners (BISOs) to go to business leaders and say: "We've told you this is a problem; now let's talk about the ROI of fixing it in terms of dollars and risk reduction."
Conclusion
By combining the CTEM framework with the mathematical rigor of FAIR, IHG has moved away from "chasing ghosts" in their data. They have created a repeatable, defensible process that ensures the most dangerous threats are addressed first—protecting both the brand and the bottom line.