Michelle Griffith at FAIRCON25
In the modern security landscape, the problem isn't a lack of data; it's an overwhelming surplus of it. For Jimmy Lummis and the security team at IHG, the international hotels operator, the challenge was clear: “If you have 10 million vulnerabilities and at least a quarter of them are critical or high, you’ve effectively got so much work that nothing’s going to get done.”
To solve this, IHG adopted Continuous Threat Exposure Management (CTEM), a framework designed to make sense of myriad data points and help the business decide what to focus on. By integrating FAIR (Factor Analysis of Information Risk) methodology into their CTEM program, IHG has turned technical telemetry into a prioritized roadmap for risk reduction.
Michelle Griffith, VP, Business Security & GRC, and Jimmy Lummis, Director of Information Security, IHG.
All is FAIR in Love and War - Leveraging CRQ for Tactical Decision Support
Here is the step-by-step approach IHG uses to manage exposure and justify security investments.
Prioritization starts with intelligence, not just tool outputs. IHG’s Cyber Threat Intel (CTI) team—composed of veterans from the intelligence community—defines the "Top 8" risk scenarios. They focus on three layers:
By establishing these scenarios and identifying the Top 10 Threat Actors, IHG creates a baseline for what "risk" actually looks like for its specific business, with particular attention to high-value assets.
At IHG, risk management isn't a quarterly report; it’s a daily event:
IHG uses a quantitative threshold to trigger action. If a risk score fluctuates by more than 0.1% in a seven-day period, the team "double-clicks" to find the root cause. This investigation typically looks at three areas:
| Factor | Description | Example Investigation |
|---|---|---|
| Attack Surface | Changes in the number of hosts or assets. | Did 10,000 new hosts just get added to the environment? |
| FAIR Risk Factors | Changes in threat frequency or susceptibility. | Did a security control (like CrowdStrike) stop reporting? |
| Findings | New vulnerabilities from tools like Qualys or Wiz. | Did a new CVE appear that specifically impacts High-Value Assets? |
The team monitors for changes in risk factors and reassesses risk, sometimes several times a day.
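The daily drift check and the three-way root-cause triage above can be expressed as a small routine. The following is an added example, not IHG's code: the composite score, the factor weights, the eight-day history and the three "events" are all constructed assumptions made for illustration. It compares the latest snapshot with the one seven days earlier, flags a relative change above 0.1%, and attributes the movement to whichever input moved most, mapped onto the three investigation areas in the table.

```python
"""Daily risk-drift check modelled on the workflow described above.

Added example; not IHG's code. The composite score, the factor weights and
the sample snapshots are assumptions made for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass

THRESHOLD = 0.001   # 0.1 % relative change over the lookback window
WINDOW_DAYS = 7


@dataclass(frozen=True)
class Snapshot:
    day: int
    hosts: int              # attack surface: assets currently in scope
    tef: float              # FAIR threat event frequency (attempts per year)
    susceptibility: float   # FAIR vulnerability: P(an attempt succeeds)
    hva_findings: int       # open findings on high-value assets


# Which of the three investigation areas each input belongs to.
FACTOR_AREA = {
    "hosts": "Attack Surface",
    "tef": "FAIR Risk Factors",
    "susceptibility": "FAIR Risk Factors",
    "hva_findings": "Findings",
}


def risk_score(s: Snapshot) -> float:
    """Assumed composite: expected loss events per year across the estate,
    inflated by the number of open findings on high-value assets."""
    return s.hosts * s.tef * s.susceptibility * (1 + 0.1 * s.hva_findings)


def relative_change(old: float, new: float) -> float:
    return (new - old) / old if old else float("inf")


def drift_check(history: list[Snapshot], window: int = WINDOW_DAYS,
                threshold: float = THRESHOLD) -> dict | None:
    """Compare the newest snapshot with the latest one at least `window`
    days older. Returns None when the score stayed within the threshold;
    otherwise the relative change plus the input that moved most and the
    investigation area it points to."""
    latest = history[-1]
    baseline = next((s for s in reversed(history)
                     if s.day <= latest.day - window), None)
    if baseline is None:
        return None
    change = relative_change(risk_score(baseline), risk_score(latest))
    if abs(change) <= threshold:
        return None
    # Root-cause attribution: rank each input by its own relative movement.
    moves = {name: relative_change(getattr(baseline, name), getattr(latest, name))
             for name in FACTOR_AREA}
    driver = max(moves, key=lambda n: abs(moves[n]))
    return {"change": change, "driver": driver,
            "area": FACTOR_AREA[driver], "driver_change": moves[driver]}


def sample_history(event: str) -> list[Snapshot]:
    """Constructed eight-day history; `event` decides what happens on day 7."""
    base = dict(hosts=50_000, tef=2.0, susceptibility=0.05, hva_findings=3)
    history = [Snapshot(day=d, **base) for d in range(7)]
    last = dict(base)
    if event == "new_hosts":
        last["hosts"] += 10_000          # 10,000 hosts appear in the CMDB
    elif event == "control_gap":
        last["susceptibility"] = 0.20    # EDR stops reporting; susceptibility re-rated
    elif event == "new_cve":
        last["hva_findings"] += 2        # new CVE findings on high-value assets
    history.append(Snapshot(day=7, **last))
    return history


if __name__ == "__main__":
    for event in ("quiet", "new_hosts", "control_gap", "new_cve"):
        print(event, drift_check(sample_history(event)))
```

The attribution step is deliberately naive (largest relative movement wins); in practice a spike often has several contributors, and the routine's value is in pointing the analyst at the right telemetry source first, not in replacing the investigation.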
Before sounding the alarm to the broader business, the team performs a “sanity check”, comparing the risk platform’s view against their Asset Management/CMDB tools. They validate:
Once validated, the risk is moved to a dedicated CTEM channel. “That’s where we bring all our telemetry together” and the silos break down. The vulnerability management team and tech services receive the specific CVE data, the validated asset list, and the quantified risk score.
Because the request is backed by data showing a significant spike in IHG's overall risk posture, the reaction is “hey, we need to refocus,” and the work becomes a must-do for the security team.
Beyond daily operations, IHG uses this model for strategic decision support. If the vulnerability team is struggling to get the business to focus on a difficult project, they run a "What-If" scenario.
They can model the environment to show exactly how much risk reduction the business will achieve for the effort expended. This allows Security Business Partners (BISOs) to go to business leaders and say: "We've told you this is a problem; now let's talk about the ROI of fixing it in terms of dollars and risk reduction."
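A "What-If" run of this kind can be sketched with a FAIR-style Monte Carlo. The block below is an added example, not IHG's or the FAIR Institute's model: the scenario, its triangular ranges for threat event frequency, vulnerability and loss magnitude, the remediation effect and the project cost are illustrative assumptions. It simulates annualized loss expectation (ALE) for the current state and for the state after the proposed fix, and reports the risk reduction and the ROI in dollars that a BISO would take to the business.

```python
"""FAIR-style what-if modelling for a remediation decision.

Added example; not IHG's or the FAIR Institute's model. Every number and
distribution here is an assumption chosen for illustration.
"""
from __future__ import annotations

import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: tuple[float, float, float]       # threat events / year: (min, most likely, max)
    vuln: tuple[float, float, float]      # P(threat event becomes a loss event)
    loss_usd: tuple[float, float, float]  # loss per event in USD


def draw(rng: random.Random, rng3: tuple[float, float, float]) -> float:
    """Triangular draw from a (min, most likely, max) estimate.
    random.triangular takes (low, high, mode)."""
    lo, mode, hi = rng3
    return rng.triangular(lo, hi, mode)


def simulate_ale(s: Scenario, n: int = 20_000, seed: int = 7) -> float:
    """Annualized loss expectation: mean over n simulated years of
    loss event frequency (TEF x vulnerability) times loss magnitude."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n):
        total += draw(rng, s.tef) * draw(rng, s.vuln) * draw(rng, s.loss_usd)
    return total / n


def what_if(current: Scenario, remediated: Scenario, cost_usd: float) -> dict:
    """Risk reduction and ROI of moving from `current` to `remediated`."""
    before = simulate_ale(current)
    after = simulate_ale(remediated)
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "reduction": reduction,
        "roi": (reduction - cost_usd) / cost_usd,
    }


# Constructed scenario: an unpatched internet-facing high-value asset.
CURRENT = Scenario(
    name="HVA exploited via unpatched internet-facing service",
    tef=(2.0, 6.0, 12.0),
    vuln=(0.20, 0.40, 0.70),
    loss_usd=(500_000, 2_000_000, 8_000_000),
)
# Assumed effect of the patching project: the exploit path mostly closes,
# so only the vulnerability factor changes.
REMEDIATED = replace(CURRENT, vuln=(0.02, 0.05, 0.15))
PROJECT_COST_USD = 400_000


def run() -> dict:
    return what_if(CURRENT, REMEDIATED, PROJECT_COST_USD)


if __name__ == "__main__":
    r = run()
    print(f"ALE before: ${r['ale_before']:,.0f}")
    print(f"ALE after:  ${r['ale_after']:,.0f}")
    print(f"Reduction:  ${r['reduction']:,.0f}  ROI: {r['roi']:.1f}x")
```

Because the three inputs are independent triangular draws, the simulated ALE converges on the product of their means (here roughly $10.1M before and $1.7M after), which is a useful cross-check that the simulation is wired correctly before anyone argues about the ranges themselves.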
By combining the CTEM framework with the mathematical rigor of FAIR, IHG has moved away from "chasing ghosts" in their data. They have created a repeatable, defensible process that ensures the most dangerous threats are addressed first—protecting both the brand and the bottom line.
More coverage of the 2025 FAIR Conference