Watch this video presentation from the 2022 FAIR Conference if you’re looking to introduce quantitative risk management with Factor Analysis of Information Risk (FAIR™) to a large, siloed enterprise with well-established risk management practices.
Krishna Sheshabhattar, Director, Security GRC, Expedia Group and his advisor Randy Spusta, Global Competency Leader – Security Strategy, IBM, gave a first-year progress report on how their careful plan has played out.
Watch the FAIRCON22 session video: Presentation - Expedia Groups’ Approach to Build an Effective Security Risk Management Program with FAIR. A FAIR Institute Contributing Membership is required – join the FAIR community.
IBM Security is a sponsor of the FAIR Institute and the 2022 FAIR Conference.
From the start, Krishna was looking to extend FAIR beyond cyber, to make it the common approach to risk across the organization with the ultimate goal of enabling better, data-driven decision-making.
Their three key takeaways for introducing FAIR at this scale:
- It’s a change management project, not a technology project, so communication is job one.
- It takes time and effort to convince the organization that FAIR is not a theory but can be operationalized.
- Early on, identify and foster champions across the organization to spread the word organically.
Over the course of many meetings, they presented these talking points to win over their audiences:
Quantitative analysis from the RiskLens platform“This use case proves our point that we can present a cyber issue in terms of a business use case,” Krishna said. “This speaks to the technology leadership and to the business leadership. This is the common driving force that will converge both. This will also empower my CISO to sit down and have a conversation with the CFO to ask for more money.”
Krishna and Randy also presented this ambitious FAIR-program roadmap.
Watch the FAIRCON22 session video: Presentation - Expedia Groups’ Approach to Build an Effective Security Risk Management Program with FAIR.
