For the third year, the FAIR Institute is excited and honored to announce the finalists for the 2018 FAIR Awards. The FAIR Awards honor risk management leaders for their initiative, ingenuity and contributions to information and operational risk management. The awards recognize the deep impact that these professionals have on their organizations in enabling operational excellence and effective decision-making and in balancing the need to protect their organizations while running the business.
Both awards, Business Innovator and FAIR Champion, aim to showcase the most forward-thinking and active members of the FAIR Institute community. The winners of the awards will be announced at the 2018 FAIR Conference at Carnegie Mellon University in Pittsburgh.
Congratulations to our 2018 FAIR Awards Finalists!
Business Innovator Award
Business innovation and technology innovation are often connected. Innovative risk officers are disrupting the status quo by leveraging new analytic capabilities and by enabling the communication and management of information risk from the business perspective. This award recognizes those risk professionals who have successfully applied FAIR principles to drive innovation.
Jack Whitsitt is a Senior VP at Bank of America where he leads a team that is managing a FAIR-based Information Security Risk Quantification and Forecasting program. Before that, he spent 15 years working his way up and through multiple information security perspectives. Most recently he spent a few years at a non-profit teaching an information security risk framework design class of his own making and participating in the development of the NIST CSF.
His interest in risk analysis is anchored by his strong belief that information security problems are rooted in human psychology, communication, conflict management, and other decision-making capacity problems and that the world only gets better and safer when we work together. Jack is involved with helping to host North Carolina Chapter Meetings for the FAIR Institute and has presented on his organization’s FAIR efforts to the Congressional Cybersecurity Caucus, White House/O.M.B. and U.S. Treasury Department. Jack is being nominated for the Business Innovator Award for his efforts to organizationally elevate FAIR from a Risk Analysis tool to a Risk Management Support function.
Omar Khawaja is Vice President and Chief Information Security Officer (CISO) for Highmark Health, a national health and wellness organization and the second largest integrated healthcare financing and delivery network by revenue in the United States. In his current role, Omar oversees information security and risk management for the Highmark Health portfolio of leading health care businesses that employ more than 40,000 people and serve millions of Americans in 50 states.
Omar is being nominated for the Business Innovator Award for leading the charge in transitioning from a controls-centric to a risk-centric approach to cybersecurity at Highmark. Omar has been spearheading an enterprise-wide effort to change the way the organization thinks, communicates and manages cyber risk through the adoption of the FAIR taxonomy and analysis model. As they are upgrading their risk governance practices, Omar methodically got his team as well as the executives trained on FAIR principles and reinforced their application through hands-on exercises. Omar will be supporting the Institute this year by presenting and participating on a panel at FAIRCON18.
Mark Tomallo, MBA, CISM, CISSP, is the Chief Information Security Officer for Ascena Retail Group, Inc., one of the largest women’s specialty retailers in the world. Mark’s background includes leadership positions at Cardinal Health, a Fortune 15 health information services, medical products manufacturer, and pharmaceutical distribution company as well as Cisco Systems and AT&T EasyLink. Mark’s 20 years of working in the information security industry and experience with technology start-ups, M&As, and large, corporate entities allow for a unique perspective when protecting organizations.
Mark is being nominated for the Business Innovator Award for creating the risk management organization at Ascena and building it on FAIR. He created a team, brought in consultants to help ramp up both his team and his program quickly and has since maintained that momentum of FAIR-based risk analysis to enable conversations and make decisions. Under Mark's leadership, risk management has transitioned the organization away from a compliance-only strategy and towards risk-aligned, cost-effective decision making and security budgeting.
FAIR Champion Award
Transitioning to a business-aligned and data-driven culture within information risk requires leadership: intellect to envision and explain, understanding to address fear, evangelism to motivate, and courage to manage through unknowns. This award recognizes leaders at the forefront of their organization’s FAIR initiative who get data owners on board, stakeholders to help improve analysis, and decision-makers to adopt the resulting analytics as an integral part of their strategies, decision-making processes and operating rhythms.
Dr. Jack Freund is Director, Cyber Risk for TIAA and co-author with Jack Jones of the award-winning book Measuring and Managing Information Risk: A FAIR Approach. Jack has been active in the FAIR community since 2009 and contributed to the body of knowledge and development of OpenFAIR certification in 2013.
Jack is being nominated for the FAIR Champion Award for developing the quantitative cyber risk assessment program at TIAA starting in 2012. He designed and implemented an automated quantitative cyber risk engine that delivers asset-level quantitative risk ratings. Jack supports the FAIR Institute community by regularly contributing to the FAIR Blog and he will be participating on a panel session at FAIRCON18.
Drew Simonis is the Deputy CISO at HPE. He has worked in some of the largest and most complex environments in the public sector and the private sector with firms such as IBM, AT&T, EDS and Symantec. Prior to joining HPE, Drew spent 8 years as the CISO for Willis Group Holdings (now Willis Towers Watson). Insurance exposed Drew to formal risk management and analysis methodologies and was where he first explored FAIR in hopes of providing better means to justify a security program. At HPE, his team is implementing FAIR as part of their overall risk transformation. Drew lives in North Texas and holds a Master of Science Degree in Computer Science from James Madison University.
Drew is nominated for the FAIR Champion Award as he continues his leadership and drive of FAIR within HPE. The GRC group has re-organized under Drew's leadership to help business units identify top risks that will feed into risk management and FAIR analyses. Drew is also Co-Chair of the Dallas-Fort Worth Chapter of the FAIR Institute and has participated in FAIRCON panels.
Mandy Andress is currently the CISO of Elastic and has a long career focused on information risk and security. Prior to Elastic, Mandy led the information security function at MassMutual and established and built information security programs at TiVo, Evant, and Privada. She worked as a security consultant with Ernst & Young and Deloitte & Touche, focusing on energy, financial services, and Internet technology clients with global operations. She also founded an information security consulting company with clients ranging from Fortune 100 companies to startup organizations.
She is a published author; her book Surviving Security has had two editions and is used at multiple universities around the world as the textbook for foundational information security courses. She teaches a graduate-level Information Risk Management course for UMass Amherst in the College of Information and Computer Sciences. Mandy has a JD from Western New England University, a Master’s in Management Information Systems from Texas A&M University, and a B.B.A. in Accounting from Texas A&M University. Mandy is a CISSP, CPA, and member of the Texas Bar.
Mandy is nominated for the FAIR Champion Award for her leadership in establishing a quantitative risk management program at MassMutual, for her continued work in spreading FAIR within multiple organizations and for teaching FAIR to students in Information Risk Management at UMass Amherst.