Meet a FAIRCON22 Speaker: Omar Khawaja, CISO, Highmark Health

A favorite among FAIR Conference speakers—Omar Khawaja, CISO at Highmark Health and FAIR Institute Board Member—returns for FAIRCON22 for two sessions. As the creator and leader of one of the most extensive FAIR-based risk management programs, Omar always has actionable wisdom to present.  

Register now to see Omar in these sessions in-person or online at the 2022 FAIR Conference: 

Panel: Driving Culture Change - From a Compliance to a Risk-based Approach to Cybersecurity

Tuesday, September 27, 10:00 AM - 10:45 AM

>>Omar Khawaja, CISO, Highmark Health

>>Mark Tomallo, SVP, CISO, Victoria’s Secret

>>Mary Elizabeth Faulkner, CISO, Thrivent Financial

>>Jeff Norem, Deputy CISO, Freddie Mac

Presentation: Justifying the Value of Cybersecurity to the Business with Highmark Health and the BOSITE Framework

Tuesday, September 28, 11:15 AM - 12:00 PM

>>Omar Khawaja, CISO, Highmark Health

Check out the videos of Omar’s past appearances at FAIR Conferences for a preview of one of the best speakers in the FAIR movement: 

FAIRCON18 Video: A Master Class on Reporting Cyber Risk to the Board

Key points from Omar:

• Have the confidence to answer “I don’t know” to board questions – but always follow up.
• Don’t spout a lot of cybersecurity metrics. “The point is to make them feel like it’s being managed… All they need to know ‘Is it getting better or worse?’.”
• "Align your reporting to your organization’s maturity and culture.” 

FAIRCON19 Video: CISO Panel: Defining the Goals of an Effective Risk Management Program

“The thing that was missing for us, was each area where we had a set of controls was doing phenomenally well but when you added it all together and called it a single security program, it lacked significant cohesiveness.  We realized the first thing that a culture needs is a common language and that’s the reason we started to look at FAIR.” 

FAIRCON20 Video: Managing Risk in Times of Crisis: Applying FAIR to Become More Business-Centric during COVID

Omar covered:

• Communication strategies to get the business to “actually want to invest in security”
• A framework for assessing security expenditures based on business outcomes
• How to “sunset” controls that don’t pay their way in delivering measurable value  

 

Omar leads the C-level panel at FAIRCON21 with (clockwise): Mary Elizabeth Faulkner - Thrivent,  Betty Elliott - Freddie Mac, Harold Marcenaro - BCP

FAIRCON21 Video: C-Level Panel - How Risk Management Is Helping Companies Be More Resilient during Digital Transformation

“Being able to stretch without breaking,” was imperative during the COVID crisis, said Omar. His motto: “Relentless incrementalism is our ultimate weapon.” He recommended that CISOs put their staffs through a resilience assessment (CISA offers one) so that they train to be “responding not reacting' to crises.” 

Learn from Omar’s work building a FAIR-based risk management program at Highmark Health 

This case study from RiskLens details how he: 

• Introduced FAIR, with its risk concepts that technical and business teams both can understand, to build a strong, cohesive culture around risk management. 
• Transitioned the organization from confusing, qualitative risk assessments to quantitative analysis.
• Re-evaluated dozens of risk assessments and found that the vast majority labeled “high risk” weren’t when RiskLens/FAIR risk analysis in financial terms was applied. 
• Ran analysis of existing controls for their effectiveness with some dramatic results, including a million-dollar control producing zero risk reduction. 

Learn more in this FAIR Institute Meet-a-Member interview with Omar:

“We looked at different ways we could be more explicit about a risk-based culture, and we landed on FAIR. We thought it was the right mix of technical rigor but not so technical we would need to send people to engineering school to even implement it.”