CISO Omar Khawaja built a highly rated security program for Highmark Health, a major manager of health plans and hospitals, but something was missing, he told Health IT Security in a recently published interview.
“We’ve been strengthening each of the silos, but the overall program wasn’t strengthened because the bonds between the silos were lacking…What we arrived at is they needed a common language.”
Khawaja found that common language in the FAIR model. “It was complete, it was simple, it was on one page. It wasn’t oversimplified and it wasn’t more sophisticated than it needed to be.”
He required every manager to be FAIR certified, and once everyone was trained, he gave them the assignment of building a relationship with at least one other part of the security operation, using shared FAIR terminology.
Second, Khawaja put FAIR at the center of the budgeting process. When a manager asks for funding, “we have a cyber risk team that comes in and does a FAIR analysis to determine the value of putting this in place…The return on investment equation, that’s where FAIR helps us.”
Read the complete interview, “How FAIR Can Build Common Security Language, Drive Processes,” in Health IT Security.
Omar Khawaja co-chairs the Pittsburgh chapter of the FAIR Institute. He was honored with the Business Innovator Award at the 2018 FAIR Conference for his work introducing FAIR at Highmark, and he was a panelist in the discussion “Defining the Goals of an Effective Risk Management Program” at the recent 2019 FAIR Conference (read complete coverage of FAIRCON19).