At the recent FAIR Conference, Michael Prieur, Senior Director, Security GRC, for Centene Corp., a $163 billion healthcare company, shared how cyber risk quantification helped crack some problems familiar to many cyber risk program leaders: rapid company growth, third-party vendor bloat, GRC overload, increasing pressure from above to justify spend.
“Our internal risk assessment process started seeing these giant bottlenecks,” he said, that were actually impeding business processes.
Armed with FAIR, Mike got on top of three critical challenges:
Watch the video of the FAIRCON25 session:
Cutting Through the Noise: Applying Cyber Risk Quantification Across Security GRC
Problem #1: The Vendor Risk Assessment Bottleneck
To assess and onboard a vendor by passing around questionnaires and other documentation “took almost 30 days, which is insane.” Under Mike’s leadership, Centene worked out a risk rating system based on likelihood and impact of cyber events for any incoming vendor. The resulting triage means only 10-15% of vendors now require the full due diligence questionnaire.
Problem #2: Inconsistent Internal Risk Assessments
Centene uses an ITIL-compliance-based service design process for new system deployments which often required a risk assessment. Analysts would run qualitative assessments through spreadsheets — a slow and questionable process. Centene standardized on a FAIR-based system where every assessment follows the same methodology, with threat event frequencies and loss magnitudes calculated quantitatively.
Problem #3: Prioritizing Security Investments with Limited Resources
Centene had fallen into that qualitative-analysis trap in which every issue was rated high priority. With FAIR input, Mike’s team developed a “return on control metric” that “made governing the whole process so much simpler and easy.”
Get the details on how Centene solves bottlenecks with FAIR practices - watch the FAIRCON25 session now.
Network with, learn from FAIR leaders like Michael Prieur. Join the FAIR Institute.