IHG Hotels Shares Its Story of Scaling FAIR at Our RSA Conference Event

San Franciso - RSA Conference 2024 Dark

The FAIR Institute hosted a happy hour sponsored by Technical Advisor Safe Security at the 2024 RSA Conference that drew a packed house to a San Francisco wine bar, a crowd that, by a show of hands, was mostly new to quantitative cyber risk management, and clearly eager to drink up advice on starting and scaling a FAIR program from our guest speakers:

--David Jordan, SVP & Chief Information Security Officer, IHG Hotels & Resorts

--Michelle Griffith, VP, Security Governance, Risk & Compliance, IHG Hotels & Resorts

--Chad Weinman, VP, Risk Strategy & Success, Safe Security

Chad Weinman who, after FAIR creator Jack Jones, may be the most experienced person on the planet at FAIR program development, began by acknowledging dissatisfaction he’d heard from CISOs at the conference about cyber risk quantification (CRQ) as it is generally practiced today:

>>manual, labor-intensive, limited to one point in time, slow going

>>only worth doing for a few high-level analyses like identifying top 10 risks, not real-time, continuous risk management

Chad updated the audience on the work at the FAIR Institute to develop standards and methods to enable FAIR risk analysis with automation.

>>The FAIR Controls Analytics Model (FAIR-CAM) codifies and quantifies how controls affect risk, singly and as controls systems and enables auto-collecting of controls status data


>>The FAIR Materiality Assessment Model (FAIR-MAM) guides organizations to create an always-ready source of loss data for FAIR analysis

>>The FAIR Third Party Risk Assessment Model (FAIR-TAM), working in conjunction with FAIR-CAM, FAIR-MAM and telemetry, can give a comprehensive picture of how vendors or other supply chain partners create loss exposure for your organization.

“The future of FAIR is automated and easy,” Chad said.

IHG Hotels FAIR Journey

IHG is the parent for Holiday Inn and 16 other global brands, a big company but with a lean cyber risk team.

“We have four really good initiatives we want to do right now but only have resources and budget to do one of them,” said David Jordan. “That’s the kind of thing I want FAIR to help me figure out.”

The team tried their own proof of value for a FAIR program and, as Michelle Griffith said, “it took three and a half months to look at one risk using spreadsheets.” Now, they are eagerly looking forward to an automated solution.

Words of Advice for CISOs Considering a FAIR Program

Michelle and David walked through two main lessons learned on their FAIR journey.

1.  Get the team trained. Automated or not, organizations get the most value by learning together the principles and methods of FAIR, so they think in the same terms and speak the same language about risk. They advised finding a knowledgeable partner to help, at least in the early stages. (The FAIR Institute website has a wealth of educational resources and blog posts on FAIR.)

2.  Don’t boil the ocean. David and Michelle suggested starting with a limited and manageable business problem to solve with FAIR analysis, ideally one where risk quantification adds a lot of value to a big decision and will land well with an appreciative audience (especially the board). “It’s all about momentum,” Chad said – knock over the first domino and the rest will fall.

Learn from the experts, network with your peers - join the FAIR Institute!

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37