FAIR™ program manager Jason Martin generously shared the lessons learned from two years of FAIR implementation at Highmark Health, the major hospital and health plan administrator, in a webinar that will be of high value to anyone (from the health industry or not) looking for detailed guidance on launching cyber risk quantification.
Listen to the Webinar: Quantified Cyber Risk Management: Three Steps to Success with Highmark Health. Membership in the FAIR Institute (it’s free) and the Institute’s LINK discussion board required. Join now!
Jason gave his insights on how to think through the purpose of a FAIR program. The three steps are:
1. Knowing. Identifying the risks you face, prioritizing among them and comparing them against your threat catalog (for Highmark, that comes from the industry standard, HITRUST). Jason described the process of working with other teams, such as threat intelligence, to funnel the concerns of the organization into analyzable risk scenarios that fit the FAIR criteria.
2. Understanding. Clarifying the logical factors driving the risk, including gathering the data from SMEs and developing a rationale for an analysis, then applying quantification (Highmark uses the RiskLens platform to produce minimum-most likely-maximum distributions based on Highmark’s loss tables).
3. Managing. Supporting the decision-makers with analyses that show risk and remediation alternatives in the financial terms that the business understands (and that are compatible with a GRC tool).
He also shared some of the tools and processes developed by the Highmark FAIR team, such as:
· A template for gathering data from SMEs
· A document template for reporting on FAIR analysis to the business
· Charts presenting mitigation options based on return on investment, easily digestible by decision makers
· The mechanics of a “FAIR review board” that quality-checks analyses with a panel from outside the risk team
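As an added illustration of the quantification step described above (min / most-likely / max estimates turned into a loss distribution) and of the ROI-based mitigation comparison, here is a small Monte Carlo model in the FAIR style. It is example code written for this summary, not Highmark's or RiskLens's implementation; the loss estimates and the control cost are constructed, and the triangular distribution stands in for the PERT distribution FAIR tools typically use.

```python
import random
import statistics

def draw(rng, estimate):
    """Sample a (min, most_likely, max) estimate.
    Triangular is a simple stand-in for the PERT distribution used by FAIR tooling."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)

def simulate_ale(lef, lm, iterations=10_000, seed=1):
    """Annualized Loss Exposure (ALE) for one risk scenario.
    lef: loss event frequency per year as (min, most_likely, max)
    lm:  loss magnitude per event in dollars as (min, most_likely, max)
    Returns the sorted list of simulated annual losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(iterations):
        rate = draw(rng, lef)
        # Convert the sampled fractional frequency into a whole number of events
        # this year; stochastic rounding keeps the long-run mean equal to the rate.
        events = int(rate) + (1 if rng.random() < rate - int(rate) else 0)
        annual.append(sum(draw(rng, lm) for _ in range(events)))
    return sorted(annual)

def summarize(annual):
    """Percentile summary of the kind a FAIR report puts in front of decision makers."""
    n = len(annual)
    pct = lambda p: annual[min(n - 1, int(p * n))]
    return {"min": annual[0], "p10": pct(0.10), "median": pct(0.50),
            "p90": pct(0.90), "max": annual[-1], "mean": statistics.fmean(annual)}

def control_roi(current, mitigated, annual_control_cost):
    """Return on investment of a control: mean ALE reduction net of its yearly cost,
    expressed as a fraction of that cost."""
    reduction = statistics.fmean(current) - statistics.fmean(mitigated)
    return (reduction - annual_control_cost) / annual_control_cost

if __name__ == "__main__":
    # Constructed illustrative estimates for a phishing scenario, not Highmark data.
    current = simulate_ale(lef=(0.5, 2.0, 6.0), lm=(50_000, 200_000, 1_000_000))
    # Hypothetical control assumed to halve event frequency at $250k per year.
    mitigated = simulate_ale(lef=(0.25, 1.0, 3.0), lm=(50_000, 200_000, 1_000_000))
    print(summarize(current))
    print(f"ROI of control: {control_roi(current, mitigated, 250_000):.0%}")
```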
For more on how Highmark aligns FAIR analysis with the HITRUST cybersecurity framework, see this report on a presentation Jason gave to the HITRUST annual conference. And Highmark CISO Omar Khawaja gave more detail on FAIR program introduction in this Meet a FAIR Institute Member interview.
More than 7,000 risk and security professionals from all industries network and learn as members of the FAIR Institute. Join them now (it’s free)!