Meet a Member Interview: New Pittsburgh Chapter Co-Chairs Scott Gordon, Highmark Health, and Michael Carns, UPMC

/
FAIR Inst Pittsburgh CoChairs Michael Carns Scott Gordon - Crop

Quantifying cyber risk is often a new approach to cyber risk management for many new members who join the FAIR Institute and begin their educational and professional journeys with FAIR. 

Watch our Meet a Member interview now.

Recently, I was able to chat with Scott Gordon, Team Manager IAM Role Lifecycle Management at Highmark Health (right in the image) and Michael Carns, Vulnerability Assessment Technology Lead at UPMC (left) about their experiences in the space and their plans to bring these stories to the revitalized Pittsburgh Chapter they now lead.

They both offer compelling insights into how FAIR and the Institute are revolutionizing risk management.

Both Scott and Michael’s stories highlight a critical shift in how organizations approach cyber risk – moving from a reactive, checkbox mentality to a proactive, data-driven strategy.

Key Transformational Insights

1. Beyond Traditional Metrics

Scott discovered that traditional industry standards often lack meaningful substance. The common 60-75% coverage rule for cyber insurance, for instance, means different things to different organizations. By applying FAIR principles, he's working to establish more meaningful, consistent metrics to know how to best protect the organization. 

2. Prioritizing with Purpose

Michael shares how they transformed their approach to vulnerability management at UPMC. By developing a sophisticated model, they reduced their critical vulnerability population to just a tenth of a percent of the total, allowing for more focused and effective risk mitigation.

Communicating Risk to Leadership

Both professionals emphasized the importance of translating technical complexities into business language:

>>Speak in Financial Terms: Leadership understands dollars and cents
>>Provide Future Insights: Show not just current status, but potential resource requirements and opportunities
>>Highlight Team Successes: Give credit to infrastructure teams doing the actual remediation work

The Human Side of Risk Management

Beyond the technical aspects, our conversation revealed the human element of risk management. Scott and Michael are passionate about creating more effective security programs that support, rather than hinder, business operations.

This has led to the restart of the Pittsburgh FAIR Institute Chapter which is an exciting opportunity for professionals to collaborate, share insights, and continue evolving risk management practices.

Watch the full interview below to hear about Scott and Michael’s work in depth and their advice to fellow Institute members who are starting out.

Watch our Meet a Member interview now.


Interested in Learning More?

Check out the FAIR Institute's upcoming events, become a member and attend an upcoming chapter meeting, and join us at FAIRCON25 in New York City in November, to dive deeper into risk quantification strategies.

 

Learn How FAIR Can Help You Make Better Business Decisions

Order today
image 37

Recent Blogs

SEE ALL
FAIR Institute

Meet a Member: Dallas-Ft. Worth Chapter Chair Josh Marker, SAP, on Getting the Language of Risk Right

FAIR Institute

Bridging the Gap Between Cyber and Enterprise Risk: Our Feedback on NIST IR 8286 Drafts

FAIR Institute

RSAC 2025 FAIR Institute Events: Manage Cyber Risk to Transform Uncertainty into Business Opportunity with FAIR Insights from Experts

FAIR Institute

Introducing the FAIR-U Workbook for Learners (Beta), Hands-on Training Tool for FAIR Risk Analysis