Meet a Member Interview: New Pittsburgh Chapter Co-Chairs Scott Gordon, Highmark Health, and Michael Carns, UPMC


For many new members who join the FAIR Institute and begin their educational and professional journeys with FAIR, quantifying cyber risk is a new approach to cyber risk management.

Watch our Meet a Member interview now.

Recently, I was able to chat with Scott Gordon, Team Manager, IAM Role Lifecycle Management at Highmark Health (right in the image), and Michael Carns, Vulnerability Assessment Technology Lead at UPMC (left), about their experiences in the space and their plans to bring these stories to the revitalized Pittsburgh Chapter they now lead.

They both offer compelling insights into how FAIR and the Institute are revolutionizing risk management.

Both Scott and Michael’s stories highlight a critical shift in how organizations approach cyber risk – moving from a reactive, checkbox mentality to a proactive, data-driven strategy.

Key Transformational Insights

1. Beyond Traditional Metrics

Scott discovered that traditional industry standards often lack meaningful substance. The common 60-75% coverage rule for cyber insurance, for instance, means different things to different organizations. By applying FAIR principles, he's working to establish more meaningful, consistent metrics to know how to best protect the organization. 

2. Prioritizing with Purpose

Michael shares how they transformed their approach to vulnerability management at UPMC. By developing a sophisticated model, they reduced their critical vulnerability population to just a tenth of a percent of the total, allowing for more focused and effective risk mitigation.

Communicating Risk to Leadership

Both professionals emphasized the importance of translating technical complexities into business language:

- Speak in Financial Terms: Leadership understands dollars and cents
- Provide Future Insights: Show not just current status, but potential resource requirements and opportunities
- Highlight Team Successes: Give credit to infrastructure teams doing the actual remediation work

The Human Side of Risk Management

Beyond the technical aspects, our conversation revealed the human element of risk management. Scott and Michael are passionate about creating more effective security programs that support, rather than hinder, business operations.

This has led to the restart of the Pittsburgh FAIR Institute Chapter, which is an exciting opportunity for professionals to collaborate, share insights, and continue evolving risk management practices.

Watch the full interview below to hear about Scott and Michael’s work in depth and their advice to fellow Institute members who are starting out.



Interested in Learning More?

Check out the FAIR Institute's upcoming events, become a member, attend an upcoming chapter meeting, and join us at FAIRCON25 in New York City in November to dive deeper into risk quantification strategies.

 
