Omar Khawaja, CISO at Highmark Health, is building one of the more ambitious programs to introduce FAIR (Factor Analysis of Information Risk) we’ve heard of, in the complex risk environment of a company with insurance, hospital, retail eye care, and other health-related businesses.
Omar started as a network engineer and, at Verizon, switched to marketing, where he was assigned to promote Verizon’s DBIR (Data Breach Investigations Report). That’s where he was first exposed to FAIR, and where he got a “closeup view of how breaches actually happen” through Verizon’s MSSP operation. “And I had a good view of what people talk about when they make a business case for security. So, I started thinking about when do you use statistics and when do you use stories, and you kind of need both.” Looking for a middle road between the mindsets of engineering and marketing, he landed in the world of risk.
Omar is five years in as CISO at Highmark. He also sits on the board of HITRUST, the Health Information Trust Alliance, which manages the CSF (Common Security Framework) for health information, and he was named CISO of the Year in 2017 by the Pittsburgh Technology Council.
Q: How did you come to FAIR at Highmark?
A: A few years ago, we said we wanted to create a world-class security organization at Highmark. We went through nine months of thinking and workshopping, and we found four things that we were not already doing.
One, we have to provide frictionless security.
Two, we have to exemplify zero trust.
Three, we need an invasion-focused culture and not an installation-focused culture, saying here’s a bunch of security activities but not paying attention to the outcome.
Fourth, it’s important that we have a risk-based culture. Risk in my mind is the bridge that connects the business world to the technical world of security controls.
We looked at different ways we could be more explicit about a risk-based culture, and we landed on FAIR. We thought it was the right mix of technical rigor but not so technical we would need to send people to engineering school to even implement it.
Q: How did you go about implementing FAIR?
A: I said if I’m going to be the leader of the program I have to get certified, and if this is an objective across the security program for us then it should not be just the risk or GRC team that gets the training but across the organization. So, I made it a requirement that every single director and manager within the security program had to take the certification. Then that becomes the common language that we can use to talk to each other.
In 2018, every single person managing people in my organization has to come up with a very specific way that they’re starting to collaborate with another part of the security organization using FAIR. Like if I’m in vulnerability management and I care about resistance strength, now I’m going to talk to the threat management team and say “tell me what the contact frequency is for these types of events.”
Everyone has to take at least two boxes within the FAIR model and demonstrate to me how they’ve actually operationalized FAIR, and that’s part of everyone’s performance objectives for the year.
Also, one of the requirements for becoming a manager is you have to get FAIR certified. The idea is we want people to learn the right language from the start. The managers are going to drive the culture change more than anyone else and if they’re not on board, we’re not going to lead the culture in the right direction.
Q: How successful has this effort been?
A: I would love to tell you every risk analysis is based on FAIR and we don’t do any qualitative risk analysis anymore, but we are definitely on a journey headed in the right direction. Every other week, I get an update from my team and we’re talking about dealing with a situation and out of nowhere they start talking about how to leverage FAIR. For instance, when WannaCry hit, the team said we’ve got to figure out which systems to patch first and we’ll use FAIR to decide which systems present the largest risk.
As much as we can get the grassroots to internalize, that’s the value because the goal for us isn’t to use the FAIR methodology to deliver a particular risk assessment report. The goal is to create a culture that is risk-based, that isn’t always thinking there’s a gap, there’s a vulnerability, there’s a security control we haven’t purchased.
Q: How about reporting upward to the Board and C-suite?
A: A lot of the measures we’ve had have been decidedly qualitative, and not even that, just a bunch of stuff we’ve done, controls, incidents. We recently identified six metrics we think are important to the health of our security program and then have particular numbers underneath that. We tier them one to five then create something called a Secure Score, which is the average of those six measures.
I think if I started them with “here’s the dollars and cents,” I probably would have jumped there too fast. I’m also really cognizant that the moment I start sharing dollar figures, I’d better be confident. So, I’ll be sharing that internally for at least eight or 12 months to let other teams pressure test it. When we finally get to the point that everyone agrees the numbers make sense, then I’ll feel ready to share that with the C-suite and the Board.
Q: You’re involved with some of the most sensitive and controversial data around, personal health information. How has FAIR helped with that challenge?
A: We looked at research from Ponemon that said that the average cost of a single health care data record in a breach is $400, and from a risk standpoint we realized those numbers were not anywhere close to being accurate. Verizon DBIR essentially dissected the Ponemon analysis and others and came up with numbers on the other extreme, in the pennies range.
If you think about Loss Magnitude, those numbers become really important. We’ve done our own analysis and talked to cyber risk underwriters and developed numbers from that. If we were doing this two years ago, we wouldn’t have been able to leverage FAIR as much because the ranges for the costs would have been way too wide and broad. Now we have a better handle so our accuracy is a lot better. FAIR gives you ranges so you can describe what the shape of the curve is. That gives us the flexibility we need.
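The answer above turns on two FAIR ideas: factoring a scenario into contact frequency, probability of action, vulnerability (threat capability against resistance strength) and loss magnitude, and expressing each factor as a calibrated range rather than a point estimate so the output is a distribution whose shape you can reason about. The following is an added example, written for this page and not Highmark’s or the FAIR Institute’s code, of a minimal Monte Carlo implementation of that idea. The `Range`, `Scenario`, `poisson`, `simulate_annual_loss` and `summarize` names and the sample scenario values are constructed for illustration and are not Highmark figures.

```python
"""Monte Carlo FAIR-style annualized loss estimate from calibrated ranges.

Added example, not Highmark's or the FAIR Institute's code.  Every input
range below is constructed for illustration; none is a real Highmark figure.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """A calibrated estimate: minimum, most likely value, maximum."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random, lam: float = 4.0) -> float:
        """Draw from a PERT distribution over [low, high] peaked at mode.

        PERT is a rescaled Beta(a, b); a and b are chosen from the mode, so
        every draw stays inside the stated range.  Its mean is
        (low + 4*mode + high) / 6.
        """
        if self.high == self.low:
            return self.low
        a = 1 + lam * (self.mode - self.low) / (self.high - self.low)
        b = 1 + lam * (self.high - self.mode) / (self.high - self.low)
        return self.low + rng.betavariate(a, b) * (self.high - self.low)


@dataclass(frozen=True)
class Scenario:
    """FAIR factors for one loss scenario.

    contact_frequency:     threat-agent contacts with the asset per year
    probability_of_action: share of contacts that turn into attacks
    vulnerability:         share of attacks that succeed (threat capability
                           versus resistance strength, given here directly)
    loss_magnitude:        dollars lost per successful event
    """
    contact_frequency: Range
    probability_of_action: Range
    vulnerability: Range
    loss_magnitude: Range


def poisson(rng: random.Random, lam: float) -> int:
    """Integer event count for an expected rate lam (Knuth's method for small
    rates, normal approximation above 30 to avoid exp(-lam) underflow)."""
    if lam <= 0:
        return 0
    if lam > 30:
        return max(0, round(rng.gauss(lam, math.sqrt(lam))))
    limit = math.exp(-lam)
    k, p = 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_loss(scenario: Scenario, years: int = 10000, seed: int = 1) -> list[float]:
    """Return one simulated annual loss (dollars) per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        tef = scenario.contact_frequency.sample(rng) * scenario.probability_of_action.sample(rng)
        lef = tef * scenario.vulnerability.sample(rng)   # expected loss events this year
        events = poisson(rng, lef)
        losses.append(sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    return losses


def summarize(losses: list[float]) -> dict[str, float]:
    """Percentiles describing the shape of the annual-loss curve."""
    s = sorted(losses)
    pct = lambda p: s[min(len(s) - 1, int(p * len(s)))]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(s), "max": s[-1]}


# Constructed scenario: phishing-led compromise of a workstation holding
# patient records.  Values are illustrative only.
SCENARIO = Scenario(
    contact_frequency=Range(50, 200, 600),
    probability_of_action=Range(0.05, 0.15, 0.40),
    vulnerability=Range(0.02, 0.05, 0.15),
    loss_magnitude=Range(20_000, 150_000, 2_000_000),
)

if __name__ == "__main__":
    base = summarize(simulate_annual_loss(SCENARIO))
    # Same scenario with a far wider loss-magnitude range, as the interview
    # describes having to work with before better cost data was available.
    wide = summarize(simulate_annual_loss(
        Scenario(SCENARIO.contact_frequency, SCENARIO.probability_of_action,
                 SCENARIO.vulnerability, Range(1_000, 150_000, 20_000_000))))
    for label, stats in (("calibrated", base), ("wide", wide)):
        print(label, {k: f"${v:,.0f}" for k, v in stats.items()})
```

Running the block prints p10/p50/p90 for the constructed scenario and for the same scenario with a much wider loss-magnitude range; the second p90 is the kind of number that is too broad to take to a board, which is the point being made above about needing a better handle on per-record cost before sharing dollar figures.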