Michael Lewis, Cyber Security and Technology Strategy Planner at Chevron, and Ashish Shah, Team Lead of Cyber Security Risk Assessment and Operational Excellence at Chevron, are the Co-Chairs of the Houston Chapter of the FAIR Institute – and have a story to tell about patience and persistence in introducing quantitative risk management at a big company that will sound familiar to many of our members.
Michael was an early believer in FAIR – he brought Jack Jones to Chevron for a proof of concept in 2008, when FAIR was first a spreadsheet plus Monte Carlo solution. Chevron first applied FAIR not for IT but for strategic risk, was a user of the early versions of FAIR analysis software, and more recently has been pushing ahead with the FAIR program under Ashish’s leadership, including an extensive training effort with the FAIR Fundamentals course.
In our conversation, Michael and Ashish discussed tips for propagating FAIR in the organization, particularly among time-challenged executives:
- The “three-legged stool” analogy for explaining the key elements of risk (threat, susceptibility, and impact)
- How to take the qualitative outputs from a GRC and add the quantitative element
And we talked about one of the major challenges in advancing quantitative risk analysis: getting access to incident data for oil and gas cybersecurity, both from within the organization and from the oil and gas industry generally. “As we go through all this digital transformation, some of those barriers begin to come down, but not all have,” Michael says.
“We’re on a journey here at Chevron, and I really do hope to progress on our journey on quantitative risk because I only see good things happening for us,” Ashish sums it up.
Watch the video: