In this extensive case study, Omar Khawaja, CISO for Highmark Health, takes you inside launch and operation of a successful quantitative risk management program at an $18 billion healthcare provider and insurer, leveraging the RiskLens platform and the FAIR™ standard.
You’ll learn how Omar:
--Introduced FAIR, with its risk concepts that technical and business teams both can understand, to build a strong, cohesive culture around risk management.
--Transitioned the organization from confusing, qualitative risk assessments to quantitative analysis.
--Re-evaluated dozens of risk assessments and found that the vast majority labeled “high risk” weren’t when RiskLens risk analysis in financial terms was applied.
--Ran analysis of existing controls for their effectiveness with some dramatic results, including a million-dollar control producing zero risk reduction.
The case study documents a return on investment of $11 million, based on first-year annualized loss expectancy reduction.
“If I can empower every single individual in my organization to make the right optimal decisions in the best interests of our customers and our enterprise, I can sleep like a baby every single night,” Omar said. “FAIR and RiskLens are a means for the analysis that makes those decisions.”
The pressure is on CISOs to improve how they prioritize and communicate security initiatives to business leaders for buy-in and adoption. Not only must they address the most significant business risks, but they must also ensure budgets are being deployed effectively for maximum value and benefit. Unfortunately, this is where the risk management toolkit of many CISOs falls short.
Qualitative, Red-Yellow-Green risk rating systems or “maturity” scales based on technical frameworks do not measure risk in business terms of risk reduction in dollars or cost-benefit analysis. They only directionally help prioritize or justify security spending and are challenging to communicate effectively with business stakeholders. It is also questionable whether they alone can truly meet compliance requirements to conduct accurate and thorough risk assessments and demonstrate that security measures implemented are sufficient to reduce risk to reasonable and appropriate levels.
For Highmark Health, a large enterprise of highly diverse business operations with patient outcomes on the line, a new approach to managing security risk was needed.
The Challenges of Qualitative Risk
When Omar Khawaja joined Highmark Health as Chief Information Security Officer (CISO), many enterprise security programs of the time thrived on the emotions of fear, uncertainty, and doubt (FUD) to secure budget approval for the latest and greatest security controls.
In Khawaja’s experience, too often justification for deployment of new controls was because the organization didn’t have them. Cyber defense was an exercise of working through compliance checklists to fill gaps in the technology stack. The pitch was simple, if we don’t close these gaps, we’re at risk of becoming the next big cyberattack headline. This approach made Khawaja nervous.
Communicating risk at the executive level presented another set of challenges. Business leaders found heat maps scattered with qualitative High-Medium-Low risk status difficult to make sense of. “Leaders would be suspicious. Is this real or is it FUD?” said Khawaja. Reports were sometimes viewed as an oversaturation of information and metrics without full understanding of impact, appreciation of prioritization, or the “why should I care?”
To tackle these challenges, Khawaja wanted to build a strong, cohesive culture that was influential, persistent, and had staying power. When looking at similarly built teams, he realized a key ingredient for successfully gluing individuals together across a large enterprise was language. However, when getting to know his new organization of 170+ full-time members and upwards of 65 contractors, he didn’t hear or see a common language for how different teams communicated. “Does ‘threat’ refer to an actor or an action? Does your definition for ‘vulnerabilities’ match mine? Forget about defining risk,” said Khawaja. Suddenly, a new priority initiative stepped to the fore.
A Common Language Transforms Highmark’s Approach to Risk Analysis
The goal to establish a common language led Khawaja to FAIR™ (Factor Analysis of Information Risk), a standard for understanding, measuring, and analyzing information risk, and ultimately, for enabling well-informed decision making. While the use of FAIR initially solved communication gaps, as understanding of the standard deepened, it presented an opportunity to better identify and analyze risk. “Why don’t we replace our qualitative risk assessments that are significantly more control-centric with a true, risk-based assessment?” shared Khawaja.
As the team embraced the standard, it became clear that if they really wanted to do a good job at scenario analysis, quantification, and Monte Carlo simulations, they were not going to achieve it by hand or with spreadsheets—they would need a purpose-built tool. “That’s when we started leveraging RiskLens in our journey,” said Khawaja.
Transforming Risk Analysis with FAIR and RiskLens
Use of FAIR and RiskLens has transformed how Highmark’s ISRM program evaluates the implementation of new projects. Gone is the past approach of compliance checklists and industry analyst must-haves. Today, any security project investment must align to one of four business outcomes: risk reduction, compliance, operational excellence, or customer experience. Proposals go through RiskLens analysis to determine the value of the control in terms of how much risk it would reduce on an annualized basis.
Where project decisions for the portfolio used to be limited to architects and strategists, “unless the risk team weighs in and says ‘here’s the number’, nothing gets approved if the outcome is not clearly related to risk reduction,” said Khawaja. “Making a logical, data-driven case for the importance of our program investments felt better to me,” Khawaja shared. “I’d rather say if we don’t do this, it could cost us $27K in annualized losses—and, oh, by the way—this is similar to what happened at Company Z,” said Khawaja. “Numbers make risk very real and in some cases result in a higher likelihood of the business accepting risk. Numbers help the conversation quite a bit.”
In a typical year, Highmark Health conducts between 200 and 250 risk assessments. As part of their shift to quantitative risk assessment methods, Khawaja’s team looked at hundreds of past ‘High Risk’ findings and redid the analysis using FAIR and RiskLens. They found that the vast majority of qualitative-based high-risk findings weren’t actually high risk. “We ended up decreasing our perception of risk simply by using a more sophisticated model [and solution set] for doing the analysis,” stated Khawaja.
In addition, the Highmark team set about evaluating existing controls running in an environment where tens of millions of dollars had been invested. The team prioritized the review of the most expensive. When risk analysis came back for one of the controls, the findings were stunning. “We found the control’s value in terms of risk reduction to be pretty close to zero,” shared Khawaja. “Highmark was spending about $1M a year maintaining and executing this control. We got rid of it and transferred the savings to investments in controls that were giving us real risk reduction.”
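The control evaluation described above, together with the scenario analysis and Monte Carlo simulation mentioned earlier, follows the FAIR pattern of simulating many years of loss events and comparing annualized loss expectancy (ALE) with and without a control. The following is an added example written for this page, not RiskLens code or Highmark’s own analysis; the scenario, its (min, most likely, max) estimates, and the control costs are constructed for illustration. It also returns a 90th-percentile annual loss, the kind of figure a business unit can set against its own loss tolerance.

```python
"""FAIR-style Monte Carlo estimate of annualized loss expectancy (ALE) and of a
control's risk-reduction value. Constructed illustration, not RiskLens code."""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One FAIR loss scenario. Each input is a calibrated (min, most likely, max)
    estimate; every figure used below is constructed for illustration."""
    name: str
    tef: tuple            # threat event frequency, events per year
    vulnerability: tuple  # probability that a threat event becomes a loss event
    magnitude: tuple      # loss per loss event, dollars


def pert(rng, low, mode, high, lam=4.0):
    """Sample a modified PERT distribution, the shape commonly used for
    min / most-likely / max calibrated estimates."""
    if high == low:
        return low
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson(rng, lam):
    """Number of loss events in one year for the sampled expected rate (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario, years=10_000, seed=1):
    """Simulate `years` independent years. Returns ALE (mean annual loss) and the
    90th-percentile annual loss for the scenario."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        # loss event frequency = threat event frequency x vulnerability
        lef = pert(rng, *scenario.tef) * pert(rng, *scenario.vulnerability)
        events = poisson(rng, lef)
        annual.append(sum(pert(rng, *scenario.magnitude) for _ in range(events)))
    annual.sort()
    return {"ale": statistics.mean(annual), "p90": annual[int(0.9 * (years - 1))]}


def control_value(before, after, annual_cost, years=10_000, seed=1):
    """Risk reduction a control buys (ALE before minus ALE after) and its ROI
    against the control's annual cost. The same seed is used for both runs."""
    ale_before = simulate(before, years, seed)["ale"]
    ale_after = simulate(after, years, seed)["ale"]
    reduction = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "risk_reduction": reduction,
        "roi": (reduction - annual_cost) / annual_cost,
    }


# Constructed scenario: a vendor-managed remote connection that lacks the
# logging and monitoring applied to standard connectivity.
VENDOR_LINK = Scenario("vendor-managed link, no logging/monitoring",
                       tef=(2, 6, 15), vulnerability=(0.10, 0.30, 0.60),
                       magnitude=(20_000, 250_000, 3_000_000))
# Control A (assumed effect): monitored standard connectivity roughly halves the
# chance that a threat event turns into a loss event.
MONITORED_LINK = Scenario("vendor link via monitored standard connectivity",
                          tef=(2, 6, 15), vulnerability=(0.05, 0.15, 0.30),
                          magnitude=(20_000, 250_000, 3_000_000))
# Control B: a product that changes none of the scenario's factors, the
# "expensive control with near-zero risk reduction" pattern.
NO_EFFECT = VENDOR_LINK


def example():
    """Evaluate both controls; annual costs are constructed figures."""
    effective = control_value(VENDOR_LINK, MONITORED_LINK, annual_cost=250_000)
    shelfware = control_value(VENDOR_LINK, NO_EFFECT, annual_cost=1_000_000)
    return effective, shelfware


if __name__ == "__main__":
    for label, r in zip(("monitored link", "no-effect control"), example()):
        print(f"{label}: ALE ${r['ale_before']:,.0f} -> ${r['ale_after']:,.0f}, "
              f"reduction ${r['risk_reduction']:,.0f}, ROI {r['roi']:.0%}")
```

Because both runs share a seed, a control that leaves every factor unchanged reproduces the baseline exactly and shows a reduction of zero and an ROI of -100%, which is the shape of the finding the team reported for its $1M control; a control that actually lowers vulnerability shows a positive reduction that can be weighed against its cost.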
FAIR has also improved communication between managers across the enterprise. “Use of RiskLens and operationalizing FAIR has allowed us to build lots of collaboration bridges between various functional groups that used to operate in silos,” Khawaja said.
Further, Marshall Lambert, Team Manager, Cyber Risk and Controls Management, noted that the use of FAIR and RiskLens injected more rigor into the assessment process and more meaning into conversations with business stakeholders. “In the past, risk remediation recommendations were taken by the business as ‘you must do this,’ which caused push back and friction. Now we have business-friendly discussions about how much it is going to cost to get a given remediation control in place and the ROI that’s delivered,” Lambert shared.
Improving Business Outcomes
Prior to use of FAIR and RiskLens, Khawaja and team would spend a lot of time trying to determine the degree of risk for a given business unit’s operations. For Khawaja, the goal was to deliver the best sets of data and let the business decide what the risk threshold was for them. For a $15B business, a $100K loss may be tolerable to live with, but for the $1B units, a $100K loss may be the difference between having a profitable year or not.
Highmark’s new approach to quantifying risk has elevated confidence in the communication and reporting of risk and its impact on the business. Reporting is produced around a set of FAIR risk scenarios and is produced consistently across business units. As different indicators are uncovered or new threats emerge, the team will rotate risk scenarios in and out of the reporting to inform each business unit’s leadership accordingly.
“RiskLens helps me have conversations with business leaders in a much more confident manner because I know I’m measuring loss and risk in units of measure that are applicable to the business—not in security terms of vulnerabilities and threats that the business is less concerned about,” said Khawaja.
Disallowance of Non-Standard Remote Connectivity
Estimated risk reduction upwards of $2.8M. With many different Highmark business units collaborating with 3rd party entities, the ISRM team often receives requests to stand up VPN connectivity within the environment. Often the connection is controlled by the end vendor and lacks appropriate logging and monitoring controls required for standard Highmark VPN connectivity, or introduces security concerns given the placement of the server. In combination, these elements drastically increase risk exposure for 3rd party compromise onto the Highmark network.
Integration with HITRUST Common Security Framework (CSF)
When it comes to compliance, Khawaja simplifies the definition as a list of controls and a list of consequences if you don’t meet those controls. “We now have different piece parts we didn’t really know how to bring together before in a single mathematical relationship which allows us to look at risk in a more comprehensive manner,” said Khawaja.
To better understand Highmark’s risk landscape, the team integrates with HITRUST CSF, a certifiable framework that rationalizes relevant regulations and standards (such as NIST CSF) into a single overarching security and privacy framework. Achieving HITRUST CSF certification helps healthcare organizations demonstrate their HIPAA compliance. Use of RiskLens enriches Highmark’s risk insights through ROI analysis on the controls recommended by HITRUST, helping the team make the best decisions informed by data-driven outputs. As shared by Lambert, using defined controls and related threat events, Highmark has developed a joint process that allows for both the development of discrete FAIR loss scenarios and the determination of which HITRUST controls play a role in overall quantified risk exposure.
The integration between FAIR, RiskLens, and HITRUST replaces a lot of manual investigative work to appreciate risk exposure. Recommendations with relevant control information are now at everyone’s fingertips.
Armed with such insights, Highmark can prioritize efforts and investments to improve those controls with the largest risk reduction impact first. “The integration’s additional layer of objectivity adds another piece to the puzzle and helps empower decision-making constructs a little bit further,” Lambert shared.
Budget Justification for Upgrading ‘End-of-Support’ Systems
Estimated risk reduction upwards of $1M. With such a diverse mix of IT infrastructure, Highmark’s IT Support teams often find themselves facing end-of-support for older systems that continue to run mission-critical operations, e.g., end of life for Windows 2008 servers or end of support for Windows 7. In such circumstances, the IT Support teams felt they didn’t have enough justification to make a business case for the purchase of extended support for systems and applications.
“Support teams now come to us for risk analysis,” shared Lambert. “Our findings are able to convey to decision-makers the amount of cyber risk produced as a result of unsupported applications or systems residing on the network.”
Cybersecurity as Strategic Business Value
In the past, security was viewed as a cost center to be managed. However, as the team established the collective value of all controls and their related ROI, it became easier for Khawaja to demonstrate the impact of cybersecurity on the business and the overall value of the program. “When I can say we are reducing risk by $78M a year on an investment of $15M, I can build an income statement that expresses reduced risk as to the equivalent of value brought to the company—or our loss avoidance,” said Khawaja. “Now I’ve shifted the security program away from being literally a cost center to being a value center.” Khawaja shared last year’s quantified ROI for risk-reduction related projects for the following two business units, which represent the bulk of enterprise operations as follows:
“I look at my job as enablement. If I can empower every single individual in my organization that’s making decisions to make the right optimal decisions in the best interests of our customers and our enterprise, I can sleep like a baby every single night,” said Khawaja. “FAIR and RiskLens are a means for the analysis that makes those decisions.”
Highmark Health and RiskLens: Future Direction
At a time of disruption for the healthcare industry, cybersecurity prioritization and justification is more important than ever. As Khawaja and the team look to the future, they want to begin using FAIR and RiskLens to increase the scope of risk analysis from one-off senior executive discussions to helping business leaders determine how much risk they want each level in their organization to accept.
For Highmark Health, FAIR and RiskLens have been game-changers for how the enterprise understands, quantifies, and communicates cyber risk and its impact on the business. Working together, the security team and business leaders at all levels of the organization are enabled to make decisions based on data-driven analysis and highly contextualized risk insights. In the process, the Information Security/Risk Management program has stepped forward as a trusted strategic advisor and value creator to the business, championing best practices for improving cyber risk outcomes.
About Highmark Health
Highmark Health supports millions of customers with products, services and solutions committed to creating remarkable health experiences that free people to be their best. Headquartered in Pittsburgh with a regional focus in Pennsylvania, Delaware, West Virginia, and eastern and northwestern New York, Highmark Health’s 35,000 employees serve individual consumers and businesses in 50 states and the District of Columbia.
Highmark Health companies cover a diversified spectrum of essential health-related needs including health insurance, health care delivery, population health management, dental solutions, reinsurance solutions, and technology solutions generating consolidated annual revenues totaling $18 billion.
With a 170-year legacy of compassionate care, philanthropy, and corporate responsibility, Highmark Health is proud of its tradition and culture of giving back and reinvesting in the communities it serves to ensure they remain strong and healthy.
RiskLens is the global leader in quantitative cyber risk management and author of FAIR™, the international standard for cyber risk quantification. RiskLens solutions and capabilities empower CISOs to understand cyber risk—and to prioritize and manage cybersecurity investment decisions—in business terms. Through the RiskLens platform and services, we help CISOs make decisions to maximize the bottom-line impact a company’s cybersecurity investments will have on reducing risk, and just as importantly, to deprioritize less impactful areas of spending.