As we wrap up 2025, I find myself both proud and genuinely energized by what the FAIR Institute and our community have accomplished together this year.
Cyber risk management is no longer a niche discipline. It’s no longer something organizations can afford to treat as a side conversation or a purely technical concern. As our 2025 State of Cyber Risk Management research revealed (more on this below), that reality became clear, and the FAIR Institute community was at the center of this ongoing shift.
What made this year special wasn’t just the volume of activity, but the momentum, maturity, and impact behind it. With the support of our members, volunteers, partners, instructors, and board, the FAIR Institute made meaningful progress toward our mission: helping organizations manage cyber risk in clear, defensible, business-relevant terms.
One of the things I’m most proud of in 2025 is the progress we made on standards, the foundation of everything we do.
This year, we continued to advance and promote the FAIR Cyber Risk Management Framework, bringing together the FAIR Model, FAIR-CAM, and related content into a coherent, practical approach to managing cyber risk end-to-end. Built on years of real-world application, the framework is increasingly serving as a common language between security teams, risk leaders, executives, and boards.
At the start of the year, we expanded our standards committee and published a new Standards Committee charter, which better formalizes our work on this front. We also published and maintained three formal standards artifacts (linked above, plus the FAIR Cyber Risk Management Program standard), reinforcing FAIR’s position as the most rigorously defined and widely adopted quantitative cyber risk management methodology. These standards are designed to be used, challenged, and improved through practice.
Notably, 2025 was also a year in which the FAIR Institute contributed directly to the broader standards and policy conversation. We provided formal feedback to NIST on the forthcoming NIST IR 8286 series, drawing on years of experience helping organizations operationalize cyber risk management. Our feedback focused on strengthening alignment between cyber risk, enterprise risk management, and executive decision-making, areas where many organizations continue to struggle. We also provided input into the Organizational Risk Culture Standard, which offers essential guidance for enterprise and cyber risk leaders seeking to drive lasting improvements in how their businesses manage risk.
This engagement reflects something we take seriously at the FAIR Institute: advancing not just FAIR, but the overall maturity of cyber risk management as a discipline. The community powers that work through active workgroups and practitioners who continue to push both FAIR and the industry forward.
2025 was also a year where the FAIR Institute leaned directly into some of the most complex and urgent risk challenges organizations face today, moving beyond theory to practical solutions.
Artificial intelligence is rapidly transforming how organizations operate and how cyber risk manifests. Throughout the year, FAIR research, events, and community discussions focused on bringing structure and rigor to AI-driven cyber risk, from new threat dynamics to control effectiveness in AI-enabled environments.
A significant milestone was the launch of our AI Red Teaming and Risk Analysis course at FAIRCON25 in New York City. Designed as a hands-on experience, the course helps practitioners apply FAIR to realistic AI scenarios, testing assumptions, identifying plausible loss events, and quantifying risk in business terms. It reflects a core FAIR principle: AI risk can’t be managed effectively with generic checklists; it requires disciplined analysis and a shared decision-making language.
Third-party cyber risk remains one of the most persistent challenges for CISOs, risk leaders, and boards. In 2025, FAIR workgroups, research, and events focused on helping organizations move beyond questionnaires and scoring models toward quantifying third-party risk in financial terms, enabling better prioritization and more defensible governance decisions.
This work culminated in the launch of our FAIR Third-Party Risk Management course, which provides a structured, repeatable approach to analyzing third-party risk using FAIR. The course centers on what actually matters: realistic loss scenarios, material impact, and where risk reduction efforts will deliver the greatest value.
Together, these efforts translate two of today’s most challenging risk problems into practical skills practitioners can apply immediately while giving leaders clearer insight into risks that are increasingly appearing in boardrooms and regulatory discussions.
Alongside standards and emerging risk topics, 2025 was a strong year for research.
Our State of Cyber Risk Management research continued to grow in reach and influence, providing data-driven insight into how organizations are actually measuring, prioritizing, and managing cyber risk. The research highlights where maturity is improving, where gaps remain, and how quantitative approaches like FAIR are reshaping decision-making at senior leadership and board levels.
Just as importantly, this research is increasingly informing conversations beyond our community, helping shape external frameworks, guidance, and expectations around what “good” cyber risk management looks like.
One of the most exciting milestones of 2025 was the launch of the FAIR Institute’s education and certification program.
This year, we:
Notably, our two new courses, FAIR Third-Party Risk Management and AI Red Teaming and Risk Analysis, connect FAIR fundamentals directly to the issues organizations and boards are grappling with most today, reinforcing our commitment to practical, decision-focused cyber risk management.
Just as importantly, we laid the foundation to begin certifying FAIR professionals in early 2026. Certification is a major step forward for the community, helping organizations trust the quality and consistency of FAIR analyses while giving practitioners a clear, credible way to demonstrate their expertise.
FAIR Institute Award Winner A. J. Anand, ADP
Another moment this year that captured the FAIR community's progress was the presentation of the 2025 FAIR Institute Awards at FAIRCON.
These awards exist for a simple reason: to recognize organizations and individuals who are actually doing the work, embedding FAIR into how decisions get made, how programs are run, and how cyber risk is communicated to executives, boards, and external stakeholders. What stood out to me this year was just how diverse and mature those examples have become.
The 2025 award recipients spanned executive leadership, enterprise cyber risk programs, third-party risk management, cyber insurance innovation, and community advocacy. Taken together, they reflect a discipline that is moving well beyond early adoption. We’re seeing FAIR applied at scale, across industries, and in places where rigor and defensibility truly matter.
Just as important, these awards are not popularity contests. Winners are selected by an independent panel of senior cybersecurity and risk leaders, many of whom have built and operated FAIR programs themselves. That peer recognition makes the awards especially meaningful and reinforces that the bar for excellence in cyber risk management is rising.
If you attended a FAIR Institute event this year, you felt it: the community is thriving.
FAIRCON 2025 was our largest and most successful conference to date. We welcomed nearly 600 attendees, delivered 47 sessions led by 96 speakers, and trained over 160 professionals during our two days of pre-conference courses and workshops. The energy throughout the event made clear that FAIR is no longer emerging. It’s established, respected, and actively shaping how cyber risk is managed across industries.
Beyond FAIRCON, we hosted our European Summit, chapter meetings, webinars, executive roundtables, and virtual discussions throughout the year, creating spaces where practitioners could learn from one another, challenge assumptions, and continue advancing the discipline together.
Board Member Alex Antukh
Strong governance and diverse perspectives are critical for a mission-driven organization like ours.
In 2025, we were proud to welcome six new board members: Khalil Jackson (Bank of New York), Alex Antukh (AboitizPower), Mathias Bücherl (Heidelberg Materials AG), Chon Abraham (College of William & Mary), Michael Siegel (MIT Sloan), and Suneel Sundar (MITRE Center for Threat-Informed Defense). Each brings valuable experience, global perspective, and a shared commitment to advancing cyber risk management as a business discipline.
We also expanded our international footprint with the launch of a European Advisory Board, which will help us better serve a growing global community. At the same time, membership growth continued (surpassing 18,000 general and contributing memberships), reflecting the broader industry shift toward treating cyber risk as a true business risk, not just a technical issue.
None of this happens without the community.
To everyone who contributed to a workgroup, took a course, attended an event, participated in research, or applied FAIR inside your organization: THANK YOU! Your engagement, curiosity, and commitment to delivering better answers make this Institute and this discipline strong.
As we head into 2026, I’m more confident than ever in FAIR's role in helping organizations understand, communicate, and manage cyber risk. We’ve built real momentum this year, and we’re carrying it forward. I’ll share more about our 2026 plans and expectations soon!
If you’re not already a FAIR Institute member, join us to collaborate with the community in the new year!