Image: Vinod Madhavan and John Sapp
FAIRCON25 got right to the point of the conference with its opening panel discussion on elevating the role of the CISO as a leader of the business through owning cyber risk management.
Panelists: Alexander Antukh, CISO, Aboitiz Power
Moderator: Ajay Arora, Managing Director, Deloitte (Note: Ajay has now joined SAFE as Head of CRQ and Decision Intelligence)
Watch the FAIRCON25 video: The CISO as a Risk Leader
The discussion hit these three key points (and many more) for CISOs aspiring to be business leaders:
Talk in Business and Financial Terms, Not Cyber-Speak
Vinod Madhavan:
When talking to business leaders, “you can report issues in red/yellow/green, but what they really worry about is the quantifiable impact that’s going to the company. All that matters is impacting revenue or EBITDA. So, even if it is a cyber risk, it is a business risk. Don’t say, ‘I have 200 vulnerabilities I have to fix.’ Say, ‘If we don’t fix this vulnerability, it’s a $20 million impact to the company.’”
Use Quantification to Prioritize Investments, Rationalize Controls, and Push Vendors
Alex Antukh:
By applying FAIR analysis, “we found that some of the controls we had for compliance actually were generating negative ROI…We also found that some of the controls were supplementary to each other and it was possible to have one control that would cover for both. Finally, it gave us a very strong hand in negotiation with the vendors…We showed the data (on ROI) to the vendors and they agreed to actually lower the price.”
Show the Cascading Effects of Cyber Risk
John Sapp:
“When you’re talking about cyber risk, be sure to identify the cascading risks that are the result of cyber risk. Operational risk, financial risk, legal risk, regulatory compliance risk and all those things that are a cascading effect of cyber risk. That will help get the attention of those you are trying to communicate with. Also, be clear how you identify the return on investment. No, security doesn’t generate revenue but it does protect the generation of revenue.”
For more tips, watch the FAIRCON25 video: The CISO as a Risk Leader