The FAIR Institute Blog

From AI Noise to Risk Intelligence - FAIR Inst RSAC26 Seminar

Written by Luke Bader | Feb 6, 2026 1:19:43 AM

Image: Mark Tomallo, SVP, CISO, Victoria’s Secret at 2025 FAIR Institute Seminar

The ground has shifted beneath us.

AI is accelerating both innovation and adversary capabilities. Threat actors are scaling faster than traditional controls can keep pace. Regulators are demanding evidence-based risk reporting. And boards are expecting clarity, consistency, and accountability—not just updates on security activities.

Yet many executive teams find themselves struggling to answer fundamental questions with confidence. The cyber risk narratives presented to boards are inconsistent over time. Teams rely heavily on activity metrics rather than actual exposure. And qualitative risk ratings crumble under scrutiny when real decisions are on the line.

What This Means for You

Boards and regulators will increasingly expect financially grounded cyber disclosures with consistent, traceable assumptions. The question isn't whether your organization will evolve its approach—it's whether you'll lead that evolution or be forced into it.

The future of cyber risk management isn't about generating more data. It's about enabling better, more defensible decisions.

Your next step:

Attend the Institute’s 4-hour educational seminar at RSAC 2026 Conference on Tuesday, March 24 from 8:30 AM - 12:30 PM in Moscone South 301 to examine why many existing cyber risk reporting practices no longer meet the needs of executives, boards, or regulators. Participants will be introduced to the FAIR (Factor Analysis of Information Risk) model as an open, defensible standard for analyzing and communicating cyber risk in business-relevant terms.

SPEAKERS:

  • Todd Tucker, Managing Director, FAIR Institute
  • Bernadette Dunn, Director, FAIR Enablement, FAIR Institute

...and more to come.  

Through real-world examples and an evolving AI risk scenario, the workshop demonstrates how cyber risk management is moving beyond periodic, qualitative assessments toward continuous, measurement-driven, decision-ready risk intelligence. Attendees will gain practical insight into how quantitative risk analysis supports clearer communication, stronger governance, and more defensible decision-making.

A Turning Point: Speaking the Language of Business

What if cyber risk could be communicated the same way we discuss other business risks—in terms of probable financial loss?

The FAIR™ (Factor Analysis of Information Risk) model offers an open, defensible standard for analyzing and reporting cyber risk in business-relevant terms. Rather than abstract ratings, FAIR™ separates frequency, impact, and uncertainty, grounding risk analysis in economic terms that resonate with boards and regulators.

FAIR™ doesn't eliminate uncertainty—it makes uncertainty explicit and usable. It transforms the conversation from "We have high risks" to "Here's our probable exposure range, here are our assumptions, and here's how different investment options reduce that exposure."


Images from 2025 seminar:

Left to right: FAIR Creator Jack Jones, FAIR expert Tony Martin-Vegue, Michelle Griffith (IHG), Mark Tomallo (Victoria's Secret) 
