FAIRCON25 Welcome: Lifting the Curtain on a Breakthrough Year in Standards, Education, and Collaboration
Todd Tucker is Managing Director of the FAIR Institute
It was a privilege to take the stage after Nick Sanna’s opening remarks at FAIRCON25, and to welcome what turned out to be our largest and most engaged conference audience ever, with nearly 600 attendees!
But what excites me most isn’t just the size of the crowd; it’s the strength of the movement. In the past year, the FAIR community has made tremendous progress on all fronts of our mission: maturing standards, advancing education, and deepening global collaboration.
Standards & Research: A Breakthrough Year
This past year, the FAIR Institute reached a new level of maturity in its standards development efforts.
We formally defined how our standards program operates through a new Standards Committee charter, bringing greater structure and transparency to the way FAIR standards are developed and governed. This foundational step enables scalable, high-integrity development of standards that reflect practitioner needs.
We also delivered several key artifacts that move the discipline forward:
- The FAIR Cyber Risk Management Framework (FAIR CRM) – A unifying structure that connects FAIR-CAM, FAIR-MAM, and the FAIR Model into a coherent, actionable cyber risk management system.
- FAIR Model v3.0 – The first formalized FAIR Institute artifact for the FAIR Model, this document sharpens the definitions that are used throughout our community and our other standards and documents.
- FAIR-CAM v1.0 – The first formal control analytics model linking control functions to the factors of the FAIR Model, representing a “physiology” of controls and risk.
- FAIR-CRMP v1.0 – A new standard that outlines how to design and operate an effective cyber risk management program.
We also published many practical white papers, including:
- FAIR Cyber Risk Scenario Taxonomy: An Analyst’s Guide
- Using FAIR to Be Compliant on ISO/IEC 27001
- An Analyst’s Guide to Cyber Risk Data Sources
And finally, we conducted our first annual State of Cyber Risk Management research, with input from more than 400 cyber risk leaders worldwide. The data clearly demonstrate that quantitative cyber risk management approaches have gone mainstream and that program maturity leads to much greater risk reduction for the enterprise.
Together, these deliverables have laid down the clearest, most actionable blueprint yet for risk-informed cyber decision-making.

Looking Ahead: 2026 Standards & Research Workstreams
Building on that momentum, our active workstreams for 2026 include:
- FAIR-MAM v2.0 – Expanding the model to support regulatory-grade materiality assessments (e.g., for SEC reporting).
- FAIR-CRMP Playbook – An implementation guide to help organizations bring FAIR-CRMP to life.
- Cyber Risk Management Competency Model – Defining the capabilities organizations need to staff and mature FAIR-based programs.
- FAIR Threat Exposure Management Community – A collaborative initiative exploring how to link control visibility to measurable risk.
- GPTs for Cyber Risk Management – Community-built tools based on foundational AI models to accelerate analysis, scenario modeling, communication, and more.
These are open, community-powered initiatives, and your input is always welcome.
Education & Certification: Building the Talent Pipeline
As demand for quantitative risk expertise grows, we’re scaling and structuring the FAIR learning journey to meet professionals at every stage of their careers.
In the past year, we launched two cornerstone courses:
- FAIR Foundations – An 8-hour introduction to the FAIR model, designed for professionals, leaders, and executives. It combines theory and hands-on exercises to build core competence in risk quantification and control analytics (FAIR-CAM).
- FAIR Cyber Risk Analysis – A practitioner-level course for applying FAIR to real-world scenarios. Includes MITRE ATT&CK integration, third-party risk, loss magnitude modeling (FAIR-MAM), and automation use cases.
Both are now part of the standard path toward FAIR Institute certifications.
Forthcoming courses include:
- FAIR Mathematics – A four-hour course to demystify Monte Carlo simulation and other modeling techniques used in FAIR. Available as an on-demand course in the coming weeks.
- FAIR Cyber Risk Communication – Teaching cyber risk managers and professionals how to communicate cyber risk to key stakeholders such as line-of-business leaders, the board of directors, and auditors and regulators.
And we’re organizing our education around role-based certifications:
- FAIR Certified Cyber Risk Professional (FAIR-CCRP)
- FAIR Certified Cyber Risk Leader (FAIR-CCRL)
- FAIR Certified Cyber Risk Executive (FAIR-CCRE)
A special thank you to our Education Advisory Committee! This diverse and global group of more than a dozen experts (from ADP, Mastercard, SAP, Richemont, Nationwide, and many others) is shaping the direction and depth of our offerings.
Membership & Collaboration: A Growing, Global Community
FAIR is a community and a movement as much as it’s a framework. And it’s gaining momentum with:
- 18,200+ members
- 23 member-led chapters worldwide
- 79 events hosted so far this year across the globe
What makes this growth especially meaningful is how actively our members are collaborating to shape the future of cyber risk management through working groups and communities of practice.
We currently have active or emerging working groups in areas including:
- AI Risk – Exploring risk quantification and governance challenges associated with artificial intelligence
- Third-Party Risk Management – Defining measurable, scalable approaches to managing risk in the extended enterprise
- Materiality Assessment & Reporting – Supporting defensible, standardized disclosures aligned with FAIR-MAM and regulatory expectations
- Threat Exposure Management – Aligning threat intelligence, controls, and exposure modeling through FAIR principles
- Cyber Risk Management Program (FAIR-CRMP) – Developing playbooks and operational guidance for program design and execution
- Cyber Insurance – Investigating how FAIR analysis can inform underwriting, coverage evaluation, and risk transfer strategies
These working groups are open to practitioners, researchers, and partners who want to contribute to pragmatic, standards-aligned advancement in the field. Whether you’re contributing to a working group, mentoring a new analyst, or speaking at a chapter event, the FAIR community thrives on practitioner engagement.
Want to get involved? Reach out to us at InvolveMe@FAIRInstitute.org.
In Closing: Why It Matters
At FAIRCON25, we saw how far we’ve come and how powerful this community can be when it works together.
To those already involved: thank you for your leadership.
To those just discovering FAIR: welcome aboard! We’re just getting started.
Together, let’s keep building the future of cyber risk management!




