From Heat Maps to Business Decisions: Key Takeaways from the FAIR Breakfast at RSA Conference 2026


Left to right: Nick Sanna, Mathias Bücherl, Alexander Anthuk

At the RSA Conference 2026, the FAIR Institute hosted a packed breakfast session that captured a defining shift in cybersecurity leadership. Moderated by Nick Sanna, Founder of the FAIR Institute and President of SAFE, the discussion featured two seasoned practitioners:

  • Mathias Bücherl, CISO, Heidelberg Materials
  • Alexander Anthuk, CISO, Aboitiz Power

What unfolded was not a theoretical discussion about cyber risk—but a candid, experience-driven conversation about how CISOs are fundamentally redefining their role: from technical guardians to business decision-makers.


The End of “Possibly”: Why Traditional Risk Methods Are Breaking

The session opened with a provocative question: Are traditional risk tools—heat maps, maturity models, point-in-time assessments—still useful, or are they increasingly misleading?

The answer from both CISOs was nuanced but clear.

Qualitative approaches, while familiar, introduce dangerous ambiguity. When one executive hears “likely,” it may mean a 20% probability—while another interprets it as 80%. That ambiguity becomes untenable in the boardroom.

“If you have 15 minutes with the board and say ‘this will probably happen,’ you will not get $50 million approved.”

The takeaway:
Modern enterprises run on financial metrics—revenue, profitability, market share—not subjective risk language.

To be effective, cybersecurity must speak that language.


FAIR Is More Than Numbers—It’s a Mindset Shift

Interestingly, both panelists emphasized that the biggest value of FAIR is not just quantification—it’s how it changes thinking.

FAIR forces organizations to:

  • Make assumptions explicit
  • Understand uncertainty
  • Embrace risk as a decision science—not a compliance exercise

Anthuk highlighted an important nuance: quantification is not a one-size-fits-all mandate. It must be applied contextually and iteratively, not dogmatically.

“Don’t apply it as a religion—apply it as a scientific method.”

This framing resonated strongly:
FAIR is not just a model—it’s a discipline for better decision-making.


From Periodic to Continuous: Rethinking Risk in a Dynamic World

One of the clearest themes was the shift from static to continuous risk management.

Traditional approaches—quarterly or annual assessments—cannot keep up with:

  • Rapidly evolving threats
  • Expanding attack surfaces
  • The acceleration driven by AI

Both CISOs described a journey toward continuous visibility that required fundamental changes:

What Changed:

  • Threat intelligence ingestion from real-time external sources
  • Dynamic control monitoring (not just “is a control present,” but “is it effective right now?”)
  • Integration of business context, including financial impact and organizational changes

Bücherl described this as moving from manual, fragmented processes to a “risk-as-a-service” model—one that continuously feeds data into decision-making.

“If you stick to old-school approaches, you won’t keep up with the pace of change.”


Winning Board Trust: From Skepticism to Engagement

A critical part of the conversation focused on board adoption.

Initial Reality:

  • Skepticism about data quality
  • Confusion about ranges and probabilities
  • Resistance to unfamiliar models

Anthuk was candid:

“My first experience was a complete disaster.”

What Changed:

  • Educating executives on the model
  • Using ranges instead of false precision
  • Engaging finance, legal, and PR teams to validate assumptions
  • Demonstrating real outcomes

Over time, something important happened:

  • The conversation shifted from “Do we trust the model?” to “Are these numbers too low?”

That shift marks a breakthrough:
Trust in methodology enables focus on decisions.


The Real Power of CRQ: Better—and Fewer—Decisions

Perhaps the most powerful part of the discussion came from real-world use cases.

1. Turning Cybersecurity into a Business Investment Function

At Aboitiz Power, cyber initiatives are now evaluated like any other investment:

  • ROI / Return on Security Investment (ROSI)
  • Comparable to other business priorities (hiring, infrastructure, expansion)

“We stopped talking about firewalls. We became true business partners.”


2. Not Just Spending More—Spending Less

In a striking example, quantification enabled cost reduction without increasing risk.

By analyzing risk exposure across business units:

  • Expensive controls in low-impact environments were reduced
  • Critical controls were maintained where they mattered most
  • Risk posture stayed within acceptable limits

Result: $1.3M in savings

“The CEO couldn’t believe it. That’s when he wanted to learn more about FAIR.”


A Critical Insight: Context Is Everything

One of the most memorable moments came from a simple analogy.

A worn-out tire was shown to a board:

  • Initial reaction: “Catastrophic risk”
  • Then context was revealed: the tire was sitting in a garage

Suddenly: no risk

Lesson:

“Context matters. We assume too much—and talk past each other.”

This perfectly captures the challenge FAIR addresses:
Risk is not absolute—it is contextual, probabilistic, and business-dependent.


AI: More Noise or a Turning Point?

On AI, both CISOs took a pragmatic stance.

What’s Changing:

  • Attack costs are decreasing
  • Attack velocity is increasing
  • Complexity is rising

What Won’t Change:

  • Most breaches still come down to basic failures
  • Asset management, access control, and hygiene remain foundational

“Security is not rocket science. It’s about doing the basics—consistently.”

The implication:
AI will amplify both attackers and defenders—but fundamentals will determine outcomes.


The Future: CISOs as Business Leaders

The session closed with a powerful vision of the future.

In the next decade, success will look like:

  • Cyber risk fully integrated into enterprise risk management
  • CISOs discussing ROI, trade-offs, and value at risk—not vulnerabilities
  • Alignment across finance, legal, operations, and security

One remark captured the transformation:

“It was the first board meeting where we didn’t speak in technical terms—we talked about trade-offs and ROI.”

That is the future of cybersecurity.


Final Reflection

What made this session stand out was not theory—it was proof.

Two global CISOs demonstrated that:

  • Cyber risk can be quantified
  • Boards will engage—if you speak their language
  • Security can drive both better investment decisions and cost optimization

And perhaps most importantly:

Cybersecurity is no longer about protecting systems.
It’s about enabling smarter business decisions.
