As the recently appointed managing director of the FAIR Institute, attending the full FAIR Conference for the first time was an incredibly eye-opening experience. I’ve long been familiar with the principles of FAIR (Factor Analysis of Information Risk) and even spoke at FAIRCON17 on the intersection between FAIR and Technology Business Management (TBM) while I was the TBM Council’s general manager. But last week I had the opportunity to experience the community and in-depth discussions firsthand and gain new insights into the importance of cyber risk quantification and management.
Todd and Nick Sanna, President of the FAIR Institute, gave the Welcome Address at the 2024 FAIR Conference.
Here are my top takeaways from this year’s event.
1. Today’s Cyber Risk Management Practices Slow Down the Business
The theme of the conference was “managing cyber risk at the speed of the business,” which held true for me after hearing from many CISOs and cyber risk leaders about how difficult it is to assess, measure and react to risk information quickly. Often this is a technical challenge: gathering and processing risk data and information is highly manual and time consuming. A lack of investment in cyber risk management talent is also to blame. Too few cyber risk managers are adequately trained in these practices and standards, including FAIR, making it difficult for teams to satisfy the risk management needs of their businesses.
The impact of this shortcoming is enormous. Business decisions are being made without adequate risk information. Many investments are wasted on the wrong controls, addressing less significant risks while more significant ones receive inadequate attention. And for many, decisions are being made without the input of the cybersecurity team or are being delayed by it.
2. FAIR Is Elevating the CISO Role
Another theme at FAIRCON24 was the shift in the role of the CISO from a technical leader to a strategic business partner. Several sessions, such as "Establishing the CISO as Business Leader" and "Empowering Business Decisions through CRQ", highlighted how using FAIR helps CISOs communicate cyber risk in financial terms that resonate with executive leadership and the board. This resonated with me in particular because of my background with TBM, where CIOs improved their standing by being able to speak in financial and business terms with their business partners.
As with TBM, this evolution of cyber risk management is critical as more organizations look to align cybersecurity strategies with broader business objectives. One of the common use cases we heard was using FAIR to focus resources and justify budgets (i.e., cyber investment management). As businesses invest more in digital programs, the ability to align cybersecurity with the business becomes even more important.
3. AI Risk Is Top of Mind
Artificial intelligence was a major topic of discussion, with sessions like "Navigating the Complexities of Managing AI Risk" and the training on "Mastering AI Governance and Risk Management". The consensus among experts was clear: Organizations must quantify and manage AI risks as they increasingly integrate AI into their operations. The FAIR model was presented as an effective tool for evaluating and mitigating the risks associated with AI, offering a structured approach to managing these emerging challenges.
The output of our AI risk working group also came up, as well as the link to the Databricks AI Security Framework coauthored by FAIR Institute board member Omar Khawaja and two of his colleagues. There has been a lot of progress on the AI risk front, with tools and knowledge that can be put into use today.
4. Third-Party Risk Management (TPRM) Is Evolving
Another major focus of the conference was third-party risk management (TPRM). Sessions such as "Embracing a True Risk-Based Approach to TPRM" and "State of the TPRM Market" explored how FAIR can be leveraged to assess third-party risks more effectively. Given the growing reliance on external vendors and partners, FAIR's ability to quantify these risks provides organizations with greater clarity and control.
I heard many CISOs express frustration that, for them, TPRM remains a compliance exercise that does too little to reduce risks. But others felt they’ve been able to meaningfully reduce risk, in part by maturing their TPRM programs, automating as much as they can, and integrating better with procurement.
5. Cyber Risk Quantification (CRQ) Is Essential for Regulatory Compliance
A growing number of organizations are facing pressure to meet regulatory requirements related to cybersecurity risk disclosure. FAIRCON24's sessions on regulatory challenges, such as "CISO Liability: How Not to Get Singled Out by the SEC", reinforced how quantifying risk through FAIR helps organizations meet these obligations. Using CRQ allows businesses to not only comply with regulations but also make more informed, data-driven decisions.
CISOs and cyber risk leaders often shared that FAIR-MAM (Materiality Assessment Model) has helped them better understand their loss magnitude, shaping how they evaluate potential and actual losses. This model not only breaks losses down into a variety of impact categories but also aligns with cyber insurance loss types. As such, it can be used for cyber insurance risk modeling as well as regulatory compliance.
6. The Importance of Cross-Industry Collaboration
FAIRCON24 brought together leaders from diverse industries, including healthcare, financial services, and energy, to discuss how they are using FAIR to tackle industry-specific challenges. We held CISO roundtables for several verticals: financial services; healthcare; retail, consumer & hospitality; energy & utilities; and technology. These roundtables provided insights into how different sectors are managing risk, enhancing cybersecurity, and sharing best practices.
We are following up on these roundtables in 2025 with research boards aligned to these vertical industries. These will help CISOs and cyber risk leaders in those industries learn from their peers on how to better manage risk while sharing insights across their industry.
7. Cyber Insurance Is Shifting Towards Data-Driven Decisions
The role of FAIR in cyber insurance was another hot topic, with sessions addressing how FAIR can be used to negotiate better premiums and policy terms. Quantifying risk allows both insurers and organizations to have more transparent discussions about coverage and risk transfer. This is becoming especially relevant as cyber insurance policies evolve in response to the growing complexity of cyber threats.
We also held a roundtable of cyber insurance leaders from companies such as Aon, Marsh, Beazley, Mosaic Insurance, Woodruff Sawyer and more. It was great to see some of our member CISOs share what they need from the cyber insurance industry. Among them: an easier underwriting process; policies and premiums tailored to the company’s specific risk posture; and more involvement of CISOs during and after the insurance purchasing process.
Conclusion
FAIRCON24 was an exceptional experience that showcased the rapid advancements in cyber risk quantification and the increasing importance of FAIR across industries. As a first-time attendee, I left with a renewed appreciation for the power of data-driven risk management and a clear vision of how FAIR can continue to drive the evolution of cybersecurity strategy. The conference highlighted the future of cyber risk management and reinforced the importance of FAIR in helping organizations navigate complex challenges in an ever-changing landscape.
I'm looking forward to applying these insights in my role at the FAIR Institute and continuing to support our community as we push the boundaries of what's possible with cyber risk quantification.
Contact Todd Tucker, Managing Director of the FAIR Institute