Nick Sanna’s FAIRCON25 Welcome: the Future of Cyber Risk Management Starts Here
You could feel it in the room as more than 600 gathered to hear the welcome address by FAIR Institute Founder Nicola (Nick) Sanna for the 2025 FAIR Conference in New York, November 4. This 10th annual meeting had sold out – a 40% jump in attendance. The audience of CISOs, board members, risk managers, regulators, and innovators had come with an urgent need to witness and shape an uncertain future.
Nick got right to the point: “AI isn’t just changing the game—it’s resetting it.”
Machines now learn, adapt, and decide. That shift changes everything: how choices are made, where risk accumulates, and how value is created or destroyed.
“This is the biggest shift in human decision-making in more than 300 years,” Nick said.
Attackers are already exploiting AI—automating reconnaissance, generating flawless deepfakes, and mutating malware in seconds. But defenders have the same potential advantage: AI that can analyze massive telemetry, detect anomalies, automate triage, and predict threats before they strike.
The real questions at the heart of FAIRCON25: “How do we manage AI risk while unlocking its benefits? How do we evolve our models, our metrics, our tools?” Nick said.
Cyber Risk Is Business Risk. Now Everyone Gets It.
For years, the message of the FAIR Institute – and of the quantitative discipline of FAIR analysis – has been that cyber incidents no longer stop at the IT department.
“Cyber incidents are now so big—we just estimated the impact of the recent Jaguar Land Rover hack at a couple of billion dollars—that they’re moving markets, changing CEOs (not just CISOs), and putting boards on notice,” Nick said.
The conversation has shifted. It’s no longer “Can we prevent breaches?” but “Can we manage their business impact in real time?”
Capacity audience for Nick's address at FAIRCON25
How FAIR Changed the Conversation
Over the last decade, the FAIR community has driven one of the most profound changes in enterprise risk management—turning cybersecurity from a compliance checkbox exercise into a strategic, financial discipline.
“We turned cyber risk management into a discipline that speaks the language of CFOs, CEOs, and the board,” Nick said.
This transformation was collective. Nick name-checked some of the seminal figures:
- Risk Modelers like Jack Jones gave scientific rigor to risk analysis.
- Mathematicians like Douglas Hubbard proved uncertainty can be measured.
- Data Scientists like Wade Baker and the Cyentia team turned data into insight.
- Software companies such as RiskLens and SAFE Security brought automation and scale.
- Service providers such as C-Risk, Guidepoint, Protiviti, and EY operationalized FAIR in the real world.
“FAIR has elevated the CISO from the basement to the boardroom—from a defender of networks to a leader of enterprise resilience,” Nick said.
The Four Forces Shaping the Future
Nick highlighted these trends:
1. AI Is Changing the Game
AI is both accelerator and amplifier—of value and of risk.
Attackers already operate at machine speed; defenders must too. The future lies in continuous risk monitoring and AI-driven response—and in quantifying AI risk itself: which use cases create advantage, and which create liability?
2. One Unified View of Risk
Risk remains fragmented across IT, OT, third-party, cloud, and AI domains. “The next frontier is a unified, quantified view of all forms of digital risk—one risk language, one financial lens.”
3. Quantification Moves Into the SOC
“CISOs still tell me they can’t keep up with the vulnerabilities found daily—and when they prioritize, it’s by technical scores, not business impact.” Security operations will move from triaging vulnerabilities by CVSS scores to dollars at risk. That’s the next evolution—quantification embedded in security operations.
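To make the CVSS-versus-dollars contrast concrete, here is an added Python example (not code from the FAIR Institute or from this talk). It uses the core FAIR structure, loss event frequency multiplied by loss magnitude, with calibrated (min, most likely, max) estimates sampled from triangular distributions as a simplification of the PERT ranges FAIR practitioners typically use. The three findings, their CVSS scores, the systems they sit on and every estimate are constructed for illustration; the helper names and the $2M risk appetite are assumptions.

```python
"""Constructed example: prioritizing findings by annualized loss exposure
(FAIR-style dollars at risk) instead of by CVSS score.
All findings and estimates below are invented for illustration."""
import math
import random
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    cvss: float
    lef: tuple    # loss event frequency, events per year: (min, most likely, max)
    loss: tuple   # loss magnitude per event in USD: (min, most likely, max)


# Constructed sample findings: a critical CVSS on an isolated lab host,
# a medium CVSS on a payment gateway, a high CVSS on an internal HR portal.
FINDINGS = [
    Finding("A-isolated-lab-host", 9.8, (0.01, 0.05, 0.2), (1_000, 5_000, 20_000)),
    Finding("B-payment-gateway", 6.5, (0.2, 0.5, 1.0), (200_000, 1_000_000, 5_000_000)),
    Finding("C-hr-portal", 7.5, (0.1, 0.3, 0.6), (50_000, 200_000, 800_000)),
]


def sample_triangular(rng, estimate):
    """Draw from a (min, most likely, max) estimate; note random.triangular
    takes (low, high, mode), so the mode is passed last."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def sample_poisson(rng, lam):
    """Knuth's Poisson sampler; the stdlib random module has none."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(finding, rng, years):
    """One simulated year = draw an event rate, draw how many loss events
    occur at that rate, then draw a loss magnitude for each event."""
    totals = []
    for _ in range(years):
        lef = sample_triangular(rng, finding.lef)
        events = sample_poisson(rng, lef)
        totals.append(sum(sample_triangular(rng, finding.loss) for _ in range(events)))
    return totals


def annualized_loss_exposure(findings, years=20_000, seed=7):
    """Mean simulated annual loss (ALE) per finding, in USD."""
    rng = random.Random(seed)
    return {f.name: sum(simulate_annual_losses(f, rng, years)) / years for f in findings}


def rank_by_cvss(findings):
    return [f.name for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_ale(findings, years=20_000, seed=7):
    ale = annualized_loss_exposure(findings, years, seed)
    return sorted(ale, key=ale.get, reverse=True)


def probability_over_appetite(findings, appetite_usd, years=20_000, seed=7):
    """Fraction of simulated years in which the whole portfolio's loss
    exceeds the board's stated risk appetite: the 'dollars and probabilities'
    answer rather than a score."""
    rng = random.Random(seed)
    per_finding = [simulate_annual_losses(f, rng, years) for f in findings]
    portfolio = [sum(year) for year in zip(*per_finding)]
    return sum(1 for total in portfolio if total > appetite_usd) / years


if __name__ == "__main__":
    print("By CVSS:", rank_by_cvss(FINDINGS))
    print("By ALE: ", rank_by_ale(FINDINGS))
    for name, usd in annualized_loss_exposure(FINDINGS).items():
        print(f"  {name:<22} ALE ~ ${usd:,.0f}")
    print("P(annual loss > $2M appetite):", round(probability_over_appetite(FINDINGS, 2_000_000), 3))
```

Run as-is, the CVSS ranking puts the lab host first and the payment gateway last, while the dollars-at-risk ranking inverts it, with the gateway's exposure on the order of a million dollars a year against a few hundred for the lab host. The same simulation also answers the board-level question directly as a probability of exceeding a stated appetite, which a score cannot do.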
4. Regulation as Catalyst
From NIS-2 to DORA, the EU AI Act, and the SEC cyber rule, regulators now demand what the FAIR movement has long championed: defensible impact metrics, continuous monitoring, and board accountability.
The Ultimate Test for Risk Management and Business Leaders
Progress, Nick argued, is measured by a single question:
“When the board asks, ‘Are we within our cyber risk appetite?’ the CISO must be able to answer confidently in dollars and probabilities.”
He shared the story of a CISO who implemented FAIR. After a recent board meeting, the CISO said it was the first time cybersecurity wasn’t discussed in technical terms—but in financial trade-offs and investment priorities.
That, Nick said, is what a mature, risk-informed conversation looks like.
“Modern CISOs are no longer guardians of firewalls. They are risk economists, strategists, and communicators of enterprise value.”
The Road Ahead
FAIR began as a movement for quantification. It became the standard for aligning cyber with business. Now, powered by AI, it’s entering an age of autonomous cyber risk management—where systems can quantify, prioritize, and mitigate risk in real time.
But Nick was careful not to overstate the maturity:
“As a community, we are just 10 years old. Like any 10-year-old, we might believe we’ve grown up—but we’re just getting started on the journey to autonomous cyber risk management.”
Technology alone won’t complete the journey. It will take the same principles that built this community: critical thinking, collaboration, and innovation.
“Let’s make these days not just a conference—but a launchpad for the next decade of cyber risk leadership,” Nick urged the audience.
“The future of cyber risk management isn’t waiting to be discovered—it’s waiting to be built,” Nick said. “Let’s build it together.”
Interested in finding your place in the growing FAIR movement? Become an Institute member today!