At the recent FAIR Europe Summit 2026 in London, one of the most engaging discussions of the day focused on a question that is quickly becoming central to every CISO agenda:
How do we manage cyber risk when threats, technology adoption, regulations, and business expectations are all moving faster than traditional risk management can keep up with?
The panel, “Resetting Cyber Risk in the Age of AI, DORA & NIS2 — From Point-in-Time to Always On,” was moderated by Tom Callaghan, Co-founder of C-Risk, and featured an outstanding group of security leaders: Jason Steer of Recorded Future, Rafael Di Bari of Glovo, and Mathias Buecherl of Heidelberg Materials.
The conversation was practical, direct, and refreshingly candid. It reinforced a clear message: cyber risk management is entering a new era. Annual assessments, static questionnaires, qualitative heat maps, and compliance checklists are no longer sufficient.
The future is continuous, quantified, business-aligned, and increasingly automated.
Jason Steer opened with a sobering view of the threat landscape. Ransomware remains a major risk. Infostealer malware continues to fuel the credential theft economy. Geopolitical threats are creating new resilience concerns. Deepfakes, despite fading from the headlines, remain very real — including cases where companies have lost millions from AI-enabled fraud.
But AI is now adding a new layer of urgency.
Organizations are being pushed to adopt AI quickly to improve productivity, accelerate software development, and create competitive advantage. At the same time, many CISOs do not yet have a complete picture of which AI tools are being used across the business.
Jason shared that Recorded Future had identified roughly 80 AI tools in use across engineering and other functions — only a fraction of which had been formally approved.
Rafael Di Bari described a similar challenge at Glovo, where a fast-moving, innovative culture means new technologies are constantly being introduced. AI is empowering not only technical teams, but also non-technical employees who can now create scripts, automate processes, and build solutions without fully understanding the security implications.
This is the new reality: AI is not only a technology risk. It is an adoption risk, a configuration risk, a data risk, a governance risk, and a business risk.
The panel also explored the impact of DORA, NIS2, and the broader European regulatory environment.
Mathias Buecherl made one of the most important points of the discussion: regulation should not be treated as a reason to abandon risk-based decision-making. Even when compliance is mandatory, organizations still have choices in how they comply, how much they invest, and what level of resilience is appropriate.
His analogy was simple and powerful: if regulation says you must drive a car, you can comply with a basic Volkswagen or a Porsche 911. Both may satisfy the requirement, but they represent very different levels of investment and capability.
The point is not to underinvest. The point is to invest intelligently.
Mathias captured the balance well:
Security without compliance is overconfidence. Compliance without security is ignorance.
Rafael added that a quantified model gives security teams a defensible rationale when engaging with regulators, executives, and finance teams. When asked to reduce budget, remove a tool, or delay an investment, his team can update the risk model, compare the exposure to defined risk appetite, and make a transparent decision.
That is the power of quantitative risk management. It turns risk conversations from opinion-based debates into business discussions.
One of the strongest critiques of the panel came during the discussion on third-party risk management.
Jason was blunt: traditional third-party risk assessments are still stuck in the past. Long questionnaires create a false sense of security. They are difficult to answer accurately, quickly become outdated, and often fail to capture the real exposure created by suppliers, SaaS providers, cloud platforms, and fourth parties.
The panel agreed that third-party risk can no longer be managed as a checklist exercise.
Third-party risk is first-party risk.
If a critical supplier fails, exposes data, suffers an incident, or introduces a systemic dependency, the business impact lands on the organization. That means third-party risk must be prioritized based on business impact, not questionnaire completion.
Rafael described the need to break down silos between GRC, product security, cloud security, corporate security, and business owners. At Glovo, the team reviews third-party risks collaboratively so they can ask better questions and understand the real exposure introduced by each supplier.
The challenge, of course, is scale. Manual processes cannot keep up. That is why automation and continuous risk monitoring are becoming essential.
Perhaps the most compelling part of the discussion came from Mathias’ description of how Heidelberg Materials uses cyber risk quantification to make investment decisions.
His focus is not simply on reducing risk. It is on reducing the right risk at the right cost.
The key question his team asks is:
What is the risk burndown, and what is the cash out?
In other words: what business risk are we reducing, and what does it cost?
That mindset changes everything. It changes how teams request budget. It changes how they prioritize controls. It changes how they decide what to automate. It even changes how they decide what to stop doing.
Mathias described how his team has removed controls and retired use cases when the risk reduction no longer justified the cost. That is a level of maturity rarely possible in qualitative risk programs.
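To make the two ideas above concrete, the comparison of modelled exposure against a defined risk appetite that Rafael described, and the "risk burndown versus cash out" question Mathias's team asks, here is a small FAIR-style Monte Carlo worked through in Python. It is an added illustration, not the panel's material and not the model used at Glovo or Heidelberg Materials. The scenario (ransomware via a stolen contractor credential, with and without phishing-resistant MFA on the remote-access path), its calibrated ranges, the control cost and the appetite threshold are all constructed numbers chosen for the example; the lognormal fit from a 90% confidence interval and the Poisson event count are standard modelling choices, not something the page prescribes.

```python
# Added worked example (not from the panel or the FAIR Institute): a minimal
# FAIR-style Monte Carlo that turns "risk burndown vs cash out" into numbers.
# Every scenario range, cost and appetite figure below is constructed for
# illustration and is not a figure from the page.
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A loss scenario calibrated as 90% confidence intervals (5th/95th pct)."""
    name: str
    lef_p5: float   # loss event frequency, events per year
    lef_p95: float
    lm_p5: float    # loss magnitude per event, EUR
    lm_p95: float


def lognormal_params(p5: float, p95: float) -> tuple[float, float]:
    """Fit a lognormal to a 90% CI: median at the geometric midpoint,
    sigma from the half-width (z = 1.645 for the 5th/95th percentiles)."""
    mu = (math.log(p5) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p5)) / (2 * 1.645)
    return mu, sigma


def analytic_ale(scn: Scenario) -> float:
    """Expected annual loss = E[LEF] * E[LM]; lognormal mean is exp(mu + sigma^2/2)."""
    lef_mu, lef_sigma = lognormal_params(scn.lef_p5, scn.lef_p95)
    lm_mu, lm_sigma = lognormal_params(scn.lm_p5, scn.lm_p95)
    return math.exp(lef_mu + lef_sigma**2 / 2) * math.exp(lm_mu + lm_sigma**2 / 2)


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's inversion sampler; adequate for the small annual rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(scn: Scenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """One trial = one simulated year: draw a frequency, draw the event count
    from it, then sum an independently drawn loss magnitude for each event."""
    rng = random.Random(seed)
    lef_mu, lef_sigma = lognormal_params(scn.lef_p5, scn.lef_p95)
    lm_mu, lm_sigma = lognormal_params(scn.lm_p5, scn.lm_p95)
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, rng.lognormvariate(lef_mu, lef_sigma))
        losses.append(sum(rng.lognormvariate(lm_mu, lm_sigma) for _ in range(n_events)))
    return losses


def percentile(values: list[float], q: float) -> float:
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


@dataclass(frozen=True)
class ControlDecision:
    burndown: float  # reduction in expected annual loss, EUR/year
    cash_out: float  # annual cost of the control, EUR/year
    verdict: str     # "fund", "fund_for_appetite" or "retire"


def decide(ale_before: float, ale_after: float, cash_out: float,
           p90_without: float, appetite_p90: float) -> ControlDecision:
    """The panel's question in code: what risk do we burn down, what does it
    cost, and does the answer keep us inside the stated risk appetite?
    Appetite is expressed here as a cap on the 90th-percentile annual loss."""
    burndown = ale_before - ale_after
    if burndown >= cash_out:
        verdict = "fund"               # expected loss avoided pays for the control
    elif p90_without <= appetite_p90:
        verdict = "retire"             # inside appetite without it, and it does not pay back
    else:
        verdict = "fund_for_appetite"  # does not pay back, but needed to stay inside appetite
    return ControlDecision(burndown, cash_out, verdict)


def evaluate_control(baseline: Scenario, with_control: Scenario,
                     cash_out: float, appetite_p90: float, seed: int = 7) -> ControlDecision:
    before = simulate_annual_losses(baseline, seed=seed)
    after = simulate_annual_losses(with_control, seed=seed)
    return decide(statistics.fmean(before), statistics.fmean(after),
                  cash_out, percentile(before, 0.90), appetite_p90)


# Constructed scenario: ransomware via a stolen contractor credential, with and
# without phishing-resistant MFA on the remote-access path (hypothetical ranges).
BASELINE = Scenario("ransomware via stolen credential", 0.5, 2.0, 100_000, 1_000_000)
WITH_MFA = Scenario("same, with phishing-resistant MFA", 0.1, 0.4, 100_000, 1_000_000)

if __name__ == "__main__":
    d = evaluate_control(BASELINE, WITH_MFA, cash_out=150_000, appetite_p90=2_000_000)
    print(f"burndown EUR {d.burndown:,.0f}/yr vs cash out EUR {d.cash_out:,.0f}/yr -> {d.verdict}")
```

The decision rule is the part worth arguing about with finance: a control is funded when the expected loss it removes exceeds its annual cost, retired when it neither pays back nor is needed to stay inside appetite, and funded anyway when the tail exposure without it breaches the appetite the board has signed off on. Re-running the same model when the ranges, the cost or the appetite change is what makes the decision defensible rather than a one-off argument.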
It is also exactly the kind of discipline boards and executive teams increasingly expect from CISOs.
Cybersecurity cannot be managed only as a technical function. It must be managed as a business function.
AI adoption, threat activity, third-party exposure, and regulatory expectations are changing continuously. Annual assessments and static questionnaires cannot keep pace. Organizations need always-on visibility and continuous risk analysis.
CISOs are facing too many exposures, too many tools, too many suppliers, and too many regulatory demands. Quantification helps translate these challenges into business terms so leaders can prioritize based on probable financial impact.
The most mature organizations are moving beyond “what controls do we have?” toward “what risk are we reducing, what does it cost, and what business outcome does it support?” That is the shift from cybersecurity as a technical discipline to cyber risk management as a business discipline.
The panel ended with practical advice for organizations beginning their cyber risk quantification journey.
Jason encouraged leaders to articulate risk clearly: who is exposed, what is exposed, how it could be attacked, why it matters, and what the plan is.
Mathias advised organizations to “crawl, walk, run” — start with the basics, educate the team, and recognize that FAIR is not a product, but a methodology and decision-making fabric.
Rafael recommended starting with something real: take a past incident, model it, understand the risk, and build from there.
That may be the most practical lesson of all.
The future of cyber risk management will not be built by waiting for perfect data or perfect processes. It will be built by starting with real business decisions, applying a structured model, learning through practice, and then scaling through automation.
That is how we move from point-in-time to always-on.
And that is how we reset cyber risk management for the age of AI, DORA, and NIS2.
The FAIR Institute exists to help organizations make better decisions by understanding cyber risk in business terms. If you are not already a member, we invite you to join the FAIR Institute community. General membership is free.
And if you want to continue this conversation with leading CISOs, risk leaders, board members, regulators, and practitioners, join us at FAIRCON26 in New York City on October 6–7, 2026.
The future of cyber risk management is changing quickly.
Come help shape it.