3 lessons from SAFE’s hundreds of FAIR program deployments
By Jeff Copeland
At the recent 2025 FAIR Conference, Saket Modi, CEO of SAFE, delivered a direct message to the FAIR movement: Cyber risk quantification (CRQ) is indispensable — but it’s a means to an end, not the end itself.
Watch the video of Saket’s FAIRCON presentation now.
SAFE operationalizes FAIR with continuous, real-time analyses. “That is the future as we are going forward,” Saket said, calling for a shift in language and mindset: away from “quantification” as a technical discipline and toward what he called “decision intelligence”.
FAIR is a “phenomenal standard and framework,” he explained, “but it means nothing if you don’t turbocharge it with something that can be applied to day-to-day decisions.”
In the conference keynote, Saket laid out three major lessons SAFE (the technical adviser to the FAIR Institute) has learned from deploying FAIR-based programs across hundreds of organizations and millions of assets worldwide. Forrester’s Cyber Risk Quantification Wave has placed SAFE in the leadership position for CRQ for two years running, based in large part on SAFE’s success with its customers.
1. Leaders don’t buy cyber risk quantification (CRQ). They buy intelligence that drives actions.
2. For level of effort in cyber risk management, the CRQ juice must be worth the squeeze.
3. FAIR is being applied beyond “classic” cyber risk to AI risk, third-party risk and more, supporting intelligent decisions across a broader risk landscape.
Saket cited a simple survey he conducted with over 100 CISOs. When he directly asked them whether they “needed CRQ,” fewer than 7% said yes. “The moment you say ‘CRQ’ or ‘quantification,’ they think, ‘Oh great, another score, another dashboard,’” he said.
But when he reframed the discussion around outcomes, support jumped to 90-95%. Saket asked CISOs if they would want to know, for example:
“When you describe the outcome, pretty much everybody says, ‘I definitely need that.’”
That’s why he’s pushing to reframe the category around decision intelligence, not just quantification. Scores, he argued, matter less as absolutes and more as signals of change that drive decisions.
“The value is not whether it’s 63 or 62,” he said. “The value is that there was a sudden spike” — and you can see exactly what changed in your environment or in the outside world.
‘See What Changed’ functionality on the SAFE One Platform
The second lesson, Saket said, is that the long-running debate over qualitative vs. quantitative risk analysis is a distraction. “No rational person will say quantitative is worse than qualitative,” he argued. “The real question CISOs are asking is, ‘Is the CRQ juice worth the squeeze?’”
Historically, many FAIR programs depended heavily on expert judgment: manual estimates of threat event frequency, susceptibility, primary and secondary loss, and more. That approach has limits.
“You’re giving a lot of subjective inputs to get objective outputs,” Saket said. “It would not resonate with any CISO.”
The turning point, he argued, has been the rise of API-driven telemetry, cloud-scale compute, and the ability to run tens of thousands of Monte Carlo simulations in seconds.
“The old problem was garbage in, garbage out. Now we’re ingesting real telemetry and assessments at scale.”
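The inputs and simulation described above, as an added example rather than SAFE’s or the FAIR Institute’s code: a small Monte Carlo of one FAIR scenario using constructed min / most-likely / max estimates for threat event frequency, susceptibility, primary and secondary loss, with a lowered-susceptibility variant so the “what changed” delta can be read off the two results. It assumes the standard FAIR decomposition (loss event frequency = TEF × susceptibility; loss magnitude = primary + secondary), and the helper names `pert`, `poisson`, `simulate`, `summarize` and `expected_ale` are this example’s own.

```python
import math
import random
import statistics

def pert(rng, low, mode, high, lam=4.0):
    """Sample a modified-PERT (beta) value from a min / most-likely / max estimate."""
    if high == low:
        return low
    a = 1 + lam * (mode - low) / (high - low)
    b = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(a, b) * (high - low)

def pert_mean(low, mode, high, lam=4.0):
    return (low + lam * mode + high) / (lam + 2)  # analytic mean of the same PERT

def poisson(rng, lam):
    """Loss events in one year at expected rate lam (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

# Constructed scenario: every FAIR factor is a (min, most likely, max) estimate.
BASELINE = {
    "tef": (2.0, 3.0, 6.0),                       # threat events per year
    "susceptibility": (0.10, 0.25, 0.50),         # P(threat event becomes a loss event)
    "primary_loss": (50_000, 150_000, 500_000),   # USD per loss event
    "secondary_loss": (0, 200_000, 2_000_000),    # USD per loss event
}
IMPROVED = dict(BASELINE, susceptibility=(0.05, 0.10, 0.25))  # after a control improvement

def simulate(scenario, runs=10_000, seed=1):
    """One simulated annual loss per run: LEF = TEF x susceptibility; LM = primary + secondary."""
    rng, losses = random.Random(seed), []
    for _ in range(runs):
        lef = pert(rng, *scenario["tef"]) * pert(rng, *scenario["susceptibility"])
        losses.append(sum(pert(rng, *scenario["primary_loss"]) + pert(rng, *scenario["secondary_loss"])
                          for _ in range(poisson(rng, lef))))
    return losses

def summarize(losses):
    q = statistics.quantiles(losses, n=100)  # percentile cut points
    return {"mean": statistics.fmean(losses), "p50": q[49], "p90": q[89], "p95": q[94]}

def expected_ale(scenario):
    """Closed-form mean annual loss, for cross-checking the simulation."""
    lef = pert_mean(*scenario["tef"]) * pert_mean(*scenario["susceptibility"])
    return lef * (pert_mean(*scenario["primary_loss"]) + pert_mean(*scenario["secondary_loss"]))
```

Comparing `summarize(simulate(BASELINE))` with `summarize(simulate(IMPROVED))` shows the drop in mean and tail loss that the susceptibility change alone produces, which is the kind of “what changed” signal the text argues matters more than the absolute score.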
SAFE has built more than 200 integrations into security and IT platforms, he said, with around 150 generally available and dozens more in early access.
On the output side, he identified defensibility as the essential deliverable of CRQ.
“When you present your numbers to the CFO or the board, you get one shot,” he said. “They will ask you three questions. If you can’t show how you got there, you lose credibility.”
To address that, SAFE built interfaces that allow users to “triple-click” on results: from top-level likelihood and loss numbers down to scenarios, threat actors, control effectiveness, and leaf-level cost drivers.
“Never trust a score you can’t click,” Saket said. “So, triple click.” Defensibility is what turns a pretty chart into something you can keep bringing back to the board, month after month.
Swamy Kocherlakota, S&P Global
Saket was joined onstage by Swamy Kocherlakota, Executive Vice President, Chief Digital Solutions Officer of S&P Global, discussing implementing FAIR with SAFE in a large multinational company.
Swamy described SAFE as a way to turn overwhelming telemetry into prioritized signals: “I get nice signals on what I can do, what the weakest link is, and how I can prioritize and resolve it.”
He now uses the SAFE platform not only to brief the board and executive committee but also to measure and reward performance for his team.
Alla Valente, Forrester
Saket’s third lesson tackled another common perception: that FAIR is only suitable for traditional cyber risks like ransomware or data breaches.
Gravity doesn’t stop working when you go to Mars, he said. FAIR is the same. “The first principles apply” to AI risk, third-party risk, and much more.
He pointed to Cisco’s AI Defense initiative, which uses FAIR modeling for scenarios such as prompt injection, model evasion, and training data poisoning. FAIR, he noted, underpins the way those AI-specific risks are categorized, quantified, and prioritized.
Third-party risk is another major frontier. With estimates that roughly 60% of breaches involve third parties, Saket argued that existing TPRM approaches — split between questionnaire platforms and external ratings services — have been missing the point.
Third-party risk management had mostly lost the R, he said. “FAIR puts the R back into TPRM.”
SAFE combines outside-in signals, questionnaires, breach history, leaked credential data, contract analysis, and even fourth-party mapping, then runs those inputs through FAIR scenarios. According to Saket, the platform has now modeled more than a million vendors this way.
Alla Valente, Forrester Principal Analyst covering the third-party risk management market, also joined Saket to discuss the challenges and opportunities of TPRM.
Too often, she argued, risk has been conflated with compliance. “Compliance is your floor, not your ceiling,” she said. “Fully compliant organizations still get breached because they’re focusing on the wrong things.”
Referring to the recent AWS East outage, she warned that organizations systematically underestimate dependencies on “relatively insignificant” third parties that actually underpin identity, APIs, or other critical functions.
“If you want an AI strategy, you’re going to have a third-party strategy whether you like it or not,” she said. “Quantifying third-party risk is absolutely critical today.”
In closing, Saket urged the audience to see FAIR and CRQ as foundational for the next era of cyber and AI operations.
“FAIR and CRQ are becoming the central nervous system of autonomous, risk-based decision-making for CISOs,” he said, adding that he believes they will ultimately play the same role for AI agents making security decisions at machine speed.