SAFE customers showcased leading-edge solutions for quantitative risk management


By Meghan Maneval, SAFE Director of Community and Education

As a first-time attendee at the 2025 FAIR Conference, “Resetting Cyber Risk in the Age of AI,” I expected the typical cyber-conference vibes: meet some new people, attend a few presentations, and leave with a new t-shirt and a bunch of funny stickers. What I found instead was a powerful, supportive, and thought-provoking community that completely changed my view of Cyber Risk Quantification.

FAIR Is a Journey, Not a Quick Fix

One of the most persistent themes at FAIRCON25 was that you can’t adopt the FAIR methodology overnight. Unlike “check the box” frameworks, implementing the FAIR model requires intentional design, a clear desired goal, and cross-functional stakeholder alignment. Several speakers emphasized that getting to full cyber risk quantification is a marathon, not a sprint. It takes time, patience, and a willingness to learn.

One such journey was illustrated by Michael Prieur, Senior Director of Security GRC at Centene Corporation. His session, “Cutting Through the Noise: Applying Cyber Risk Quantification Across Security GRC”, offered a compelling case study on how intentional CRQ implementation reduces bottlenecks and drives clearer prioritization.

Centene’s shift focused on three key areas:

  1. CRQ-Enhanced Internal Risk Assessment Process: Applying FAIR internally created a structured workflow that was scalable with volume. Critically, it added a layer of professionalism and credibility, leading to better stakeholder buy-in by consistently converting technical risk into defensible financial terms.
  2. CRQ-Enhanced Vendor Risk Assessment Process: By quantifying the level of risk based on vendor data access, Centene established thresholds to determine the level of control needed. This strategic, multi-tiered approach meant only 10-15% of vendors required the most detailed assessment, drastically reducing assessment bottlenecks and focusing resources where they mattered most.
  3. Enterprise Cyber Risk Model: The implementation of CRQ provided the flexibility to report on key metrics, such as the return on control (ROC), which makes governing the entire process significantly easier and allows for clear reporting broken out by the NIST categories. 

When asked if they had seen a positive return on investment from implementing CRQ, the answer was a resounding “Yes,” citing the ability to reduce bottlenecks and clearly prioritize risk.

Echoing that tone, the session “From Risk Chaos to Risk Mastery: How We Ditched the Spreadsheet Graveyard” powerfully demonstrated how Ashley Campbell, Director of Cybersecurity, and Chase Buckner, Solutions Specialist, applied a similar mentality at Liberty Mutual Insurance. Over the course of 2+ years, they took a phased approach from manual risk assessments to consolidated partnerships to the implementation of the SAFE One Platform for cyber risk decision making.

Saket Modi gave the keynote address at FAIRCON25. 

CRQ Is Not “One and Done”

Continuing on that theme, it was very clear from the countless panels and keynotes that the FAIR framework is not a “one and done” assessment. Traditional risk assessments or compliance checks often happen at regular intervals, such as monthly, quarterly, or annually. However, FAIR-based cyber risk quantification is a continuous tool for strategic action. This distinction is so important that Saket Modi, co-founder and CEO of SAFE Security, candidly challenged the attendees to start changing the name of “cyber risk quantification” to “cyber decision intelligence.” Modi emphasized that the true value of FAIR lies in its ability to facilitate better, faster, and more continuous decisions.

The essence of this transformation was further highlighted in the Tuesday afternoon session, “The Hype, Hope, and Harsh Reality About FAIR.” The speakers, Texas Mutual Insurance Company CISO John Sapp Jr. and SUSA Inc. CEO Teresa Suarez, began by clarifying what FAIR is and what it definitely is not. 

They further explained that the FAIR model, by itself, is not sufficient. And neither is a platform. As Sapp put it, “a fool with a tool is still a fool.” You need an ecosystem built around the model that includes people, process, and technology, in that order, to truly improve risk management and deliver strategic value.

You Will Mess Up, and That’s OK!

The vulnerable mindset at FAIRCON25 was perhaps the most refreshing takeaway. The journey to effective CRQ is paved with learning from past mistakes. The community openly acknowledged that you will mess up, and it’s okay. This acceptance of “false starts” and removing the fear of failure encouraged genuine collaboration and honest growth.

Adrienne Allen, Former Senior Director of Technology Risk and Controls at Coinbase, exemplified this mentality in her session, “From Checkbox to Chess Move: Building a Risk-Driven GRC Program”. She outlined three common failure modes that derail risk programs and highlighted how the FAIR community helps practitioners avoid them.

  • Reduce Complex Models That Nobody Trusts: Focus on what actually causes losses and make the assumptions explicit so that your numbers are credible.
  • Avoid Oversimplified Scoring: Express risk to executives in dollars and ranges, not false precision. 
  • Don’t Disrespect Compliance Risk: Use FAIR to analyze key scenarios that include regulatory failure, demonstrating the financial impact of compliance gaps. 

Allen noted that the best way to avoid these pitfalls is to adopt a Minimum Viable Risk Program (MVRP), focusing on small, high-value wins rather than attempting to quantify everything at once. Instead of tackling a “top 20” list, her advice was to focus on the 3-5 risk scenarios that executives care most about.

Allen highlighted that by starting small and integrating into existing decision-making processes, such as exception approvals or rapid risk reviews, credibility is earned through transparency and tangible results, not complex math.


Alla Valente of Forrester at FAIRCON25

Beyond Quantification: Tactical and Strategic Support

Another profound theme that permeated the sessions was how the value of FAIR extends far beyond simply calculating cyber risk. As Alla Valente of Forrester emphasized, risks are simply opportunities when the results aren’t guaranteed. This perspective transforms CRQ from a purely defensive exercise into an engine for strategic growth.

We learned that FAIR can be used in various ways, shifting the focus from just knowing your risk to leveraging it for continuous, tactical decision-making. Liberty Mutual Insurance’s Mike Schiavone, Manager of Cyber Advisory and Risk Reporting, accompanied by Niki Hale, Manager of Third Party Security, described how they elevated CRQ by calibrating risk scenarios to the right level of granularity. 

  • Strategic Decisions: Enabling business goals and meeting future market or industry needs.
  • Operational Decisions: Supporting ongoing security activities and ensuring daily alignment.
  • Tactical Decisions: Interactive support for immediate needs and rapid reactions to changes.

By operationalizing FAIR, organizations can move beyond annual check-ups to continuous visibility. The presenters shared how they gained the ability to rapidly identify and articulate: What could happen? How would it impact us? And what’s the cost if we do or don’t invest in mitigation?

The versatility of FAIR was further on display across various case studies, including: 

  • AboitizPower’s ability to determine the Annualized Loss Expectancy (ALE) for vendors in the same way as first-party risks. This included factoring in the threat event frequency (TEF) of the vendor, their susceptibility, the probability of the vendor bridging into the organization’s network, and the resulting loss magnitude.
  • Veterinary Emergency Group’s creation of tiers based on exposure versus entity risk. These two levers ensured assessments were based on the vendor’s security posture and the data exposure associated with the engagement. 
  • Peloton’s Identity Governance Program’s use of FAIR to model credential-based attack scenarios and review controls allowed them to map their findings to popular security frameworks. 
  • IHG’s use of FAIR-based continuous monitoring dashboards for daily standups, at which they assess what changed across their risk posture and escalate to their CTEM team as needed. This additional data point helps foster deeper understanding and collaboration across a globally dispersed enterprise.
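The vendor ALE calculation in the AboitizPower bullet is the one piece of the page that reduces to arithmetic, so here is an added illustration of it as a small Monte Carlo model. It is not AboitizPower’s model, SAFE platform code, or anything presented at the conference; the scenario structure follows the bullet (threat event frequency × vendor susceptibility × probability of bridging into the network gives the loss event frequency, which combined with loss magnitude gives ALE), and it goes a little beyond the bullet by reporting a loss range rather than a single figure and a return-on-control number, the two reporting practices mentioned elsewhere in this recap. Every range, the scenario values and the control cost are constructed inputs; the triangular distribution and Knuth’s Poisson sampler are stand-ins for what a real CRQ tool would use.

```python
"""Monte Carlo sketch of a FAIR-style vendor loss estimate.

Added illustration only; not AboitizPower's model or SAFE platform code.
Scenario values, ranges and the control cost below are constructed.
"""
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated estimate as a min / most-likely / max triple (a triangular
    distribution stands in for the PERT curves FAIR tools usually use)."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        if self.low == self.high:          # point estimate, nothing to draw
            return self.low
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class VendorScenario:
    tef: Estimate             # threat events per year aimed at the vendor
    susceptibility: Estimate  # P(vendor fails to resist a threat event)
    p_bridge: Estimate        # P(a vendor compromise reaches our network)
    loss_magnitude: Estimate  # dollars lost per event that reaches us


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's inversion method; adequate for the small event rates here."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: VendorScenario, trials: int = 20_000, seed: int = 7) -> dict:
    """Return the mean annual loss (ALE) plus 10th/50th/90th percentiles.

    Each trial is one simulated year: draw the loss event frequency
    (TEF x susceptibility x bridge probability), draw how many loss events
    actually occur that year, then sum one loss magnitude draw per event.
    """
    rng = random.Random(seed)
    annual_losses = []
    for _ in range(trials):
        lef = (scenario.tef.sample(rng)
               * scenario.susceptibility.sample(rng)
               * scenario.p_bridge.sample(rng))
        events = poisson(lef, rng)
        annual_losses.append(
            sum(scenario.loss_magnitude.sample(rng) for _ in range(events)))
    annual_losses.sort()

    def pct(q: float) -> float:
        return annual_losses[min(len(annual_losses) - 1, int(q * len(annual_losses)))]

    return {"ale": statistics.fmean(annual_losses),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90)}


def return_on_control(before: dict, after: dict, annual_control_cost: float) -> dict:
    """Risk buy-down (ALE reduction) set against what the control costs per year.
    roc > 0 means the control removes more expected loss than it costs."""
    reduction = before["ale"] - after["ale"]
    return {"risk_reduction": reduction,
            "roc": (reduction - annual_control_cost) / annual_control_cost}


if __name__ == "__main__":
    # Constructed example: a vendor with broad data access, before and after a
    # hypothetical control that is assumed to lower the vendor's susceptibility.
    baseline = VendorScenario(
        tef=Estimate(4, 8, 15),
        susceptibility=Estimate(0.20, 0.35, 0.60),
        p_bridge=Estimate(0.05, 0.15, 0.30),
        loss_magnitude=Estimate(50_000, 250_000, 1_500_000),
    )
    hardened = VendorScenario(
        tef=baseline.tef,
        susceptibility=Estimate(0.05, 0.12, 0.25),  # assumed effect of the control
        p_bridge=baseline.p_bridge,
        loss_magnitude=baseline.loss_magnitude,
    )
    before, after = simulate(baseline), simulate(hardened)
    roc = return_on_control(before, after, annual_control_cost=60_000)
    for label, r in (("before", before), ("after", after)):
        print(f"{label:>6}: ALE ${r['ale']:>10,.0f}   "
              f"p10-p90 range ${r['p10']:,.0f} - ${r['p90']:,.0f}")
    print(f"risk buy-down ${roc['risk_reduction']:,.0f}, "
          f"return on control {roc['roc']:.2f}")
```

The point of reporting `p10`/`p50`/`p90` alongside the mean is the “embrace ranges” advice: the 90th percentile is what a board member should hear as the plausible bad year, and the mean alone invites the false precision the speakers warned about. The return-on-control figure is the ALE reduction net of the control’s own cost, expressed as a multiple of that cost, which is one reasonable reading of the “cost of risk buy-down” metric mentioned in the closing session.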

These discussions underscored that using FAIR for cyber risk quantification is just the beginning. And the presenters at FAIRCON25 are leading the way.


David Jordan (right) received the 2025 FAIR Institute Cyber Risk Executive of the Year Award along with Robert Allen from Institute Founder Nick Sanna

The Power of Collective Operationalization

The most powerful takeaway from the 2025 FAIR Conference was the palpable sense of shared purpose and community. As David Jordan, CISO at IHG Hotels & Resorts, noted in the closing remarks, the community’s comfort with sharing and working together towards solutions was inspiring. We’re all tackling the same core challenge: the need for transparency and simplicity when communicating risk to ensure that cyber risk intelligence becomes a standard way of doing business.


As FAIRCON25 came to a close, we were reminded that CISOs must no longer “think like a hacker,” but rather “think like a business owner.”

  • Keep it Simple: If your core risk message isn’t simple enough for your grandfather to understand, it won’t resonate with the C-suite.
  • Embrace Ranges: When stakeholders don’t believe the precise numbers, emphasize that the model is directionally correct and use clear ranges to express uncertainty.
  • Principles Over Rules: Advocate for a principles-based approach that focuses on trust, safety, and security over a rigid rules-based one, especially regarding AI. 
  • Report the Right Metrics: Report the return on control, or cost of risk buy-down to clearly show how investments are reducing risk. 

These proactive steps will ensure the right guidelines are in place without waiting for regulations or hackers to set the rules. The key is recognizing that compliance is the floor, not the ceiling.

For this first-time attendee, the message was clear: the future of cyber risk management hinges on a fundamental mindset shift. We must move past the fear of failure and the pursuit of false precision, embracing the collaborative spirit of the FAIR community. With this, we collectively ensure that security leaders have the clarity and credibility required to thrive in the Age of AI.