SAFE CEO Saket Modi on 3 Key Learnings on CRQ

Insights on successful cyber risk management from deploying FAIR at thousands of organizations

By Jeff Copeland

Watch the video of Saket’s FAIRCON presentation now.

Our CEO Saket Modi recently spoke at the FAIR Institute’s annual FAIR Conference in New York and – as Saket usually does – delivered a message to an audience of risk managers and business leaders that was a mix of busting through the status quo and visioning a clear path forward to a better way.  

If all this is new to you:

• FAIR (Factor Analysis of Information Risk) is a model for quantifying cyber risk in financial terms that’s at the center of SAFE’s risk management solution. 
• The FAIR Institute has successfully championed – after years of effort – the idea that cyber risk is business risk (not just technical risk). 
• SAFE is the technical sponsor of the FAIR Institute – and the category leader in cyber risk quantification and management (CRQM), enabling the largest companies in the world to leverage FAIR for “Cyber Decision Intelligence.”

Saket presented his FAIRCON25 talk as “3 Key Learnings from Our Ascent to the CRQ Summit”. You might also call them 3 Inconvenient Truths about CRQ. 

Key Learnings about Cyber Risk Quantification

1. “CRQ’s biggest weakness is its own name. It doesn’t sell – but its value is golden. That’s why we call it Cyber Decision Intelligence.”

Saket surveyed over 100 CISOs with the question “Do you need CRQ?” Seven percent answered “yes”. But when he asked value-oriented questions like, “When a new hack happens would you want to know if it could happen to you?” the “yes” answers shot up to the 90th percentile. 

“Leaders don’t care about FAIR/CRQ. They care about outcomes,” Saket said. 

“That’s why SAFE focussed relentlessly on value-based product delivery, going from CRQ to Cyber Risk Decision Intelligence.” 

That value is not just a score but context to benchmark an organization’s risk posture and “enable you to make decisions.”

Saket showed how the SAFE One platform identifies a significant change in breach likelihood – double click through to see that the change was generated by one third party, then check the strength of the relevant controls, and see how breach likelihood compares to peers.   

Saket showed a demo of the See What Changed capability of SAFE One

2.  The barrier to adoption has been the CISO community’s old FAIR mindset – something that SAFE has now changed.

Saket asked the provocative question “Is the CRQ juice worth the squeeze?” The FAIR model for quantitative analysis is clearly the winner for cyber risk management at scale, but with so many of the inputs for CRQ based on subjective estimates, FAIR had a Garbage In – Garbage Out problem. 

SAFE changed the game with inputs generated by autonomous CRQ, taking advantage of the vast amount of data now accessible via feeds from GRC’s, threat intel and more. “We cut across all these (data) verticals, ingested all this telemetry and brought them together in one place.” 

On the output side of the process, transparent inputs yield defensible results.  Or as Saket put it, “Never trust a score you can’t triple click.”

3.  FAIR’s power goes far beyond cyber risk—extending to AI, Third-Party, Geopolitical Risk Modeling, and much more.

Old habit of FAIR mind: Cyber risk modeling is only for traditional risk scenarios like ransomware. Wrong. 

Take Cisco’s new AI Defense product based on FAIR, Saket said. 

Or Take third-party risk (TPRM). Traditional methods of questionnaires and outside-in scans don’t truly speak to risk.  SAFE brought both together, “turbo charged it with agentic AI and threw all the signals into FAIR. We have now successfully applied FAIR into risk modeling of over 1.3 million third parties.”

Saket generated a SAFE TPRM dashboard 

Saket’s concluding thought: “FAIR and CRQ is the central nervous system of autonomous, cyber-risk-based decision-making for CISOs.”

Saket was joined onstage by Swamy Kocherlakota, Executive Vice President, Chief Digital Solutions Officer of S&P Global, discussing implementing FAIR with SAFE in a large multinational company. 

Alla Valente, Forrester Principal Analyst covering the third-party risk management market, also joined Saket to discuss the challenges and opportunities of TPRM. 

Learn more about automating FAIR with SAFE. Schedule a demo now!