About this event
The first series built the foundation: a data-driven approach to cyber risk analysis, connected to enterprise governance. Series 2 takes it into the room where decisions are made.
CISOs today face three high-stakes conversations that their current toolset was not built for. Defending a security budget in front of a CFO who evaluates every request in expected return per euro, not in maturity scores. Negotiating cyber insurance coverage when the policy was sized against sector benchmarks rather than the organisation's actual loss curve. And governing GenAI deployments when the risk surface is changing faster than any policy document can track.
In each case, the problem is the same: technical risk data that stops short of the financial translation the decision requires. A maturity score is not a return. A peer benchmark is not an exposure profile. A governance policy is not a risk estimate. The gap between what security teams produce and what business leaders need to act is the gap this series is designed to close.
Across three sessions, we work through each use case with a live model grounded in the FAIR (Factor Analysis of Information Risk) methodology and C-Risk's DDRM approach. We'll show exactly how quantified risk analysis changes the conversation, the decision and the outcome.
Every budget cycle, CISOs walk into the same meeting with the same problem: a security investment case built in the language of risk maturity, framework alignment and control coverage, presented to a CFO who evaluates every other capital request in expected return per euro spent.
The result is predictable. When cyber cannot be compared to marketing, capex, or R&D on the same financial dimension, it defaults to last year's number and gets cut to whatever the residual allows. The threat landscape and the maturity score are irrelevant to that decision. What matters is whether the investment case speaks the CFO's language.
In this session, we show exactly how to make that translation using FAIR-CAM (the FAIR Controls Analytics Model) to build a budget defence that links control investment directly to a reduction in annualised loss expectancy (ALE), expressed in euros. We walk through a live what-if model: from control uplift to key control indicator (KCI) improvement, key risk indicator (KRI) reduction, and a financially expressed delta the CFO can evaluate against any other capital request on the table.
What you'll learn:
- A clear understanding of why security budgets get cut and what specifically changes when the request is denominated in euros rather than maturity scores
- A step-by-step FAIR-CAM model you can apply to your own control investments: control uplift → KCI → KRI → ALE delta
- A one-page budget defence format (three numbers, fully defensible) built to survive CFO scrutiny and procurement negotiation
- A real-world case reference: how a multi-country healthcare group got its full budget approved on first reading after adopting this approach
Most enterprises renew their cyber insurance the same way every year: confirm the coverage level, accept the sub-limits the broker offers, and negotiate on premium. The underlying assumption that the coverage is approximately right is rarely tested. Until a claim arrives.
The structural problem is that brokers price coverage against sector and revenue band, not against your actual loss curve. This is rational at portfolio level for the insurer. For the buyer, it produces a policy that is wrong in two directions at once: over-covered on operational losses the organisation could absorb, and under-covered on severe events where sub-limits and exclusions cut out precisely when they are needed most.
In this session, we show how to close that gap using a quantified FAIR loss curve and how to arrive at renewal with a negotiating position grounded in your specific exposure profile rather than what your sector peers are buying.
What you'll learn:
- A clear picture of how cyber insurance is actually priced today, and why the peer benchmark systematically produces the wrong coverage for individual buyers
- A three-step FAIR method to build your aggregate loss curve and identify both coverage gaps (over and under) before renewal, not after a claim
- A practical negotiation framework: how to align policy limits, sub-limits and exclusions to named scenarios, and the typical premium impact when you do
- A format your CFO and CRO will both sign: exposure-aligned, financially expressed, defensible to the board and the insurer
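The budget-defence chain above (control uplift → KCI → KRI → ALE delta) and the loss-curve reading a renewal negotiation needs both rest on the same computation, so the following script is given once as an added worked illustration for both sessions. It is not C-Risk's model and not the FAIR-CAM or DDRM implementation shown live in the sessions; it is a plain-Python, stdlib-only FAIR Monte Carlo. It samples calibrated min / most-likely / max ranges for threat event frequency, vulnerability and loss magnitude, turns them into an ALE, applies a control uplift as a KCI-to-KRI scaling, and then reads an insurance retention and limit against the simulated loss exceedance curve. The scenario numbers, the control cost, and the assumption that susceptibility scales with the unpatched share of hosts are constructed for the example and are not data from the page.

```python
"""FAIR-style Monte Carlo in plain Python (stdlib only): ALE, control-uplift
delta, loss exceedance curve and insurance-policy fit.
Added illustration; every number below is constructed, not C-Risk data."""
import math
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pert:
    """Calibrated min / most-likely / max estimate, sampled as a modified PERT
    (Beta) distribution; its mean is (low + lam*mode + high) / (lam + 2)."""
    low: float
    mode: float
    high: float
    lam: float = 4.0

    def sample(self, rng: random.Random) -> float:
        span = self.high - self.low
        if span == 0:
            return self.low
        a = 1 + self.lam * (self.mode - self.low) / span
        b = 1 + self.lam * (self.high - self.mode) / span
        return self.low + span * rng.betavariate(a, b)

    def mean(self) -> float:
        return (self.low + self.lam * self.mode + self.high) / (self.lam + 2)


@dataclass(frozen=True)
class Scenario:
    """FAIR factors: threat event frequency per year, vulnerability (probability
    a threat event becomes a loss event) and loss magnitude per event in EUR."""
    tef: Pert
    vuln: Pert
    lm: Pert


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate(s: Scenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """One trial = one simulated year. LEF = TEF * vulnerability; the number of
    loss events that year is Poisson(LEF) and each event draws its own LM."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)
        years.append(sum(s.lm.sample(rng) for _ in range(poisson(rng, lef))))
    return years


def ale(years: list[float]) -> float:
    """Annualised loss expectancy: mean simulated annual loss."""
    return sum(years) / len(years)


def kri_factor(kci_before: float, kci_after: float) -> float:
    """KCI -> KRI link used here (an assumption, not FAIR-CAM's own mapping):
    the KCI is the share of internet-facing hosts patched within SLA, and the
    KRI (susceptibility) scales with the unpatched share, so the uplift
    multiplies vulnerability by (1 - kci_after) / (1 - kci_before)."""
    return (1 - kci_after) / (1 - kci_before)


def apply_control(s: Scenario, factor: float) -> Scenario:
    v = s.vuln
    return replace(s, vuln=Pert(v.low * factor, v.mode * factor, v.high * factor, v.lam))


def exceedance(years: list[float], x: float) -> float:
    """Point on the loss exceedance curve: P(annual loss > x)."""
    return sum(1 for y in years if y > x) / len(years)


def percentile(years: list[float], p: float) -> float:
    """Nearest-rank percentile of the simulated annual losses."""
    ordered = sorted(years)
    return ordered[max(0, math.ceil(p * len(ordered)) - 1)]


def policy_fit(years: list[float], retention: float, limit: float) -> dict:
    """How a policy with a retention (deductible) and a limit sits on the curve.
    Low p_attach with a never-exhausted limit is over-coverage on losses the
    organisation could absorb; high p_exhaust is the severe-event gap."""
    insured = [min(max(y - retention, 0.0), limit) for y in years]
    uninsured = [y - i for y, i in zip(years, insured)]
    return {
        "p_attach": exceedance(years, retention),
        "p_exhaust": exceedance(years, retention + limit),
        "expected_insured": sum(insured) / len(years),
        "expected_uninsured": sum(uninsured) / len(years),
        "uninsured_p99": percentile(uninsured, 0.99),
    }


# Constructed scenario (not real data): ransomware via an unpatched internet-facing host.
BASELINE = Scenario(
    tef=Pert(2, 6, 15),                   # threat events per year
    vuln=Pert(0.05, 0.15, 0.40),          # P(threat event -> loss event)
    lm=Pert(50_000, 250_000, 3_000_000),  # EUR per loss event
)
CONTROL_COST = 120_000                    # EUR per year for the patching uplift, constructed

if __name__ == "__main__":
    before = simulate(BASELINE)
    after = simulate(apply_control(BASELINE, kri_factor(0.55, 0.90)))  # KCI 55% -> 90%
    delta = ale(before) - ale(after)
    print(f"ALE before {ale(before):,.0f}  after {ale(after):,.0f}  "
          f"delta {delta:,.0f} EUR/yr  return {delta / CONTROL_COST:.1f}x on cost")
    for x in (250_000, 1_000_000, 5_000_000):
        print(f"P(annual loss > {x:>9,}) = {exceedance(before, x):.3f}")
    for label, ret, lim in (("benchmark-sized", 100_000, 2_000_000),
                            ("curve-sized", 500_000, 5_000_000)):
        print(label, {k: round(v, 3) for k, v in policy_fit(before, ret, lim).items()})
```

Reading the output: the ALE delta divided by the control's annual cost is the number that can sit next to any other capital request; the three exceedance probabilities are the loss curve the broker never sees; and `policy_fit` shows the two-directional error the insurance session describes, a low retention that attaches on losses the business could carry, and a limit that `p_exhaust` says is reached in a meaningful share of simulated years. Swapping in your own calibrated ranges per scenario and summing the per-year losses across scenarios gives the aggregate curve the negotiation should be built on.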
Only 25 to 30% of enterprises are using GenAI at industrial scale, and those that do encounter compliance, security and data-confidentiality issues almost immediately. The majority are accumulating shadow AI exposure without the measurement infrastructure to see it, let alone govern it.
The risk surface GenAI introduces is not incremental. It changes the vulnerability landscape at speed: new attack paths generated at machine scale, dependencies on third-party model providers that were never formally risk-assessed, and data flows that existing classification and DLP policies were not designed to cover. When a provider goes offline through technical failure or political decision, the operational impact is immediate. Sovereignty and concentration risk have moved from theoretical to operational.
Most organisations respond with a governance policy. Policies do not quantify exposure. They do not tell the CISO whether a specific GenAI initiative sits inside or outside risk appetite. They do not produce a number the CFO can evaluate or the board can act on. In this session, we show how to make that translation by applying the FAIR framework to GenAI-specific risk scenarios, so that every initiative carries a financially expressed risk estimate before deployment.
What you'll learn:
- A structured map of the risk vectors GenAI introduces that existing frameworks do not cover: shadow AI exposure, model dependency, data leakage and sovereignty risk
- A practical method for translating GenAI initiative risk into FAIR scenarios (data exposure events, model disruption, DORA and AI Act compliance breach), each expressed as an ALE range
- A format for positioning GenAI risk inside organisational appetite: comparable across initiatives, defensible to the board, and ready for the CFO conversation
- Concrete deployment experience from regulated European enterprises: what the first movers encountered, and how quantified risk analysis changed their decision-making
C-Risk provides solutions to quantify cyber risk in financial terms, improve information security governance and optimise control investments.