C-Risk invites you to their event

Cyber Risk Management, Rebuilt: From ISO 27005 to the Boardroom

About this event

2026 Webinar Program: Rebuilding cyber risk management

Series 1: Cyber risk management, rebuilt: from ISO 27005 to the boardroom


To help you navigate your cyber risk management challenges, C-Risk has developed a three-part webinar series on rebuilding what's broken in cyber risk management. The approach reflects Gartner's guidance on cyber risk quantification (CRQ): start with the decisions to be made, express exposure in ranges rather than point estimates, and set appetite thresholds against which those ranges are judged. The result is a risk program that supports decisions across the business.

We will address the shift from compliance-focused to data-driven risk management, build the foundation for defensible analysis, and connect quantified cyber risk to enterprise governance.

1.1 - Risk management is broken. Let's rebuild it.

Cyber risk programs spend a lot of effort on compliance and controls testing, but these are only components of the risk management process.

The full process of identifying, analyzing, evaluating, and treating risk should deliver defensible recommendations and decision support, with clear answers on where to invest, what to treat, and what to accept. ISO 31000 and 27005 set out the framework for getting there. The gap is between what the frameworks ask for and how programs actually implement them, with too much weight on compliance, controls, and resilience activities and not enough on the analysis and decision support that should sit at the center.

What you'll learn:

  • Where ISO 31000 and 27005 place analysis and decision support in the risk management process
  • How compliance, controls testing, and resilience fit into the process without taking it over
  • What defensible recommendations look like, and what it takes to produce them
  • Where to start closing the gap in your own program

1.2 - Risk intelligence as the foundation: the ten data factors

Data is your most valuable asset — and you likely have more of it than you think. The problem isn't a lack of data; it's that your data is disconnected, inconsistently represented, and built for individual consumers rather than the organization as a whole.

In this session, you'll learn how to identify and prioritize the key data sources that power data-driven risk management, and how those sources combine to inform and drive meaningful business decisions. We'll explore how to model data once and reuse it multiple times to increase operational efficiency — and why, when navigating uncertainty, accuracy is more important than precision.

Drawing on the FAIR framework for quantitative risk assessment, you'll discover that you don't need all the data to make confident, data-driven decisions. Some inputs are essential; others are nice-to-haves. Understanding the difference is what allows you to build a robust, scalable loss model — without waiting for perfect information.

What You'll Learn

  • Identify the 10 key data factors of data-driven risk management (DDRM) — and which ones matter most
  • Leverage your existing data to build a coherent, end-to-end data chain
  • Determine which factors are most critical to your organization's risk posture
  • Scale your data chain effectively as your program matures

1.3 - From scenarios to Board appetite: the L2 taxonomy that changes governance

Cyber risk often sits in a silo, reported in maturity scores and heatmaps that don't translate into the language the rest of the business uses for risk.

Cyber risk quantification produces insights decision-makers and business leaders can act on: exposure in financial terms, treatment options compared by cost and benefit, scenarios that map to risk appetite. It's already how they think about every other risk on the enterprise register.

What you'll learn:

  • How to present quantified cyber risk to executives, the board, and ERM in a form they already use
  • How to map cyber scenarios to enterprise risk appetite
  • How to use CRQ outputs to inform treatment and investment decisions
  • How to integrate CRQ outputs into existing governance and reporting cycles
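As an added illustration of what sessions 1.2 and 1.3 describe (range-based inputs, a loss model that does not wait for perfect data, exposure reported against an appetite threshold, and treatment options compared by cost and benefit), here is a minimal FAIR-style Monte Carlo model. It is example code written for this page, not code from C-Risk, the webinar, or the FAIR Institute. The scenario name, its frequency and magnitude ranges, the appetite threshold, the control's effect and its cost are all constructed assumptions; modelling each range as a triangular distribution and the yearly event count as a Poisson draw are modelling choices made here, not something the page prescribes.

```python
"""FAIR-style Monte Carlo: range inputs -> annual loss distribution -> appetite check.

Added example; not C-Risk's or the FAIR Institute's code. Scenario numbers, the
appetite threshold and the control cost below are constructed assumptions.
"""
import math
import random
import statistics

# Constructed scenario. Each factor is a (minimum, most likely, maximum) range,
# which is how FAIR-style analysis asks for estimates when point data is absent.
BASELINE = {
    "name": "Ransomware on the ERP platform (assumed scenario)",
    "lef": (0.1, 0.5, 2.0),                          # loss event frequency, events/year
    "loss_magnitude": (50_000, 400_000, 3_000_000),  # loss per event, EUR
}
# Same scenario with an assumed control that halves the frequency range.
WITH_CONTROL = dict(BASELINE, lef=(0.05, 0.25, 1.0))
CONTROL_ANNUAL_COST = 120_000   # assumed yearly cost of the control, EUR
APPETITE = 1_000_000            # assumed board appetite: annual loss not to exceed, EUR


def sample_range(rng, estimate):
    """Draw from a (min, most likely, max) estimate using a triangular distribution."""
    low, most_likely, high = estimate
    return rng.triangular(low, high, most_likely)


def sample_poisson(rng, rate):
    """Number of events in one year at the given rate (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, years=10_000, seed=7):
    """One simulated year per iteration: sample a rate, draw an event count, sum per-event losses."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = sample_range(rng, scenario["lef"])
        events = sample_poisson(rng, rate)
        annual.append(sum(sample_range(rng, scenario["loss_magnitude"]) for _ in range(events)))
    return annual


def summarize(annual_losses, appetite):
    """Exposure as a range (percentiles) plus the probability of breaching the appetite."""
    s = sorted(annual_losses)
    n = len(s)

    def pct(p):
        return s[min(n - 1, int(p * n))]

    return {
        "mean": statistics.fmean(s),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "p95": pct(0.95),
        "p_exceed_appetite": sum(1 for x in s if x > appetite) / n,
    }


def compare_treatment(baseline_losses, treated_losses, annual_cost):
    """A treatment option in cost/benefit terms: expected loss avoided minus the control's cost."""
    reduction = statistics.fmean(baseline_losses) - statistics.fmean(treated_losses)
    return {
        "expected_loss_reduction": reduction,
        "annual_cost": annual_cost,
        "net_benefit": reduction - annual_cost,
    }


if __name__ == "__main__":
    base = simulate_annual_loss(BASELINE)
    treated = simulate_annual_loss(WITH_CONTROL)
    print("baseline:", summarize(base, APPETITE))
    print("with control:", summarize(treated, APPETITE))
    print("treatment:", compare_treatment(base, treated, CONTROL_ANNUAL_COST))
```

The output is the shape of report session 1.3 argues for: a loss range (p50/p90/p95) instead of a heatmap cell, a single probability of breaching the appetite the board has already set, and a control expressed as expected loss avoided net of its cost. Swapping the constructed ranges for an organization's own estimates changes the numbers, not the structure of the decision.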

Looking ahead:

Series 2 will demonstrate data-driven risk management (DDRM) in practice. We'll break down three use cases: defending the security budget, third-party risk management (TPRM), and quantifying risk for GenAI initiatives. Series 3 will lay out the practical steps that lead to strategic cyber and technology risk management. You'll gain insights on how to align your lines of defense, operationalize your risk management process, and build a data-driven roadmap for your organization.

Hosted by

  • Christophe Forêt, Co-Président C-Risk & FAIR Institute Paris @ C-Risk
  • Neil MacGowan, Director of Customer Success @ C-Risk

C-Risk

Quantifying Information Risk

C-Risk provides solutions to quantify cyber risk in financial terms, improve information security governance and optimise control investments.