2026 Webinar Program: Rebuilding cyber risk management

Series 1: Cyber risk management, rebuilt: from ISO 27005 to the boardroom

To help you navigate your cyber risk management challenges, C-Risk has developed a three-part webinar series on rebuilding what's broken in cyber risk management. This approach reflects Gartner's guidance on CRQ: start with decisions, express exposure in ranges and set appetite thresholds. The result is a risk program that supports decisions across the business.

We will address the shift from compliance-focused to data-driven risk management, build the foundation for defensible analysis, and connect quantified cyber risk to enterprise governance.

1.1 - Risk management is broken. Let's rebuild it.

Cyber risk programs spend a lot of effort on compliance and controls testing, but these are only components of the risk management process.

The full process of identifying, analyzing, evaluating, and treating risk should deliver defensible recommendations and decision support, with clear answers on where to invest, what to treat, and what to accept. ISO 31000 and 27005 set out the framework for getting there. The gap is between what the frameworks ask for and how programs actually implement them, with too much weight on compliance, controls, and resilience activities and not enough on the analysis and decision support that should sit at the center.

What you'll learn:

• Where ISO 31000 and 27005 place analysis and decision support in the risk management process
• How compliance, controls testing, and resilience fit into the process without taking it over
• What defensible recommendations look like, and what it takes to produce them
• Where to start closing the gap in your own program

1.2 - From scenarios to analysis: scoping cyber risk for decision support

Cyber risk analysis is only as credible as the scenarios it's built on. Many programs analyze whatever the framework or tool prompts for, rather than the scenarios that would actually inform a decision.

Scoping should start with the decisions the business needs to make and the threats most likely to affect them. Cyberthreat intelligence and expert input narrow the field to the top threat-to-business scenarios that matter. A well-scoped scenario shows you what data is needed to reduce uncertainty and support an objective analysis.

What you’ll learn:

• How to move from a generic risk register to scenarios tied to specific business decisions
• How to incorporate cyberthreat intelligence and input from subject matter experts to prioritize scenarios
• What data each scenario requires, and how to perform an analysis
• How to recognize when a scenario is well scoped

1.3 - Connecting CRQ to cyber risk governance

Cyber risk often sits in a silo, reported in maturity scores and heatmaps that don't translate into the language the rest of the business uses for risk.

Cyber risk quantification produces insights decision-makers and business leaders can act on: exposure in financial terms, treatment options compared by cost and benefit, scenarios that map to risk appetite. It's already how they think about every other risk on the enterprise register.

What you’ll learn:

• How to present quantified cyber risk to executives, the board, and ERM in a form they already use
• How to map cyber scenarios to enterprise risk appetite
• How to use CRQ outputs to inform treatment and investment decisions
• How to integrate CRQ outputs into existing governance and reporting cycles

Looking ahead:

Series 2 will demonstrate data-driven risk management (DDRM) in practice. We’ll breakdown three use cases: defending the security budget, TPRM, and quantifying risk for GenAI initiatives. Series 3 will lay out the practical steps that lead to strategic cyber and technology risk management. You’ll gain insights on how to align your lines of defense, operationalize your risk management process, and build a data-driven roadmap for your organization.