Risk Management / Quantification

Events

Views Navigation

Event Views Navigation

Today

    • Mapping What Matters: Risk Management That Drives Business Impact

    Despite growing investments in cybersecurity, many organizations still struggle to reduce real risk. Why? Because dashboards don’t reduce risk—action does. To reduce real risk, organizations must operationalize cyber risk strategies—prioritizing action over reporting, and aligning security efforts with measurable business outcomes. Topics include: • Making cyber risk visible, measurable, and relevant to business leaders • Linking asset visibility to business-critical risk decisions • Moving from reporting risk to actively reducing it—at scale Learn how to operationalize your risk strategy to prioritize action, align security with business outcomes, and turn visibility into measurable impact.
    Topics:
    , , ,

    Two People Managing 300 Vendors: Why Your TPRM Program Is Running on Willpower

    Nearly three-quarters of organizations have two or fewer full-time employees managing vendor risk, even though more than half oversee 300 or more third-party relationships. Close to half experienced a third-party cyber event in the past year. The math does not work, and most TPRM teams know it. They are running on spreadsheets, manually chasing questionnaire responses, and conducting annual assessments that produce a point-in-time snapshot of a continuously changing risk surface.

    Regulatory pressure is intensifying at the same time. Two-thirds of institutions face demands to enhance their TPRM programs, and frameworks like DORA and updated SEC disclosure requirements are raising the stakes for third-party oversight. The gap between what regulators expect and what lean TPRM teams can deliver is widening.

    Closing that gap requires coordination across assessment automation, continuous monitoring, risk intelligence, and third-party visibility platforms to scale coverage without scaling headcount.

    Topics include:

    • Automating vendor risk assessments to scale coverage without scaling headcount
    • Moving from annual questionnaires to continuous third-party monitoring
    • Prioritizing vendor oversight based on actual risk rather than treating all vendors equally

    Learn how resource-constrained TPRM teams are closing the gap between regulatory expectations and operational reality.

    Topics:
    , , ,

    You’re Patching the Wrong Vulnerabilities. Exploit Intelligence Says So.

    With more than 40,000 new CVEs published in the past year alone and projections exceeding 50,000 for 2025, patching everything is impossible. Most organizations prioritize remediation by CVSS severity scores, but severity does not equal exploitability. Research shows that 32% of reported security issues have a low probability of exploitation, while some moderate-severity vulnerabilities sit on active exploit chains right now.

    The shift from vulnerability management to exposure management reflects a growing recognition that context matters more than volume. Organizations need to know not just what is vulnerable but whether a vulnerability is reachable from the internet, whether an exploit exists in the wild, what business-critical assets sit in the blast radius, and how quickly an attacker could leverage it.

    Operationalizing this shift requires coordination across vulnerability management, attack surface visibility, penetration testing, and exposure intelligence platforms to prioritize what attackers can actually use.

    Topics include:

    • Using exploit intelligence and business context to prioritize remediation over CVSS scores alone
    • Mapping the gap between what is vulnerable and what is actually exploitable
    • Operationalizing continuous threat exposure management across hybrid environments

    Explore how leading organizations are replacing volume-based patching with risk-informed remediation that focuses on what attackers can actually use.

    Topics:
    , , , , ,

    • AI Regulations Are Moving Faster Than Your Compliance Framework. A Practical Catch-up Plan.

    The EU AI Act is in effect. NIST and ISO frameworks are expanding to cover machine identity hygiene and AI decision-making transparency. The SEC now requires public companies to disclose material cybersecurity incidents within four business days. And most GRC teams are still operating frameworks that were designed for a slower, more predictable regulatory cycle. The gap between what regulators expect and what compliance programs can deliver is growing with every new mandate, and AI adoption across the enterprise is accelerating the timeline.

    This is not just a documentation problem. AI introduces compliance challenges that existing GRC workflows were never designed to handle: models trained on data with unclear provenance, automated decisions that need audit trails, and AI deployments that span business units with no centralized oversight. Addressing this requires coordination across GRC platforms, data security tooling, AI governance solutions, and risk quantification approaches to build programs that keep pace with regulatory change. Organizations that treat AI governance as a future initiative rather than a current requirement are accumulating risk that becomes harder and more expensive to remediate with each quarter that passes.

    Topics include:

    • Mapping current GRC frameworks against emerging AI-specific regulatory requirements
    • Building audit trails and governance structures for AI-driven decisions and data usage
    • Moving from periodic compliance reviews to continuous assurance models

    Join us for a practical look at how GRC teams are updating their programs to keep pace with the regulatory demands of enterprise AI adoption.

    Topics:
    , , ,

    Supply Chain Attacks Are Getting Worse. Your Questionnaire-based TPRM Program Can't Keep Up.

    More than one-third of data breaches now involve a compromised vendor or third party. A single compromised supplier can expose customer data, halt operations, and trigger regulatory penalties. And most organizations are still managing this risk through annual questionnaires and static spreadsheets that produce a snapshot of a vendor's security posture at a single point in time. Between assessments, vendors change their infrastructure, suffer incidents, and introduce new risks that are invisible until the next review cycle.

    The questionnaire model is breaking down from both sides. Vendors are overwhelmed by repetitive, duplicative assessments from every customer, and the resulting delays mean risk teams are making decisions on incomplete data. Meanwhile, regulatory frameworks are raising expectations: continuous oversight, documented remediation, and faster disclosure timelines are becoming standard requirements. Addressing this requires coordination across assessment automation, continuous monitoring, external risk intelligence, and vendor risk platforms to build TPRM programs that match the speed and scale of today's supply chain threat landscape.

    Topics include:

    • Supplementing point-in-time questionnaires with continuous external monitoring and risk intelligence
    • Automating vendor risk assessment workflows to scale oversight without proportional headcount increases
    • Aligning TPRM programs with evolving regulatory expectations around continuous third-party oversight

    Explore how organizations are modernizing their TPRM programs to match the speed and scale of today's supply chain threat landscape.

    Topics:
    , , , ,

    The Assets You Don't Know About Are the Ones Getting Breached. Solving the Visibility-first Problem.

    Most organizations cannot produce a complete, accurate inventory of their external-facing assets. Shadow IT, forgotten cloud instances, unmonitored APIs, development environments left exposed, and acquired company infrastructure that was never integrated into security tooling all create blind spots. Attackers do not need to find a zero-day when a staging server with default credentials is sitting on a public IP. The assets that security teams do not know about are, by definition, the ones that are not being monitored, patched, or protected.

    Attack surface management starts with a premise that most vulnerability management programs skip: you cannot secure what you have not discovered. Addressing this requires coordination across ASM, CTEM, vulnerability management, penetration testing, and cloud security platforms to build a continuous view of the external attack surface as an attacker sees it, not as the asset inventory says it should look. The gap between those two views is where breaches happen. Organizations that have adopted this approach report finding assets they did not know existed, exposures that had persisted for months, and risk concentrations in areas their existing tools were not scanning.

    Topics include:

    • Continuously discovering and attributing external-facing assets beyond the known inventory
    • Identifying shadow IT, orphaned cloud resources, and unmonitored development environments
    • Prioritizing discovered exposures based on exploitability, business context, and attacker perspective

    Discover how organizations are closing the gap between what they think their attack surface looks like and what it actually is.

    Topics:
    , , , , ,