
Where Risk Meets ROI
Cyber risk now carries a balance sheet. The ability to put a dollar value on risk—and a return on remediation—is becoming the difference between organizations that move with confidence and those that stall under uncertainty.
The opportunity lies in clarity. Amid endless data points, cyber risk leaders are learning to distinguish true risk signals from background noise. AI and unified models are helping translate those signals into decisions that are faster, more precise, and easier to explain in business terms.
The Cyber Risk Series: Risk Management Edition brings together industry experts to share how organizations are building this clarity into their programs. The focus is practical: how to measure, prioritize, and communicate risk in ways that guide strategy, secure investment, and strengthen trust.
Why Attend
- Learn how to quantify risk in financial and operational terms that resonate at the board level.
- See how AI and automation bring precision by surfacing signals that matter.
- Explore approaches to prioritize action with business alignment.
- Gain language and frameworks to demonstrate ROI on risk reduction with confidence.
September 24, 2025
9:00 AM – 12:00 PM PT
Don’t miss the opportunity to learn from industry experts. Register now.
Featuring

Scott Stransky
Head of the Marsh McLennan Cyber Risk Intelligence Center
MarshMcLennan

Tony Martin-Vegue
Cyber Risk Quantification Expert, Author, and Advisor

Rahul Goel
Information Security Leader, Financial Sector

Sumedh Thakar
President and CEO
Qualys

Richard Seiersen
Author and Chief Risk Technology Officer
Qualys

Jonathan Trull
CISO & SVP Customer Solutions Strategy
Qualys

Mayuresh Ektare
VP Product Management
Qualys
Agenda
9:00 AM PT
Welcome to Cyber Risk Series: Risk Management Edition

Richard Seiersen
Author and Chief Risk Technology Officer
Qualys
9:05 AM PT
The Money-Minded CTEM: A Fireside Chat with Sumedh Thakar
For every new digital breakthrough, be it cloud native, quantum computing, or AI, a raft of new operational and business risks arises. Modern enterprises accelerate digital and AI transformation, but adversaries match their pace—pushing back with equal force and sophistication.
In this candid fireside chat, Qualys’ Rich Seiersen, Chief Risk Tech Officer, sits down with CEO Sumedh Thakar to explore the evolution from attack surface management (ASM) to risk surface management (RSM), the emergence of the Risk Operations Center (ROC) as a money-minded CTEM approach, and how AI is reshaping both risk and the future of cybersecurity work. Together, they’ll unpack what it takes to move from tactical firefighting to a risk-based strategy that aligns security with enterprise value.

Sumedh Thakar
President and CEO
Qualys
9:30 AM PT
Escaping the Security Treadmill: A Better Way to Show Risk
Security leaders are being asked to cover more ground with fewer people and tighter budgets. The result should sound familiar: teams running faster every year, but always behind. The problem is not effort. The problem is that technology risk is still being presented in a way that does not motivate executives to take action.
Too often, the conversation is about moving boxes from red to yellow to green. That framing makes risk appear to be a compliance task rather than a business decision. This talk is about upgrading the conversation. By speaking in the language executives already use (tradeoffs, investments, opportunity costs, and resource allocation), security leaders can shift from reporting problems to shaping strategy.
Attendees will learn how to:
- Reframe risk from colors to capital, from heatmaps to business tradeoffs
- Connect security decisions directly to resource allocation and business priorities
- Show executives the real return on security investments
- Replace “red to yellow” with a conversation about tradeoffs tomorrow
Stop running harder on the treadmill. Start leading the conversations that win support, funding, and focus.

Tony Martin-Vegue
Cyber Risk Quantification Expert, Author, and Advisor
10:00 AM PT
Quantifying the Cost of Cyber Risk
Cyber models and third-party datasets can provide valuable tools for understanding, quantifying, and managing cyber risks. They enable companies to make data-driven decisions, help to enhance cybersecurity posture, and empower organizations to effectively respond to the evolving threat landscape. However, no cyber dataset is one-size-fits-all, nor are all datasets created equal. They should align with an organization’s specific requirements and existing cyber risk management capabilities, and they should have actual correlations with risk.
In this session, we’ll discuss how the world of cyber insurance has unique resources to separate the good from the bad from the snake oil. By using the set of companies that had cyber insurance claims, along with the universe of companies that purchased cyber insurance, we can determine which of this myriad of tools has actual correlations with cyber incidents. We’ll evaluate cyber self-assessments, outside-in scans, and dark web threat intelligence, amongst others. We’ll also look at various vendor quantification models that are being used by the cyber insurance industry and how they may impact your organization.

Scott Stransky
Head of the Marsh McLennan Cyber Risk Intelligence Center
MarshMcLennan
10:30 AM PT
Beyond the SOC: Building a Risk Operations Center for the Enterprise
As cybersecurity programs evolve, organizations are exploring new approaches to operationalize risk management at scale. Just as the SOC transformed threat monitoring, the Risk Operations Center (ROC) is emerging as a model for unifying cyber risk management across people, processes, and technology.
In this fireside chat, Jonathan Trull, CISO of Qualys, and Rahul Goel, cybersecurity leader and former CISO, will share their perspectives on what it takes to move toward a ROC model in large, complex organizations. They will discuss:
- Key considerations when evaluating or planning for a ROC
- How existing programs can be modernized to fit into this framework
- The skill sets needed to support risk operations
- Why a ROC differs from a 24/7 SOC and how to set expectations
- Strategies for gaining leadership alignment to standardize cyber risk management
Attendees will gain an inside look at how forward-thinking CISOs are approaching the journey toward a Risk Operations Center and the lessons they’ve learned along the way.

Rahul Goel
Information Security Leader
Financial Sector

Jonathan Trull
CISO & SVP Customer Solutions Strategy
Qualys
11:00 AM PT
Session to be announced!
11:30 AM PT
Cancel Exposure Whack-a-Mole with a Risk Operations Center
Security teams can no longer afford to chase endless alerts in a reactive cycle of patching and firefighting as threats multiply and regulatory pressures mount.
The future of cybersecurity lies in operationalizing risk. The Risk Operations Center (ROC) represents a new paradigm—bringing together security signals, business context, and automation to drive measurable, continuous risk reduction.
In this session, we’ll explore how Enterprise TruRisk Management (ETM) enables organizations to shift from tactical firefighting to strategic risk management. Attendees will learn how to prioritize exposures that truly matter, translate cyber risk into business terms, and make faster, more confident decisions that strengthen both security and resilience.

Mayuresh Ektare
VP Product Management
Qualys