SiRAcon ’25 Highlights and Recap: Day 1
From Zero to Quant to ERM
SiRAcon ’25 took place last week, Sep. 9-11, 2025, at the Boston Federal Reserve in Boston, MA, marking the second year that SiRAcon has been held at this venue.
The event theme this year was From Zero to Quant to ERM, building on last year’s theme of From Zero to Quant and emphasizing the need to have conversations about cybersecurity risk as part of broader enterprise risk management decisions. Presentations reinforced this theme and brought in considerations for AI, industry standards to aid adoption, and steps for continued growth based on learnings from the past.
The event saw more than 100 attendees between in-person and virtual attendees, and the SiRA Slack and Zoom chat allowed for lively and energizing discussion and debate across the event. As always, the SiRA community was engaged and thought-provoking throughout the week, with excellent conversations taking place during breaks across the event. The sense of community at this conference is always amazing!
If you happened to miss this year’s SiRAcon but registered, you can still access session recordings through the event site. If you did not register, the recordings will soon be added to the Members’ Area of www.societyinforisk.org and you can access them (as well as recordings from previous SiRAcons and past webinars) by becoming a Member of SiRA: https://societyinforisk.org/join.
Day 1: Tuesday, Sep. 9, 2025
Keynote: Quantitative Enterprise Risk Management
Graeme Keith kicked off SiRAcon ’25 as the keynote presenter on Tuesday, Sep. 9. Graeme stressed the need for risk management to influence decision-making in an organization. The models used need to be actionable, causal, stochastic, and simple, but adequate. Graeme also noted that enterprise risks occur and have impact across the scale of the organization and that enterprise risk management aligns enterprise objectives and decisions with governance.
Zero Trust in CRQ? Or CRQ in Zero Trust?
Following Graeme, John Linford dived into a presentation on areas where cyber risk quantification might be included as part of an organization’s Zero Trust transformation. John emphasized the mindset shift required to adopt Zero Trust and built on this to offer areas where CRQ might complement the transition and decision-making.
Why We Resist: Uncovering the Psychological Barriers to Effective ERM
Jason Leuenberger showed the power of the mind in his presentation, providing an open and honest glimpse into his own thought processes to demonstrate the value of Kegan’s Immunity to Change and Self-Determination Theory. Jason tied these concepts back to why risk initiatives face resistance and offered suggestions for designing ERM programs that will actually work.
Integrating Cyber Risk and Enterprise Risk Using the NIST 8286 IR
As Andrew Shea showed, the Integrating Cybersecurity and Enterprise Risk Management (ERM) series of publications from NIST provides a valuable resource for any organization attempting to integrate cyber risk with enterprise risk. Andrew provided a breakdown of the documents in the series and offered guidance on implementation timelines and approach, highlighting technical and non-technical mitigations and utilizing the risk-adjusted return on capital (RAROC) methodology.
Navigating the Changing Cyber Landscape: Trends, Costs, and Risk Mitigation Strategies
Wendy Hou-Neely kept the energy of day 1 flowing with an overview of key cyber risk trends and statistics, highlighting the top threat areas as well as ransomware payment trends, major incident cost drivers, and business interruption costs. Wendy also stressed some key risk mitigations and controls, including MFA, data management best practices, and considerations for third-party risk management.
(Nearly) a Decade of Risk Management: Lessons Learned and What’s Next
David Severski rounded out day 1 with an insightful (and cat-filled) presentation focused on security incident trend analysis. David offered real-world data from the Cyentia Institute to showcase changes in incident frequency (increasing), the probability of experiencing a security event (increasing for most organizations, but decreasing for mega corporations), and financial impact data (increasing). David kept the energy high and attention focused to round out the first day!
_____________________________________________________________
During SiRAcon ’25, the SiRAcon Planning Committee also announced exciting news: SiRAcon ’26 will take place from Apr. 21-23, 2026 at the Boston Federal Reserve in Boston, MA. Full event details, including the event theme, presentation proposal deadlines, and registration, will be announced in coming weeks.
Thank you to everyone who made SiRAcon ’25 a success, particularly the keynote presenters and speakers, SiRA Board Members and SiRAcon Planning Committee Members, and attendees alike!
Thank you, too, to the sponsors of SiRA and SiRAcon ’25:
- SiRA Organizational Sponsors
- SiRAcon ’25 Gold Sponsor
- SiRAcon ’25 Bronze Sponsors
Finally, thank you to the Boston Federal Reserve for acting as a phenomenal host yet again and to the YOTEL Boston for providing fantastic accommodations and space for attendees.
We look forward to seeing everyone again next year at SiRAcon ’26!