With the latest release of updates to the CyberStrong platform, we are dedicated to providing solutions that empower you to assess your cyber risk environment with the most accurate data and leverage your data-backed insights to the highest degree.
We’ve added updates to the governance dashboard and enabled data flow between CyberStrong and Snowflake environments. Additionally, CyberStrong users will have access to the full FAIR risk model for assessments and can assess likelihoods in years. Keep reading below to learn more about the new features we’ve added to CyberStrong and how you can leverage them for efficient cyber risk management.
Teams Access for the Governance Dashboard
With the previous iteration of the Governance Dashboard, only CyberStrong Administrators could create, edit, and view the dashboards. Global clients and service partners needed to build out CyberStrong Teams to manage each of their subsidiaries or clients and sequester assessments, data, and reporting.
We have added the ability to create individual dashboards for subsidiaries or clients and to limit access to the specific team. Teams will not have access to the other Teams' assessments, data, dashboards, or reports. Specifically, Admins can assign Teams to new and existing Governance Dashboards and remove Teams from existing Governance Dashboards.
Additional Details:
Observers will have “view only” permissions on the Governance Dashboard. Non-Admins on a Team associated with a Governance Dashboard will be able to view the dashboard.
The permissions for assessments are considered when displaying the values on the Governance dashboard. If there are no Teams associated with a dashboard, then only admins can access the Governance dashboard, and all information is displayed.
Contributors should not have access to the Governance dashboard or its endpoints.
Snowflake Push Data
Snowflake Continuous Control Automation clients want to centralize their CyberStrong data in their Snowflake environment. This update will enable these users to consolidate all of their data for custom reporting by leveraging existing reporting tools such as Tableau or PowerBI.
We have added the ability for an administrator of a CyberStrong customer to push CyberStrong assessment and risk data into Snowflake. The user must have a Snowflake data lake to leverage this new ability. This update does not require the user to be a Continuous Controls Automation client. Clients who have Snowflake and are looking for custom reporting can use the push feature, allowing them to use their existing reporting tools.
Full FAIR
Previously, the CyberStrong platform had a truncated version of the FAIR model that supported Loss Event Frequency and Loss Magnitude nodes to calculate Annual Loss Exposure. CyberStrong users and partners can implement the full FAIR risk model with this new update.
Under each FAIR field, there will be an option to expand to the child nodes:
- For Loss Event Frequency, there is an option to expand to Threat Event Frequency and Vulnerability.
- For Threat Event Frequency, there is an option to expand to Contact Frequency and Probability of Action.
- For Vulnerability, there is an option to expand to Threat Capability and Resistance Strength.
- For Loss Magnitude, there is an option to expand to Primary Loss and Secondary Risk.
- For Secondary Risk, there is an option to expand to Secondary Loss Event Frequency and Secondary Loss Magnitude.
Once the leaf node is expanded, the next level node is not editable, and the leaf node has required inputs of min, max, and most likely, where min <= most likely <= max.
When viewing the risk, nodes down to the leaf nodes are shown. The nodes between the read-only leaves will show the calculated mean and standard deviation.
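The roll-up described above can be sketched as a small Monte Carlo simulation; this is an added example, not CyberStrong's implementation. It assumes the standard FAIR relationships between the nodes, triangular sampling of each three-point estimate, vulnerability taken per trial as threat capability exceeding resistance strength, and constructed leaf values.

```python
import random
import statistics

# Constructed leaf estimates as (min, most likely, max); not values from the page.
LEAVES = {
    "contact_frequency":     (2.0, 6.0, 12.0),        # contacts per year
    "probability_of_action": (0.1, 0.3, 0.5),
    "threat_capability":     (0.3, 0.6, 0.9),         # 0..1 percentile scale
    "resistance_strength":   (0.4, 0.7, 0.95),
    "primary_loss":          (10_000, 50_000, 250_000),
    "secondary_lef":         (0.05, 0.2, 0.4),        # chance of secondary loss per event
    "secondary_lm":          (20_000, 100_000, 500_000),
}

def validate(leaves):
    """Reject any leaf whose three-point estimate is out of order."""
    for name, (lo, likely, hi) in leaves.items():
        if not lo <= likely <= hi:
            raise ValueError(f"{name}: need min <= most likely <= max")

def rollup(leaves, runs=20_000, seed=7):
    """Monte Carlo roll-up; returns {node: (mean, standard deviation)}."""
    validate(leaves)
    rng = random.Random(seed)  # fixed seed so results are repeatable
    def draw(name):
        lo, likely, hi = leaves[name]
        return rng.triangular(lo, hi, likely)  # assumption: triangular, not PERT
    nodes = ("tef", "vulnerability", "lef", "secondary_risk", "loss_magnitude", "ale")
    samples = {n: [] for n in nodes}
    for _ in range(runs):
        tef = draw("contact_frequency") * draw("probability_of_action")
        # Vulnerable in this trial if the threat outmatches the control.
        vuln = 1.0 if draw("threat_capability") > draw("resistance_strength") else 0.0
        lef = tef * vuln
        secondary = draw("secondary_lef") * draw("secondary_lm")
        magnitude = draw("primary_loss") + secondary
        for n, v in zip(nodes, (tef, vuln, lef, secondary, magnitude, lef * magnitude)):
            samples[n].append(v)
    return {n: (statistics.fmean(v), statistics.stdev(v)) for n, v in samples.items()}

if __name__ == "__main__":
    for node, (mean, sd) in rollup(LEAVES).items():
        print(f"{node:15s} mean={mean:12.2f} sd={sd:12.2f}")
```

The intermediate nodes (`tef`, `lef`, `loss_magnitude` and so on) are never entered directly; they only exist as statistics over the sampled leaves, which is why they are read-only once their children are expanded.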
Evaluate Likelihood in Years
Several clients were used to entering frequencies as X events per X years. They were struggling with entering, editing, and viewing frequencies in decimals. Users can now enter and display frequencies in the platform as X events per X year(s). They should be able to enter them in natural-language form, such as “1 event per year,” “4 events per year,” or “1 event every 10 years.”
Additional Information
This change in evaluation will impact all likelihoods on FAIR (loss, threat event, contact, and secondary loss frequency). It will also affect the threat event frequency and target threat event frequency on NIST 800-30. The events and years fields support one decimal place to the right and a max of 5 to the left (99,999.9 max).
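How such phrases map to an annualized frequency, with the field limits stated above enforced, is shown in this added example; it is not CyberStrong's parser. The accepted grammar ("N event(s) per [M] year(s)" and "N event(s) every M year(s)") and the function names are assumptions made for illustration.

```python
import re
from decimal import Decimal

MAX_VALUE = Decimal("99999.9")  # five digits left of the point, one to the right
NUM = r"\d[\d,]*(?:\.\d+)?"     # digits with optional thousands commas and decimals
PATTERN = re.compile(
    rf"^\s*(?P<events>{NUM})\s+events?\s+"
    rf"(?:per\s+(?:(?P<per>{NUM})\s+)?|every\s+(?P<every>{NUM})\s+)years?\s*$",
    re.IGNORECASE,
)

def _field(text, label, allow_zero):
    """Convert one numeric field and enforce the precision and range limits."""
    value = Decimal(text.replace(",", ""))
    if value.as_tuple().exponent < -1:
        raise ValueError(f"{label}: at most one decimal place")
    if value > MAX_VALUE or (value == 0 and not allow_zero):
        raise ValueError(f"{label}: out of range")
    return value

def annual_frequency(phrase):
    """Return events per year for a phrase such as '1 event every 10 years'."""
    m = PATTERN.match(phrase)
    if not m:
        raise ValueError(f"unrecognised frequency: {phrase!r}")
    events = _field(m["events"], "events", allow_zero=True)
    # "per year" with no number means a one-year period.
    years = _field(m["per"] or m["every"] or "1", "years", allow_zero=False)
    return events / years

if __name__ == "__main__":
    for text in ("1 event per year", "4 events per year", "1 event every 10 years"):
        print(f"{text!r} -> {annual_frequency(text)} per year")
```

Using `Decimal` rather than floats keeps the one-decimal-place check exact and avoids rounding surprises when the stored decimal frequency is converted back for display.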
Updated Executive Dashboard
The Executive Dashboard has been updated to clearly articulate risk in financial terms. Prior to this change, Industry Risks were listed financially, but were not sorted correctly, and the Cyber Risks widget was not sorted by financial dollars.
Top Industry Cybersecurity Risks are sorted by Annual Loss Expectancy (ALE) and by Annual Loss Exposure (ALE). The new update includes a new section for tracking Risk Remediation Projects associated with aligned risks.
Teams Access for the Executive Dashboard
Similar to the Governance Dashboard updates, the same changes have been made to the Executive Dashboard regarding sequestering dashboards for different Teams and changing access. As with the previous Governance Dashboard, only CyberStrong Administrators could previously create, edit, and view the Executive Dashboard.
Now, there is the added ability to create individual dashboards for subsidiaries or clients and to limit access to the specific team. Specifically, Administrators can assign Teams to new and existing Executive Dashboards and remove Teams from existing Executive Dashboards.
Additional Details
Observers have “view only” permissions for the Executive Dashboard. Non-admins on a Team associated with an Executive Dashboard can view the Executive Dashboard. The permissions for assessments are considered when displaying the values on the Executive Dashboard. If there are no Teams associated with a dashboard, then only admins can access the Executive Dashboard, and all information is displayed.
Contributors should not have access to the Executive Dashboard or its endpoints.