The CyberSaint team is dedicated to advancing the CyberStrong platform to meet your cyber risk management needs. These latest updates will empower you to benchmark your organization against NIST CSF 2.0 and assess and analyze your risk posture with data-backed insights.
We’ve added updates to risk ranges for qualitative and quantitative cyber risk analysis, improved industry risk presets, and published NIST CSF 2.0 as a public framework in the platform. Additionally, we’ve updated the industry risk categories to align with the standard industry risks and included Custom Word Report Templates.
NIST CSF 2.0
The newly updated iteration of the NIST CSF is available as a public framework for benchmarking in CyberStrong. Clients and partners can access NIST CSF 2.0 as a reference framework for assessments and reporting. The NIST CSF 2.0 Sub Categories have been uploaded as a public framework. Additionally, a new scoring model has been added to this framework:
- Partial (Tier 1)
- Risk-Informed (Tier 2)
- Repeatable (Tier 3)
- Adaptive (Tier 4)
The CSF 2.0 can be crosswalked to the CSF version 1.1 and mapped to NIST 800-53 Rev. 5 controls. CyberStrong has over 60 gold-standard frameworks built into the platform and can conduct cyber risk assessments on custom control sets.
Industry Risk Categories
Currently, manually created risks can be named anything based on the customer or partner requirements. However, those unique names may not align with the standard industry risks for the Executive Dashboard.
As an administrator of a CyberStrong customer, we have added the ability to select an industry risk for each manually created risk. Specifically, each manually created risk can be assigned one of the following industry risk categories:
- Access or Privilege Misuse
- Brute force
- Code Exploitation
- Compromised/weak credentials
- Denial of Service
- Environmental Factors
- Human Error
- Malicious insider
- Malware
- Misconfiguration
- Missing or poor encryption
- Physical
- Ransomware
- Session hijacking
- Social Engineering
- System Vulnerabilities
- Third and fourth-party vendors
- Unknown/Other
As an administrator, you can configure the Executive Dashboard to display individual or industry risk categories. If you select industry risk categories, all individual risks under the risk category will be aggregated and reported as a single Annualized Loss Expectancy (ALE) value on the dashboard.
Qualitative to Quantitative Risk Ranges
CyberStrong customers and MSPs have asked to simplify the entries for Threat Event Frequency (TEF) and Single Loss Expectancy (SLE) for NIST 800-30 and Loss Frequency (LF) and Loss Magnitude (LM) for the FAIR framework. This will enable users to quickly select values for the minimum, maximum, and most likely values if they are unsure what the value might be.
With this update, CyberStrong users can select qualitative values (Very High, High, Moderate, Low, and Very Low) and convert them into quantitative values (Min, Max, and Most Likely).
The qualitative values map to quantitative ranges as follows:
- Threat Event Frequency and Loss Frequency
- Very High: >1 Event per Year
- High: 1 Event Every 1-10 Years
- Moderate: 1 Event Every 10-100 Years
- Low: Every 1 Event 100-1,000 Years
- Very Low: 1 Event Every 1,000-10,000 Years
- Single Loss Expectancy and Loss Magnitude
- Very High: >$100M
- High: $10M - $100M
- Moderate: $1M - $10M
- Low: $100K - $1M
- Very Low: <$100K
These updates apply to users who leverage the FAIR risk model and NIST 800-30.
Industry Risk Presets
The current Industry Risks have preset ranges for revenue and company size. This limits the flexibility of the data sets. This update removes the ranges and allows users to enter their revenue and employee size directly when adding industry risks to provide higher accuracy with industry data sets.
This update will apply to all industry data input screens, including Home, Executive Dashboard, NIST 800-30, and FAIR.
NOTE: For customers and partners that have used the previous preset ranges, please review your settings, as they may have shifted during the migration. We used the average of the previous ranges to set the new values.
Custom Word Report Templates
CyberStrong Partners can now create custom reporting for their clients. This update will allow partners to send custom Word reports to their clients. This new addition allows partners and customers to upload a Word document template containing mail merge fields to their instance. Those mail merge fields will be filled in when the user downloads the report.
As an administrator, they can upload a Word template containing data, images, and table fields, collectively mail merge fields. When generating a report for a customer, the mail merge fields will be inserted into the Word template and exported as a Word document.
In case you missed our last product update, CyberStrong now offers Free Cyber Risk Analysis for all organizations looking to discover more about their top industry risks. In just three clicks, you can uncover your top industry risks and associated NIST 800-53 controls based on your organization’s industry, revenue, and company size. See your risks instantly and gain access to one of the world's largest cyber loss data sets.
For more information about the latest product updates, please contact your CSM. Schedule a demo here if any of these updates piqued your interest and you’d like to see how CyberStrong is a leading cyber risk management solution.