Are you using tools for cyber risk quantification? What are they?

Security Strategy & RoadmapGovernance, Risk & Compliance
3.7k viewscircle icon1 Upvotecircle icon30 Comments
Sort by:
CISOa year ago

EPSS
CISA KEV
EXF

Director of IT2 years ago

Have you considered Cyber Quant?

Executive Director, Enterprise Infrastructure & Cybersecurity in Finance (non-banking)3 years ago

CPI and CAAT

Director of IT in Software3 years ago

Yes. RiskLens

Global CIO in Consumer Goods3 years ago

Yes, we use OneTrust GRC.

Content you might like

How are you addressing technical debt risk resulting from AI coding tools? Have you established specific processes to manage vulnerabilities in AI-generated code, and are you collaborating with software engineering or other teams using these tools?

Read More Comments

How does your organization handle security team involvement in change requests submitted to CAB/RAB — specifically in relation to formal security review and approval?

Always required – Security must formally review and approve every change request.

Required for security-impacting changes – Security reviews only changes flagged as having potential security implications. Please comment : Who decides which changes require security review and which do not ? Is this determination manual or automated? How do you avoid gaps or oversights in this process ?100%

Not required – Security does not review changes submitted CAB/RAB by other teams.

Risk-based or automated – Security involvement is determined by a tiered model or automated risk scoring within ITSM.

View Results

If you get hired by an SMB and you’re the company’s first/only security practitioner, where should you start? (Should you focus on SANS top 20 controls? Or start with the NIST framework?)

Read More Comments

We are on the cusp of conducting a pilot of AI tooling - we intend to use Gemini & CoPilot, providing training, guidance & policy to our user group.  Before we start we should conduct a risk assessment -  my question is: can you recommend a tool or template?

Lines of business other than IT should give input on how the security awareness & training program is designed.

Strongly agree11%

Agree69%

Neutral14%

Disagree3%

Strongly disagree

View Results