Analyze Risk or Rely on Critical Controls?
There are a few ways of looking at cybersecurity risk, and just as many schools of thought on how to decide which security controls are the most important to implement!
The CyberGRX platform allows for exploring a couple of different methods.
In the first, we dive deep into analytics, pulling in threat feeds, kill chains by industry, and lots of math to analyze which sub controls are critical to controlling risk in particular industries.
In the second, you can see whether any sub control is implemented or not and match it up to the controls you think are critical. Whether you want to compare a third party to the OWASP Top 10, the SANS Top 20, or any other set of controls, you can find matches in the descriptions in our control framework, create tags, or filter by sub control scores across your portfolio to see how your vendors benchmark against each other or the industry they reside in.
So... math or strategy? Or both? What appeals the most to you?