Integrating CyberGRX Ratings into Enterprise Ratings...

I'd like to know how other organizations have dealt with the challenge of correlating the third-party Inherent and Residual ratings with their ratings for other information assets that they have assessed (e.g. servers, applications, databases) for enterprise reporting purposes.

Naturally, the method used to assess those assets is different from the method CyberGRX uses to assess third parties.

Have you found that the CyberGRX inherent and residual risk ratings differ much from ratings arrived at using a different method (e.g. custom surveys, SIG, SOC2 reports)?