Quickly Customize Your Risk Management Program (using SimpleRisk.com)
by Josh Sokol (Creator & CEO of SimpleRisk)
When I first released SimpleRisk as a free and open source risk management tool at the BSides Austin conference back in March of 2013, it was because I created something that was useful to me, in my risk management program, and I thought that it might prove useful to others as well. At the time, the only options that I had were Excel spreadsheets, which didn't scale, or purchasing a bloated and expensive GRC solution. At the time, it was all of three PHP web pages: one to submit your risks, one to view and edit the risk you'd just submitted, and one to show you all of the risks in the system. I had focused on using the NIST 800-30 Guide for Conducting Risk Assessments as the basis for my program and, as I continued to add functionality to SimpleRisk, I tried to replicate that as a framework in programmatic form. If you look at the "Risk Management" section of SimpleRisk today, you'll note that it closely resembles the guidance in that document: submit your risks, plan mitigations, perform reviews, and turn risk management into a cyclical process.
Over the past six years, we've spoken with customers across just about any industry you can imagine. While the majority tend to use it for IT and cybersecurity risks, we've spoken with those who use it for construction, bridge and road safety, pharmaceuticals, insurance, occupational safety, and many other use cases. That's because SimpleRisk, as a tool, doesn't implement complicated workflows. We implement workflows that are universal to risk management, regardless of the vertical. Occasionally, we will have a customer who will come up to us with a very specific requirement of how they'd like their process to work, but very rarely are we unable to accommodate it. If presented with the option, most risk practitioners will take a simple, flexible design over complicated workflows any day.
As customer needs have evolved, however, so has SimpleRisk as a product. Over the years, we had many customers ask about customizing fields in SimpleRisk to meet their needs. We used to tell customers to create a custom language file and to re-purpose existing fields. While this approach worked for most customers, we felt like it fell short of expectations for an enterprise product, so in 2018 we introduced the Customization Extra. With this Extra, custom modification of the language file is a thing of the past, as users can create virtually any field they can imagine. Currently, custom fields can be added to either risks or assets in SimpleRisk. You simply select which one you are targeting with the "Field Group" dropdown:
From there, you give your custom field a name and choose what type of field it will be. Currently, we support single-select dropdowns, multi-select dropdowns, short text, long text, user select, and date select, but have plans to expand this functionality to include other content types in the future. That said, this tends to cover the vast majority of custom field use cases that we are asked about.
From there, you simply add content into the field (for dropdowns). So, let's say you are tracking assets in SimpleRisk and want to be able to easily determine whether or not an asset has GDPR data associated with it. You can easily create a field named "Has GDPR data?", of type "Dropdown", and create options for "Yes", "No", and "Unsure". Here's an example:
Now, I add my new custom field to my asset template:
From here, I can change the ordering of any of my fields, or even remove fields that I don't need, and save my template:
Now, all of my assets have this new, custom field, available to use:
The SimpleRisk Customization Extra is one of the few SimpleRisk Extras that we do not sell a la carte. Instead, we added it, at no additional cost, into our SimpleRisk On-Premise Premium package, as well as our SimpleRisk Hosted Large Enterprise offering. Now, our SimpleRisk customers have an enhanced ability to define their own custom fields using what was already an incredibly simple and cost-effective framework for risk management. In the future, we plan to expand this Extra into the Governance and Compliance sections of SimpleRisk, add options such as designating custom fields as required, and even integrate it into the Encrypted Database Extra to have encrypted custom fields. Just about any workflow, for any use case, is now achievable with SimpleRisk. If you are interested in experimenting with the SimpleRisk Customization Extra to see how it works, consider requesting a free 30-day trial today!