In 2014, the NIST Cybersecurity Framework (CSF) took the world by storm, aiming to help organizations to improve their ability to prevent, detect and respond to cyber attacks.  It has been translated to many languages and is used by the governments of the United States, Japan, Israel, among many others.  The Trends in Security Framework Adoption Survey, conducted in 2016, reported that 70% of the 300 surveyed organizations view NIST's framework as a security best practice, but, that same survey also found that 50% of

Today I had a really interesting conversation with a guy from Japan via LinkedIn.  It started with him trying to sell me some website design services, but when he realized their services weren't a good fit, he asked me a question.  He said "I checked a few websites - what is this risk management thing?  If we have this web design studio, how do we calculate our risks?"

Currently, SimpleRisk supports six different risk scoring methods.  We have Classic Risk, which is the likelihood-times-impact calculation you probably learned while studying for your CISSP.  We also support weighted likelihood and impact within that methodology.  We support CVSS 2.0, the Common Vulnerability Scoring System typically used to calculate the risk score associated with CVE vulnerabilities.  We support DREAD, the old-school Microsoft risk rating methodology.  We support the OWASP Risk Rating Methodology, which was designed for assessing application security risks.

This is just a short (1 minute) animated video explaining some of the capabilities around performing internal and third-party risk assessments with SimpleRisk.


As a CISO for a large enterprise, many times my first engagement with members of our internal teams was when they approached my team for assistance with evaluating the security of a vendor they were considering.  They worried that if they didn't involve us early enough, they would reach a point where a tool had been selected, but the security team wouldn't sign-off on it, resulting in many wasted hours of effort.  The challenge on my side was always that often times the team had multiple vendors they were evaluating at that point, and performing these risk assessments was a fairly time-inte

A couple of weeks ago I participated in a CISO Summit with a focus on the topics of Security Visibility and Incident Response.  At one point, towards the end of the summit, we fell on the topic of having a "Table Top Exercise (TTX)".  I have to admit that I'd heard of these before, but I'd never before participated in one myself.  But as these CISOs talked more and more about how it worked, who was involved, and the lessons learned, I was intrigued.
