Content

CyberGRX Exchange

CyberGRX is a SaaS platform whose mission is to help customers and the third parties with whom they do business solve the challenge of risk management. It is built on NIST-based assessments, mapped to the ISO 27001 framework and can be mapped to most other frameworks as well.

Onboarding vendors is simple with a search feature for checking if companies are already in the system, as well as for any previously conducted assessments. Several vendors can easily be onboarded at once with bulk import functionality.

Assessments have three tiers: Tier 1 provides the strongest level of due diligence while Tier 3 is the shortest-self assessment. Their offerings range from automated validation all the way up to onsite validation. If no tier is present, that means a community member has never performed an assessment on that company.

You can easily order an assessment at the appropriate tier level based on inherent risk. You can also submit special requests to the vendor. A lot of behind-the-scenes automation takes place once an order is submitted. Assessments are built with a great deal of logic, and the skip-level feature simplifies completion by jumping sections that are not applicable based on provided answers.

Business exposure is scored as low, medium or high risk and is determined by standardized questions that are not customizable. Users receive a report on the back end to show which controls matter most for remediation. Everyone’s progress is trackable.

The Portfolio Overview shows company statistics accompanied by a colorful bubble graphic that visualizes the likelihood of a cyber event. Circle sizes directly correlate to the likelihood of risk. The assessment is based on the user’s industry, current threat intelligence and a security ratings tool. Also shown are outliers with higher likelihoods of being attacked and their impacts.

CyberGRX built a table that outlines different controls and scores them on maturity (on a scale up to five) and effectiveness (on a scale up to 100). Comments are invited on the scores for enhanced collaboration. The Top Risks Chart ranks risks from low to high, prioritizing remediation with top suggestions for moving a company toward an acceptable posture. A variety of metrics can be added for company comparisons.

It appears the CyberGRX team is attempting to shift the industry away from an aggressive assessment approach to one more focused on collaboration. Basic, no-cost support is offered through 8/5 phone support. Overall, we found this to be an intuitive, simplified platform.

Tested by Matthew Hreben

Product title
CyberGRX Exchange
Product info
Vendor: CyberGRX Price: The basic bundle is $50K. Contact: cybergrx.com
Strength
The ability for a third party to share its assessment with any upstream customer.
Weakness
We would like to have seen an option to customize the risk score questions.
Verdict
The simplicity of this product, paired with the ability to share dynamic risk data, makes it one to review for your company if you have the budget for it.

Related

DevSecOps Scanning Challenges & Tips

There are many ways to do DevSecOps, and each organization — each security team, even — uses a different approach. Questions such as how many environments you have and the frequency of deployment of those environments are important in understanding how to integrate a security scanner into your DevSecOps machinery. The ultimate goal is speed […]

It Should Be ‘Cybersecurity Culture Month’

It’s Cybersecurity Awareness Month, but security awareness is about much more than just dedicating a month to a few activities. Security awareness is a journey, requiring motivation along the way. And culture. Especially culture.That’s the point Proofpoint Cybersecurity Evangelist Brian Reed drove home in a recent appearance on Business Security Weekly.“If your security awareness program […]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.