Skip to content
NOW AVAILABLE Feature Release! Learn About Our Enhanced Capabilities for Prioritizing Remediation Learn more >>

VIDEO

Donut & Data: Exploring New PlexTrac Priorities Metrics

This informational on-demand webinar showcases PlexTrac Priorities, the industry’s first configurable context-based scoring engine. PlexTrac experts, along with Charles Snyder of CAI, walk through the benefits of risk prioritization and unveil our latest PlexTrac Priorities capability: metrics! Visualize reporting with easy-to-understand chart-based views that simplify stakeholder conversations and clearly show status and risk reduction.

 

Series: On-Demand Webinars & Highlights

Category: Product Features, Risk Quantification

   BACK TO VIDEOS

Transcript

Hey, everybody. Welcome. Excited to have you here. We’ve got our donuts. We’ve already started partaking in them and got some coffee to wash it down. So hopefully you all are in the same boat. And we’re just excited to talk to you about donuts and data.

Obviously, the data is where it matters. And so we’re excited to show off some of our new metrics in our priorities module. Let me advance the slide here, as most of you might know me, but if not, I’m Dan DeCloss, founder and CTO of PlexTrac. Really excited to have Charles Snyder joining us this morning, director of cyber at CAI. Charles, why don’t you briefly introduce yourself?

Hi. Good morning, everyone. Yes, I’m Charles. I used to go by Charlie. Charlie Snyder, director of cybersecurity. I’m located here in Louisville, Kentucky. And CAI, if you’re not familiar, is a global it services firm, and we do a variety of services. But in particular, though, my area is cybersecurity, we provide cybersecurity consulting and testing services for clients both in the public sector and in commercial. And when I get in there and talk about some of the things I’ve been working with PlexTrac in the last six months on is what I’ve seen the needs for my clients that I think in the past have gone unfulfilled with other platforms and services. So I’m glad to be here and be participant.

And as I go through my comments, feel free to ask a question or interrupt me if you need clarification on something. Great. All right, awesome. Thanks. Thanks, Charlie, for joining us. Katie, why don’t you introduce yourself as well?

Hi, everybody. My name is Katie Morelan. I’m a senior product manager here at PlexTrac. I’ve been working with an amazing team internally to deliver Priorities over the last couple quarters. And so super excited to talk about the future iterations that we have to show you today and answer any questions that you might have.

Awesome. Awesome. Well, thanks again for joining us, everybody. Let’s dive in again. This is a really interactive session, so we’re going to kind of introduce, hey, what are we doing with priorities? Right. So the whole goal of today is to show off our Priorities Module with our new metrics capabilities. Really excited to show this off. Like, like case, the team’s been working really hard. What can that do for you? What kind of problems can that help solve for you and your customers and your organizations? And how do we help you improve your security posture over time? And then what is Cai doing? And what is their use case? And so that’s why Charlie’s here today. Really excited to, to just explore all this with you all. So let’s dive in.

We’re going to start our first poll. So you’re going to have a poll question out to answer. Please answer now. I think this is a perfect time to take a bite of our doughnut and drink some little bit of coffee. And that should give everybody enough time to answer their question. But how do you organize and prioritize your findings from the various sources of offensive security testing and assessments? Is it a via spreadsheets, some kind of custom internal database, formal GRC program or just ad hoc or just maybe none? All right, everybody, try to see if we can answer your questions. Seeing some stuff come in. Okay. Looks like we’re getting some good results here.

All right. All right, so I’m seeing a lot of. I’m seeing a lot of. A lot of results flow in. I’m not sure if we actually have a pie chart breakdown as you normally do, but I’m seeing a lot of a’s. I’m seeing a lot of. Does that kind of jives probably with what we would have expected. A lot of people do it.
Here’s where the poll cut. The actual poll popped up. Yeah, I think it just. Little time delay on that one. Looks like it’s working.

All right, well, we’ll give you ten more seconds to put your poll into the actual window and then we’ll produce the results. So. But in the chat, I was seeing a lot of a’s come in, so sorry to make you vote twice.

Likely the culprit. I like that comment. That’s probably true. All right, so, yes, so it looks like here’s the breakdown. So we’ve got about half of you are saying from the spreadsheet or some kind of internal database, so that’s good to know. And so let’s dive into why we feel we need a single page and Katie, maybe help answer based on some of the work that you’ve done and some of the work with Charlie that you guys have been working on, maybe talk a little bit more about why we need a single pane of glass.

Yeah. So today we find that for many offensive security assessments, the data is disjointed and not flowing into one consolidated system where clients or your business units can come in and take a look and see what’s going on. One of the biggest problems that we’ve seen and heard is, first of all, we don’t have a place to put everything. And then how do we prioritize everything against one another? We start comparing apples to oranges. There’s business context that’s missing. So that’s a key thing as well. And then I think the last piece is just being able to track and manage your remediation in a streamlined and consolidated way for your particular clients or for your business units is really, really important.

Charlie, I know that you’ve got some comments here as well, but that’s really what we were looking to kind of accomplish with priorities. Thank you, Katie. Yeah, so I’ve been in this business for doing, doing risk assessments and audits for about 20 years. And a couple of things I’ve noticed prior to my engagement with PlexTrac is a lot of times and people who are doing audits or risk assessments or pen testing, the thing is treated like a one off project. So you go in and do the assessment, you deliver a nice fat report with all these observations and prioritize risk. And traditionally, one of the things that’s happened when you engage a consulting. Great, thanks for the material. And it goes, sits on the back deck.

And what I found is my clients have been needing help after the report in managing project managing. Like, I’ve got 15 open risks that I have to address, how do I do it? And giving them guidance. So we, we talk about developing a roadmap on how to improve your maturity and compliance. And one of the things in the past that we’ve done is when we did this with spreadsheets or other tools, we had to manage all those observations and risk in spreadsheets. So that’s number a there on that list. So I would create a spreadsheet with all the data, and I had to extract data from the report.

Then I’d have to put it in a team site or a SharePoint site so my client could see it. And inevitably, unless you’re really good at writing spreadsheets, you forget to lock down a cell and somebody goes and deletes something that blows up the whole darn spreadsheet. It blows up and you have to start from scratch. So I ran through a lot of problems just on the mechanics of that. The other thing is, what I’ve seen is that by using one pane of glass as you do a risk assessment, let’s say you have your observations or priorities from that, then you want to follow up with a pen test and you can feed into one single platform. Here’s all the results from the risk assessment. Here’s the results from our pen test. Here’s the results from our purple team, and they all relate together.

vCISOs, CISOs, it directors, they complain to me, and I was at a conference recently and people complain. I’m trying to manage too many dashboards. I don’t know where all my risks are. So that’s one of the things I’m trying to solve for my clients.

Yeah, couldn’t agree more. And I think at the end of the day, what I’ve always emphasized is like, somebody has to get the work done, and how do you know what you’re supposed to be doing if you don’t have all the data in the same source, being able to help with all the prioritization. So that’s what we’re excited about to be able to offer through priorities. And you’re going to get to see it here in a little bit. So we’re excited to show it off to you, but really want to talk through like the need of it and then all the other use cases. So let’s dive into another poll question here. Let’s see if we can get this poll question up so you don’t have to enter it into the chat.

We’ll have it into the, into the little poll scenario there. So. But do you have a process to assess and analyze vulnerabilities and threats and if so, how you can also think of this or managing your risk? How do you. Yeah, what do you, you know, when a risk or a threat comes up, how do you quantify or qualify how risky it is? And how do you make a decision on where it fits on the priority scale? Yeah. Like which one should I work on first? Right? Yeah, exactly. So I think another perfect time for a bite of these delicious donuts. So I just go to the question, we don’t have a process, we’re ad hoc. You have some other analysis tools, you have a policy and people follow a procedure from that policy. It’s an ad hoc discussion group. Or actually, I added this one in yesterday because my experience is showing this one to be whoever screams the loudest. That’s what gets priority or the squeaky wheel gets the grease. Yeah. And that happens in organizations. You got one manager, one director, who seems to have the ear of everybody and their problems always get the priority.

So answer honest, as honest as you can. Yeah. All right, well, we’ll close it off here in about 3 seconds and then let’s see the results.
Okay. All right. Very interesting. Kind of distributed a lot between other analysis tools, policy with defined rules and just discussion team-based. And I think that’s probably fairly accurate. Right. With organizations, they probably have some form of way to communicate and discuss.
But how do we bring some of that objectivity into it? We don’t always want to base things off of gut feel. That leads into how do we understand, how do we bring some objectivity into something that is somewhat subjective? Katie and Charlie, I’d love to hear your discussion around our custom scoring and aspects.

Yeah, certainly. With all of those different. All of those different methods. Right. The thing that keeps coming up is how do we understand what the business impact is, and then how do we quantify it? And so our teams invested in something that we’ve called contextual scoring, and that’s something that you have the ability to come in and basically create and work with either your client or any type of stakeholder to be able to define what that scoring model might look like for you and how.

And that would help rank your priorities or your risks or those bigger areas of focus. And so for us, really, there will be a discussion with your stakeholders. I know someone just mentioned in the comment. Discussion or team base would be ideal sometimes, but there’s too many meetings already, and that’s too much time and effort. Well, we’re hoping that this will provide at least a framework and something that can be pulled up on screen and can be discussed. So are there specific flavors of various pieces of data that are on your findings and assets that could be created and could show that, hey, these particular items, if they’re falling within this equation, this is actually a higher risk for us as an organization, and that’s different. Organization to organization and industry to industry. So, Charlie, I don’t know if you want to expand a little bit on this in your particular use case and how you’ve seen this be useful today?

Well, a couple of different versions. One is, of course, like risk assessment or NIST, CSF assessment. You can then categorize it based on different aspects. But an interesting use case that came up, actually, about a year ago from one of our clients who’s a major passenger rail provider, and we were developing vulnerability and pen testing training programs and procedures for them. So one of the things we tried to highlight was you just can’t take the raw score out of Qualys or Tenable and say, that’s the highest priority.

For instance, I could have a high score on a server that. Okay, it’s a back-end office server. We don’t use much. No real critical data on there. Is that really that important or you have a moderate risk vulnerability on your most critical e-commerce server, that if it goes down, you’re shut down. And so you can leverage things like the number of assets, the number of findings, the criticality of the assets. And I explained to the client of time that you need to develop a formula for this. And what you can do now is actually to take that formula and build it into the PlexTrac tool. So you get the results from your pen testing, let’s say, or purple team, and it will automatically score it.

Now, caveat is, you probably also need to go back and do a second view. I don’t trust computers. The answer, always go back and look at it a second time. But it will help understand and explain to folks that it’s not just a raw vulnerability score that drives you or a risk assessment. A critical vulnerability on a risk assessment may or may not apply to your organization because you don’t have that asset involved.

Yeah, I think this is one of the most powerful elements of our priorities module, and it’s one that I’ve always really been excited about, is because of what you just said, Charles, is in terms of being able to collect the data from various sources and everybody scores their elements differently, but you still need to bring it into your context and have some of that objective nature to it. Right.

It’s not just a discussion at that point of like, hey, well, this pen test said that this finding was a medium, but we think it’s a high because of x, y, z. You can actually apply an objective algorithm to it that you’ve also set up to help highlight the business impact. Because the nice thing about this is that it’s open, right. A lot of other vendors will have this type of scoring for your risks kind of closed off, and you don’t really know what’s going on behind the scenes. But then you can also then be able to distinguish if it’s based on assets that are in a specific DMZ or based on the lab or findings that are related to certain compliance controls. These things all help bring that context for your business together. And you don’t have to kind of always have them in the back of your mind for those discussions that you have.

And also, someone also made a comment, I think that was very apropos. Like, we already have a ton of meetings. We don’t need more meetings to try and discuss what the prioritizations are. Let’s actually use the contextual scoring, let’s use the contextual scoring algorithms that we’ve put into PlexTrac to help provide that contextual view, that risk based priority. And then you can really just have conversations around, what’s the status of this? Who’s working on it? I don’t know if there’s anything else either of you wanted to highlight there, but I think this is a really important piece of.

That’s the last bullet point there is, creating that risk catalog. And then you actually, there’s other capabilities we won’t go into here is you can come up with standardized risk statements and in the priorities, put your risk statements, and then you can, you know, got an observation and a recommendation. That’s a priority. You also tie it to a risk statement and give that risk rating through there. Yep, exactly. Yeah. Like this, what I like to kind of refer to as this living risk register.

Right. So. Okay, so let’s see one more poll. All right. How do you report cybersecurity risk and issues to leadership and non-technical stakeholders? I think this is a really important question, another key aspect that we drive home, but we’ll give you a few minutes or a few seconds to answer this poll. Maybe take another bite of donuts and a sip of coffee.

So, Katie or Charlie, what flavor of donut are you enjoying right now? I’m having the cinnamon sugar. It’s delicious.

I’m doing the red velvet. It’s really, it’s really tasty.

I had mine before the meeting because I didn’t want to make a mess, but I had the lemon pistachio.

Yeah. I think this is a two-part question. So we’re going to have the first part, then we’ll, I think we’ll meet, review the results, and then we’ll move to the next sub bulletin. And I want to talk to you about what this means. Okay. All right.

All right. Let’s close the poll and then see what the results look like. Okay. So, again, kind of a fairly balanced in terms of the periodicity of it, but how and how it happens, whether it’s monthly status reports, periodic reviews, formal annual reports, those two kind of tied out, which is interesting. Uh, and then just some form of a combo. Right. Um, so, yeah, very interesting stuff. Okay, let’s see. So let’s dive into the next one, which is. You’ve done that. How do you feel it’s working?

So we’ll do one more quick poll. And I think. I think, Charlie, you’ve got some interesting insight here as well. Yeah. Um, so as you’re answering this now, just be caveat is with the PlexTrac metrics module will make it much easier for you to grab, especially day-to-day operational metrics like hey, where is the status of this Joe, have you got this done? Be able to provide, when you see the demo, you’ll see, be able to grab some screenshots of nice graphics that you can send to executives. One other thing I would like to say to all my IT leaders out there, the responsibility to ensure your communication is effective is solely on you. It’s not on the board of directors, it’s not on the C suite.

I know it. People and engineers like myself, why don’t they get it? I explained it perfectly. I explained the CVSS score and the vulnerabilities from the backend Linux server. Why don’t they get it? Ensuring that they understand it is on you. So whatever methods you come up with and however you plan on using PlexTrac to support that, reach out and get feedback. Yeah. See if people are actually understanding.

Ask detailed questions. Mister C Suite, madam director, on the board of directors, whoever you’re reporting to, what does this data mean to you and are you getting the information you need to make the decisions from a business perspective? That’s why I like that. Yeah. Yeah. All right, let’s see the results. So a good amount, feel that yours is effective, but I uh, maybe only moderately so. So that’s, that’s good to know.

Like hey, uh, but then there’s a, there’s a strong contingent that says, you know, like that’s maybe not, I mean, not quite as adequate as they might want. So I think with that, let’s just talk about how do we, how, how, what are we going to be able to show our customers and our pro, you know, our, the market around what, what PlexTrac can do from a priorities perspective. Katie, take, take this one away for sure. Yeah. So I think one of the advantages of PlexTrac is the ability to create and deliver those reports from your offensive security engagements. But with Priorities we’ve now been able to not only consolidate into kind of that single pane of glass, but we’ve also created that priorities metrics experience, where a business unit, a stakeholder, a client can come into, can drill into the metrics and take action on the items that they need to. It doesn’t necessarily have to live in a word doc or a PDF, it still can.

But we are starting to make the transition to allow more flexibility in app through priorities metrics. One of the things that’s really nice is being able to track progress over time and to see a breakdown of assignments. So not only for our security providers that want to be able to track maybe how their customers are moving forward on completing items to improve their security posture, you’ll still have that view, but also it will work for clients that want to come in and then do the same thing and manage kind of their teams.

Charlie, I don’t know if you want to talk a little bit about your kind of export and how you’re kind of choosing to report out to your stakeholders.

Yeah. So a couple of things going back to us talking about spreadsheets. In the past, I was having to maintain a separate spreadsheet and having a periodic review, and we’d actually would have one of my clients, I’d had the it and the OT or the engineering team on a 1 hour call, and we would walk through this because I was maintaining it on my end. We’d have to walk through line by line items and think, there’s an hour with, you know, two consultants being paid and, you know, two directors, two managers from the company. So money is going through and just update the status report. So one of the things, too is, and I was having to create, manually create graphs and charts.

And again, unfortunately, consultants do charge for their time. So if I take an hour creating a PowerPoint presentation for your quarterly review, that’s just the nature of consultants. We’re going to charge for that. So if we can make build this built in, so the results provide you the graphics that you need.

Again, you can use this from operational. Like, I assigned Bob to get that MFA implemented on that Office 365 server. Has Bob done that? You can manage day-to-day that way, but you can also report on things like, okay, mister executive, last month we had three critical open issues. This month we only have one, and we’re going to be due. We’re going to be done by next month. That’s a much better conversation to have, instead of fumbling through a bunch of paper and you don’t have a good answer.

Yeah. And I think this is the adage that we tend to emphasize, is that the document is still a valuable artifact of the engagement and the report. But it’s a snapshot in time. Right? And what we’re now providing with priorities and our metric and our new metrics is that ability to truly see the trends and the progress. Because at the end of the day, everybody wants to understand, like, are we improving? Are we getting better at our security posture, and are we focused on the right things? And that’s the whole goal around priorities. And just in general, that’s what a security team really should be focused on is like being able to track the highest priority issues, report on them effectively and be able to show progress.

Okay. With that, let’s dive into a demo because I think this is what everybody’s excited to see. So Katie, take this away. Yeah, just give me 1 second. I’m going to get my screen set up and thanks everybody for participating in the polls. As we once we close out the webinar, we will do a little raffle for all the prizes. Stay tuned.

All right, so right now we are inside of PlexTrac. And right now this view is not really white labeled at all. This is kind of just that out of the box experience. We are looking at clients and today I’m going to kind of show you and walk you through our particular example for our client named Rogue one.

So as Charles had mentioned, their particular use case, they’re going through and executing pen tests and then also following along with additional assessments. So inside of PlexTrac, you have the ability to be able to run multiple offensive security engagements, whether that’s pen test, whether that’s purple teaming engagements, a various smattering of assessments or questionnaires, and all of that data is brought in and dumped into a particular client view.

So here we are. We can see that we’ve been engaged with this customer for some time. We’ve got quite a few different items and assessments in here. So what we’ve done is we ran a kind of a assessment looking at NIST CSF to kind of see where we might want to recommend and improve this client to maybe structure their organization in a little bit of a different way. And so what we have done is after that assessment, we came in and I looked at a couple things.

So first, these are a couple of just examples. Priorities is very flexible. So you can name these in any way you want. You can use this based off of a framework or based off of just things that, you know, are maybe golden rules that you want to be able to ensure that clients are following. But in this case, we’ve decided that we’re going to be communicating to this customer through those kind of categories from NIST CSF. So we’ve looked at kind of two specific areas, asset management and then that govern piece. I’ve also highlighted that you can get a little different with the naming down here.

So if you take a look, we’ve got a couple different options in here. And what we’ve done is we’ve come in and we’ve analyzed our findings in the analytics tab. We’ve started to draw some conclusions after reviewing the reports and reviewing all of the different assessments that had come up. And we’ve come in here and we’ve actually selected findings that are related to this goal around improving their asset management. Right. So we found that their policies and procedures are maybe lacking or maybe there’s certain things just specifically around asset management, like their tooling that’s lacking. And so what we’ve done is we’ve been able to come in and gather the evidence from all of the reports and all of the engagements that have happened previously to be able to link those to this priority as evidence.

And we also have the ability to link and call out specific assets as well. So this experience is pretty straightforward. You have the ability, we have a picker here that pops up. You can kind of filter down and filter through and then make your selections as needed and then they go ahead and link to this particular priority. So this is just kind of walking you through like initial creation. This can also be done if we’re looking at, if we’re looking at a particular client and we want to come in through a different method. So if we jump back into rogue one, we can see that the priorities for this particular client are listed here in this tab.

If we wanted to jump into a specific report. So say there were findings from that NIS CSF assessment that we had done that we want to be able to link to govern. We can do that as well by just jumping into this report, making a selection and we’ll give this a little second to load. You know how the demo gods are sometimes. And then we can go ahead and link and make that selection and we’ll go ahead and drop this one into asset management and then we’ll link. If there were assets that were associated to these particular findings, we would have the option to make the selection there as well. So there’s really kind of multiple areas that you can add and create these priorities from.

Now, I wanted to just show you really quickly what this looks like for Rogue one. So our client can come in and see their kind of client portal experience of PlexTrac, whether it’s been white labeled or not, is totally up to our customers, but they can come in and see that we have priorities listed here. Obviously, this is all permission trimmed and making sure that you have the appropriate permissions to see this. But one thing that’s kind of interesting is we have four priorities that we’ve kind of identified that we want the team at Rogue one to kind of focus on to improve their posture moving forward, we can see that they’ve made a little bit of progress on that asset management one.

And you’ll see here in this column, we’ve got something called a contextual score. So what we did at the beginning of the engagement, and as we’ve continued to deliver those offensive security assessments and those multiple, multiple pen tests quarter over quarter, what we’ve done is we’ve tweaked their contextual scoring equation specifically to tailor to their business needs. So if you come in here to admin, we drop in. You see that there’s a default equation that PlexTrac has provided. But what we’ve done is we’ve gone in and we’ve created a custom one specifically for rogue one. And we’re going to call it risk quantification score.

And then we’re going to jump to the next screen. So you’ll see that we have identified a few different variables that we think are key and important with the client. One of the biggest ones was source data. So where is this data coming from? The next was determining ranges around asset criticality.
So if any of the assets that are associated to a priority are critical and that asset count is greater than 60%, that has critical. We really want to bump that score up higher. So this gets a little bit, there’s quite a few options. There’s a ton of flexibility here. You can add conditions around various pieces of data from findings and from assets. But one of the newest things that we’ve recently released is you can now use the custom fields that are found on findings in your contextual scores.

And so what this does, for example, if you had data that’s coming in from tenable and there are some threat intelligence values that are, or exploitability values that you think are really key and really important, and you want to pull those into an equation, you are now able to do that even if PlexTrac doesn’t have that particular field out of the box quite yet.

So we’re going to go ahead and click save. If you just, you can see here, actually before we do that, that we’ve got the ability to determine the asset type, we could determine scores. So if there are particular finding scores. And in this example, we have CVSS 3.1. But we actually recently introduced our 4.0 calculator. So we could actually make some changes here as well. But we’re going to go ahead and click save and then that equation has been saved and we’re going to go ahead and enable this.

And so this equation is only being enabled for rogue one. So it’s only going to be used for that particular client. If we wanted to, we could come in and create a contextual score for each client, could have an individual equation based on their special nuance, or you could create ones based off of industry, say maybe there’s some consistency with your customers that are in healthcare and you want to be able to just filter those across all of those particular clients. You’d be able to do that as well.

So we’re going to jump back into, we’re going to jump back into rogue one and we’re going to take a little look here. And so you’ll see that we had other scores that were showing here when we had the default equation enabled, and now we’ve changed it to that particular rogue one example. And you’ll see that the asset management is coming out on top as the most important priority for that particular group to focus on based off of their context and what they’ve created that contextual scoring equation around.

So we’re going to jump into metrics. I know we’re kind of leading into it, but I did want to give you guys the ability to just kind of see how we’ve structured this. And then if we jump back into priorities, we will continue to be kind of iterating and moving this metrics tab and filling it through the rest of the priority spaces where you can see it in clients and in other areas. But today it’s housed inside of the priorities module. We’ve expanded our filtering. So for those of you that are familiar with our analytics module, we’ve kind of expanded here. And what you can do is we’re going to go ahead and drop back into rogue one.

And in this example, I’m a practitioner working for an MSSP that has access to many clients. So I can see more things than what a client would be able to see if they came into, if they came into PlexTrac. So in this example, we filtered down to row one and we can see that we’ve got four priorities here. We can see that two of these priorities are currently past due. If I click on the widget, you can see our asset management that’s still showing that contextual score along with another that that’s open but not quite in process. You’re able to come in here to jump in and click into the priority and make, make changes as needed and evaluate additional pieces of data.
We have a couple other indicators up here as items are being closed out, and I’ll actually switch into another environment that’s got a little bit more, got a little bit more data just so that you guys can see.

As more and more priorities are filtered through, we’ll have more information around priorities that are within a certain target date, what you can expect from a mean time to close. So at this point, on average, these priorities are showing a mean time to close of about 180 days. And then we also have the ability just to show a quick snapshot of how many have been created in the last seven days. And then this is indicating, of all the findings, how many have been linked to a priority to kind of help drive some discussion around. There are some gaps. So in this example, you can see that only 4% of the findings for this particular example have been linked to priorities. So that might be something that you want to drill into to see if they need to be, need to be organized or assigned.

As we look, I’d like to add that as your role as an IT security leader is understanding the difference between a KPI and a KRI. If you’re doing any GRC work, this has a little bit, do a little bit of both. A key performance indicator are things, in my mind, how fast are we closing issues, how many, how many resolutions are we closing? The meantime, the closure, combined with your other data, things like number of failed fish temps and things like those, are key performance indicators. But also you can start developing key risk indicators that we still have x number of critical risk open, or we have x number of high risk of these assets open. So you’re able to report both performance of your cybersecurity team and the remaining risks to the organization.

Yeah. That’s a great call. Thank you. One thing I just about this is being able to dig into the data. Right. It’s nice to see the graphs, but to actually see the data behind it, I think is so powerful and I think a lot of folks are going to enjoy being able to interact with this so much. And again, one of the things that I’m setting up of my, as an MSFP, I’m giving read access, limited access to their data and their priorities.

And the goal is I’ll teach them the fish, I’ll teach them how to maintain this and get the reports. And the goal is let them manage it because it’s their observations, their risks, their priorities, not mine. Let them manage it and it’s a lot easier. And they have access to this tool. They can manage this a lot better than me sending a PDF document and then they have to go track things down manually.

Exactly. Yeah, exactly. For sure.

So there is some additional pieces of customization. We can, you know, remove specific statuses if you’re only interested in the items that are open or closed. And we can kind of set that back up. We can toggle between pie charts and bar charts for some of these examples and then also look at various status by various scoring options. So contextual scoring is something that doesn’t have to be applied to priorities. We do have a traditional likelihood and impact slider that’s also available.

So if, you know, initially, if the contextual scoring is a little bit too complex for maybe what you’re looking to provide, there are other options, and we kind of show those and filter that through here. One thing that’s really exciting, and Charles, I think it’s something that also kind of highlights your teach them to fish comment, but being able to evaluate and track progress based on owner.

So there are a couple different owners on priorities. We have somebody that’s the main owner of that priority. That could be a practitioner, it could be a provider, it could be somebody else, may be a manager of a business unit. And then there is also the option to have someone that’s actually owning the treatment or owning the remediation and what that process looks like. And so you do have the ability to come in here and drill down and take a look at those priorities that are assigned to specific individuals.

And if there’s been no owner assigned and you need to do that, you can come in here and do that as well. Let me get a little use case on that. And I had that client, so I would assign observations or priorities to a manager level. Then they would tell me, well, I’m assigning that to Steve, and I’m assigning this one to Joe. And again, with a spreadsheet, I had to have multiple columns. It’d be like, accountable and responsibility. This again will allow the client or your user to say, okay, I’m the owner of this. I’m accountable because I’m the director of network. So I’m accountable for doing the network segmentation project. But I’ve got two engineers working on it. And you could even break that up and you can, what’s nice about the treatment field is you can make updates in that treatment field too. Well, we got the policy issued, and you can say, next step, issue the procedure. Next step. And you know, this is a project management tool then, too.

Yeah. And just so you guys can see, this is what our priority form kind of looks like today. A lot of different options as far as indicating status and severity but then also kind of our similar experience that we have elsewhere in platform around these particular fields. And we’re continuing to invest here. And so here’s that likelihood and impact slider that I had mentioned. We’re continuing to invest here and in the future, envision more automation and those types of things. But this is kind of what it looks like today.

All right, so jumping down to the last two, the last two items. So just specifically calling out, finding tags that are associated to priorities and then asset tags as well. And so this is something that, this is something that we have tried. We know tags are very popular inside of PlexTrac. It gives you a lot of flexibility. But we wanted to be able to highlight some of those key and important ones that are sitting on, you know, critical priorities in the example that I just gave you here. And then these ones over here are showing that they have actually have no criticality.

So just to give you a little bit more information, allow you to have some flexibility. And, yeah, and these items today we are, you know, evaluating how to get these into those report exports. But today they’re definitely screenshot friendly, definitely can be zoomed in and zoomed out to get you what you need. You can remove specific statuses, change those formats to pie charts and bar charts, and kind of unlock you a little bit as you start on your priorities journey.

So, Charles, I think that’s, that’s mostly all I had wanted to kind of show today. Was there anything else that you wanted to highlight?

Not this time. I think we’ve got a couple of comments at the end here.

We’ll move on to those then.

Yeah, yeah, yeah, no, that’s great. So, yeah, I will bring that back up. Katie, I think I’m going to need you to stop sharing here. Yeah. Okay.

And let’s bring this back into slideshow. Okay. So we really walked through, like, how priorities can help you. One, bring all the data together and be able to consolidate that into prioritized elements. Be able to apply an objective algorithm that is contextually relevant to your organization or to your customers’ organizations, and then be able to actually track the progress, which is the most, I feel it’s like the most important part. Right. That’s where people are getting the work done.

And this is how you’re actually showing that you’re improving your security posture. And so that’s what we’ve been able to kind of bring together for you with the priorities module. And then let’s see. Charles, did you have any kind of final words for the webinar today?

I’ll just say it’s a, you make whatever it is. And I’ll just say working with PlexTrac has been a good experience for me because they’re responsive, because I have a particular way of doing things.

A little background. This was something that I was trying to work with other platforms with for some time because other platforms would do this analysis and like on a pen test, would spit out 137 findings. Try taking 137 findings to a C-suite and get an answer on that. And we would always have to manually put these things together in cohesive analysis and saying these 27 findings relate to out-of-date Linux servers, these 15 findings relate to blah, blah, blah, getting actionable data.

And I’ve seen some of my competitors literally generate 100-page reports that you read and you can’t make sense of. So it’s again, putting them, putting the message to the people who make decisions so they can make decisions.

Awesome. Yeah. And we’ve loved working with you too, and we love working with all of our partners and customers. So. All right, so I’m going to hand this back over to Hope, who’s going to close out the webinar and do the raffle for all. Everybody that’s been patient and we appreciate everybody in their time today. So thank you and thanks Charles, for taking time with us. Thanks Katie, for showing off a great demo. We’re excited to talk with you all more.

So before we do the raffle, I’m just going to do a little plug for Katie and me in Austin, Texas. On the 13th of August, we are doing a presentation on a custom-developed questionnaire that PlexTrac developed with me that we’re going to be leveraging the priorities module. And basically the conceit was everybody gets hit with all these cyber insurance questionnaires and they’re all done one off and they were forgotten. So we have developed with PlexTrac a cyber insurance questionnaire that takes an input from like eight different brands of cyber insurance, mapped them to the NIST CSF framework, and able to measure compliance and maturity and give a report also on a partial NIST CSF assessment. And so we’ll be doing a presentation in Austin on that and hopefully if you’re in Texas, you can come by and check that out.

Thanks, everybody. Thanks for your time. Katie and Charles, thanks again. It was a great, great time today and we’re excited to bring Priorities and the Priorities metrics to you all so that you can continue to improve your security posture and make your organizations and your customers as safe as they possibly can be. Have a great day.