Cyber risk report
The cyber risk report provides a structured view of an organization’s cybersecurity risks, current security posture, and risk mitigation strategies. Use this report to get clarity, transparency, and actionable insights about cybersecurity risks and their potential impact on your business objectives.
This report serves as a strategic communication tool, bridging the gap between technical cybersecurity operations and business decision-making. It enables leadership to make informed, risk-based decisions and aligns cybersecurity initiatives with overall business goals.
Create your analysis dashboard using the customizable reporting features. Adjust visuals and layout, and add narratives for board discussions. You can also share your dashboard with Boards sites, enabling seamless sharing and publishing of reports within the Diligent One Platform.
Accessing reporting templates in Activity Center
Prerequisite
The reporting templates must be deployed and enabled for you in your Activity Center. For assistance, contact your Customer Success Manager.
For information about accessing and using reporting templates in Activity Center, see Use Diligent One dashboards as templates.
Connecting dashboards to Boards sites
For information about connecting Activity Center dashboards to Boards sites, see Diligent One: Connecting Activity Center dashboards with Boards sites.
Understanding the dashboard structure
The cyber risk report offers several key features designed to provide comprehensive cyber risk insights and facilitate data-driven decision-making. The dashboard structure consists of six tabs that allow you to craft a narrative and present results to your board. It includes visuals and KPIs indicating current and emerging cyber threats and vulnerabilities, and a historical view of your organization's cybersecurity performance and improvements. Select each tab below to learn more.
This tab presents a concise overview of critical cybersecurity insights tailored for board-level discussions. You can see contextual information alongside key metrics selected from other sections of the report, ensuring that the board can make informed decisions based on a clear and focused narrative.
Available visuals
The following visuals are available in this section:
Executive Summary
Use this section to provide strategic context, highlight trends, and detail risk mitigation efforts, facilitating quick executive decision-making.
Threat Landscape
This visual presents insights into the current cybersecurity threat landscape, summarizing relevant threats faced by your organization.
Benchmarking
This section highlights historical cybersecurity risk ratings from platforms like BitSight, allowing comparisons against industry standards.

- BitSight Risk Ratings: The BitSight risk ratings are numeric scores ranging from 250 to 900, based on real-time, objective, and non-intrusive data collected from publicly available sources. Use the line charts to view the historical cybersecurity ratings of your organization. This visualization helps you track the trend of cybersecurity effectiveness over time.
- NIST Cyber Security Framework Maturity: The maturity framework, developed by the National Institute of Standards and Technology (NIST), provides structured guidelines, best practices, and standards to help your organization manage and reduce cybersecurity risks. The maturity levels range from "Adhoc" to "Optimized," indicating the progression from initial, unstructured practices to fully optimized and integrated cybersecurity processes.
Key Risks
Get details of the most pressing cybersecurity risks, including their status and any necessary actions for mitigation.

- Summary: Prepare a concise overview of the most critical risks that have been identified, their trends, and any changes since the last review.
- Risk Register: Highlight critical risks that have shown significant changes since their last review. The table includes risks that are deemed critical based on severity, risk scoring factors, and other agreed-upon criteria. It describes efforts such as remediation plans, the owner of the risk, and the timeline for addressing the risk.
- Critical Risk Overdue: This visual highlights the status of critical risks, distinguishing between those that were completed on time and those that were overdue.
Incidents
This section summarizes the frequency and nature of cybersecurity incidents reported, presenting this information in a comprehensible format.

- Summary: Summarize the number of critical incidents reported in each quarter, along with the actions taken to resolve them and any pending actions.
- Incidents per Quarter: This graph illustrates the number of cyber incidents logged and reported within each quarter of the year.
Initiatives
Get details of the ongoing or proposed cybersecurity initiatives that seek to enhance your organization's security posture.

- Completed and Outcomes: Highlight significant initiatives that have been completed and their impact.
- Prioritized: Highlight key or strategic initiatives that have been prioritized for the next quarter and their expected impact.
This tab provides definitions and explanations of all the key terms, KPIs, and technical concepts included in the cyber risk report for quick reference. It enables you to have a common, accessible understanding of the complex or technical language used elsewhere in the report, supporting clear communication and more effective decision-making.
The following terms are explained in this section:
- Vulnerability Management: A proactive process aimed at identifying, assessing, mitigating, and monitoring vulnerabilities in an organization's systems, networks, and software to reduce cybersecurity risks.
- Scanning Tools: Tools used to identify vulnerabilities and assess security risks within an organization's IT infrastructure. They support the continuous monitoring and analysis of systems to detect security weaknesses that could be exploited by attackers.
- Penetration Testing: Identifies vulnerabilities, weaknesses, and security gaps in an organization's IT infrastructure. It helps assess security defenses, determine potential attack vectors, and mitigate risks before real attackers can exploit them.
- Security Incident and Event Management (SIEM): Software that consolidates an organization's security information and events in real time. It plays a vital role in identifying, managing, and responding to security incidents by providing a comprehensive view of an organization's security posture.
- Incident Management: A structured process to minimize the impact of security incidents, restore normal operations quickly, and prevent future occurrences.
- NIST Cyber Security Framework (NIST CSF): A framework that provides structured guidelines, best practices, and standards to identify, protect, detect, respond to, and recover from cyber threats.
This tab helps you track the status of audits across products or services, referencing common frameworks such as System and Organization Controls 2 (SOC 2) and the Health Insurance Portability and Accountability Act (HIPAA). Get a summary of recent audit results, identify areas of non-compliance, and see which products or domains have passed their checks.
Available visuals
The following visuals are available in this section:
Compliance/Audit
Use this section to capture the status of your audit reports per product or service.

Audit Report Status (per Product / Service): This chart illustrates the status of audits conducted on various products or services. It shows which products or services have been audited, the audit frameworks used, such as SOC 2 and HIPAA, and the status of these audits.
Security Training
Use this section to track your security training analytics and prepare your security awareness campaign completion report.

Security Awareness Campaign Completion: This chart tracks the completion of security awareness programs, indicating the percentage of employees or contractors who have completed mandatory or voluntary cybersecurity training.
Penetration Testing
Use this section to summarize outstanding identified issues by severity and the mean time to remediate high-risk issues.

- Outstanding Identified Issues by Severity: This chart displays the outstanding issues identified during audits or compliance checks, broken down by severity. Severity is rated as critical, high, medium, or low. This helps in understanding the proportion of issues at each severity level.
- Mean Time to Remediate High-Risk Issues: This metric tracks the average time taken to remediate high-risk issues identified during audits, and provides insight into the efficiency of your organization's response to critical vulnerabilities.
This tab demonstrates the robustness of your organization's incident response plan. It is supported by quantitative data and emphasizes the detection, diagnosis, remediation, and prevention of incidents.
Available visuals
The following visuals are available in this section:
Incident Management
Use this section to identify, highlight, and explain periods with significant uncharacteristic increases or decreases in your organization's cybersecurity incidents. You can include commentary and data captured from your organization's incident management system.

Quarterly Incident Trend: Get a high-level metric of alert generation or the number of incidents logged over a specific time period, such as monthly, quarterly, or semi-annually. Incidents in this chart are categorized by severity level on a scale of critical, high, medium, and low.
Incident Identification
Use this section to prepare a high-level metric of alert generation or the number of incidents logged over a specific time period, such as monthly, quarterly, or semi-annually.

Quarterly Incident Trend: This chart categorizes incidents based on the sources from which they were gathered. The information depicted in this chart is from the following sources:
- Audit: Incidents identified during your security audits.
- Continuous Monitoring: Incidents identified through automated systems that continuously monitor your organization's network and systems for anomalies or security breaches.
- Customer Reported: Incidents reported by customers. This could include feedback or complaints from customers who have experienced issues that may indicate a security incident.
- Employee Reported: Incidents reported by your employees. Employees may notice suspicious activities or potential security breaches and report them to the IT or security team.
Incident Disclosures
Use this section to report and analyze cybersecurity incidents that are considered material based on quantitative and qualitative factors.

8K Disclosure: A report required by the U.S. Securities and Exchange Commission (SEC). All publicly traded companies must file this report to disclose material events that could affect shareholders or investors. The purpose of the 8K Disclosure is to ensure transparency and timely reporting of significant corporate events, including cybersecurity incidents that are deemed material.
- Last Update: The most recent date on which a company's disclosure report was updated.
- Disclosure Date: The date on which a company's disclosure report was filed.
- Company: The name of the company that filed the disclosure report.
This tab focuses on the proactive process of identifying, assessing, mitigating, and monitoring vulnerabilities within your organization's systems, networks, and software.
Available visuals
The following visuals are available in this section:
Vulnerability Management
Outline the current vulnerabilities within your organization, highlighting high-risk assets and critical vulnerabilities that require immediate attention.

Production Vulnerabilities: Use the graph to get insight into historical data showing the proportion of open vs. remediated vulnerabilities, so you can assess the resources allocated to remediation. The red line depicts open vulnerabilities and the grey line depicts remediated vulnerabilities.
Vulnerability Responsiveness
Evaluate how quickly and effectively your organization responds to identified vulnerabilities.

Open Production Vulnerabilities: This chart provides insight into how responsively your organization reacts to reported vulnerabilities. The chart includes metrics such as the average time to action and/or the mean time to remediation, both measured against an SLA defined in your Vulnerability Management Policy, to showcase your responsiveness.
Remediation SLA
Provide updates on SLAs, which are formalized agreements defining the expected timeframes and responsibilities for addressing and resolving identified vulnerabilities.

High and Critical Infrastructure Vulnerabilities - SLA Compliance: This chart illustrates the proportion of vulnerabilities remediated by their required deadline, based on risk severity.
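An added example, not part of the Diligent One product or this page, showing how the KPIs described in the Penetration Testing, Vulnerability Management, Vulnerability Responsiveness and Remediation SLA sections (open vs. remediated split, mean time to remediate high-risk issues, and SLA compliance by severity) can be computed from a vulnerability-tracker export. The `SLA_DAYS` thresholds, the `Vuln` record layout and the sample data are assumptions for illustration; the edge case worth noting is that an open finding counts against the SLA only once its deadline has passed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional
# Days allowed per severity. Assumed for illustration; your policy sets the real values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Vuln:
    vid: str
    severity: str
    found: date
    remediated: Optional[date]  # None while the finding is still open

def open_vs_remediated(vulns, as_of):
    """(remediated, open) counts as of a date: the Production Vulnerabilities split."""
    done = sum(1 for v in vulns if v.remediated is not None and v.remediated <= as_of)
    return done, len(vulns) - done

def mean_time_to_remediate(vulns, severities=("critical", "high")):
    """Average days from discovery to fix over remediated findings of these severities."""
    days = [(v.remediated - v.found).days for v in vulns
            if v.severity in severities and v.remediated is not None]
    return mean(days) if days else None

def sla_compliance(vulns, as_of, severities=("critical", "high")):
    """Per-severity fraction fixed by the deadline. Fixed late, or still open past the
    deadline, is a breach; open and not yet due is pending and left out of the ratio."""
    met, judged = {s: 0 for s in severities}, {s: 0 for s in severities}
    for v in vulns:
        if v.severity not in severities:
            continue
        due = v.found + timedelta(days=SLA_DAYS[v.severity])
        if v.remediated is not None:
            judged[v.severity] += 1
            met[v.severity] += v.remediated <= due
        elif as_of > due:
            judged[v.severity] += 1  # open and overdue counts against the SLA
    return {s: (met[s] / judged[s] if judged[s] else None) for s in severities}

# Constructed sample export, not real data: id, severity, date found, date remediated.
AS_OF = date(2024, 6, 30)
SAMPLE = [
    Vuln("V-1", "critical", date(2024, 6, 1), date(2024, 6, 5)),
    Vuln("V-2", "critical", date(2024, 5, 20), date(2024, 6, 10)),  # fixed 14 days late
    Vuln("V-3", "high", date(2024, 5, 1), date(2024, 5, 25)),
    Vuln("V-4", "high", date(2024, 4, 15), None),                   # open and overdue
    Vuln("V-5", "high", date(2024, 6, 20), None),                   # open, not yet due
    Vuln("V-6", "medium", date(2024, 3, 1), date(2024, 5, 1)),
    Vuln("V-7", "high", date(2024, 5, 10), date(2024, 6, 1)),
]
```

On the sample, the critical SLA figure is 50% and the high figure is 67%, because V-5 is still within its window and is excluded rather than counted as a miss.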
Use this section to focus on assessing and managing risks posed by your vendors and third-party information systems. This section evaluates your organization's progress in identifying these risks and the measures taken to manage them.
Available visuals
The following visuals are available in this section:
Third-party and Vendor Classification
Categorize vendors based on the criticality of the services they provide, such as critical, high, medium, or low risk. This classification helps prioritize efforts in managing higher-risk relationships.

Vendors by Classification: Use this visual to categorize vendors based on the level of risk they pose to your organization. This chart classifies vendors into categories such as critical, high, medium, and low risk.
Third-party and Vendor Risk Assessments
Identify risks associated with third-party vendors by including metrics such as the number and percentage of vendors assessed within the risk assessment SLAs.

Vendors within Risk Assessment SLA: Use this chart to identify whether risk assessments for third-party vendors are being conducted within the agreed Service Level Agreement (SLA) timelines. The SLA determines the frequency and deadlines for conducting risk assessments, particularly for vendors identified as high or critical risk.