Sometimes we just need a sanity check and assessments offer that opportunity.  An assessment can offer a glimpse into those things that may require our attention, and ideally, some validation of our good work.  But, they can be potentially expensive.  For a quick self-assessment, there is a less-expensive option to consider.

The OWASP Cyber Defense Matrix

Sounil Yu created the matrix and announced it to the cybersecurity world at RSA 2016.  What makes the matrix so attractive is its simplicity and adaptability.  At the default value, the matrix classifies security controls across two dimensions: 

Sayers OWASP Assessment

#1.  5 Operational Functions of the NIST Cybersecurity Framework: 

#2.  5 Asset Classes:

Mapping controls across these two dimensions can help organizations identify potential gaps and overlaps in their security technology stack.  Additionally, an organization could choose to include administrative and physical controls as well, for a more complete self-assessment, as there are some considering for the balance of people, process, and technology across the matrix.  Going one step further, an organization could define this matrix to include regulatory compulsions, or any other relevant external pressures. 

OWASP Cyber Defense Matrix

“Our common language can be bounded by five asset classes and the NIST Cybersecurity Framework”

– Sounil Yu

The OWASP Cyber Defense Matrix is far from offering a deterministic analysis of a holistic security program.  But, what the matrix can do is provide a glimpse into the nature of our choices, our current security posture, and provide some actionable intelligence as to where we might target our attention and our investments.

How to get started?

Engage the Subject Matter Experts at Sayers.  We are offering guidance, assistance, a first analysis, and a first set of deliverables at low-to-no cost to our clients. 

Click to View Sayers OWASP Assessment Data Sheet