I am pushing the button for Active Risk Strategy tomorrow before business hours. Anything I need to know besides risk scores going up? Anything else I need to adjust?
Nope - literally just a matter of flipping the switch then giving the console time to recalculate the risk scores.
One word of caution that we didn’t come to realize until afterwards is that there is no “Vulnerability Discovery Date by Active Risk” dashboard card. There is a new card named “Vulnerability Findings by Active Risk Score Severity and Publish Age”, but I don’t know of anybody who measures their compliance based on publish age rather than discovery date.
Oh, thank you, that is what I figured. Oh, that card information is useful. I agree, published date is not something we use either; I def would use the discovery date, and do. Actually, I had a whole case on publish date vs. discovery date and the way the SQL reports report, and got all mixed up due to the published dates. Lol
Anyway, thanks!
@vanessa_villalpando, while reviewing the blog, I came across your contribution in which you mentioned transitioning to Active Risk. We are planning to make the transition in a couple of weeks. Could you share your experience both before and after the transition, what your expectations were, and what recommendations you might have to help us prepare effectively? Thank you!
@Violet I’m sorry for the delay… I didn’t get notified on this or it went to spam. Moving to Active Risk was a breeze; the hardest part was communicating with admins from our org to let them know scores may be higher. We are working on setting a threshold for assessing by risk this year; for now we still dwell heavily on the CVSS score of 8 or greater, then use the risk score as backup after assessing those CVSSv3 8 or greater (since Active Risk does use version 3; version 2 is still backup, and some versions of 3 on vulns are not available sometimes, I still see gaps). One of the hardest parts was also getting reports to reflect CVSSv3 scores, as we use a lot of queries for weekly reports. It’s been about a year now that I pushed that button, and while risk scores got higher I think my team adapted fast, but we still have the same issues with admins not remediating as they should or in the time frame we have laid out in our VM process. For the most part it was a good switch for our org and within the app. I guess it just depends on your org and how fast they adapt or know about how the Active Risk score works. Hope this helps!