The risk dashboard of a CSPM tool is a visual representation of the security risks associated with an organization’s cloud infrastructure. It provides a consolidated overview of vulnerabilities, misconfigurations, and other security issues that could potentially lead to breaches, data leaks, or compliance violations. The primary purpose of a risk dashboard is to help security teams identify, prioritize, and address these risks effectively. The following screenshot provides a glimpse of what the risk dashboard of the Orca CSPM tool looks like. Typically, it includes the overall secure score, risk summary, and more:

Figure 10.2 – Orca CSPM risk dashboard (source: https://orca.security/resources/blog/orca-cloud-security-score/)
Here’s a breakdown of its key components and features:
- Risk scores and severity levels: The dashboard assigns risk scores or severity levels to different cloud resources or configurations based on the potential impact and likelihood of exploitation. These scores help prioritize which issues require immediate attention.
- Risk mapping and visualization: Risk dashboards often use visual elements such as charts, graphs, heatmaps, and color-coding to represent the distribution of risks across various cloud providers, regions, categories, resource types, or severity levels. This helps teams quickly assess the overall risk landscape, identify risk hotspots, and prioritize risk mitigation efforts.
- Risk aggregation: The dashboard aggregates individual risk scores of workloads to provide an overall risk assessment for the entire cloud infrastructure. This helps in understanding the collective security risk and identifying critical areas that require immediate attention.
- Top risks: The dashboard highlights the most critical and high-impact risks at the top. This allows security teams to address the most severe vulnerabilities first, reducing the organization’s exposure to potential threats.
- Filtering and sorting: Users can usually filter and sort risks based on parameters such as risk score, resource type, severity, or compliance standard. This functionality helps users focus on specific areas of concern.
- Detailed risk descriptions: Each identified risk is accompanied by a detailed description of the issue, including information about the misconfiguration, the potential impact, and recommended remediation steps.
- Historical data and trend analysis: A risk dashboard may, and ideally should, display historical data to show trends in risk mitigation efforts over time. This enables organizations to track improvements and the effectiveness of their risk management strategies.
- Alerts and notifications: The dashboard can generate alerts and notifications for new or existing risks. This ensures that security teams stay informed about the latest developments.
- Remediation guidance/recommendations: For each risk, the dashboard typically provides guidance on how to remediate the issue. This guidance can include step-by-step instructions, links to relevant documentation, or recommended configuration changes.
- Compliance mapping: The dashboard also indicates how identified risks align with specific compliance standards or frameworks, making it easier for organizations to meet their regulatory requirements.
- Customizable risk policies: Organizations can often customize risk policies so that they can align the risk assessment process with their specific security requirements and risk tolerance levels.
- Collaboration features: In some cases, the dashboard enables collaboration among different teams by allowing them to annotate risks, discuss remediation strategies, and track progress collectively. For example, in the Orca CSPM tool, you can group all resources of a particular team within the organization (in Orca, this is called a business unit) and invite the responsible stakeholders for each business unit so that they can discuss their security scores and improve their security posture.
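
To make the scoring, top-risks, filtering, and aggregation components concrete, here is a small model of the data behind such a dashboard. It is an added example, not Orca's or any vendor's scoring algorithm: the 1 to 5 impact and likelihood scales, the severity thresholds, and the sample findings are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    resource: str
    business_unit: str
    issue: str
    impact: int       # 1 (low) .. 5 (critical), assumed scale
    likelihood: int   # 1 (unlikely) .. 5 (actively exposed), assumed scale

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # assumed model, range 1..25

    @property
    def severity(self) -> str:
        s = self.score  # thresholds below are assumed, not a vendor's
        return "critical" if s >= 20 else "high" if s >= 12 else "medium" if s >= 6 else "low"

# Constructed sample findings; resource names and ratings are illustrative only.
FINDINGS = [
    Finding("s3://payments-exports", "payments", "bucket allows public read", 5, 5),
    Finding("vm-payments-api-01", "payments", "SSH open to 0.0.0.0/0", 4, 4),
    Finding("iam-user-ci-deploy", "platform", "access key older than 90 days", 3, 2),
    Finding("rds-analytics", "analytics", "storage not encrypted at rest", 4, 2),
    Finding("vm-analytics-etl", "analytics", "missing resource tags", 1, 2),
]

def top_risks(findings, n=3, min_severity=None, business_unit=None):
    """Filter, then sort by score descending (ties broken by resource name)."""
    order = ["low", "medium", "high", "critical"]
    rows = [f for f in findings
            if (business_unit is None or f.business_unit == business_unit)
            and (min_severity is None or order.index(f.severity) >= order.index(min_severity))]
    return sorted(rows, key=lambda f: (-f.score, f.resource))[:n]

def aggregate_by_unit(findings):
    """Roll up per business unit; 'max' is kept because a mean can hide one critical finding."""
    groups = defaultdict(list)
    for f in findings:
        groups[f.business_unit].append(f.score)
    return {bu: {"count": len(s), "max": max(s), "mean": round(sum(s) / len(s), 1)}
            for bu, s in groups.items()}

if __name__ == "__main__":
    for f in top_risks(FINDINGS):
        print(f"{f.score:>2} {f.severity:<8} {f.business_unit:<10} {f.resource}: {f.issue}")
    print(aggregate_by_unit(FINDINGS))
```

In this sample, the payments unit has a mean score of 20.5 while analytics has 5.0, yet analytics still carries an unencrypted database; reporting the worst score alongside the average keeps such findings visible in the rollup.
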
Before we look at the next dashboard type, let’s explore the significance of the risk acceptance and exception management features offered by CSPM vendors in the risk dashboard.