We're onboarding LeaniX for our cyber security team. Struggling a bit when it comes to capability mapping as it doesn't align to how business capabilities are typically aligned higher level. As cyber security maps to control frameworks and other industry capabilities there ends up being multiple levels of hierarchy with hundreds of capabilities to cover all the security domains. Looking at items like the MITRE ATT&CK framework and CSA Reference Architecture are representations of this. Has anyone else onboarding their cyber security capabilities, applications, processes, etc successfully without inflating the tool massively?
Depth on Capabilities