Security Control selection criteria are often driven by InfoSec or Compliance requirements. That seems good, right? Until business leadership must be convinced to purchase costly tools, or support a restrictive process. We all know how difficult that can be. But why is that? Current approaches and facilitative tools may not include business stakeholders. This often results in a control set that doesn't consider the business need for the IT systems and the services these systems provide. This is where the trouble begins. Involving business stakeholders earlier in the prioritization & selection process is a step towards mitigating that disconnect. The DHS CSET is a good example of a free tool that helps with prioritization, but it still does not focus on business need. Plus, there may be some hesitation to download it into your environment. Two CISSPs, both US Military Veterans (and one also happens to be a full stack developer), decided, initially as a hobby project, to develop a simple, cloud-hosted tool introducing the concept, intending to provoke additional thought in this area.
I looked at the linked site and read the FAQ on that site. I do not mean to accuse either Bruce or the two "honorable US military veterans" of anything untoward, but I must say the minimal information available and the lack of transparency on the site, along with the implied sort of questions users of the SALculator will answer about their organizations make me think the site would be a useful tool for gathering business intelligence and cybersec vulnerability clues on the participating organizations.