Problem
Manual Cyber Risk Assessments and Disconnected Tracking
As a financial services organization aligned with the Cyber Risk Institute (CRI) Profile, Sallie Mae must regularly assess cybersecurity controls and diagnostic statements to maintain visibility into risk posture and meet internal governance and regulatory expectations.
Sallie Mae’s cybersecurity team is responsible for managing these cyber risk assessments and maintaining oversight of their CRI profile. Prior to adopting SmartSuite, much of this work was managed through a combination of specialized tools and spreadsheets.
While the team relied on a dedicated risk platform for certain governance functions, core CRI assessment activities often required exporting data, coordinating input manually, and maintaining separate spreadsheets to track diagnostic statements and ownership across the organization.
Assessment cycles required frequent interview sessions with diagnostic statement owners, creating a time-consuming process that relied heavily on manual coordination. Reporting outputs and charts were also often created outside the primary system using tools like Excel.
In addition, the team needed a better way to manage recommendations and findings from external cybersecurity assessments. These items did not always qualify as formal risk issues in their enterprise risk platform, leaving teams without a structured way to track progress and remediation activities.
The result was a process that worked, but required significant manual effort, fragmented tracking, and multiple systems to maintain visibility.
Solution
A Flexible System of Record for Cyber Risk Institute Assessments
Sallie Mae implemented SmartSuite as a centralized workspace to manage their CRI profile and cyber risk assessments.
The team began by migrating their full CRI profile into SmartSuite, establishing a single system of record for diagnostic statements, ownership, and assessment activities. This allowed the cybersecurity team to manage assessment inputs, documentation, and ownership tracking in one environment rather than across multiple spreadsheets and tools.
With SmartSuite’s flexible data structure, the team was able to configure fields, layouts, and records to match their existing assessment framework while improving visibility across their CRI diagnostic statements.
Beyond the core CRI assessment, the team also began using SmartSuite to manage additional cybersecurity assessments and recommendations that did not belong in their enterprise risk platform. These were structured as project workspaces, giving the team a consistent place to track findings, recommendations, and remediation activities.
As adoption grows, Sallie Mae’s cybersecurity team plans to further enhance their process by implementing automated workflows that allow diagnostic statement owners to self-service their responses—reducing the need for manual interview sessions during assessment cycles.
The team is also exploring ways to leverage SmartSuite’s reporting capabilities to generate dashboards and visual outputs directly within the platform rather than exporting data to external tools.
Result
Centralized Cyber Risk Assessments and a Foundation for Automation
With SmartSuite in place, Sallie Mae’s cybersecurity team now has a centralized system of record for CRI assessments, improving visibility across diagnostic statements, owners, and assessment progress.
The platform has enabled the team to:
- Consolidate CRI diagnostic statements and ownership tracking into a single workspace
- Reduce reliance on spreadsheets for assessment management
- Track cybersecurity assessment recommendations in a structured environment
- Configure and evolve their workspace without requiring heavy IT support
By centralizing assessment data and ownership tracking, the team now has clearer visibility into assessment progress and can more easily prepare reporting outputs for internal stakeholders.
Because of SmartSuite’s ease of use, the team was able to independently build and adapt their environment while continuing their existing assessment cycle.
Looking ahead, Sallie Mae plans to expand their use of SmartSuite by introducing automated workflows, advanced reporting, and AI-assisted capabilities such as control mapping and governance support.








