How to Escape from Spreadsheet Hell (Cyber Risk Manager's Edition)

First a pop quiz. (Don’t worry, I won’t call on you to answer in front of the class 😉)

What percentage of your company’s critical assets and vendors have you truly assessed for cyber risk in the last 6 months?

I’m certain you’ve been able to assess some assets or vendors – but what percentage have you reallycomprehensively evaluated this year?

5%? 10%? More?

What about the other 90%?

Is being blind to 90% of your assets cyber risk acceptable to you? Your C-suite leaders? The board?

If you aren’t in the high double digits you can rest assured, you’re not alone. No one is to blame because there really hasn’t been a software solution on the market designed to accommodate the specific needs of cyber risk managers.

So, what’s really to blame?

Spreadsheets.

We make do with what we have to the best of our ability, but ultimately spreadsheets are so inefficient that they significantly limit your ability to “see” your entire company’s cyber risk. You can’t protect an asset from a threat you don’t know about.

Here are 6 other significant reasons why spreadsheets just don’t cut it today:

  1. No dynamic threat/risk mapping: Adversaries change tactics, techniques, and tools all the time to uncover the weak underbelly of their targets. To stay on top of the changing threat environment requires the ability to dynamically map threats and risks – an impossible task using a spreadsheet. (Oh and forget about linking missing controls to a remediation plan!)
  2. No real-time collaboration: Distributed teams require a distributed solution. Spreadsheets have gotten much better in this regard than in the past, but they still don’t yet fully enable a distributed team to work at optimum efficiency. Sending a single file back and forth across the world just won’t cut it.
  3. Opportunity for error: Until the cyborgs replace us, we’re stuck relying on humans to complete risk assessment tasks. Unfortunately, humans make both data entry errors, but also errors in discretion and judgement. Using spreadsheets to manage your cyber risk program is equivalent to hopping onto the interstate for a long road-trip with only a couple hours of sleep. You might get to your destination, but you also might end up in a ditch.
  4. No version control or audit trail: Managing files back and forth by email is a cumbersome and ultimately risky because all it takes is one key auditor departing to throw the program into chaos. Have you ever had to go through the sent emails folder to find the exact email from 13 months ago that documents who agreed to perform what remediation? How painful of a process is that?
  5. No continuity: What happens to all your files when a key individual changes role, department, or leaves for another company? If you rely on spreadsheets, you’re only one key departure from throwing your risk management program into disarray.
  6. No automated reporting: Assessing risk is only the first step. To make risk mitigation decisions requires the analysis to be consolidated, formatted, and presented to others. Building a report to present findings is one of the most time intensive steps in the risk process. How long does it take an analyst to report the findings of 100 assessments? Wouldn’t it be great if instead of wasting time formatting a powerpoint slide they were assessing a critical supplier they hadn’t yet had time to evaluate?

Warm Regards,

Steve