It is no secret that cybersecurity has mystified many members of the C-suite since the function was introduced. Headlines are dominated by breaches and hearings of information security shortcomings. Gartner predicts that by 2022, 50% of CEOs who lack cybersecurity postures that are defensible to their key stakeholders will be fired following material breach incidents that impact greater than 25% of their customer base. CEOs cannot afford to turn a blind eye to cybersecurity.
Here’s the problem: In speaking with hundreds of cybersecurity teams, I am consistently surprised by how many multi-million and even multi-billion dollar companies are running this now critical business function off of spreadsheets. Do business leaders see this happening and turn a blind eye, or do they just not know what’s going on?
I’ve asked myself and others, “Why do organizations still do this? And why do some feel that running their program off of spreadsheets is sufficient?”
Below are my findings.
Bad Is Better Than Worse
Especially when you get into the Fortune 500, it’s not as if these organizations aren’t investing in Governance, Risk, and Compliance (GRC). In fact, it’s the opposite; these organizations spend millions of dollars and months of investment per year in human capital to implement an enterprise GRC solution. So why do the boots on the ground spurn it to return to their spreadsheets?
The unfortunate fact is that managing hundreds of interwoven spreadsheets is more appealing to a cybersecurity team than having to manage a modular, overloaded GRC platform. Further, cyber is so misunderstood by the rest of the C-suite that a million-dollar investment can consistently go to waste with little notice.
From a senior level, though, these two tools are both equally detrimental to an enterprise’s cybersecurity posture. Capturing assessment data in a spreadsheet is like taking a picture of a moving car and pretending that the car is still in front of you when it’s already at the end of the block.
Spreadsheet assessments are inherently inefficient - the reports created from these snapshots are based on already antiquated data. The static approach that spreadsheets delay the feedback loop, which ripples through to the executive management and Boardroom meetings that CEOs and CISOs use to secure more budget and illustrate their gaps. Assessments completed on spreadsheets are outdated the minute they’re finished.
Not only are spreadsheets running on antiquated data, but they also weigh security operations down with several other inefficiencies. Stuck with a manual workflow of follow-up emails and deadline reminders, security leaders have to track down portions of a spreadsheet to compile into a master document that becomes dated by the time of completion. CISOs and CEOs need a workflow that automates the follow-up process.
In addition, security teams can get caught up in the confusion of version control with thousands of spreadsheets and switching back and forth between modules. CyberStrong automatically aggregates assessment data - enabling an integrated approach to cybersecurity management across all functions.
GRC tools and spreadsheets are not a good combination with a rapidly changing regulatory environment. In some cases, it can take months for new regulations to show up in legacy systems. Security teams are left scrambling to comply with a new or updated framework before the deadline.
Static snapshots worked when a cyber program was slow-moving enough only to need the occasional litmus test. Still, when Equifax’s CEO, CIO, and CSO are losing their jobs over a data breach, we need to recognize that those days are behind us.
“You can make a spreadsheet say whatever you want.”
I was a little shocked when I heard a security leader tell me this when I asked them why they still run compliance and risk management on spreadsheets. When the C-suite looks to technical leaders for reporting on such a critical business asset, a level of trust is implied. When business leaders are not actively involved in managing their organization’s cyber posture, these responses can be commonplace.
Using spreadsheets to manage a cyber program is like using a screwdriver to hammer a nail - sure it works, but it is not the right tool for the job. Cybersecurity leaders know it, but at times, don’t know what else to do.
The fact is that CEOs need to evaluate their cyber posture just as they would a balance sheet. Just as periodic snapshots did the job when IT was a siloed function, spreadsheets did the job when the industry lacked the knowledge (in the form of frameworks and industry data) to build something better and relied on the expertise of those working directly with the data. Although, today, everyone is working with an enterprise’s data and the siloed spreadsheet approach does not work.
Heavyweight Solutions Are Not The Answer
You may think that because I’ve seen so many organizations forgoing their already-made investment in GRC for spreadsheets that they should just dust off their GRC product and start using it. But that’s not the case. These teams keep going back to spreadsheets because GRC platforms have the same foundational flaws like a massive spreadsheet, except in a different form factor. Spreadsheets are so challenging to use that it disempowers teams to embrace continuous compliance, much less credibly report on their posture to business leaders. These hurdles make spreadsheets the lesser of the two evils and keep your infosec teams running from the GRCs, despite spreadsheets being the wrong tool for a robust cyber program.
Understand And Communicate Where Your Cybersecurity Posture Comes From (Even To Your Board)
How can you have faith in that as a business leader? On the one hand, you have unwieldy spreadsheets and, frankly, the wrong tool for the job. On the other hand, you have antiquated GRC that keep teams running back to cells and formulas (not to mention you’re paying hundreds of thousands for it).
In an era that sees new cyber threats and regulations emerge almost daily, the C-suite needs to arm their cybersecurity teams with something that saves them time, investment and is easily understood. Specifically, CEOs need a solution that comprehensively illustrates their organization’s cybersecurity posture. Further, a heavyweight cyber program does not require a heavyweight solution but rather the opposite. The more complex an enterprise cybersecurity program is, the more it demands a solution that simplifies and integrates all the disparate parts such that it is understandable to anyone regardless of technical expertise.
So to the CEOs, I’ll say - do you know where that cybersecurity report came from? Because your job depends on it.