It is no secret that cybersecurity has mystified many members of the C-suite since the function was introduced. Headlines are dominated by breaches and hearings of information security shortcomings. Gartner predicts that by 2022, 50% of CEOs who lack cybersecurity postures that are defensible to their key stakeholders will be fired following material breach incidents that impact greater than 25% of their customer base. CEOs cannot afford to turn a blind eye to cybersecurity. 

Here’s the problem: In speaking with hundreds of cybersecurity teams, I am consistently surprised by how many multi-million and even multi-billion dollar companies are running this now critical business function off of spreadsheets. Do business leaders see this happening and turn a blind eye, or do they just not know what’s going on?

I’ve asked myself and others, “Why do organizations still do this? And why do some feel that running their program off of spreadsheets is sufficient?” 

Below are my findings.

Bad Is Better Than Worse

Especially when you get into the Fortune 500, it’s not as if these organizations aren’t investing in Governance, Risk, and Compliance (GRC). In fact, it’s the opposite; these organizations spend millions of dollars and months of staff time each year implementing an enterprise GRC solution. So why do the boots on the ground spurn it and return to their spreadsheets? 

The unfortunate fact is that managing hundreds of interwoven spreadsheets is more appealing to a cybersecurity team than having to manage a modular, overloaded GRC platform. Further, cyber is so misunderstood by the rest of the C-suite that a million-dollar investment can consistently go to waste with little notice. 

From a senior level, though, these two tools are both equally detrimental to an enterprise’s cybersecurity posture. Capturing assessment data in a spreadsheet is like taking a picture of a moving car and pretending that the car is still in front of you when it’s already at the end of the block. 

Spreadsheet assessments are inherently inefficient: the reports created from these snapshots are based on already antiquated data. The static approach that spreadsheets impose delays the feedback loop, which ripples through to the executive management and Boardroom meetings that CEOs and CISOs use to secure more budget and illustrate their gaps. Assessments completed on spreadsheets are outdated the minute they’re finished.

Not only are spreadsheets running on antiquated data, but they also weigh security operations down with several other inefficiencies. Stuck with a manual workflow of follow-up emails and deadline reminders, security leaders have to track down portions of a spreadsheet to compile into a master document that becomes dated by the time of completion. CISOs and CEOs need a workflow that automates the follow-up process. 

In addition, security teams can get caught up in the confusion of version control with thousands of spreadsheets and switching back and forth between modules. CyberStrong automatically aggregates assessment data - enabling an integrated approach to cybersecurity management across all functions. 

GRC tools and spreadsheets do not cope well with a rapidly changing regulatory environment. In some cases, it can take months for new regulations to show up in legacy systems. Security teams are left scrambling to comply with a new or updated framework before the deadline.

Static snapshots worked when a cyber program was slow-moving enough to need only the occasional litmus test. Still, when Equifax’s CEO, CIO, and CSO are losing their jobs over a data breach, we need to recognize that those days are behind us.

“You can make a spreadsheet say whatever you want.”

I was a little shocked when I heard a security leader tell me this when I asked them why they still run compliance and risk management on spreadsheets. When the C-suite looks to technical leaders for reporting on such a critical business asset, a level of trust is implied. When business leaders are not actively involved in managing their organization’s cyber posture, these responses can be commonplace. 

Using spreadsheets to manage a cyber program is like using a screwdriver to hammer a nail: sure, it works, but it is not the right tool for the job. Cybersecurity leaders know it, but at times, don’t know what else to do. 

The fact is that CEOs need to evaluate their cyber posture just as they would a balance sheet. Just as periodic snapshots did the job when IT was a siloed function, spreadsheets did the job when the industry lacked the knowledge (in the form of frameworks and industry data) to build something better and relied on the expertise of those working directly with the data. Today, however, everyone is working with the enterprise’s data, and the siloed spreadsheet approach no longer works.

Heavyweight Solutions Are Not The Answer

You may think that because I’ve seen so many organizations forgoing their already-made investment in GRC for spreadsheets, they should just dust off their GRC product and start using it. But that’s not the case. These teams keep going back to spreadsheets because GRC platforms have the same foundational flaws as a massive spreadsheet, just in a different form factor. Spreadsheets are so challenging to use that they disempower teams from embracing continuous compliance, much less credibly reporting on their posture to business leaders. These hurdles make spreadsheets the lesser of the two evils and keep your infosec teams running from the GRCs, despite spreadsheets being the wrong tool for a robust cyber program.

Understand And Communicate Where Your Cybersecurity Posture Comes From (Even To Your Board)

How can you have faith in that as a business leader? On the one hand, you have unwieldy spreadsheets, frankly the wrong tool for the job. On the other hand, you have antiquated GRC platforms that keep teams running back to cells and formulas (not to mention you’re paying hundreds of thousands for them).

In an era that sees new cyber threats and regulations emerge almost daily, the C-suite needs to arm their cybersecurity teams with something that saves them time and money and is easily understood. Specifically, CEOs need a solution that comprehensively illustrates their organization’s cybersecurity posture. Further, a heavyweight cyber program does not require a heavyweight solution, but rather the opposite. The more complex an enterprise cybersecurity program is, the more it demands a solution that simplifies and integrates all the disparate parts so that it is understandable to anyone, regardless of technical expertise. 

So to the CEOs, I’ll say: do you know where that cybersecurity report came from? Because your job depends on it.
