It is no secret that cybersecurity has mystified many members of the C-suite since the function was introduced. With headlines dominated by breaches and hearings of information security shortcomings, as well as Gartner’s prediction that by 2022, 50% of CEOs who lack cybersecurity postures that are defensible to their key stakeholders will be fired following material breach incidents that impact greater than 25% of their customer base, CEOs cannot afford to turn a blind eye to cybersecurity.
Here’s the problem: In speaking with hundreds of cybersecurity teams, I am consistently surprised by how many multi-million and even multi-billion dollar companies are running this now critical business function off of spreadsheets. Do business leaders see this happening and turn a blind eye, or do they just not know what’s going on?
I’ve asked myself and others… Why do organizations still do this? And why do some feel that running their program off of spreadsheets is sufficient?
Below are my findings...
Bad Is Better Than Worse
Especially when you get into the Fortune 500, it’s not as if these organizations aren’t investing in Governance, Risk and Compliance (GRC). In fact, it’s the opposite, these organizations spend millions of dollars and months of investment per year in human capital to implement an enterprise GRC solution. So why do the boots on the ground spurn it to return to their spreadsheets?
The unfortunate fact is that managing hundreds of interwoven spreadsheets is more appealing to a cybersecurity team than having to manage a modular, overloaded GRC platform. Further, cyber is so misunderstood by the rest of the C-suite that a million-dollar investment can consistently go to waste with little notice.
From a senior level, though, these two tools are both equally detrimental to an enterprise’s cybersecurity posture. Capturing assessment data in a spreadsheet is like taking a picture of a moving car and pretending that the car is still in front of you when it’s already at the end of the block. Static snapshots worked when a cyber program was slow moving enough to only need the occasional litmus test, but when the CEO, CIO, and CSO of Equifax are losing their jobs over a data breach, we need to recognize that those days are behind us.
“You can make a spreadsheet say whatever you want.”
I was a little shocked when I heard a security leader tell me this when I asked them why they still run compliance and risk management on spreadsheets. When the C-suite looks to technical leaders for reporting on such a critical business asset, a level of trust is implied. When business leaders are not actively involved in managing their organization’s cyber posture, though, these responses can be commonplace.
Using spreadsheets to manage a cyber program is like using a screwdriver to hammer a nail - sure it works, but it is not the right tool for the job. Cybersecurity leaders know it, but at times, don’t know what else to do.
The fact is, that CEOs need to be able to digest their cyber posture just as they would a balance sheet. Just as periodic snapshots did the job when IT was a siloed function, spreadsheets did the job when the industry lacked the knowledge (in the form of frameworks and industry data) to build something better, and relied on the expertise of those working directly with the data. Today, though, everyone is working with an enterprise’s data and the siloed spreadsheet approach does not work.
What The Enterprise Is Finding: Heavyweight Solutions Are Not The Answer
You may think that because I’ve seen so many organizations foregoing their already-made investment in GRC for spreadsheets that they should just dust off their GRC product and start using it. But that’s not the case. In fact, the reason that these teams keep going back to spreadsheets is that GRC platforms have the same foundational flaws as a massive spreadsheet, except in a different form factor: they are so difficult to use that it disempowers teams to embrace continuous compliance, much less credibly report on their posture to business leaders. These hurdles make spreadsheets the lesser of the two evils and will keep your infosec teams running from the GRCs, despite spreadsheets also being the wrong tool for a strong cyber program.
Understand And Communicate Where Your Cybersecurity Posture Comes From (Even To Your Board)
How can you have faith in that as a business leader? On one hand, you have spreadsheets which are unwieldy and frankly the wrong tool for the job. On the other hand, you have antiquated GRC that keep teams running back to cells and formulas (not to mention you’re paying hundreds of thousands for it).
In an era that sees new cyber threats and regulations emerge almost daily, the C-suite needs to arm their cybersecurity teams with something that saves them time, investment and is easily understood. Specifically, CEOs need a solution that comprehensively illustrates their organization’s cybersecurity posture. Further, a heavyweight cyber program does not require a heavyweight solution - rather, the opposite. The more complex an enterprise cybersecurity program is, the more it demands a solution that simplifies and integrates all the disparate parts such that it is understandable to anyone regardless of technical expertise.
So to the CEOs, I’ll say - Do you know where that cybersecurity report came from? Because your job depends on it.