Free Cyber Risk Analysis: Your Top Cyber Risks in 3 Clicks

Get Started
Request Demo

Three Ways Tracking NIST 800 53 in Spreadsheets is Wasting Your Cybersecurity Team's Time


The new NIST 800-53 Rev 5 has over one thousand controls. Let that sink in - over one thousand individual controls. Of course, as the sophistication of cyber-attacks has increased over the years, so has the need for an increase in sophistication of the requirements and controls for federal information security. However, the control set has drastically expanded since its initial publication, resulting in many teams scrambling to absorb the new requirements of NIST SP 800-53. Many of these teams rely on the NIST 800 53 controls spreadsheet and too often manage their assessments out of spreadsheets as well; with the increasing complexity of the 800-53 control set, though, security leaders could be wasting valuable time and effort by not implementing a platform to help streamline the process.

Assessing SP 800-53 Using Spreadsheets is Wasting Your Time

1) Incongruencies and Version Control

During the assessment itself, we have seen teams working out of spreadsheets tackle the division of labor in two ways: breaking down the control set and distributing a separate spreadsheet to assessors and, on the other hand running out of the same spreadsheet, possibly out of a file sharing service.

Significant negative ripple effects result from both of these approaches that we will address in the post-assessment analysis phase and the reporting phase. However, as a whole, working out of spreadsheets results in the same static and potentially disjointed efforts that many users of GRC cybersecurity systems run into. From our conversations with customers who forewent purchasing a GRC and chose to run out of spreadsheets until they started using CyberStrong, many information security leaders simply didn’t see a process difference between using spreadsheets and legacy GRC tools. Especially in the assessment phase, whether the control set is broken up or not, the overlap between a spreadsheet and a GRC is eerily similar.

The silos and incongruencies result in wasted time and effort on the part of assessment teams. However, using an integrated solution like CyberStrong can enable teams to collaborate and conduct the cyber risk assessment in a single source of truth. Individuals across IT risk, compliance, vendor risk, and audit can add valuable assessment information to the platform without fragmenting the assessment.

2) Aggregation and Analyzing Results

Whether an organization that uses spreadsheets decides to tackle an 800-53 assessment, there are effects that appear in the aggregation and analysis of the results post-assessment.

In the case where an organization broke down the 1000+ controls into different spreadsheet documents for each team to work on, the challenge of aggregation is clear: compiling what can amount to tens of spreadsheets back into one document, aside from the need to chase down each document at the due date.

In the case of working off of one spreadsheet that has been passed around, we have seen and heard a few stories where this has worked as seamlessly as necessary. Rather, the version control nightmare scenario kicks into effect, and suddenly a chain of hundreds of emails has to be sifted to determine the most up-to-date version of the document. In cases where organizations have worked out of a file-sharing service like Box or Sharepoint, the risk exists that the most up-to-date version is not even in the shared location.

Rather than tasking managers with chasing down either multiple documents and sending the time aggregating or checking a single document for accuracy, CyberStrong streamlines the entire process by allowing teams to work across the organization from a single location and deliver automated reporting without the need for aggregation. This saves managers time on the backend and increases cyber risk analysis efficiency.

Conduct Free Cyber Risk Analysis with CyberStrong here

3) Presenting and Reporting to Leadership

Finally, moving up the chain of command, reporting on the assessment and the more excellent program health to business-side leadership. The value of an assessment is inversely correlated with the time that has passed since the assessment was completed. The nature of assessments conducted in spreadsheets and legacy GRC systems is that the assessment is essentially outdated as soon as it is completed. Then layer on top of the amount of time it takes to process (as discussed in part two), and the assessment is almost useless.

The goal for many organizations for years has been to achieve continuous assessment. However, frankly, the technology did not exist to feasibly suppor the dedication it would take to implement continuous assessment at scale. Spreadsheets, as we have seen, are simply too sporadic, and modular GRC systems lack the technology to support the integrated approach necessary to achieve it as well.

Now, though, CyberStrong enables automated risk assessments using deep integrations that update control scores in real-time using existing tech stack data from solutions already in use within an information security program. Furthermore, CyberStrong’s fully customizable Executive Cybersecurity Dashboard illustrates information security program posture in real-time for enhanced cyber reporting to the Board.

To learn more about CyberStrong, which can save your cyber risk management plan, click here to schedule a conversation.

You may also like

How to Create a Cyber Risk ...
on June 10, 2024

In today's fast-paced digital landscape, conducting a cyber risk assessment is crucial for organizations to safeguard their assets and maintain a robust security posture. A cyber ...

Critical Capabilities of ...
on June 4, 2024

Continuous Control Monitoring (CCM) is a critical component in today's cybersecurity landscape, providing organizations with the means to enhance their security posture and ...

on May 29, 2024

Artificial intelligence (AI) is revolutionizing numerous sectors, but its integration into cybersecurity is particularly transformative. AI enhances threat detection, automates ...

Critical Capabilities of Cyber ...
on May 20, 2024

In today's digital landscape, robust cybersecurity risk assessment tools are crucial for effectively identifying and mitigating cyber threats. These tools serve as the first line ...

A Practical Approach to FAIR Cyber ...
on May 10, 2024

In the ever-evolving world of cybersecurity, managing risk is no longer about simply setting up firewalls and antivirus software. As cyber threats become more sophisticated, ...

Unveiling the Best Cyber Security ...
on April 24, 2024

Considering the rollout of regulations like the SEC Cybersecurity Rule and updates to the NIST Cybersecurity Framework; governance and Board communication are rightfully ...