
Three Ways Tracking NIST 800-53 in Spreadsheets is Wasting Your Cybersecurity Team's Time


The new NIST 800-53 revision five has over one thousand controls. Let that sink in: over one thousand individual controls. Of course, as the sophistication of cyber-attacks has increased over the years, so has the need for more sophisticated requirements and controls for federal information security. However, the control set has expanded drastically since its initial publication, leaving many teams scrambling to absorb the new requirements of NIST SP 800-53. Many of these teams rely on the NIST 800-53 controls spreadsheet and too often manage their assessments out of spreadsheets as well. With the increasing complexity of the 800-53 control set, though, security leaders could be wasting valuable time and effort by not implementing a platform to help streamline the process.

Why Assessing Against SP 800-53 Using Spreadsheets is Wasting Your Team’s Time

1) Incongruencies and Version Control

During the assessment itself, we have seen teams working out of spreadsheets tackle the division of labor in two ways: either breaking down the control set and distributing a separate spreadsheet to each assessor, or having everyone work out of the same spreadsheet, possibly through a file sharing service.

There are major negative ripple effects that result from both of these approaches, which we will address in the post-assessment analysis phase as well as the reporting phase. However, as a whole, working out of spreadsheets results in the same static and potentially disjointed efforts that many users of legacy GRC systems run into. From our conversations with customers that forwent purchasing a GRC and chose to run out of spreadsheets until they started using CyberStrong, many information security leaders simply didn’t see a process difference between using spreadsheets and a legacy GRC tool. Especially in the assessment phase, whether the control set is broken up or not, the overlap between working in a spreadsheet and working in a GRC is eerie.

The silos and incongruencies result in wasted time and effort on the part of assessment teams. However, using an integrated solution like CyberStrong can enable teams to collaborate and conduct the assessment in a single source of truth. Individuals across IT risk, compliance, vendor risk, and audit can add valuable assessment information into the platform without having to fragment the assessment.

2) Aggregation and Analyzing Results

However an organization that uses spreadsheets decides to tackle an 800-53 assessment, the effects appear in the aggregation and analysis of the results post-assessment.

In the case where an organization broke down the 1000+ controls into different spreadsheet documents for each team to work on, the challenge of aggregation is clear: compiling what can amount to tens of spreadsheets back into one document, aside from the need to chase down each document at the due date.

In the case of working off of one spreadsheet that has been passed around, we have seen and heard few stories where this has worked as seamlessly as necessary. Rather, the version control nightmare scenario kicks into effect and suddenly a chain of hundreds of emails has to be sifted to determine the most up-to-date version of the document. As an aside, in cases where organizations have worked out of a file sharing service like Box or SharePoint, the risk exists that the most up-to-date version is not even in the shared location.

Rather than tasking managers with chasing down multiple documents and spending the time to aggregate them, or with checking a single document for accuracy, CyberStrong streamlines the entire process by allowing teams to work across the organization from a single location and deliver automated reporting without the need for aggregation. This saves managers time on the backend and increases efficiency in the analysis process.

3) Presenting and Reporting to Leadership

Finally, moving up the chain of command, there is reporting on the assessment and the greater program health to business-side leadership. The value of an assessment is inversely correlated with the time that has passed since the assessment was completed. The nature of assessments conducted in spreadsheets, as well as in legacy GRC systems, is that the assessment is essentially outdated as soon as it is completed. Then layer on top the amount of time it takes to process the results (as we discussed in part two) and the assessment is almost useless.

The goal for many organizations for years has been to achieve continuous assessment. However, frankly, the technology did not exist to feasibly support the dedication it would take to implement continuous assessment at scale. Spreadsheets, as we have seen, are simply too sporadic, and modular GRC systems lacked the technology to support the integrated approach necessary to achieve it as well.

Now, though, CyberStrong enables continuous assessment using deep integrations that update control scores in real time using existing tech stack data from solutions already in use within an information security program (Splunk, Tenable, etc.). Furthermore, for reporting to leadership, CyberStrong’s fully customizable Governance Dashboards illustrate information security program posture in real time without the effort of processing and aggregating the data, as we discussed previously.

To learn more about how CyberStrong can save your information security teams time and money while also enhancing assessments against frameworks like NIST SP 800-53, give us a call at 1 800 NIST CSF, or click here to schedule a conversation.
