February 12, 2019
IT Risk Assessments: Spreadsheets vs. Workflow Software
Spreadsheets can be a powerful tool for managing and organizing all kinds of things. I would be willing to bet that no corner of work and life exists today where spreadsheets have not found a use. In fact, probably some version of spreadsheets got us to the moon.
Spreadsheets are your best friend…until they’re not
In the information security world, spreadsheets have gained traction for managing compliance efforts and managing risk. If you're ambitious, you could probably mix in some asset inventory as well, and if you're really ambitious, you could share your beloved spreadsheet for others to fill out—hopefully without breaking it!
However, at some point that helpful, well-organized spreadsheet will turn on you and consume an inordinate amount of time and energy. Even worse, a small formula mistake can produce egregious errors that over- or under-estimate a risk, and in a shared spreadsheet with no change history such a mistake can go unnoticed for a long time. These issues usually arise when the scale of your risk assessment needs outpaces a spreadsheet's ability to manage the complexity of your organization. Over time, and sometimes without notice, the spreadsheet requires more hours of upkeep and debugging than it saves.
Quantify your efforts to justify an alternative
How do you know when you've reached that point? In all likelihood the person in charge of maintaining the spreadsheet will tell you, perhaps somewhat subjectively, that the time has already arrived. But there is a more objective method: estimate the "cost" of staying on spreadsheets as the savings a replacement tool would deliver, using the following calculation (number of employees * time saved per employee * hourly rate = total cost savings):
Note that time saved per employee is a net figure, since few tools do all of the work with no human input. On the other hand, some overly complex products will actually cost you more and require an enormous amount of time to manage and understand. Just because a tool costs a lot of money doesn't mean it's guaranteed to save you time, such as when your enterprise GRC solution requires a dedicated team to manage it. In short, when the complication of a tool (spreadsheet or enterprise suite) outweighs its benefit, it's time to consider a tool purpose-built for the job.
Of course, this calculation leaves out some of the real costs of an employee's time (benefits, overhead, and the like), but the general point stands: time is a valuable resource on information security teams and could be reallocated elsewhere. Even the act of quantifying the time spent on a process can provide the justification for outsourcing or simplifying it.
A purpose-built risk assessment automation & workflow tool
In the case of spreadsheets used for compliance and risk efforts, you need a tool specifically designed for the task at hand: a risk assessment automation and workflow tool. Thankfully, the UT Austin information security team built such a tool, Isora, expressly to streamline the risk assessment process in a higher education environment. Isora has helped a number of institutions escape the hidden costs of spreadsheets and reach a sustainable, repeatable risk assessment process.