February 12, 2019
IT Risk Assessments: Spreadsheets vs. Workflow Software
Spreadsheets can be a powerful tool for managing and organizing all kinds of things. I would be willing to bet that no corner of work and life exists today where spreadsheets have not found a use. In fact, probably some version of spreadsheets got us to the moon.
Spreadsheets are your best friend…until they’re not
In the information security world, spreadsheets have gained traction in managing compliance efforts and managing risk. If you’re ambitious you could probably mix in some inventory as well, and if you’re really ambitious, you could share your beloved spreadsheet for others to fill it out—hopefully without breaking it!
However at some point that helpful and organizational spreadsheet will turn on you and consume an inordinate amount of time and energy. Even worse, a small formula mistake could create egregious errors that over- or under-estimate a risk. These issues usually arise when the scale of your risk assessment needs outpaces the ability of a spreadsheet to manage the complexity of your organization. Over time and sometimes without notice, these spreadsheets require more hours of upkeep and debugging than the tool itself provides in time savings.
Quantify your efforts to justify an alternative
How do you know when you’ve reached that point? In all likelihood the person in charge of managing the spreadsheet will tell you, perhaps somewhat subjectively, that time has already arrived. But there is a more objective method to determine the “cost” of using spreadsheets using the following calculation (number of employees * time saved/employee * hourly rate = total cost savings):
Note that the time saved per employee is used to account for the net time savings since few tools will do all of the work with no human input. On the other hand, some overly complex products will actually cost you more and will require an enormous amount of time to manage and understand. Just because it costs a lot of money doesn’t mean it’s guaranteed to save you time, such as when your enterprise GRC solution requires a dedicated team to manage it. In short, when the complication of a tool outweighs the benefit, it’s time to consider a purpose-built tool for the job.
Of course, there are some other considerations about hiring an employee that this doesn’t take into account, but generally time is a valuable resource on information security teams that could be reallocated elsewhere. Even performing the act of quantifying the time spent on a process can help provide the justification for outsourcing or simplifying the process.
A purpose-built risk assessment automation & workflow tool
In the case of the spreadsheets used for compliance and risk efforts, you need a tool specifically designed for the task at hand: a risk assessment automation and workflow tool. Thankfully the UT Austin information security team built a tool, Isora, expressly to streamline the risk assessment process in a higher education environment. Isora has helped free a number of institutions from the hidden costs of spreadsheets and reach a sustainable and repeatable risk assessment process.
TX-RAMP is a new vendor risk management regulation for Texas state agencies and public higher education institutions. Here’s everything agencies need to know
Getting certified for the CMMC can seem like a daunting task. Here are 5 fool-proof steps you should take. Updated for CMMC 2.0. Read the guide
Scoping FCI & CUI and building an enclave is necessary to make compliance more efficient and cost-effective. Read the guide. Updated for CMMC 2.0
Everything you need to know about the CMMC, including its history, structure, requirements, and certification process. Updated for CMMC 2.0