Let’s face it. Most of us have some sort of dependence on Excel and PowerPoint. They serve as our centerpiece for aggregating data and building corporate presentations. However, when it comes to cyber security, neither one should be involved. They slow down the process, leave too much leeway for data “massaging” and create inconsistencies up, down and across the organization.
Yet surprisingly, at least 60 percent of the organizations we encounter, most of which are large enterprises, use Excel or PowerPoint as part of their cyber security program. In one case, a security team manually put together a security posture report in PowerPoint, which took two months to complete from start to finish. In another case, we saw a company assign one person to manually look through each vulnerability scan report, split the results into spreadsheets, identify each line-of-business application owner responsible for remediation and manually send each one their own report. In one more case, a company collected data from their security tools in the cloud, combined it with data from their asset management tools on premises, manually inserted the information into spreadsheets, figured out who owned what and split up mitigation actions accordingly.
Not only are these manual efforts time-consuming and resource-intensive, they also significantly elevate the risk posture of the organization. First and foremost, manual methods impact the timeliness of data. The company in the first example took two months to create the security posture report, meaning those assets were exposed the entire time the security team took to understand the gaps in its defenses. And because individuals responsible for vulnerability risk management are manually entering the results of vulnerability scan reports into spreadsheets, which can amount to millions of vulnerabilities at any given time (see this report, “A Day in the Life of A Cyber Security Pro”), they tend to overlook some, which may expose a high-value asset.
Second, manual efforts affect the accuracy of the data. When security teams are putting together their cyber risk reports for the CISO to present to the board, they may alter the data in spreadsheets so that it is consistent with the rest of the data or makes them appear more secure than they really are. This “data massaging” is usually not a malicious act. Security teams simply aim to make the data more digestible and relevant, so they eliminate information from the report that they feel does not need to be presented. However, the board then makes decisions based on incomplete data, which may lead to ineffective decisions and wasted investments. Altered data also gives the board and other C-level executives a false sense of security, which may make them de-prioritize cyber risk management.
Finally, manual cyber security methods take time. Security teams are spending so many hours entering data, tracking down who is responsible for remediation, following their progress and reporting that they don’t have time to do what they were hired to do and most likely want to do: protect the organization. Security teams should be identifying where their crown jewels exist, those that, if compromised, would impact the business the most. They should be detecting and investigating threats and continuously patching vulnerabilities that put those assets at risk. And they should be measuring their progress so they can see how well they are doing and where they need to improve. They should not be spending days plugging numbers into spreadsheets.
So apart from living in the past and fighting real-time battles with time-lapse tools, cyber security practitioners who are forced to be spreadsheet junkies also become a dangerous choke point in the management and communication of security posture. The challenge is how to navigate a host of business and technical priorities, and manage a flood of security data, so that the business can be both more secure and more agile.
The solution lies in reorienting how security is implemented. While tools can automate and accelerate decision making, it takes moving an organization away from a consumer mindset, where security teams simply report to the organization, to more of a supply chain mentality, where all stakeholders take an active role in producing a secure “product” within the organization. This way of thinking, and the technologies that enable it, lie in three main areas.
Education is first. From training and policy to the distillation of secure concepts into business value, providing a common foundation for organizational security is critical.
Second is engagement. From the line of business, to the C-suite, and all the way up to the board, each group needs to participate in the identification and definition of asset value. Which assets are most critical? Which controls are acceptable? Which processes require priority?
The final category is empowerment. Giving key stakeholders, through automation and tools, the ability not only to understand but to act on data that is relevant to their roles is the path not only to increased efficiency but to vast improvements in accuracy and effectiveness, and ultimately to a huge reduction in organizational risk.
Thank you, PowerPoint and Excel, for the help you have given us for many work assignments. However, for cyber security, it’s time to part ways. The bad guys don’t spend months manually plugging data into spreadsheets and slides. The good guys shouldn’t either.