Security teams are hiding an embarrassing secret from the outside world: despite their position at the vanguard of technology, security risks and threats, their actual war plans are managed on spreadsheets.
This is a far cry from the dark rooms, multi-screens, and falling code most people imagine, and it’s also a universe away from what they need.
Cybersecurity by spreadsheets?!
Microsoft Excel and Google Sheets are excellent for balancing books and managing cybersecurity budgets. However, they’re less ideal for tackling actual security issues, auditing, tracking, patching, and mapping asset inventories. Surely, our crown jewels deserve better.
And yet, security operation teams are drowning in multi-tab tomes that require constant manual upkeep.
Using these spreadsheets requires security operations to chase down every team in their organization for input on everything from the mapping of exceptions and end-of-life of machines to tracking hardware and operating systems. This is the only way to gather the information required on when, why and how certain security issues or tasks must be addressed. It’s no wonder, then, that the column reserved for due dates is usually mostly red.
This is an industry-wide problem plaguing even multinational enterprises with top CISOs. Even those large enough to have GRC teams still use Excel for upcoming audits to verify remediations, delegate responsibilities and keep track of compliance certifications.
It’s no one’s fault
How has this remained under wraps to non-security folks for so long? Usually, when reporting is due, the unluckiest team member is responsible for consolidating all the information they’ve gathered into a far more palatable presentation slide.
Teams with better luck might get to do this using Power BI, but this is entirely at the mercy of how often IT teams update them and only work for on-prem systems.
It’s not like security teams and leaders use spreadsheets as their first choice. While there are available tools to use instead, options are limited, often too expensive, and require too much time or effort to implement.
It may sound odd to those on the outside, but in most cases, it truly is faster and more effective to start an Excel sheet, export the information required from security tools or ticketing systems, and chase down relevant stakeholders on an individual basis.
4 methods to streamline security operations
Thankfully, there are methods to streamline or, at least, minimize security team reliance on manual Excel work. Some do involve an initial investment, but offer a substantial payoff.
1. Compliance frameworks
Specialized tools for compliance frameworks and related issues can do wonders by automating and managing their highly complex workflows. They include solutions like Regulait, Anecdotes and Vanta, which automatically manage access and gather evidence from various sources by seamlessly connecting with ticketing systems.
Automation is critical for reducing the number of labor-intensive tasks related to access reviews, quality parameters, security settings and control implementation.
2. Audit findings
Audit findings require intricate, detail-intensive work that GRC solutions can easily take care of instead.
If this remains out of scope for audit teams, they can alternatively use a centralized tool to encourage a more structured approach. These tools can either be custom-built or purchased off the shelf to organize audit templates with far more functionality than what Excel has to offer.
3. Vulnerabilities
Many tools are available to tackle issues like missing patches and vulnerabilities, such as code scanning, SCA, vulnerability scanners, CSPM tools, etc. Security teams can consolidate data from these sources into a data lake to achieve better reporting and derive the best actionable insights for remediation.
4. Data-lake automation
Building automation on top of data lakes is a proactive approach to ensure that issue information is always readily available to relevant stakeholders. Even better, it can even facilitate automatic ticket creation. Not only does this approach save time, it also significantly improves how efficiently security teams can resolve issues.
Purchase considerations
When considering buying solutions, it’s important to go for solutions that can be adapted. While they can be incredible time-savers for aggregating and correlating information, they can still present challenges around maintenance and customization to fit specific organizational requirements.
In addition to customizability, the most optimal choice is a comprehensive solution that aligns most of an organization’s security needs. These solutions must streamline remediation processes to remain a cost-effective investment by freeing time for security professionals to focus on critical security issues rather than being tied down by Excel-based tasks.
The stakes of cybersecurity are too high to leave to Excel spreadsheets. As a company grows and scales, the security gaps inherent in the Excel will grow increasingly untenable.
Reliance on manual processes and outdated tools increases the risk of overlooking critical vulnerabilities and hinders the ability to respond effectively to cyber threats in real-time. It’s time for the industry to work together and leave the spreadsheets behind.
link