Are you like so many other CISOs - up to your ears in Excel worksheets?


Emelie Thörnell

Cybersecurity Consultant

February 19, 2019 at 14:46

At the beginning of the year, all departments in the organization have finally submitted their annual status reports regarding departmental risks and it’s time to analyze the results. But how will you organize and crunch the numbers in all those Excel worksheets that departments use to document risks? How can you produce a collective risk profile for your organization? Where should you start, and what’s the best way to present the information? If these questions are familiar, it’s likely that your organization has outgrown its Excel worksheets. In that case, you need a more suitable solution that’s specifically designed to bring order to risk reporting chaos. 

It’s not likely that the world will abandon Excel anytime soon. Indeed, many prefer to complete risk analyses and other tasks in the familiar environment of an Excel template. The challenge comes when it’s time to create and understand the big picture of an organization’s risks, especially in large, complex companies. 

Risk analysis prompts a variety of questions, such as these:

  • What are the greatest risks in our organization? 
  • How do we manage these risks? Which actions do we need to take – and do we need to work on increasing risk awareness in the workforce or focus on technical solutions? 
  • How should we present reports of the results, and how do we tailor these reports for decision-makers and other stakeholders? 

Every industry must grapple with these questions – defense, transportation, public-sector organizations, finance, med-tech companies and retailers. The risks may differ between sectors, but the fundamental problems are the same.

The simplest way to take control of the situation is to use a specifically designed GRC tool [1] that can automate functions to measure, follow up and report the status of risks, including the key indicators – KPIs and KRIs [2]. A GRC tool also makes it possible to manage compliance and information security in the organization through workflow, reminder and escalation functionality. 

At Nixu, our clients often ask us to help them determine how well they comply with information security requirements such as those set by the General Data Protection Regulation (GDPR), the NIS Directive and the ISO/IEC 27000 series of standards. The need for effective control keeps growing as regulations and requirements emerge and evolve. Organizations that fail to follow current rules and regulations can suffer dire consequences in the form of both economic sanctions and damaged credibility. Large organizations can easily make decisions based on the wrong information if they lack effective tools to support analysis; it is simply too difficult to maintain the quality of information required to make well-informed decisions and choose the right path forward. 

The greatest advantage that large companies see in using GRC tools is their ability to supply fast, easy analyses that support correct decisions, structured working methods with integrated workflows, and more efficient work processes.

So where do you begin? Nixu is happy to help your organization bring GRC tools on board, but here’s a simplified explanation of the process:

GRC tool deployment process
  1. Formulate goals, needs and requirements: Begin by determining the purpose of implementing a GRC tool, and the goals your company wants to achieve. Identify various needs in the organization. Based on these, formulate your requirements on the GRC tool.
  2. Create a plan: Establish a plan for introducing the GRC tool. Determine the areas of the organization that will be included and the schedule for carrying out each step of the plan.
  3. Identify competence needs: Identify the competences you need throughout the project, for example in information security, risk analysis and legal matters.
  4. Carry out a pilot project: Begin the work successively in small steps, and put the new GRC tool through its paces in a pilot project.
  5. Evaluate: Assess the results of the pilot project and adjust the plan accordingly (and the goals if necessary).
  6. Continue the work: Continue the good work according to plan, based on knowledge gained from the pilot project. Some work steps may need adjustment or more iterations throughout the tool introduction process.

At times, the shift to new IT support frameworks and a different way of working can seem daunting. At Nixu, we offer you substantial expertise in change management. We’ve worked diligently to create acceptance for new, digitalized working methods in a wide variety of organizations. When embarking on such a significant project, it can help to hire one or more of our experts, who have considerable hands-on experience with the process of moving from Excel to GRC tools. Our competence in this field ensures that we always begin at the right point for your organization and proceed with successive implementation. We do not offer our own GRC tools; instead, we help you adapt the existing IT support frameworks in your organization based on the specific GRC tool needs you’ve identified. If you need assistance in selecting and purchasing a new GRC tool, we can offer our long experience in formulating requirements. Many GRC tools are available on the market, such as ServiceNow, Archer, BWise, MetricStream, Rsam, and the open-source tool Eramba. Read our customer case to learn how we helped the Swedish agricultural cooperative Lantmännen with GRC deployment. 

So...if you’re a CISO who’s drowning in Excel worksheets, switch to a tool for GRC! Contact us and we’ll be glad to tell you more.

[1] GRC = Governance, Risk, Compliance

[2] KPI and KRI = Key Performance Indicator and Key Risk Indicator
