This is a guest post contributed by NetSPI’s partner, OpsEase.
Learn more about becoming a NetSPI partner here.


Using a spreadsheet to track and manage your controls will leave you ripe for a breach. Here’s why: You’re probably one of two types of companies.  

Scenario #1: Paying for a GRC Tool 

You’ve realized using spreadsheets for control and risk management  is a risk in of itself and shelled out big bucks to deploy a Governance, Risk Management and Compliance (GRC) solution.  

Scenario #2: Using Spreadsheets to Track Controls 

You’re like so many other companies and have evaluated GRC options only to find that they’re all too expensive. You then use a spreadsheet to build & track your controls through manual efforts. 

If you’re in camp A, congrats, you’re ahead of the game, however likely at a relatively high cost. But most companies I’ve talked with cannot justify the cost of a GRC tool and fall into the camp B — using a spreadsheet to manage controls and risks.  

As a business owner myself I completely understand. A spreadsheet doesn’t cost anything and we can get by our audit. We can show our customers and vendors a good story with our control framework. Our cyber insurance isn’t asking for too much documentation at this point so we can slide by… but the hidden costs and risks of a spreadsheet outweigh the cost of a reasonably priced GRC solution.  

5 Reasons Spreadsheets Don’t Provide Flawless Implementation of Controls

So, why is a spreadsheet your biggest cyber risk? Many possible threats exist today:  

  • Attackers trying to phish your employees 
  • Outdated systems without the latest patches 
  • A loose access control policy 
  • And a plethora of other risks 

Fortunately, your control framework has an answer to each of these. Moreover, if you flawlessly implemented and followed your control framework without fail, you’d reduce security risk exposure drastically. However, using a spreadsheet makes it impossible to flawlessly implement or follow your controls.  

Here are the top reasons why using spreadsheets for controls and risk register are your greatest security threat.  

  1. Spreadsheets are not collaborative. To be more specific, they don’t provide an ability to have controlled collaboration. Excel, SharePoint and Google Sheets are collaborative tools but they are designed for open collaboration vs. controlled. You cannot easily control visibility or assign only a subset of controls to internal or external resources.

    Locking down or hiding cells isn’t really a functional solution especially when working with an external entity like a vendor. The last thing you want to do is to give your vendor access to your security framework spreadsheet with all your controls. Your likely workaround is to send them a subset of controls in a different spreadsheet or document and then copy / paste the responses back which is manual collaboration at best.  
  1. Spreadsheets cannot be automated. So much of our world has embraced automation to ensure process adherence, efficiency, and greater compliance to an outcome. Being able to assign controls, track completion, flag risks and alert on potential incidents is the next step to improve security, track risks and prepare for an audit. If it can’t be systematically controlled to ensure adherence, it’s a risk.  
  2. Spreadsheets are ripe for human errors. An age old reality is that anytime there’s the potential for human error, it will likely happen at some point.

    Bob in IT forgets to check the firewall logs. A Microsoft SQL workload isn’t patched for months at a time and no one is checking. Sally leaves the company and still has access to the core systems months after departing.

    These are all simple examples of a control failing to be handled and the CISO or security team having no visibility or ability to track the risk.  
  3. Spreadsheets are not file systems. You cannot attach control documentation to a spreadsheet. Specifically, log files, screenshots, checklists, and the variety of other ways you need to document your controls cannot be attached, organized and presented in a spreadsheet. Most companies create a folder structure to store these files and link them into the spreadsheet. This process is terribly time consuming, fraught with potential errors (see point 3), isn’t easily collaborative (point 1), and can’t be automated (point 2) for approvals to ensure the documentation is compliant with the control.  
  4. Spreadsheets are not good enough for your auditors. They want to see proof of actions, especially attestation that something was done. A GRC system is the record of truth so that you can show your auditor and not have to dig through emails or meeting notes where you took action on a periodic control.  

By now you’ve realized that we have a distinct opinion on why spreadsheets simply do not cut it. Using them for your security framework is one of your greatest risks. Visit OpsEase, the GRC tool to help make compliance easy and affordable. 

Built by security professionals for security professionals, OpsEase is an IT security governance, risk and control (GRC) solution designed for SMB and mid-market companies to better monitor and manage their security controls. OpsEase gives solution providers a single pane of glass to manage your security frameworks, for your company or customers you manage, creating greater value for both you and your customers.