When I asked RSA Archer® VP David Walter who their competition was, he told me earnestly it was the simple spreadsheet. I believe him, especially after what I have seen people do with spreadsheets over the years that I have been a tech reporter.
Dan Bricklin and Bob Frankston invented the electronic spreadsheet with VisiCalc for the Apple II in 1979. It wasn’t long after that when I began using it on an HP 85 running CPM to build mathematical models working at various jobs in DC. That was a sweet machine, with its three-inch monochrome monitor and all 8K of RAM. Then Lotus 1-2-3 and the IBM PC came along making spreadsheets the go-to general business tool.
It has surprising staying power, given the software has essentially had the same user interface for more than 30 years. People have been using spreadsheets for all sorts of applications, regardless of whether they were appropriate or not. Including using them for risk management. At the RSA Archer Summit 2018 this week, a mention of replacing spreadsheets by product manager Emily Shipman got some cheers from the audience.
Emily Shipman at RSA Archer Summit 2018
I have seen spreadsheets used for formatting a resume, running a presentation, as a (very) rudimentary word processor, drawing pictures of a network’s infrastructure connections and for creating maps. The presentation didn’t sound too bad until I heard that it had a separate worksheet for each slide. You can only imagine the horror.
You can see a couple of common threads in the list above: If you don’t know how to use the right tool, jury-rig the one you’re familiar with, even if the workarounds are awkward or dumb. After all, the clarion call of a grid of empty cells is so seductive, and waiting to be filled with thousands of rows imported from your security logs or network firewalls or whatever it is that you might conjure up thinking it will help you manage risks to your business.
Here are four reasons why you want something better for integrated risk management. First, spreadsheets are great for ad hoc and quick analysis, which is why they still are used. The trouble comes when the ad hoc becomes entrenched and enshrined, and then quickly becomes outmoded and cumbersome.
Second, they can be error-prone. The tech literature is filled with horror stories such as this one about auditors who misplaced a minus sign in a single cell that turned into a financial catastrophe for that business.
Next, they are tough to use for data visualizations. Yes, you can make some nice pie charts with a few quick keystrokes that can nicely go into your presentations. Good for you. But for spotting longer-term trends and producing actionable information, you need something more potent.
Finally, they don’t do well when it comes to collaboration and creating corporate policies. When multiple people are editing a spreadsheet, trouble usually ensues. I once cited a story about Trek Bicycles, and how their product team held status meetings two to three times per week, during which the team assembled in a conference room and would update project spreadsheets one line item at a time. Via voice phone conference calls. Granted, this was in the pre-Internet era. But still. If you are trying to quantify risks, you need something that multiple people can use as a single source of truth for your business. A shaky spreadsheet isn’t even close. “It is ridiculous that spreadsheets are still being used to track vulnerabilities,” said Walter. “It is time we came out of the Stone Age.” I agree.
You need a better foundation for making your risk policies. So it is time to separate from our spreadsheets. Yes, you can still use spreadsheets for the way Dan and Bob originally intended: for calculating numbers. But that’s it.
# # #
Author: David Strom