Spreadsheets are dumb. Okay, it’s not that spreadsheets are dumb, or that the people who use them are dumb. That’s not at all what I’m saying. What’s dumb is using spreadsheets to manage third-party information security risk. If I’m going to call something dumb, I’d better have some logic to back it up. Good thing. I do.
Third-party information security risk management options
Before we get into the details of using spreadsheets, let’s first cover the options for managing third-party information security risk. You have options.
The first option is to do nothing. It’s a bad option when we consider the fact that 61% of companies in the United States have experienced a breach caused by a third-party. Intrinsically, we know that third-parties don’t value our things (data) as much as they value their own things. We’ve all lent a tool or a gadget to a friend before, haven’t we?
The second option is to use a purely technical solution, as if information security were a purely technical issue. The problem is that information security isn’t a purely technical issue, it’s a business issue where people are the most significant risk. So, a shortcut technical solution isn’t going to work well either, but it’s arguably a better option than doing nothing.
The third-option is to dig a little deeper, to inquire of the third-party as to their security practices and to seek some form of attestation from them. This is a good option because we can gain insight into their technical security controls and their security practices. If we ask the right questions in the right way, we can conceivably make good risk decisions. Good risk decisions and risk management is the point of the entire exercise. Don’t be fooled into thinking that risk elimination was the goal.
We settle on the fact that we’ll need to ask some questions and decipher risk from the third-party’s responses. This is our best option, but how? What is the best way to accomplish this goal?
One way to accomplish our goals is to use spreadsheets. Open Excel, create a questionnaire, insert some drop-downs, maybe some scoring, and even some conditional formatting if we’re fancy. If we want to save ourselves the headache of creating a spreadsheet from scratch, we can download one of the hundreds of templates available with a simple Google search. Your spreadsheet is going to take time to create, and time is money. The amount of time it takes to create a spreadsheet questionnaire varies, but the average per third-party is between 3 and 5 minutes.
The real trouble and inefficiencies in using spreadsheets when it comes to managing their use. This includes scheduling, sending, reminding, supporting, reviewing, remediating, organizing, and reporting. The time to use a manual spreadsheet process can be as high as five or six hours per third-party. The manual processes will also require someone with experience to manage it sufficiently. The more third-parties you must manage, the messier the mess becomes. Manual processes are inefficient and error-prone.
According to SecurityStudio, the following estimates apply to manual spreadsheet processes:
- A single FTE can manage roughly 350 third-party information security risk assessments and decisions annually.
- The total number of hours spent on each third-party information security risk assessment and decision-making process is roughly 5 hours and 42 minutes.
- The average cost of managing 100 third-parties is slightly more than $26,000.
- The average number of FTEs to manage 100 third-parties is .28.
Managing third-party information security risk management using spreadsheets is better than not managing third-party information security risk management at all but is it a smart option? After all, I called it dumb, didn’t I?
Using third-party information security risk management software
There are dozens of third-party information security risk management tools on the market. The market has exploded because of the enormous need. Third-party information security risk is a significant issue that cannot be ignored, shortcut (purely technical) solutions aren’t cutting it, and manual processes are painfully inefficient and error-prone. The answer provided by software is to automate all steps in the manual workflow that can be automated, to standardize processes, and to set specific rules.
Automation, standardization, and rule enforcement is software’s jam. In most cases, software will come with a cost. What if you could automate, standardize, and reduce errors, and save money? A positive return on investment is possible and probable with many of the third-party information security risk management tools on the market.
Return on investment
Automation itself leads to efficiency, and efficiency leads to cost savings. The cost savings leads to a positive return on investment (ROI) when comparing software versus spreadsheets (manual).
The following estimates apply to using software automation:
- A single FTE can manage as many as 950 third-party information security risk assessments and decisions annually, compared with the estimated 350 using manual processes. This is a 171% increase.
- The total number of hours spent on each third-party information security risk assessment and decision-making process using software is roughly 2 hours and 4 minutes compare to 5 hours and 42 minutes using manual processes.
- The average cost of managing 100 third-parties is $10,125 (including typical license fees), compared to $26,000 using manual processes. Here is your positive ROI.
- The average number of FTEs necessary to manage 100 third-parties using software can be as low as .1 compared to .28 using manual processes.
The cost of a third-party information security risk management tool, whether it be a software as a service (SaaS) or on-premise solution, can be a little as $200/month.
The numbers might surprise you, and we can argue the details, but simple logic would lead us to believe:
1. We must reach out to third-parties and ask them questions if we have any hope of sufficiently managing third-party information security risk.
2. Using spreadsheets as our primary mechanism of managing third-party information security risk is inefficient, error-prone, and costly.
If we still choose to use spreadsheets to manage third-party information security risk is dumb knowing what we now know.