Can I Use Excel to Manage My InfoSec Program?

Can I Use Excel to Manage My InfoSec Program?

A Great Question

When talking to a prospective customer recently, the question was raised: “Can I just use Excel to manage my security projects?” It’s a great question since people have been repurposing tools like Excel, GitHub and Jira for years to manage their InfoSec requirements, so why not?

While these are great products, the question comes down to what was the original core problem these products sought to solve. In the case of Excel, it was to process complex calculations and formulas. For Jira and GitHub, it was to manage engineering or IT projects. None of these products were designed inherently to manage your InfoSec requirements, and so they fall short in two core areas: defining your InfoSec plan and leveraging your InfoSec information.

The (Security) Problem You Are Solving

If you are a part of an InfoSec team, you are well aware of the myriad of security-related tasks thrown on your desk on a regular basis. Perhaps a client has asked for a copy of your InfoSec policy document, asked you to fill out a lengthy security assessment questionnaire, or requested you get certified in SOC 2 or ISO27001. Each of these tasks could be handled in isolation by a spreadsheet or project management software, but this is not efficient. Done right, you could be leveraging the work you have done once, multiple times in the future. Let me explain how.

In InfoSec, everything is connected. Your InfoSec policy should be connected to the security controls you implement. In turn, your answers to your security questionnaires should accurately reflect the security controls and policies of your organization. And when you are audited by a third party to attest to your security level, that too should be consistent with your InfoSec plan of record and the commitments you have made to your customers. When you store your InfoSec requirements in different silos such as Excel for some things, and Jira for others, it becomes extremely challenging to continuously prove you are secure to your clients and auditors.

Leverage Is Key

So, what if you could have a system that connected all the dots? With Tugboat Logic’s Virtual CISO Platform, we have sought to build such a platform, designed specifically to address the requirements of the InfoSec team so they can plan better, and leverage their work over and over again. Here are some examples of the things Tugboat Logic can help with:

The Answer Is You Can, But You Shouldn’t

To close the loop on the question asked by the customer – can they use Excel or some other project management software to manage their InfoSec program? The answer is you can, but you shouldn’t. You need a purpose-built security solution that can help you define what policies and controls you need based on your line of business. Further, by keeping all of your security functions in a central system of record, you can leverage the work you do in one area (such as InfoSec policy creation) to automatically solve a problem in another area (such as answering security questionnaires). To add to this, by having a continuously maintained InfoSec platform, you will have a much more credible and consistent InfoSec program to share with clients and auditors, which will help your company win more business.