A (Bad) Day in the Life of a Cybersecurity Risk Analyst

May 22, 2020 | Ben Storm

Buying a risk analysis solution versus building one is a question that we at RiskLens are accustomed to hearing. Many factors go into deciding whether buying or building is the right decision for your team and organization.

For instance, how much time does your CISO want you to spend on formulas and maintaining spreadsheets instead of analyzing and managing risk scenarios? Because if you choose to build, you will spend the majority of your time managing complex formulas and maintaining spreadsheets instead of trying to meet the SLAs of the 74 backlogged policy exceptions and 95 overdue remediation plans that need review and approval. Are you a statistician or a risk professional?

Ben Storm is a Risk Consultant with RiskLens

A (Bad) Day in the Life with Spreadsheets

>>The project manager sitting twenty rows away from you is blowing up your email because you are the bottleneck for the new multi-million-dollar Crown Jewels database implementation: earlier in the project you identified a security control that the business can’t meet, and further analysis is required.

>>There is a quarterly board meeting coming up in two weeks and your CISO requested a high-level risk report to show the board how “risky” your company is.

>>Not to mention a zero-day came out yesterday and your CISO needs to know if the server team needs to patch out of cycle or if they can wait until the next patch cycle later in the month.

>>And you almost forgot that last week an external audit identified a high finding that needs immediate risk analysis so your leadership team can determine what action needs to be taken.

>>It also appears you just got an angry email from the director of marketing. Both of your team members duplicated a risk analysis (the one working on it must not have highlighted it yellow in the spreadsheet, which is how the team signals that someone is running with it), and one rated it “critical” while the other rated it “medium”. The business needs answers, because the marketing director is absolutely furious and has already contacted your CISO and the CIO. Yup, the meeting just popped up on your calendar with all three of them at 10:00, and the clock just rolled over to 9:55. You have 5 minutes to figure this mess out.

>>Oh, and of course when it rains it pours: your teammates are out of the office today. One’s sick, the other is on PTO. It’s just you. 9:56, you peek over your cubicle and see the CIO walking into your CISO’s office. Uh oh, here comes the director. Yup, they’re mad. Everyone’s mad.

>>It’s 9:57… three minutes until showtime (you can do it, I believe in you, sink or swim, now is your time to shine). You open up Excel to get your handy dandy risk analysis spreadsheet fired up and…

Your teammate must have input something funky before leaving the office last night and corrupted the entire thing. It’s 10:01. What do you do now? This was your moment. You could have been the hero.

Variations of this scenario happen weekly. Sometimes daily.

Let’s Lose the Spreadsheets and Replay this Day with the RiskLens Platform

>>If you were using the RiskLens platform, you would have been able to triage that audit finding in under 30 minutes. You could have used data helpers and the triage functionality to prioritize the overdue policy exceptions and remediation plans.


>>You also would have been able to triage that zero-day in 30 minutes with the help of the data helpers that the network team helped build out three months ago.

>>The Crown Jewels database could have been added to the Asset Manager when the project started, giving your team ample time to gather control data once the project kicked off.

>>The results from the duplicated analysis could be traced back with the logging capabilities in the RiskLens platform, along with the rationale recorded by each team member, to see why the data is different. That makes a very difficult conversation much easier, because you can review objective data rather than having nothing but a corrupt spreadsheet.

>>You could have provided your CISO not only with an aggregate annualized loss exposure for the risk scenarios identified that quarter, but also with visualizations of the risk reduction initiatives, showing how your team is working to bring the amount of risk down to acceptable levels. Your CISO could walk into that board meeting as a normal, run-of-the-mill CISO and walk out as a bona fide rock star.

But what about you? Well… you would be the hero.