Cybersecurity risk management is under growing scrutiny—not just from internal stakeholders but from regulators, auditors, and customers. Yet many organizations still rely on outdated tools like spreadsheets to track and manage risk. For one mid-sized financial institution, this reliance became a liability during a routine audit, revealing systemic weaknesses that nearly damaged its reputation.
The Problem with Spreadsheets
The institution managed its cybersecurity risk register using a shared Excel file. It seemed practical—risk descriptions, severity scores, mitigation plans, and ownership were all there. But when auditors asked for deeper evidence of due diligence, the shortcomings of the system became painfully obvious:
- No audit trail for risk reviews or approvals
- No consistent criteria for accepting or remediating risks
- No alignment with business priorities or legal obligations
- No way to show that decisions reflected a reasonable duty of care
What appeared to be a risk register turned out to be a list—devoid of the context, rigor, and accountability required to meet today’s regulatory expectations.
Understanding Duty of Care
The audit’s findings highlighted a more fundamental issue: the institution lacked a coherent framework for determining what “reasonable” cybersecurity protections looked like. In legal and regulatory contexts, organizations are expected to demonstrate duty of care—that they have taken responsible steps to prevent foreseeable harm.
Cybersecurity frameworks that incorporate duty of care principles can help decision-makers:
- Consider the impact of risks on the organization, customers, and public
- Evaluate safeguards not just by cost or technical feasibility, but by their ability to prevent harm
- Make and document defensible decisions that withstand scrutiny from auditors and regulators
A Shift in Mindset
In response to the audit, the institution didn’t just abandon spreadsheets—it rethought its entire approach to cyber risk. It adopted a standards-based framework that emphasized accountability, transparency, and business context in risk decisions.
Key shifts included:
- Contextual risk scoring: Evaluating risk with consideration of legal duty, stakeholder impact, and operational resilience
- Audit-ready documentation: Logging and justifying every decision, with clear rationales and timestamps
- Cross-functional collaboration: Enabling security, legal, and compliance teams to speak the same language
- Real-time risk visibility: Moving from static reports to dynamic dashboards that provided executive insights
Results That Matter
Within 90 days, the institution rebuilt its risk program to reflect a more mature, collaborative, and defensible posture. It passed its follow-up audit with praise for transparency and improved governance. Leadership gained new visibility into cybersecurity exposure, and the security team reported greater clarity and confidence in their role.
Lessons Learned
This story offers key takeaways for any organization still managing cyber risk through manual methods:
- Spreadsheets can’t scale: In a dynamic threat environment, disconnected tools fail to provide the insight or structure needed for modern risk management.
- Duty of care is more than legal language: It’s a strategic framework that connects cybersecurity to the business.
- Accountability requires automation: Defensible decisions depend on traceability and transparency—elements difficult to achieve with static tools.
Looking Ahead
What began as a compliance failure became a transformation in governance. By embracing a more strategic and standardized approach to cyber risk, the institution didn’t just recover—it evolved. Other organizations would do well to ask themselves: If regulators or customers looked at your risk register today, would it tell the story you want to tell?
Rosanna Pellegrino is the CRO at Reasonable Risk. Rosanna is a seasoned executive with over 30 years of experience in IT security, professional services, and product strategy. As Chief Revenue Officer at Reasonable Risk, she leads global revenue growth through strategic sales, channel development, and key alliances. Previously CRO at Nisos, she has built and scaled global sales networks and forged partnerships with firms like KPMG, PwC, Check Point, and McAfee. She also held leadership roles at Qualys and RedSeal, driving product strategy and major integrations with top industry players.
Rosanna can be reached online at [email protected], on LinkedIn at https://www.linkedin.com/in/rosannapellegrino/, and through our company website at https://www.reasonablerisk.com/; demos can be requested at https://www.reasonablerisk.com/get-started/contact-us/.