Business Analysis and Cybersecurity: What is the root cause?
Bindu Channaveerappa
We are looking at why cybersecurity should be an intrinsic part of business analysis. In the previous article, I outlined the problem by looking at a couple of cyber incidents, recognising that cybersecurity is more than just IT, and the impact is significant if we get it wrong. Looking at the potential causes for the breach in both incidents, it can be ascertained that the underlying cause was the lack of awareness or not having a security mindset. Research has repeatedly shown that most cybersecurity incidents are due to a lack of awareness, and "people" are the weakest link.
Taking a step back to gain perspective
In this article, we'll take a step back to gain perspective on the root causes of this mammoth issue which is affecting everyone professionally and personally. Understanding the background will help us to evaluate why a change in focus towards cybersecurity is necessary.
I started my career as a consultant analyst developer during the late 1990s. My job was to work with clients, understand their business requirements, design a database, build a system to meet their business needs, and prepare manuals and train users to use the new application. I was doing all of these things on a standalone computer. All my code, executables, operating system, and database, including the customer data, were in one physical system.
The only vulnerability, apart from securing the physical equipment, was the floppy disk, which was used to copy data in and out of the computer and could potentially corrupt the files if it contained a virus. Even if a file was corrupted by a virus, anti-virus software was available which could clean the data. This solution could be replicated on any other infected computers within the organisation. One solution for all computers.
Later, computers were connected as clients to a server creating local and wide area networks. Today with the advent of the Internet and other technological advancements, systems are distributed across the globe. For instance, customers can initiate a transaction in a location on a gadget and complete the same transaction in another place and at a different time.
Across the spectrum of change
Technology has advanced from wired, to wireless to wearable. It is conceivable that technology may be implantable in the future! Imagine the potential weaknesses or vulnerabilities in a globally distributed system. What can go wrong in this new landscape? The list of potential vulnerabilities is seemingly endless. It is easy to see why so many breaches occur, and why we seemingly hear and read about them almost every other day.
In a truly interconnected world, there is no one solution to this cybersecurity challenge. Unlike the times when information was passed between systems by floppy disks and dial-up modems, vulnerabilities in this new landscape come with their own risks and impacts. There are additional legal and compliance requirements to adhere to, requiring different defence solutions, which could be technical and non-technical. Some of the solutions might involve people management, process management, disaster recovery, business continuity and more besides.
Throughout my journey as a BA, I’ve adapted to the progressing technology and changing business needs. As businesses started to expand, the shorter list of user or system requirements from back then also started to expand, into Functional Requirements (FRs) and Non-Functional Requirements (NFRs). Historically, security was considered a type of NFR, usually restricted to roles and permissions. With the increased cybersecurity threats, this view on security is no longer sufficient.
Expansion is the future
In recent years, user experience enhancements have been made by pushing out system boundaries. Disrupting and challenging the status quo and using technology in new ways within the business ecosystem has become the default way of thinking for innovative organisations. The more technology expands, the more vulnerable the ecosystem gets, and the more security controls are required.
Today robotics and AI have become part of many people's lives, whether robotic dogs patrolling the parks or Alexa and Eilik (a mini robot) on our desktops or personal assistants for homes. This is the beauty of technology. However, as the saying goes, when we pick up one end of the stick, we also pick up the other end. Along with technology comes cybersecurity. Research from Gartner brings forth four emerging technologies and trends for 2023. Two of the four concern cybersecurity: the "smart world", a fusion of physical and digital experiences, and the "transparency and privacy" of personal data collection.
BAs and cybersecurity
What can (or should) BAs do? Or does the problem exceed the scope of business analysis? A key question to ask is “who is responsible for cybersecurity?”. This is a tricky question to answer.
Imagine a customer walking into a store, accidentally falling due to a slippery surface or stumbling due to some obstruction. Who do you think in this situation is responsible for the accident? Is it the cleaner, staff, security guard, store manager, senior management, etc? Who in your home is responsible for securing the doors and windows or valuables? Now that you have gained a broader perspective on the topic, take a moment to ponder this question. Who is responsible for cybersecurity?
The answer, perhaps, is that everyone has a responsibility to consider cybersecurity. Yet, as it has often been said “everyone’s responsibility is nobody’s responsibility”. With such a crucial area, it’s essential that somebody picks up the baton. As business analysts, we are well-placed to step up, ask the difficult questions, and ensure that cybersecurity is kept firmly in the spotlight.
In the next article, we'll look at the role of BAs in protecting the organisation's information and intellectual property.