How can business analysis tasks be applied in a cybersecurity initiative?
Leveraging Business Analysis for Cybersecurity Success: A Strategic Approach
Bindu Channaveerappa
Introduction:
In an era of increasing cyber threats and sophisticated attacks, organisations are recognising the critical need for robust cybersecurity measures. *Cyber attacks were the fifth top-rated risk in 2020 across public and private sectors, increased globally by 125% through 2021, and continue to rise. Due to IoT cyber attacks alone, the number of attacks is expected to double by 2025. Additionally, the World Economic Forum's 2020 Global Risk Report states that the rate of detection (or prosecution) is as low as 0.05% in the U.S.
Business analysts, with their unique skill set and holistic approach, play a pivotal role in ensuring the success of cybersecurity initiatives. In three sections, this article explores how business analysis tasks can be strategically applied in cybersecurity to align security measures with business objectives and enhance overall organisational resilience.
Across the spectrum of change:
In a truly interconnected world, there is no one solution to this cybersecurity challenge. Unlike the times when information was passed between systems by floppy disks and dial-up modems, vulnerabilities in this new landscape come with their own risks and impacts. There are additional legal and compliance requirements to adhere to, requiring different defence solutions, which could be technical and non-technical. Solutions now involve people management, process management, disaster recovery, business continuity, and more.
Technology has advanced from wired to wireless to wearable. It is conceivable that technology may be implantable in the future! Imagine the potential weaknesses or vulnerabilities in a globally distributed system. What can go wrong in this new landscape? The list of potential vulnerabilities is seemingly endless. Disrupting and challenging the status quo and using technology creatively within the business ecosystem has become the default way of thinking for innovative organisations. In recent years, user experience enhancements have been made by pushing out system boundaries, making imagination the new boundary. The more technology expands, the more vulnerable the ecosystem gets, and the more security controls are required.
What can (or should) business analysts do? Or does the problem exceed the scope of business analysis? The critical question is, "Who is responsible for cybersecurity?", and it is a tricky one to answer. The answer, perhaps, is that everyone has a responsibility towards cybersecurity. Yet, as it has often been said, "Everyone's responsibility is nobody's responsibility".
Business analysts are well-placed to pick up the baton, step up to ask difficult yet crucial questions, and ensure that cybersecurity is kept firmly in the spotlight. Before we address the question of what business analysts can do, it is imperative to understand the difference between the role of a business analyst and that of a cybersecurity analyst. The two sit at different ends of the spectrum: both perform analysis, but they play on different parts of the playground. Business analysts focus on the value proposition, and cybersecurity analysts focus on securing everything relating to I.T. and cyberspace.
Business analysts need not be cybersecurity experts. Instead, they should extend the scope of their analysis to include security holistically and call upon cybersecurity expertise depending upon the project, exactly the way they lean on business SMEs (subject matter experts) when they need to understand more about a subject. To do that, they need the foundational knowledge required to identify the security requirements across the project delivery and reach out to the SMEs accordingly.
It is well-established that security cannot be an afterthought or a patch at the end of the project and must be baked into the solution, starting from project inception.
Understand and define the right problem:
At the heart of every successful endeavour lies clearly and accurately identified challenges. In organisations or societies, the ability to discern the root cause of a problem lays the groundwork for strategic decision-making, efficient resource allocation, and targeted solutions. This process is akin to setting the coordinates for a journey: a precise destination ensures a focused and effective route, and the journey begins with a well-defined starting point – identifying and comprehending the right problem.
Understanding and defining the right problem is a critical first step in any cybersecurity initiative as it lays the foundation for developing effective solutions that address the organisation's specific challenges and vulnerabilities and, therefore, mandates a systematic approach:
Identify stakeholders and plan stakeholder engagement:
The dynamic and interconnected nature of cybersecurity often involves a complex web of internal and external entities, making stakeholder engagement an indispensable element to ensure that the right people are involved, informed, and influenced throughout the cybersecurity journey in an organisation.
By systematically identifying stakeholders and planning their engagement, business analysts can help build strong relationships, align interests, and foster a collaborative approach to cybersecurity initiatives within the organisation. Effective stakeholder engagement is a crucial element in implementing cybersecurity measures and contributes to a collective understanding and commitment to cybersecurity goals within the organisation.
Business analysis approach and business analysis activities:
In today's cybersecurity landscape, where the stakes are high, and threats are constantly evolving, the application of a strategic business analysis approach and the diligent execution of business analysis activities are paramount. A well-defined business analysis approach provides a structured framework for understanding the organisational cybersecurity landscape, identifying cybersecurity challenges, and formulating effective strategies. It serves as the compass, guiding the intricate process of aligning cybersecurity initiatives with overarching business goals.
The adaptability of a business analysis approach to cybersecurity enables organisations to navigate the complexities of cybersecurity, fostering resilience and empowering proactive decision-making. In essence, the integration of business analysis principles provides a strategic lens through which organisations can holistically address cybersecurity challenges, fortifying their defences in the face of an ever-changing threat landscape.
As in any business analysis work, understanding the organisation's culture, overall objectives, business processes, existing cybersecurity landscape, specific challenges, regulatory requirements, and risk appetite is the foundation for identifying the business analysis approach. Traditional approaches are well suited to well-defined, stable environments and projects with mandatory regulatory compliance requirements, whereas dynamic and evolving cybersecurity landscapes require adaptive and iterative approaches. Business analysis activities will be formulated based on the organisational context, chosen approach, and defined objectives. Some of the typical business analysis activities for a cybersecurity initiative may include, among others:
Conclusion:
By applying a structured and strategic approach, business analysts can ensure that cybersecurity initiatives are not isolated efforts but integral components of the overall organisational strategy.
In conclusion, business analysts can serve as indispensable advocates for embedding cybersecurity practices into the fabric of business processes and technical solutions, risk assessment, compliance adherence, and effective communication. Through collaboration, they can contribute to building a resilient cybersecurity posture that safeguards the organisation's information assets, and to the organisation's overall success in an ever-changing digital world.
*AAG (2023) 'Headline Cyber Crime Statistics'. Available at: https://aag-it.com/the-latest-cyber-crime-statistics/
Embroker (2023) '2023 Must-Know Cyber Attack Statistics and Trends'. Available at: https://www.embroker.com/blog/cyber-attack-statistics/