5 Things Business Analysts Can Do to Advance Their Cybersecurity Practice
Suzanne Bertschi, Director, Certifications & Programs, International Institute of Business Analysis™ (IIBA®)
Share this on:
In recent years, the role of Business Analyst has expanded to that of cybersecurity specialist. BAs promote cybersecurity by acting as liaisons between security, IT, business, and project management, as well as by helping businesses apply policies, tools, and practices created for the sole purpose of preventing cyber crime. Since cyber crime is currently such a threat to businesses, a trend that is not likely to change anytime soon, the demand for BAs is on the rise. More specifically, the demand for business analysts will increase 14 percent by 2024.1
Cyber crime is expected to cause $6 trillion worth of damage yearly by 2021, according to Cybersecurity Ventures.2 As a response to this increase in cyber crime, global spending on cybersecurity will reach $133.7 billion by 2022, stated Gartner.3 BAs help organizations win the war on cyber crime by having them adopt a risk-based approachto security that includes a holistic assessment of a company’s threats and vulnerabilities. Using this risk-based approach to cybersecurity, BAs enable businesses to stay ahead of cyber threats as opposed to merely reacting to them. For these reasons, and because they help business leaders make good security decisions and work with SMEs to implement security measures, Business Analysts are a tremendous asset to all businesses that are vulnerable to cyber attacks, which is every business.
Today’s Business Analyst must be prepared to assist companies with cybersecurity as many organizations’ one-size-fits-all approaches to cyber crime will be unsuccessful. By mastering skills related to business process modeling, engaging stakeholders, assessing cyber risks, and establishing RASCI, BAs can quickly advance their cybersecurity practice and meet clients’ informationsecurity needs.
BAs Should Use Business Process Modeling for Better Cybersecurity Outcomes
Business process modeling is a technique that can be very helpful to Business Analysts working in the cybersecurity realm. Business process modeling improves efficiency, encourages best practices and standardization, and promotes process agility. The technique involves creating graphs that represent a company’s business processes. Flowcharts and data-flow diagrams are two examples of graphic methods BAs can implement when creating a business process model. The main purpose of business process modeling is to help BAs identify potential improvements to be made in a company’s processes.
Business process models can help Business Analysts better analyze and plan for security risks. “Traditional risk analysis approaches are basedon events, probabilities and impacts,” explained Stefan Taubenberger and Jan Jürjens.4 “They are complex, time-consuming, and costly, and have limitations regarding the data and assessment quality…” The team goes on to explain that an approach for risk analysis that is based on business process models bypasses these limitations. “…security risk events can be derived from the business process models together with the security requirements, and probabilities do not have to be provided.”
By growing in their understanding of business process modeling and learning to analyze cyber risks using process models, a business analysis practitioner will effectively advance their cybersecurity practice.
How to Engage Stakeholders to Increase Cybersecurity
Engaging stakeholders is a key responsibility of the businessanalysis practitioner. Without strong relationships with stakeholders, BAs can’t get the information they need to properly analyze data and help businesses manage cyber crime. Trust is an essential component in a BA-stakeholder relationship. The more a BA engages a stakeholder, the more the stakeholder trusts the BA and provides honest feedback. This leads to quicker progress on a project. Engaging stakeholders can be particularly helpful to BAs working in cybersecurity as “…broad participation from stakeholders in the digital ecosystem is essential to effectively addressing specific cybersecurity challenges,” stated the United States Telecom Association.5
The key to engaging stakeholders is discovering what is important to them and making them feel heard. When talking with stakeholders, BAs should ask them what information and data they consider to be critical and feel is most at risk. BAs should also make ita point to ask stakeholders what they would do if that information was stolen or corrupted. These types of questions build rapport with stakeholders by showing them a BAs genuine concern for the things they care about. And like asking the right questions, listening is a powerful tool for increasing engagement with stakeholders.
Become Skilled at Risk Assessment to Further Your Cybersecurity Practice
Risk assessment is a crucial component of risk management and a skill all Business Analysts should master. This is especially true as the cybercrime landscape becomes increasingly threatening to businesses. “Organizations conduct risk assessments to determine risks that are common to the organization’s core missions/business functions, mission/business processes, mission/ business segments, common infrastructure/support services, orinformation systems,” NIST explained.6 A Business Analyst can be a tremendous help to a business conducting a cyber risk assessment.
BAs are usually excellent at identifying risks, which must happen before a risk assessment can be carried out. One of the methods they should use to identify cyber risks is interviewing employees who work in the privacy area and know the company’s regulatory requirements and IT policies inside and out. “A BA may learn about these risks from business or process owners,” stated Joe Barrios.7 “The organization’s IT department may also raise a concern.”
Once risks have been identified, the BA will begin a risk assessment. During a risk assessment, BAs should identify the internal and external weaknesses of a business and determine how these vulnerabilities might be exploited, as well as the likelihood that the weaknesses could be abused. This will help the Business Analyst prioritize risks so that they can address them in the order of their importance. Increasing their risk assessment skills may be the single most effective way for a BA to expand their data security practice.
Establishing RASCI is Critical for BAs Working in Cybersecurity
BAs who want to increase their impact in the cybersecurity realm must learn how to establish RASCI by creating effective RASCI charts. A RASCI chart, sometimes referred to as a RACI chart, is a tool Business Analysts can use to delegate tasks during a project. It streamlines communication, prevents stakeholders from giving feedback all at one time, prevents work overload, and sets expectations for team members. Cyber Security and the RACI Factorexplained, “Incorporation of RACI into an organization’s approach to InfoSec ensures the organization has gone through a process of identifying the correct people, processes, information, and organizational components to be involved in InfoSec, and ensures the correct functional roles and responsibilities of each can be identified, coordinated, and communicated properly and effectively.”8
A Business Analyst can create a RASCI chart by identifying project roles and project tasks and thenassigning a stakeholder to each role and task. BAs should remember to thoroughly explain the RASCI chart to all who are involved and ensure they fully understand their role and tasks. The Business Analyst can promote engagement with the RASCI chart by ensuring each stakeholder is happy with what has been assigned to them. The better a Business Analyst becomes at establishing RASCI, the more impactful they will be as a cybersecurity specialist.
BAs Have a Responsibility to Advance Their Cybersecurity Skills
Cyber risk is business risk. With this in mind, each and every BA must become a better cybersecurity practitioner to meet the needs of their clients. Any Business Analyst willing to improve their skills related to business process modeling, stakeholder engagement, risk assessment, and establishing RASCI will inevitably advance their cybersecurity practice and add more value to any project they participate in.