Improving your organisation’s cyber security
by Henry Elisher
Business Analysis (BAPL) Consultant
“The cyber threat facing Australia is undeniable and unrelenting. An issue that once only concerned IT security professionals now extends to the boardroom, to shareholders and to individuals.” Australian Cyber Security Centre
Whether you’re a small company or a large enterprise, the monetary losses resulting from a data breach can greatly affect your coffers and reputation.
Good business analysis is the key to effective cyber security
There has been a growing awareness of the value of investing in good business analysis to identify the actual business needs and to ensure that the security solutions match the business environment. As per a recent story on Digital Guardian, there is a growing disparity between the security spend of an organisation and the financial costs of these breaches. Therefore, there is a need to think beyond cyber security in isolation and take a long, hard look at the role of business analysts in maintaining robust security.
The increasing proliferation of technology and the popularity of software-as-a-service has increased the requirement for a good business analyst in corporate IT. For instance, implementing Salesforce.com may not require traditional IT expertise; but someone must be asking the questions ‘how can you apply it?’, ‘how can you encourage user engagement?’ and ‘how do you meet your business needs?’. Understanding these questions is critical to properly securing your Salesforce environment. A good business analyst will use their knowledge, critical thinking, and strategic approach to deliver solutions that are both secure and value adding.
If you’re an ecommerce company, you need to implement necessary measures to mitigate the risks of hacking. Before you can do this, inputs from your business analysts will be vital. Business analysts analyse your business needs and objectives to determine which security measures are the best fit for purpose. Well-trained business analysts can provide insight into the training required to equip employees with best practices for password creation, email, and the use of personal devices for work. Business analysis offers a clear picture of the requirements, status quo and applicable policies, providing the organisation with the complete information necessary to implement the best security technologies and actions in alignment with its strategy and objectives.
An experienced business analyst with an understanding of security technologies is a key member of the security team, providing insights to spot potential security problems and assist in devising an appropriate solution. An understanding of what your business can and cannot do should precede discussions on IT security issues in order to zero in on the right solutions.
Good requirements elicitation is essential
To find the underlying objectives of the business, a good business analyst will elicit and document requirements. To do this they need the business analysis knowledge areas in the Business Analysis Body of Knowledge (BABoK®):
- Business Analysis Planning and Monitoring
- Elicitation and Collaboration
- Requirements Life Cycle Management
- Strategy Analysis
- Requirements Analysis and Design Definition
- Solution Evaluation
Failure to properly elicit and document requirements can cause system failure or abandonment. Good requirements are a cornerstone of any project; this becomes critical for projects concerning cyber security.
Discovering security issues during testing or, in the worst-case scenario, after becoming the target of a cyber-attack, places the business in a state of alarm. Both situations are always more expensive than building a security posture based on good business analysis and requirements elicitation. Eliciting and documenting requirements – with the purpose of identifying needs, risks and assumptions associated with any security initiative/project – is therefore essential.
As organisations start facing more complex security issues and multiple technologies become necessary to address business challenges, the foundation and insights offered by expert business analysis and requirements elicitation, analysis and delivery will dictate how well an organisation can tackle cyber-attacks and IT security risk in general.