Massive cyber attacks have been in the news lately. They highlight the fragility of our Internet infrastructure, and the increasing ease with which hackers can obtain and release personal information. Companies seem increasingly vulnerable and are scrambling to respond.
If you are beginning your Business Analyst career, you may wonder what the role of the Business Analyst in cybersecurity should be. As it turns out, Business Analysts have five key roles to play in keeping their business organizations safe from cyber attack.
Setting the stage for the role of the Business Analyst in cybersecurity
First, it’s important to have a basic understanding of what cybersecurity is and how business enterprises handle it.
Cybersecurity is defined as the protection of computer networks and data. Network protection prevents attacks that deny users access to the business’s computer resources such as servers. Network protection also extends to shielding the business from intrusions and use of the network for unauthorized purposes. Data protection applies to safeguarding the privacy of an organization’s data, which often contains customer information that would be harmful in the wrong hands.
Business organizations apply cybersecurity by adopting and using policies, tools, and practices directed towards the prevention of cyber attacks. Policies provide the overall guidance about what to do and how to do it. Practices are the actual implementation of the policies in the organization’s systems. Tools enable or enhance the ability of a business to implement cybersecurity.
The role of the Business Analyst in cybersecurity is primarily to ensure that the business properly adopts and employs those policies, tools, and practices.
Business Analyst Key Role #1: Ensuring compliance with cybersecurity policies
Policies originate in a lot of different places. The business may approve its own policies, often based on standards provided by cybersecurity organizations like the U.S. National Institute of Standards and Technology (NIST). There may also be legal regulations from the government that mandate the adoption of certain policies. A dedicated group of people typically manages a business’s cybersecurity policies.
Policies get you nowhere if nobody implements them. A Business Analyst may work with the policy group to understand the organization’s security policies. The Business Analyst can then ensure that the policies get properly represented as security requirements in any new or ongoing solution the organization is developing.
Business Analyst Key Role #2: Risk Management
A Business Analyst also plays a central role in helping a business manage its cybersecurity risks that could someday result in a breach. A BA may learn about these risks from business or process owners. The organization’s IT department may also raise a concern.
A BA may keep a risk log to track identified risks along with how the business is mitigating those risks. The Business Analyst would then be responsible for reporting on these risks to executive management on a regular basis. She may also help determine how to best mitigate those risks, possibly through new requirements or process changes.
The BA may also conduct or be part of an impact assessment. She would work with business and technical stakeholders to establish the precise nature of the problem and the amount of resources needed to maintain security.
Business Analyst Key Role #3: Security tool implementation
The third role for the Business Analyst in cybersecurity is helping the business properly implement security tools. There are many tools that security experts can use. One example is a “data masking” tool that scrambles sensitive data for any party without the right level of permission to view it. Another might be a scanning tool that searches a network for intrusions.
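To make the data masking example concrete, here is a small permission-aware masker written for this page (it is added example code, not the article’s own tool or any vendor’s product). The roles, the list of sensitive fields, and the sample customer record are all constructed assumptions; a real tool would take them from the organization’s policy and access model. The point it shows is that the same record is returned in clear only to a viewer whose role is cleared for each field, and that an unknown role is treated as having no clearance at all.

```python
"""Role-based data masking: an added illustration, not the article's tool."""

# Constructed sample customer record (fictional values, not real data).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "email": "jane.example@example.com",
    "phone": "+1-555-010-1234",
    "card_number": "4111111111111111",
    "order_total": "42.50",
}

# Hypothetical policy: which fields are sensitive, and which roles may see
# each of them in clear. In practice this comes from the security policy.
SENSITIVE_FIELDS = {"name", "email", "phone", "card_number"}
CLEARANCE = {
    "analyst": set(),                                     # sees no PII
    "support": {"name", "email"},
    "fraud_team": {"name", "email", "phone", "card_number"},
}


def mask_digits_keep_last4(value: str) -> str:
    """Replace every digit except the last four with '*', keeping punctuation."""
    digit_count = sum(c.isdigit() for c in value)
    first_kept = max(0, digit_count - 4)   # index of the first digit left visible
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= first_kept else "*")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def mask_email(value: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, at, domain = value.partition("@")
    if not at or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_name(value: str) -> str:
    """Keep only the first initial."""
    return (value[0] + "***") if value else "***"


# Per-field masking functions; anything sensitive without one is fully hidden.
MASKERS = {
    "email": mask_email,
    "phone": mask_digits_keep_last4,
    "card_number": mask_digits_keep_last4,
    "name": mask_name,
}


def mask_record(record: dict, role: str) -> dict:
    """Return a copy of `record` with fields the role may not see masked.

    Unknown roles fail closed: they get no clearance for any sensitive field.
    """
    allowed = CLEARANCE.get(role, set())
    masked = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS and field not in allowed:
            masked[field] = MASKERS.get(field, lambda v: "***")(value)
        else:
            masked[field] = value
    return masked


if __name__ == "__main__":
    for role in ("analyst", "support", "fraud_team", "contractor"):
        print(role, mask_record(SAMPLE_RECORD, role))
```

The masking functions are deliberately one-way: a masked value cannot be turned back into the original, which is what distinguishes masking for display from encryption. Non-sensitive fields such as the order total are passed through unchanged for every role.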
Once an organization decides to implement a security tool, this becomes a solution to a business need just like any other. The business would then undergo the usual process of engaging stakeholders, eliciting requirements, and conducting business process re-engineering.
Business Analyst Key Role #4: Business cases and budgeting
Doing cybersecurity properly is expensive. It requires knowledgeable, highly paid staff. The tools also aren’t cheap to deploy and maintain. (Of course, the cost of NOT doing cybersecurity properly is even higher.)
Organizations must budget in a way that accounts for the costs of cybersecurity. When Business Analysts create or contribute to business cases and provide high-level cost estimates for implementing a solution, they must include cybersecurity in their business case advocacy and budgeting numbers. This ensures that the solution pays its fair share of the burden that cybersecurity places on the organization.
Business Analyst Key Role #5: Disaster recovery
The least happy role for the Business Analyst in cybersecurity is when a breach actually occurs and the business needs to clean up the mess. The operations and maintenance team is likely to be the first responder when a cyber attack occurs. However, the recovery team may call on the BA’s business expertise to help devise solutions to fix the breach.
The more important role for the Business Analyst in disaster recovery, though, is making sure that whatever happened doesn’t happen again. The organization will conduct some kind of “lessons learned” exercise to establish what happened. That analysis will include the steps the business must take to fix the problem. Those steps may mean new policies, procedures, or tools. They may also mean changes to existing solutions. Whatever the changes are, the BA will play a key role in defining new processes and creating new requirements to make sure the disaster never happens again.