Business Analysis, Cybersecurity

Five Key Roles Business Analysis Plays In Cybersecurity

Cybersecurity is one of the most trending topics in the current enterprise business world. Cybersecurity is the practice of protecting computer information systems, hardware, network, and data from cyberattacks. It’s important for product managers and business analysts to pay special attention to Cybersecurity during product planning and management so that they can help companies mitigate their risk in Cybersecurity. This is mainly because cybersecurity encompasses everything that pertains to protecting personal information, intellectual property, data, and governmental and industry information systems from theft and damage attempted by criminals and adversaries.

 In the blog, Five Key Roles for The Business Analyst in Cybersecurity, Joe Barrios discusses the five key roles business analysis plays in cybersecurity.

  • Ensuring compliance with cybersecurity policies
  • Risk Management
  • Security tool implementation
  • Business Cases and Budgeting
  • Disaster Recovery

Let’s try to understand each role in detail

1. Ensuring compliance with cybersecurity policies

  • Encourage the organization to establish an information management security system (IMSS) and during product planning process make sure IMSS requirements are also met. This helps organizations to manage their information security risks, including threats, vulnerabilities and impacts. This will also help to design controls to protect the confidentiality, integrity and availability of data and for regulating access to critical information systems and networks. 
  • Guide the management/ leadership to conduct IMSS certification audit to verify that the organization has considered and assessed the cyber-risks it faces and that they have implemented an effective and appropriate set of controls to mitigate these risks. It’s important for the business analyst to play a key role as a facilitator in these audits.
  • When working on software or products that require end-users to control their personal data and manage their online identity by enabling individuals to gather, store, update, and share personal data, it’s essential to implement a Privacy Information Management System (PIMS)
  • Implement a data minimization process. This gives individuals the right to access their data and find out how it is being used. Data minimization means keeping data that can identify individuals for no longer than necessary. Consider these as product requirements!
  • Work with the legal department and other relevant stakeholders to implement an incident response plan for the product that you are working on.
  • All third party integrations should also be considered as a part of the security strategy.
  • Work closely with management to obtain adequate cyber-insurance in place to cover any operational or legal costs, including possible fines, related to serious breaches.

2. Risk Management

  • Identify cybersecurity vulnerabilities in the system and the threats that might exploit them. These risks can compromise your cybersecurity.
  • Analyze the severity of each risk by assessing how likely it is to occur, and how significant the impact might be if it does.
  • Decisions need to be taken on how to handle each cybersecurity risk and proper procedures should be in place to handle each risk. These procedures need to be defined including all the relevant stakeholders. Every employee in the organization should be well aware of these policies and procedures.
  • Establishing communication lines with stakeholders to inform them of the likelihood and consequences of identified risks and risk statuses
  • Continuous monitoring of risks and carry out risk review processes to verify the current policies and procedures are updated and make changes when required. It’s important to understand that risks are constantly changing as the cyber threat landscape evolves.
  • Measuring and scoring cybersecurity program maturity along the way
  • Providing stats to all the relevant stakeholders so that the management can prioritize future cybersecurity investment based on risk analysis

Standards and frameworks that mandate a cyber risk management approach

  1. ISO 27001 – ISO/IEC 27001:2013 – the international standard for information security management
  2. The NCSC – The NCSC’s (National Cyber Security Centre) 10 steps to cyber security 
  3. The CIS – CIS (Center for Internet Security) Controls
  4. The PCI DSS – The PCI DSS (Payment Card Industry Data Security Standard)
  5. NIST CSF – The National Institute of Standards and Technology Cybersecurity Framework
  6. DoD RMF – The Department of Defense (DoD) Risk Management Framework (RMF) 
  7. FAIR – The Factor Analysis of Information Risk (FAIRTM)

3. Security tool implementation

It’s essential to set up the necessary tools and processes for a comprehensive cybersecurity policy. Business Analysts can play a key role in identifying and evaluating tools that need to be implemented. There are four main tools that need to be in place

  1. Endpoint protection
    • In traditional office setups, endpoints include desktops, phones and the printer, all connected and active within your network. 
    • Mobile devices like laptops, tablets and smartphones are highly vulnerable devices
    • Endpoint protection aims to cover this widening surface area of possible attack points within enterprises.
  2. Instruction detection
    • Hackers leverage a number of common attack tools to breach business networks and compromise information. Understanding these tools as they evolve will be critical to stopping malicious parties in their tracks.
    • Having intrusion detection strategies can create situations where attackers expose themselves as a result of their reliance on common hacking techniques.
    • Active intrusion detection and prevention effectively looks for threats and stops them before they cause any damage.
    • If the solution identifies any intruders, it will send notifications for organizations to act upon. It will be important for IT professionals to respond quickly to any issue and close vulnerabilities.
  3. Monitoring and management
    • Monitoring behavior and managing risk are essential in a cybersecurity strategy, as they highlight unusual activity and deliver actionable insights.
    • System monitoring and risk management are continuous efforts that must be supported. 
    • Monitoring and management systems drive proactive security models, providing truly immediate detection and response in the event of an attack.
  4. Content filtering
    • Security breaches occur due to employee actions.
    • Clicking on a seemingly viable link or ad can end up downloading malicious programs onto workstations and compromising sensitive information.
    • It’s essential to train staff members and have content filtering tools in place.
    • These tools filter screens and excludes objectionable web pages or emails from being accessed.
    • This can include eliminating emails that contain malicious links or redirecting a user away from a risky site

4. Business Cases and Budgeting

The budget shouldn’t be an obstacle when improving cybersecurity. IT security budget needs to be set up that covers key elements such as endpoint protection, network security, and employee awareness training to minimize the risk of cyberattacks and their consequences-which could include paying out millions in clean-up costs and fines.

  • It’s important for business analysts to inform the finance department and management on below expenses associated with cyberattacks.
Direct CostsIndirect Costs
Monetary theftBusiness disruption and downtime
Remediation and system repairLoss of business or customers
Regulatory and compliance finesLoss of intellectual property
Legal and public relations feesDamage to company credibility, brand and reputation
Notification, identity theft repair and credit monitoring for affected parties
Increase in insurance premium
  • When building a cybersecurity budget business analyst should be able to provide the below details so that the decision-makers can make the right decisions
    • Your industry and company size
    • Compliance and regulation mandates affecting your business
    • The sensitivity of the data you collect, use and share
    • Requests from company business stakeholders or customers

5. Disaster Recovery

Disaster Recovery Plans (DRPs) enable the efficient recovery of critical systems and help an organization avoid further damage to mission-critical operations. Benefits include minimizing recovery time and possible delays, preventing potential legal liability, improving security, and avoiding potentially damaging last minute decision making during a disaster.

  • Ensure all relevant stakeholders from the various business units are included in disaster recovery planning process
  • Define incident management roles and responsibilities
  • Conduct a business impact analysis (BIA) to identify and prioritize critical systems
  • Make arrangements for communication channels in the event of downtime
  • Exercising the DRP to test its efficacy
  • Identify and fix gaps in crisis planning before an incident occurs
  • Consider additional ramifications of a breach including how personnel and stakeholders will be affected and the legal and financial implications of noncompliance
  • Conduct after-action reviews to identify what went right, what went wrong, and annotate improvements including all the relevant stakeholders
  • Review the DRP regularly to ensure contacts are up to date and procedures are still effective and relevant
  • Maintain documentation on procedures, roles and responsibilities, metrics tracking, and adjustments for improved response times and recovery