A Framework for Integrating Cybersecurity Within Business Analysis: Moving From Insight to Implementation
Disclaimer: The views and opinions expressed in this article are those of the author and may not reflect the perspectives of IIBA.
In today's technological landscape, the frequency and sophistication of cyber threats are rising at an alarming pace. Cybercrime Magazine estimated that a ransomware attack occurred every 11 seconds in 2021 and forecasts one every two seconds by 2031.
The global cost of ransomware alone is forecast to reach USD 265 billion annually by 2031, per the same Cybercrime Magazine forecast. CrowdStrike's 2024 Global Threat Report recorded a 75% increase in intrusions against cloud environments in 2023, highlighting the surge in cybercriminal activity targeting the cloud.
Identity-based attacks have surged in recent years, aided by AI tooling and social engineering. Techniques such as multifactor authentication (MFA) bypass (for example, push-notification fatigue and adversary-in-the-middle phishing that relays one-time codes in real time) and SIM swapping, which defeats SMS-based second factors, further complicate the security landscape.
Cybersecurity Is Business Critical
Cybersecurity is a business-critical issue that touches every part of an organization. For too long, it’s been viewed primarily as a technical responsibility belonging solely to the IT and security teams. In reality, cross-functional collaboration across the organization is required, and the business analysis community plays a vital role.
Many organizations mistakenly view cybersecurity as a cost centre, a necessary expense rather than a source of value. Yet in today's business landscape, cybersecurity can be a competitive differentiator.
Companies that show a strong commitment to protecting customer data and maintaining secure operations are more likely to win customer trust and gain market share. Business analysis professionals can help shift the perception of cybersecurity from a technical afterthought to a business enabler.
Business Analysis Professionals Are Enablers
Business analysis professionals are uniquely positioned to illustrate the value cybersecurity brings to an organization. With their comprehensive understanding of the company’s broader objectives, they can position cybersecurity as both a technical necessity and a strategic asset.
For example, business analysis professionals can help integrate cybersecurity initiatives into core business processes by emphasizing how they protect intellectual property and sensitive customer information. This, in turn, mitigates the risk of costly data breaches and operational downtime.
Business analysis professionals also play a key role in aligning cybersecurity efforts with regulatory compliance, reducing the potential for legal penalties. By framing cybersecurity as an enabler of customer trust, they can build stronger relationships, enhance brand loyalty, and safeguard the organization’s long-term reputation.
Business analysis professionals can help elevate cybersecurity to a core business objective instead of an afterthought. Recognizing security as essential to business growth lays a solid foundation for integrating cybersecurity into daily operations.
To achieve this integration effectively, business analysis professionals must explore how they can incorporate cybersecurity into their analytical processes. This involves transitioning from a state of awareness of cybersecurity issues to actionable implementation strategies.
From Awareness to Action
My book, Cybersecurity and Business Analysis, positions business analysis at the heart of a successful cybersecurity strategy. With their structured approach to problem-solving, business analysis professionals can identify threats and vulnerabilities by analyzing business processes, data flows, and the interactions between technologies.
A holistic approach is essential: it ensures that the types of assets being protected, the nature of the threats they face, and the level of security applied are aligned with business objectives, which in turn strengthens the organization's defence against cyber threats.
Business analysis professionals bring a distinct analytical mindset to the table. This is crucial for exploring the root causes of security concerns, questioning assumptions, and uncovering both functional and non-functional requirements. By leveraging their skills, business analysis professionals can ensure that security measures aren’t merely an afterthought but an integral part of the solution.
The Business Analysis and Cybersecurity Framework
The Business Analysis and Cybersecurity Framework, outlined in the book, expands the toolkit for business analysis professionals by providing structured techniques to assess risks, identify potential vulnerabilities, and ensure security recommendations are actionable.
It rests on two pillars, business analysis and risk assessment, both crucial for enhancing cybersecurity within the organization. By understanding the business landscape and focusing on risk, business analysis professionals can significantly improve product and data security.
The framework emphasizes the importance of people and data security, understanding stakeholders, and the motivations and behaviours of cyber threat actors. Recognizing these dynamics helps organizations create security strategies that address human factors, like insider threats and social engineering, while protecting sensitive data from external adversaries.
Moreover, securing data in all its states is paramount: at rest (stored), in transit (moving across networks), and in use (being processed, the state that encryption at rest and in transit does not cover). The framework calls for comprehensive measures throughout the data lifecycle, so that security controls are embedded within business processes rather than bolted on afterwards. It helps business analysis professionals integrate those controls by analysing workflows thoroughly and identifying the points where data could be exposed.
Another critical aspect is the financial and reputational implications of cybersecurity. The framework provides guidance on incorporating cybersecurity considerations into the business case, ensuring decision-makers recognize the value of cybersecurity investments. By integrating these elements into business proposals, business analysis professionals can help ensure cybersecurity initiatives receive the necessary support and funding.
The framework establishes a mindset as its foundational element and ethics as its guiding principle. The mindset is an additional lens for asking whether an asset is merely assumed to be safe or has genuinely been secured against the threats it faces.
The ethical dimension is a moral cornerstone for safeguarding information, ensuring that all actions to protect assets align with the organization's values and integrity. By integrating ethical considerations, the framework not only addresses security measures but also promotes trust among stakeholders. It emphasizes the importance of responsible data management and privacy practices.
Together, these components create a robust structure that supports comprehensive cybersecurity strategies.
Embracing Continuous Security
Security isn’t a one-time project—it’s an ongoing journey. The digital landscape continuously evolves, bringing new risks and challenges.
The Business Analysis and Cybersecurity Framework offers a roadmap for business analysis and cybersecurity professionals to navigate this landscape effectively, helping their organizations stay ready as new threats emerge.
The book Cybersecurity and Business Analysis and its accompanying training provide practical insights for business analysts and IT professionals, empowering them to contribute meaningfully to an organization's security efforts, protect information assets, build secure systems, and strengthen resilience against cyber threats.
Want to gain critical cybersecurity skills? Learn more about IIBA's Certificate in Cybersecurity Analysis (IIBA-CCA). In honour of Cybersecurity Awareness Month, IIBA members get a special 20% discount on all Cybersecurity Analysis Packages until October 31. Purchase now.
About the Author
Bindu Channaveerappa is the founder of Cybersecurity for Business Analysts, a platform that provides the necessary cybersecurity knowledge and training for business analysts. Recognizing the imperative need for cybersecurity analysis, Bindu passionately advocates for integrating cybersecurity into mainstream business analysis practice and has contributed significantly to the field. She authored the book Cybersecurity and Business Analysis, published by BCS, The Chartered Institute for IT, co-authored the curriculum for IIBA's Certificate in Cybersecurity Analysis (IIBA-CCA), and helped shape the CCA and CBAP certification exam questions. She has contributed to the development and review of IIBA standards and digital assets. Alongside her professional endeavours, Bindu also serves as the IIBA Regional Director for EMEA.