Business analysis versus bad actors

Some business analysts are already contributing to projects and products which are predominantly focused on improving security or which have a clear security motivation, such as introducing multi-factor authentication, upgrading systems, and migrating to new infrastructures and cloud storage. But how can all business analysts play a significant role in protecting our organisations, customers and assets?

A security lens

A key aspect of good business analysis is the ability to look at projects and business situations through different lenses. Business analysts have to think beyond specific IT systems and consider the wider business process, data needs and human impacts. Because of this we are well positioned to consider a security perspective - it simply means doing what we always do; identifying the right stakeholders and asking good questions! We need to engage with subject matter experts in security and architecture teams and include their perspectives within requirements, business processes and impact assessments.

Proactive analysis

Step 3 of the 10 Steps to Cyber Security, published by the National Cyber Security Centre (part of GCHQ), is “Know what data and systems you have and what business need they support”. This sounds fundamental to any business, but many organisations do not have a consolidated list of systems. They are unclear about who uses systems and for what purpose and have little documentation or understanding of how data is collected, transported and stored. Business critical information is held in the heads of a few key individuals, and no one understands the entire picture.

Ongoing security needs to be given equal importance to rapid delivery, and business analysts can use this security imperative to champion appropriate proactive documentation and modelling. This does not have to be a huge ivory-tower initiative; it can be achieved much more manageably within each project or product team.

Understanding bad actors

We can use our extensive toolkit of business analysis techniques to understand bad actors and what they are trying to achieve, namely through creating personas and gathering user stories.

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

Creating a persona for a bad actor, with malevolent or criminal intentions towards the organisation, helps to bring the risk to life. Bad actors are not ‘lone operatives in bedrooms with nothing better to do’- they can be sophisticated and well-funded enterprises. As with all personas, it is important to avoid stereotypes - especially those based on demographics - but capturing the goals and pain points for a bad actor helps us understand their vulnerabilities. Instead of trying to reduce these pain points, we try to put additional hurdles in their way.

User stories similarly allow us to analyse bad actors’ intentions and develop acceptance criteria which prevent these goals from being met. It is easy to forget that bad actors are users too – whether we like it or not. Good user stories have a very specific goal: we must avoid generic statements like ‘I want to hack the system’ and identify and analyse more concrete examples, such as ‘I want to rapidly create multiple new user accounts’.

Conclusion

Business analysis related to cybersecurity does not require business analysts to develop specific subject matter expertise. We can employ our standard approach:

• Be curious
• Engage the right stakeholders
• Use appropriate business analysis tools

Business analysts can and must shine a spotlight on cybersecurity by assuming there are bad actors lurking around every system and every project. Focus on security can be improved by asking targeted questions, and using tools such as personas and user stories to analyse bad actors embeds proactive consideration of those with villainous intent into our development processes.

In doing this, business analysts can play a critical role in reducing the risk and impact of that inevitable cyber attack.