Embracing a Security Mindset: The Next Frontier of Business Analysis
This article has been created from cybersecurity expert Mark Cross's keynote talk at the BA Manager Forum in June 2024.
Why is cybersecurity such a big issue now? Overnight, in 2020, millions of people worldwide switched from being office-based to working remotely. Nobody could have predicted this. In the past relatively few people had worked remotely via VPN, and the data they were accessing sat on the corporate network.
Suddenly employees, data and servers could be anywhere, with employees connecting to data in the cloud. This had a significant impact on security perimeters. Nobody could say what was safe and what was not, and there was a significant risk that existing controls were inadequate. Security controls had to be rebuilt from the ground up almost overnight. At the same time, Artificial Intelligence was exploding.
The Changing Threat Landscape
How well do you know your malware? Some terms are well known to most BAs, such as phishing emails and ransomware. Fewer BAs are familiar with terms like botnets and rootkits. Fewer still know the term APT (Advanced Persistent Threat).
The first famous hacking incident was in 1999 with the ‘I Love You’ virus. Someone in the Philippines wrote code so that a blank email with the subject line ‘I Love You’ would be forwarded to everyone in the recipient’s address book. The virus caused around 50 million infections across the world, accounting for about 10% of the internet at the time. It is believed to have cost $15bn in damages from lost productivity and recovery costs. That was not a fun day, and it is why we have anti-phishing training now. Today hacking is far more sophisticated, and the reality has moved away from the myth of the lone-wolf hacker.
Cybercrime is now highly organised and professional. It is conducted by large operations, with multiple teams conducting systematic research, developing advanced tools and each taking on specialised roles. Some are specialised access brokers: their job is to get access to an organisation or account and sell that on. Other teams might test defences to find routes in. They all work together to execute the plan.
There are multiple incidents of organisations being hacked, with new headlines every week; it is difficult to keep up. Some organisations have been breached repeatedly.
Okta was publicly breached in 2022. Okta had contracted a specialist provider for technical assistance, and that provider in turn acquired a company with poor security discipline. When a laptop from the acquired company was allowed access to the Okta account, this gave hackers a way in. For five days cybercriminals impacted 355 Okta customers, and intelligence from that laptop has been used since for other attacks.
So, what are the motivations? Organising a ransomware attack costs about 70,000 dollars. If just 1% of those compromised pay the ransom, the cybercriminals make a 40-fold return on their investment. These attackers are organised criminals and money launderers. They have access to resources, and they have an appetite for risk to make even more money.
Just as our own organisations take advantage of AI and new software, cybercriminals are doing the same. Software is licensed on the ‘Dark Web’. For example, a tool called ‘Evil Proxy’ is a phishing tool. It costs 400 dollars a month and requires minimal technical skill: just plug in your domains of interest and it will give you lists of credentials for the next stage of the attack.
Now there is even nation-state activity. To a degree every country participates in some such activity for national security. However, some of the attackers targeting institutions are organisations trying to influence our political agenda, steal intellectual property and degrade our economy. They are not selective about how they do this. Disguised as criminal activity, it is actually wilful sabotage and can be used on targets such as water treatment plants, schools or hospitals. The aim is not to make money; it is to disrupt operations.
Current Cybersecurity: How Ready Are We?
How prepared are we to respond to these growing and developing threats? Much has changed since 2020. It has become harder for security teams to track what is normal activity and what is abnormal. Threat intelligence collected at hyperscale has helped considerably: if one customer is targeted, everyone can learn from that.
We are all familiar with information systems. The security perimeter is the outermost level of the organisation which you can control. This could be a firewall or someone doing data entry. Beyond that you have no influence.
Within that system you can have vulnerabilities. For example, we might say “we’ll fix it in hypercare”, but that does not happen. Or we might have no validation on an input to a web application, or we might have one randomised password shared by all newly created admin accounts. The absence of such validation creates vulnerabilities. Any human operator could be a threat actor, and there can also be environmental factors. A control is a countermeasure to a risk.
A vulnerability is a flaw in an application that could potentially be used to advance an attacker’s objectives. Many of the “good practice” coding techniques that get skipped during development to be fixed later are examples. This adds to the organisation’s security debt. An exploit is a repeatable process that an attacker can use to achieve the outcome. A security patch is a fix released by a vendor to address vulnerabilities that can theoretically be exploited. Development of a patch begins on “Day Zero”; any exploits developed BEFORE vendors are even working on a solution are called “ZERO-DAY” attacks because their targets will be largely defenceless.
These threats are critical. There is a timeline in which a piece of software can be compromised. If something is overlooked in development, someone could exploit it. If the organisation is not aware of this, then this is a ‘Zero-Day exploit’, because from the point where someone finds a way in there is nothing that anyone can do to stop it. The ‘Code Red’ virus had 300 million infections at its peak.
These attacks are proliferating. The workload of CISOs (Chief Information Security Officers) is rising phenomenally. More funding, recruitment and tools are required to address the problems. Many security departments are too preoccupied with fighting fires to make long-term improvements.
93% of CISOs said they are spending more time than they should on tactical tasks. In 27% of cases, CISOs are spending their time almost exclusively on tactical/operational tasks instead of strategic/management tasks. This is why they are not available to help with your project.
What is the Role of the Business Analyst in this Brave New World?
What can BAs do to improve the situation and reduce the cybersecurity risk?
Every cyber-attack consists of 5 steps in a chain. You can employ defensive tactics, and you are in a race with your adversary to close off the threat. BAs are involved in the ‘identify and protect’ stage. BAs should understand the landscape and the risks and develop requirements to address the risk. Anything else is a specific information security skillset.
There are three main players: the Information Security teams, the Senior Leadership and the IT Change teams.
BAs are there to deliver change that adds value to the organisation, while Information Security exists to minimise risk. You may find yourself a month from delivering something when Information Security says ‘you must fix this, this and this’, but it was not in the plan. Perhaps the requirement was not raised, and you are now out of time and resources. You end up with the change team escalating a delivery risk, Information Security withholding sign-off and Senior Leadership deciding who wins, which is not a productive way to solve issues.
BAs are uniquely placed here as they own relationships with a wide range of stakeholders. BAs have an analytical mindset and can identify ways of making things work. There is a great opportunity for BAs to add value. BAs need to understand the risk profile of a particular piece of work. Then they can facilitate conversations between the security and change teams.
STEP ONE – Establish common definitions
It is the job of the BA to explore the problem and ask pertinent questions. Are we changing the assets and adding something new? Are we changing something that needs monitoring? Are we changing the data we are capturing and what it is used for? If we apply this lens before going to cybersecurity, we can shape the conversation and add value by going straight to the critical areas.
STEP TWO – Develop artefacts to support security requirements
Instead of reinventing the wheel each time, BAs can create a catalogue of reusable security requirements. For example, BAs can develop a set of personas for ‘bad actors’ to help them imagine how a product could be abused. BAs can also identify appropriate security SLAs and industry benchmarks.
STEP THREE – Conduct early cyber-risk triage
The cyber-triage baseline is not intended to represent a comprehensive picture of the organisation’s security posture, but it does give an impression of the maturity of security controls in each domain: Incomplete, Assessed, Controlled or Managed. The assessment will elicit a series of axes that highlight areas of special interest to information security (IS) teams: Governance, Data, Infrastructure and Users. Any axis below the Controlled level indicates that IS should be consulted as soon as possible.
STEP FOUR – Reimagining the prioritisation of requirements
BAs currently focus on the value of a feature to our intended customer and the effort required to deliver it. However, we also need to factor in the cost of this feature being available to bad actors. If a defect could allow an adversary to manipulate a service to steal customer data, post fraudulent transactions, introduce malware or disrupt service, then the cost of having it would be exponentially higher than the development cost. This should be reflected in the prioritisation process.
This will help us properly evaluate the risks of delivering poorly thought-out features and give proper acknowledgement to the value of effective safeguards.
What’s Next for Cybersecurity?
Artificial Intelligence effectively allows you to model the way a human specialist does a job almost instantaneously. It is currently being used for everything from reviewing CVs to making diagnoses from lab test results, but it can also be used for both defensive and offensive cybersecurity activity.
When a team of hackers manages to breach a device on your network, it currently takes them around an hour to extend their reach to the next part of your infrastructure. In future, using AI tools, a single hacker might be able to achieve the same result in less than a minute. Exposed individuals and organisations will be compromised before they realise they are under attack.
Conclusion
We have witnessed a series of dramatic waves of disruption over the last thirty years, starting with ubiquitous access to the internet, then the emergence of cloud computing and agile software development methodologies. Yet we are still in the early days of the AI revolution.
Two things are certain:
Mark Cross has been working in IT transformation for 25 years, specialising in cloud transformation, data migration, information protection and cybersecurity. He is the founder and principal consultant of Envista Consulting and serves on the committee of the IIBA UK North Branch.
Sally Prentice (Business Analyst Team Manager/Agile Coach), 4 months ago:
Always useful to read or hear Mark's musings on this subject.