by Business Analysis,
A recent cyber-attack resulted in a telecom giant earmarking AUD 140m to cover its data breach losses and caused immense damage to its reputation. According to the ACSC Annual Cyber Threat Report, more than 76,000 cybercrimes were reported in Australia during FY 2021–22, an increase of nearly 13% on the previous year. Additionally, Queensland and Victoria reported disproportionately higher rates of cybercrime relative to their populations.
Due to the sharp increase in cybersecurity threats, organisations need to make cyber defence a high priority. To achieve a cyber-safe environment, organisations need to upgrade their cyber posture, define their cyber risk appetite and tolerance, and engage stakeholders across the organisation in the prevention, detection, and remediation of vulnerabilities. Business analysis is vital in executing these focus areas efficiently, so that every decision taken contributes value.
Upgrading cyber posture
The cyber posture of an organisation is its overall security status, and it determines the level of cybersecurity risk the organisation carries. It comprises the organisation’s existing cybersecurity policies, its security awareness programs for employees, and the cybersecurity controls deployed to safeguard the confidentiality, integrity, and availability of its systems.
It is important to evaluate the cyber posture of an organisation to identify its gaps. Locating these chinks in the cyber armour helps stakeholders align business processes with a recognised security framework, which not only strengthens the cyber posture but also supports any cyber-related regulatory compliance. Properly implementing a framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework allows institutions to mitigate risk in a structured way. An efficient implementation process allows business analysts and stakeholders to plan and build out the five core functions of the NIST framework (identify, protect, detect, respond, and recover), and a gap against any one of them points to a concrete area where risk is not yet mitigated.
Defining cyber risk appetite and tolerance
Risk management allows an organisation to both create and protect value. Articulating the organisational risk appetite is not only an integral part of informed decision making but also gives teams freedom to act within defined boundaries. Risk appetite is the amount of risk, or level of exposure, an organisation is willing to accept in pursuit of its business objectives. A similar-sounding term used in this context is risk tolerance, which is the acceptable variation from the risk appetite the organisation has defined. Risk appetite sits at the strategic level, whereas risk tolerance sits at the operational level. Although risk appetite and tolerance are broader concepts, the same principles extend to the information security space as well.
Risk appetite and risk tolerance can be applied to strategic direction setting and/or critical or material decision making. Boards and/or executives review risk appetite and tolerance when setting the strategic direction. This may be done in the case of:
- Change in Board/Executive
- Expansion, merger, acquisition, contraction or any such material change to the organisation’s purpose
- Change in the strategy
- A scheduled review
Prevention, detection, and remediation of vulnerabilities through stakeholder engagement
To conduct stakeholder engagement, it is first important to identify the right stakeholders. Typically, stakeholders range from senior executives to developers, and include finance, HR, the Project Management Office, marketing, sales and more. Business analysts can apply the same skill set they use on any other initiative by categorising stakeholders by their influence and interest. Stakeholders can typically be divided into three groups. The first group consists of one (or more) senior executives with the decision-making authority to drive best practices in cybersecurity and to allocate funding. The second group can include HR, finance, and similar functions; they can share any special requirements their department has to stay cyber safe, or advise on the best way to design a cybersecurity awareness program and training. The third group is lower in both influence and interest (for example, sales teams) and may require only just-in-time cyber training or a quarterly engagement. Good engagement with stakeholders allows for a smoother and more effective implementation of cybersecurity policies.
Understanding the cybersecurity landscape is important for the organisation and its stakeholders, as this organisation-wide threat is sometimes just one click away. Recently, a new Risk Management Protocol was signed off by the Minister for Home Affairs and Cybersecurity that requires organisations in critical infrastructure to invest more in their cybersecurity protection to comply with the new national security requirements; the suggested measures may cost companies about $10 billion combined. The right cybersecurity strategy, envisaged with business analysis, can enable an organisation to continue its operations and growth whilst protecting itself and its customers.