
Cybersecurity in Business Analysis

Updated: Jul 3, 2023

You may wonder how a business analyst career and cybersecurity relate to each other. What is the role of a BA in cybersecurity? Let us see why knowledge of cybersecurity concepts is important to a BA professional.


A Business Analyst acts as a connection between the project management and technical teams. A BA gathers the requirements from a client and converts them into functional specifications. A BA requires technical experience, as he/she also helps the technical teams convert the functional requirements into technical terms.

As systems and mobile devices grow in number day by day, the Internet of Things has put internet access in the hands of many. With that comes a constant risk of security compromise. Many cybersecurity attacks have been in the news lately. These highlight weaknesses in Internet infrastructure that allow attackers to access a company's sensitive information. Many software organizations are becoming vulnerable to cybercrime and are striving hard to respond.


What is cybersecurity? ISACA defines cybersecurity as the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems. It is a part of Information Security. Cybersecurity deals with threats that exist because of the global cyberspace, i.e. the Internet.


The terms risk and threat are most commonly used when we talk about security. What is a Risk, and a Threat, and what is the difference between the two? Risk is the combination of the probability of an event and its consequence. A Risk can be mitigated with control and safeguarding activities. A Threat is anything that is a potential cause of an unwanted incident that may cause harm.



Some other important terminologies in Cybersecurity:

  1. Asset: Anything, either tangible or intangible, that is worth protecting, such as information, finances, people, etc.

  2. Vulnerability: A weakness in a process which may expose the system to threats.

  3. Inherent Risk: The risk to the organization without considering the measures taken to control it.

  4. Residual Risk: The remaining risk after the organizational controls have been implemented.

  5. Adversarial Threat Event: A threat event caused by a human threat agent, such as hackers.

  6. Non-Adversarial Threat Event: Results from an error or malfunction.

Type of Attacks



Now that we know what cybersecurity is, let us take a look at the role of a BA in cybersecurity. It is the role of a Business Analyst to understand the importance of security.

  • A BA should know the potential cybersecurity risks and threats associated with networks, data, and infrastructure of an organization.

  • He/she should also have knowledge of the standard practices followed to analyze risks and create mitigation activities.

  • A BA should be aware of the governmental policies and guidelines for establishing security measures in the organization, and abide by them.

  • He/she should keep up to date with the latest cyber attacks and their history, such as the incidents and events preceding the attacks.

While evaluating the business plans and general business rules, an organization should keep in mind the factors that impact security, such as:

  • Nature of Business

  • Risk Tolerance

  • Security strategy

  • Industry Security Trends

  • Industry specific compliance requirements and regulations

  • Country or state regulatory and compliance requirements

  • Outsourcing services and service providers


The Business Analyst must ensure that the organization applies cybersecurity policies, tools, and practices such as:

  1. Implementation of Security tools: To implement a security tool, a BA should extract requirements and involve business stakeholders to conduct business process re-engineering.

  2. Risk Management: A BA should conduct risk analysis, keep a record of identified risks, develop mitigation activities, and assess the risks in terms of impact and likelihood.

  3. Incident Management: Incident management includes activities to identify the risks to systems, design safeguards to limit the impact of events, implement activities to detect the occurrence of an event, take appropriate action after an event occurs, and plan for the repair of compromised services.

  4. Budgeting: A BA will include cybersecurity costs in business budgeting by providing the estimated cost of implementing a security solution for the assets of the organization.
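As an added illustration (not part of the original post) of the terminology above and of the Risk Management activity, here is a minimal risk register that scores each risk as likelihood x impact, derives residual from inherent risk once controls are applied, and flags what still exceeds the organization's risk tolerance. The 1..5 scales, the control "effectiveness" fraction, and all assets and controls are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    effectiveness: float  # assumed: fraction of remaining risk this control removes (0..1)

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # assumed 1..5 scale
    impact: int       # assumed 1..5 scale
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        # Inherent risk: probability x consequence, ignoring any controls
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Residual risk: what remains after each control removes its share
        remaining = float(self.inherent())
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness
        return round(remaining, 2)

def above_tolerance(register, tolerance):
    """Return 'asset/threat' labels whose residual risk still exceeds tolerance."""
    return [f"{r.asset}/{r.threat}" for r in register if r.residual() > tolerance]

# Constructed register with hypothetical assets, threats and controls
REGISTER = [
    Risk("customer DB", "credential theft (adversarial)", "no MFA on admin portal", 4, 5,
         [Control("enforce MFA", 0.7), Control("audit logging", 0.2)]),
    Risk("billing service", "disk failure (non-adversarial)", "single unreplicated volume", 3, 4,
         [Control("nightly backups", 0.5)]),
    Risk("public website", "defacement", "unpatched CMS plugin", 3, 2, []),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:16} inherent={r.inherent():2} residual={r.residual()}")
    print("above tolerance (5):", above_tolerance(REGISTER, 5))
```

Lowering the residual below tolerance is the mitigation activity the BA records; the unmitigated website risk shows why items with no controls stay on the register.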


To be an effective cybersecurity business analyst, a traditional BA should gain knowledge of some major cybersecurity areas such as:

  • Internet Web and Cloud

  • Encryption

  • Networking

  • Risk Analysis

  • Compliance and Auditing

  • Risk Governance

  • Incident Management

A Business Analyst may not always be a cybersecurity expert. His/her role may be that of someone working on technical projects with a high-level knowledge of cybersecurity concepts, which is highly beneficial to organizational growth.

