As adversaries continuously seek to disrupt, cause harm and wreak havoc on complex digital assets, enterprises must strategically plan, design and build secure, trusted systems. The ever-evolving cyberthreat landscape and the increased ubiquity of systems present significant challenges to engineers responsible for constructing these systems. The modern cyberthreat environment requires a different mindset to establish and maintain resiliency in emerging systems. If enterprises want to survive cyberspace, they must tailor their approach to focus on the fundamental principles of cybersecurity risk management and the adverse impacts to the enterprise rather than solely emphasizing technology-specific trends and solutions.
Combatting Flaws That Technology Cannot
Many security weaknesses and architectural design flaws are introduced during system engineering efforts. Although a common approach may be to identify these issues during the security testing process, identify and assess risk, and plan technical security measures or solutions to remediate or mitigate the risk, there are more efficient solutions to address the root cause of these flaws. Early in the system engineering process, before any technical implementation, enterprises should conduct a business impact analysis (BIA) as a preventive measure to define the business context, significance and a shared common understanding of the system's purpose and its intended outcomes.
The Role of a Business Impact Analysis During System Security Engineering
Too often, systems are designed and implemented without a true understanding of the purpose of the system, its relationship to the enterprise and the adverse effects that could be realized through a security incident. To address this problem, during the initiation phase of a system engineering project, key stakeholders should conduct a BIA to formally define and communicate the mission and business functions and processes that the system-of-interest will be designed to support. Not only should mission and business processes be determined, but they should also be prioritized based on the value those services provide and the impact on both strategic and tactical objectives. There are many benefits of a BIA during a system's initiation phase as shown in figure 1.
Figure 1—Benefits of a BIA for Systems Engineering
Initiation Process Area |
Benefits |
Asset Identification and Valuation |
A BIA can help easily map the mission and business processes to the assets that support the delivery of those services. This is specifically useful for complex systems that are managed, maintained and operated by multiple internal and external parties. |
Authorization Boundary Definition |
The BIA can help define the scope of protection by allowing organizations to uniquely identify the assets that support each mission and business process, determine security responsibilities and ultimately ensure accountability for each component within the authorization boundary. |
Risk Assessment |
In preparation for a risk assessment, enterprises can gain added value by leveraging the BIA to provide the business context behind system engineering initiatives and develop risk response strategies that optimize the success of mission and business processes. |
Key Takeaways
There is an ever-growing need for well-built, resilient systems that can withstand the complex attacks that adversaries execute against them. Although there is often a significant focus on the technical aspects of system engineering, emphasizing the business context behind security initiatives may lead to systems with more balanced, proportionate levels of security. Enterprises must remain vigilant about the scope and drivers behind mission and business processes to determine the consequences of a security incident and maintain traceability of system protection needs. By leveraging a BIA, enterprises can better understand the security aspects of the problem and opportunity space, achieve a shared understanding of the mission and business context, and provide greater, commensurate security protection.
Editor’s note: For further insights on this topic, read Hunter Sekara’s recent Journal article, “A Strategic Risk-Based Approach to Systems Security Engineering,” ISACA Journal, volume 2, 2022.
ISACA Journal turns 50 this year! Celebrate with us—and do not forget you can still receive the print copy by visiting your preference center and opting in!