2017 may go down as the year of ransomware, rogue software that infects a computer, scrambles the data, demands you pay money to get access back, and eventually destroys your files. In May the WannaCry ransomware cyberattack affected more than 200,000 users in over 150 countries and disrupted operations for numerous corporations. This was followed in June by a new variant of the Petya ransomware, with this cyberattack impacting over 12,000 devices in around 65 countries, along with some high-profile corporations. While most ransomware still targets consumers, what is notable for business architects is that according to Kaspersky Lab, ransomware attacks on businesses increased 11x in 2016. So what is the role of a business architect regarding cybersecurity, disaster recovery, and business continuity planning? I honestly have no idea. In the spirit of never letting a serious crisis go to waste, let’s see how we can help.
Cybersecurity Framework
Let’s start with a good framework (as all good architects love frameworks). The National Institute of Standards and Technology (NIST) publishes a well-respected cybersecurity framework. At its core are five key functions that they recommend be performed concurrently and continuously to address the dynamic cybersecurity risk. These five functions are:
Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.
Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.
Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.
Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. The Respond Function supports the ability to contain the impact of a potential cybersecurity event.
Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity event.
The Protect, Detect, Respond, and Recover Functions appear to fit squarely within the purview of the information security team. The business architect may at times get consulted for guidance and information, but it would likely be limited to that. The Identify Function, however, reads a bit like a paragraph from the BIZBOK, so let’s take a closer look at this one.
A Role for Business Architecture in Cybersecurity
Understanding the business context is what business architecture is all about, so clearly we can play a role. Business strategy maps, value streams, capability roadmaps and other business architecture blueprints can provide a foundation to the information security team to build upon for the other Functions. Identifying potential business impacts, determining risk, and prioritizing what is most critical to the business is also a key part of the Identify Function. The business capability model can be a key asset to assist with this and help to tie disparate information together. For example, imagine starting with your standard business capability model, having applications linked to the capabilities they support, with those applications linked to the CMDB which describes the underlying infrastructure (including backup and recovery systems). Now imagine having criticality and performance rankings along with a rating for the impact of a disruption for these same capabilities. You can see a powerful model emerging that can drive better decision-making across many areas.
Of course this is not easy, and building and maintaining such a model can be nearly impossible for some organizations. In that case, focus on the key capabilities and applications, the ones with the most impact. Manually maintaining this connectivity is feasible in small numbers and provides information to drive investment decisions for disaster recovery and business continuity plans. All of this goes well beyond ransomware too. As all of us and our companies become increasingly dependent on technology, we need to ensure we are protected from always-evolving cyber threats.
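A small, hand-maintained version of the linked model described above, as an added example that is not part of the original article: capabilities carry criticality and disruption-impact ratings, applications inherit the highest score of the capabilities they support, and the CMDB record shows where recovery coverage is missing. All capability names, application names, hosts, the 1-5 rating scale, the `restore_tested` field and the score threshold are assumptions made for illustration.

```python
# Constructed sample data: capability -> (criticality 1-5, disruption impact 1-5)
CAPABILITIES = {
    "Claims Processing": (5, 5),
    "Customer Onboarding": (4, 3),
    "Marketing Analytics": (2, 1),
}
# Capability -> applications that support it (hypothetical names)
CAPABILITY_APPS = {
    "Claims Processing": ["claims-core", "doc-store"],
    "Customer Onboarding": ["crm", "doc-store"],
    "Marketing Analytics": ["bi-warehouse"],
}
# Simplified CMDB extract: application -> infrastructure and recovery facts
CMDB = {
    "claims-core": {"hosts": ["db01", "app01"], "backup": True, "restore_tested": False},
    "doc-store": {"hosts": ["nas01"], "backup": False, "restore_tested": False},
    "crm": {"hosts": ["app02"], "backup": True, "restore_tested": True},
    "bi-warehouse": {"hosts": ["dw01"], "backup": False, "restore_tested": False},
}

def app_risk_scores():
    """An application inherits the highest criticality x impact score
    among the capabilities it supports (shared apps take the worst case)."""
    scores = {}
    for capability, apps in CAPABILITY_APPS.items():
        criticality, impact = CAPABILITIES[capability]
        for app in apps:
            scores[app] = max(scores.get(app, 0), criticality * impact)
    return scores

def recovery_gaps(min_score=12):
    """List (app, score, gap) for apps at or above min_score whose CMDB
    record shows a recovery gap, highest score first."""
    gaps = []
    for app, score in app_risk_scores().items():
        if score < min_score:
            continue  # focus on the capabilities with the most impact
        record = CMDB.get(app)
        if record is None:
            gaps.append((app, score, "not in CMDB"))
        elif not record["backup"]:
            gaps.append((app, score, "no backup"))
        elif not record["restore_tested"]:
            gaps.append((app, score, "restore untested"))
    return sorted(gaps, key=lambda g: (-g[1], g[0]))

if __name__ == "__main__":
    for app, score, gap in recovery_gaps():
        print(f"{app:12} score={score:2} gap={gap}")
```

Note that `doc-store` scores 25 rather than 12 because it also supports the most critical capability, which is the kind of shared dependency the linked model makes visible.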
My fellow business architects, I ask you to be vigilant and be assertive. Engage your IT organization, information security department, and business, and find out what they are doing in the area of business continuity planning. Offer your help and share your knowledge. More broadly, pay attention to what is going on around you, not just within the company, but in your industry, country, region, and the world. Look at every crisis as an opportunity to help. If you are like me and truly believe in the value of business architecture, find new ways and places to apply it. And that can even be in places you wouldn’t expect, such as helping to prepare for and battle cybersecurity threats.
This article was prepared by Dean Heltemes in his personal capacity. The views expressed in this article are the author’s own and do not represent the view of his employer.