Last weekend was a heatwave in southern California and I spent some time at the beach to cool off. I packed my cooler, grabbed my beach chair, and my umbrella. My beach bag was carefully appointed with SPF, a hat, a towel, sunglasses, and reading materials. I was ready for a relaxation day, and the weather forecast was perfection!
But there was a risk! For those who know me, I am very fair-skinned and freckled. This means a burn comes on in 10 minutes, and painful red sunburns are something I know all too well. These sunburns are not to be ignored; they can lead to serious health risks in folks with my pale skin!
Planning for my day at the beach, I had a vision of relaxation, a few friends (sitting six feet apart – appropriate COVID-19 social distancing) to chat with, a great cooler full of drinks and healthy food, a mini Bluetooth speaker, and a book. The perfect day at the beach was imagined and planned, and my requirements were all thought of, planned, and implemented. My non-functional requirements: protect myself from the sun, make sure a restroom was close by, and check the tide schedule. Basically, reducing my risk of sunburn, discomfort, and my setup being washed away by a random sneaker wave.
As a BA or Product Owner, your project provides a solution to a group of stakeholders, and, like my solution of a relaxing day at the beach, every solution comes with risk. Cyber Security is a top risk for today’s solutions, systems, users, customers, and organizations. Some people try to avoid it altogether: much as some avoid the sun entirely, some refuse to provide their data to any system as part of a user process. Today’s project and product teams need to take Cyber Security into account on every project and for every product. Additionally, I don’t see this as a specialty area for BAs or a separate project, but rather as an inherent part of our work as BAs at any level of effort. We have to think about user, customer, and organizational risk, including Cyber Security.
So you may be asking yourself, how do BAs and POs do this?
- Understand the user goals and the workflows the data follows.
- Not everything can be perfectly secure, so we have to narrow down the risks, and this starts with understanding the user goals and workflows. This will help you analyze and lead conversations with the team and key stakeholders about cybersecurity risks, and surface the requirements that need to be vetted throughout the conversation. Cybersecurity requirements are not “gathered”; they are “elicited”. Your stakeholders do not state them explicitly; they assume everything will be handled. We are not mind readers, so we must facilitate the right conversations to find the inherent risks.
- Understand the data flows from the user, through the solution, and back to the user.
- Once you understand the user workflow, you can understand the data flow. What data is being provided by users, and how does it move through the various systems? Once you understand this, you can discuss which data is high risk, then target protecting that data in the affected user flows. Know that this is a circular, iterative process.
- Anticipate where potential risks exist.
- With the user flows and data flows in view, you can analyze and anticipate where the risks exist. This provides the inputs to start the conversations with the team and stakeholders!
- Facilitate powerful conversations by bridging the gap.
- Facilitating powerful conversations is about bringing meaningful structure to the conversation and engaging others to discuss what has not yet been identified. Bring the anticipated risks, from the user’s point of view, to the conversation. Discuss the potential risks and how big each one is, and get the technical experts and business teams talking about them together. Be the bridge; navigate everyone onto the bridge to talk together. Don’t run across the bridge talking to everyone separately; be the bridge and bring them together in a meaningful way!
- Help stakeholders and teams prioritize non-functional security requirements based on business and user risk.
- Now that you have the team and stakeholders talking, move on to facilitate prioritization. Assume we can’t have everything perfected with NO risk by the deadline and within the budget. Given these constraints, what should we secure first? Are there degrees of “secure” to consider? Here, you do not have to be the cybersecurity expert, but the normal BA role of facilitating conversations about user value and risk shines through. Be the facilitator of powerful conversations and decisions.
- Evaluate and monitor the outcomes and risks.
- Once implemented (in parts and/or whole), it is always the BA’s role to evaluate how the solution is working against the business needs and intent. This applies here too!
As for my day at the beach, I learned that my umbrella needs an SPF rating. I was under the umbrella the entire time and still got burned bright red! We can’t be perfect at risk mitigation, but the important part is having the right conversations and prioritizing based on risk. In this case, I am sure that without the umbrella the burn could have been far worse, and I can do better next time with more SPF lotion and an SPF umbrella. Evaluating and then monitoring the outcomes and making adjustments is a big part of our role as BAs!