Any organizational leader taking the first steps towards developing a security architecture will soon encounter the mysterious 'business attributes'.
Business attributes are vital if security architecture is to succeed, but, as with so many other aspects of technology and cyber security, important does not mean easy.
So what are business attributes, how do you define them, and what are some examples? Let's dig into it.
Think you've skipped a step? Try reading "What is security architecture and why is it important?" first.
Business attributes are defined traits of a particular organizational unit (e.g. IT, sales, HR) that in some way contribute to its revenue or help reduce costs. They are, in essence, key metrics of success. You'll notice in the examples below that they are generally written as adjectives - words that describe the activities, personality or outcomes of that unit.
Critically, business attributes are traceable back to the core objectives of the business, and each can be measured to determine whether the business unit is meeting its goals or falling behind in them.
Depending on the organization, some business units have a plethora of attributes, while others have very few. As we all know, each business is unique.
Examples of business attributes
As found in SABSA's Appendix A (which we will refer to again further below):
How are business attributes used?
Going through the process of creating and defining business attributes can help your organization in two ways:
Reintroducing Matko's Pizzeria as our 'case study'
If you've seen our webinar on "Transforming business through security architecture" or you've read our "Behind the scenes of implementing security architecture" article, you'll have already been introduced to Matko's Pizzeria.
This is our go-to 'case study', an example business that helps us relate key security architecture concepts to a more understandable, less technical context. We're not going to refer to cyber security in Matko's Pizzeria, but rather keep things broad and simple so you can apply the lessons to your own enterprise without getting bogged down in the technicalities.
We'll come back to Matko throughout the article. For now, though, let's move on!
We really cannot overstate the importance of breaking down your organization into its various component units. Every arm of your enterprise has a role to play in the smooth running and safety of the organization as a whole. If you can't identify where your threats are coming from and how they might interact with various people and systems around the company, how can you ever defend against them?
Even if you believe a department is insignificant - too small to be a vulnerability or pose any threat - know that it still might carry with it a degree of risk and must be considered. Leave no stone unturned!
Defining Matko's business units
We know that Matko runs a pizzeria in Munich. So what are his units?
Matko believes at first that most of his revenue and costs filter through the kitchen and bar, but what if there's a problem with his food storage (e.g. a sanitation issue)? What if someone in marketing posts the wrong Tweet? What if he hires the wrong staff member? Risks to the business can come from anywhere, so Matko has to be prepared across all his units.
So if we're gathering all of this information, where will it live?
This is where we need to build a taxonomy to collect and store all of the information we're building right now, and will continue to build hereafter. This taxonomy must be easy to find, simple to navigate and written in a manner that another person can actually read. It's pointless to go through all of this and then not be able to recall, find or read this mission-critical info!
Steps for building your security architecture taxonomy
So how does Matko organize his taxonomy?
Matko creates a new Excel sheet for each of his business units.
To help him better understand the complexities of his kitchen, he also chooses to break down 'Kitchen' into its more specific components (those stations we mentioned earlier), but they become sub-chapters of his wider 'Kitchen' document for simplicity.
Even though his team is small and multiple staff work across multiple functions, or units, he still treats each function separately for the purposes of deriving good business attributes (BAs).
Now that we've laid out the groundwork and built a place to store it all in, we can start to dig into our business attributes - and that begins with our drivers.
First, what are business drivers?
These are key inputs that drive the organization. They are activities that affect the operational and financial results of the enterprise, usually split into revenue and costs. For an example, see our Matko's Pizzeria diagram below.
Why are we completing this step?
Business drivers are going to help inform our attributes. Because we want to be able to trace attributes back to the organization's goals through revenue and cost, we need some link in the chain that connects the two - that's where our drivers come in.
Later in this process, if we struggle to connect a business attribute to a business driver, it's possible that the attribute just isn't relevant to our business yet. Putting any money into control strategies for this trait could, therefore, be wasteful and unhelpful (it isn't adding revenue or cutting costs).
Drivers also help with our ability to measure. If attributes are connected to a driver, that means they're connected to our organizational results. So, we should be able to easily measure progress and therefore determine our success over time.
So what drives Matko's business?
If we look into a pizzeria in Munich, we might develop business drivers like these…
Learn more: Watch our webinar "Transforming business through security architecture" on demand.
This step is all about finally producing our list of attributes and ensuring they feel linked to our drivers. Later we'll get clear on their definition and how to measure them - for now treat this step like a big brainstorming session.
Again, the definition of business attribute: Key traits, written like adjectives, that describe key metrics of success for a business unit.
How to map out organizational attributes
Think about each of your business units in terms of descriptive words. What are the ideal adjectives for your teams, processes and products? Fast? Consistent? Accurate? Are your products Long Lasting? Are your deliveries always On Time?
Map out as many adjectives as you think are relevant. We will expand on each later, which will help us whittle the list down a bit.
Need help? Let's visually link those attributes to your drivers
On a page, write your business drivers down in one column and brainstorm your business attributes in another.
Try to draw a line between key drivers and attributes - there should be a clear relationship between one and the other. If there isn't, and you're jumping through hoops to try and get an attribute to link to a driver, chances are it's not right for you.
Still need help? Look to SABSA for example business attributes
We've already mentioned SABSA, and with good reason. SABSA is a popular international security architecture framework that has developed a number of resources to provide examples to organizations following its process. These examples are incredibly useful for brainstorming, but we should note that they tend to be a bit generic and will likely need to be customized to suit your unique requirements.
Spark your inspiration: Find a list of examples in SABSA's Appendix A.
An important note about unknown unknowns
In business there will always be things that you don't know you don't know - those 'unknown unknowns'. Unfortunately, just because we don't know about them doesn't mean they don't pose a threat.
We can try to eliminate some of the unknown unknowns from your business by doing research into threats in your industry - looking for common problems. Additionally, refer back to your drivers to explore every avenue of where those costs and revenues could come from.
You will need to work closely with key stakeholders in each business unit to get their expertise. But a fresh pair of eyes is probably what you really need. This is why people turn to third-party security architecture specialists, who are experts in liaising with stakeholders and sniffing out unknown unknowns.
No budget for a third party? Your last resort is turning to the CISO, or a similarly relevant C-suite executive with strong knowledge of the business unit you're tackling.
Examining Matko's business attributes
We could pull out a host of business attributes for a popular little pizzeria, but for now let's highlight just two that we've identified for Matko's Kitchen and Storage units:
In the next step we will define these and talk about how to measure them.
With our list of attributes brainstormed, we need to get clear on what those adjectives mean to our enterprise. So, now we'll expand them by adding a clear definition and talking about how to measure them for success.
Defining your business attributes
It's important to define business attributes so that there can be no mistaking their intent. Anyone should be able to pick up your taxonomy, see the list, and understand what you meant.
Now how do you measure those?
This should be relatively simple. If it's not, it might be because a particular attribute is not well linked to a business driver.
Finally, think about whether these attributes depend on others
Business attributes rarely act alone. In many cases, an attribute in one business unit will impact an attribute in another, which may in turn have a flow-on effect on a third. Understanding those dependencies now makes the rest of the security architecture process easier, as you will better understand what impacts what, and therefore which risks are more or less important.
Expanding on Matko's business attributes
Let's look again at Matko's attributes of Fresh and Consistent. How would we define and measure those?
Attribute Name: Fresh
Attribute Explanation: Ingredients are stored in conditions that reduce the likelihood of spoilage. Measured in amount of food wasted before it can be used.
Attribute Name: Consistent
Attribute Explanation: Goods are consistent quality, people get what they expect. Measured in customer feedback and sales figures.
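As an added example (not code from the article or from SABSA), here is a small Python model of such a taxonomy: it enforces the traceability rule that every attribute links to a driver and every driver to revenue or cost, and it follows the dependencies between attributes so you can see what else degrades when Fresh does. The unit and driver names and the 'Trendy' attribute are constructed for illustration; only Fresh and Consistent come from Matko's example.

```python
# Added example (not the article's or SABSA's own): a small taxonomy model that enforces the
# chain attribute -> driver -> revenue/cost and computes knock-on effects between attributes.
from dataclasses import dataclass, field

@dataclass
class Driver:
    name: str
    kind: str                                       # "revenue" or "cost"

@dataclass
class Attribute:
    name: str
    unit: str                                       # business unit it belongs to
    definition: str                                 # what the adjective means here
    metric: str                                     # how success is measured
    drivers: list = field(default_factory=list)     # driver names it traces back to
    depends_on: list = field(default_factory=list)  # other attributes it relies on

def validate(drivers, attributes):
    """Return a list of problems; an empty list means every attribute is traceable."""
    problems = [f"driver '{d.name}' is neither revenue nor cost"
                for d in drivers if d.kind not in ("revenue", "cost")]
    for a in attributes:
        if not a.drivers:
            problems.append(f"attribute '{a.name}' links to no driver (candidate to drop)")
        if not a.definition or not a.metric:
            problems.append(f"attribute '{a.name}' lacks a definition or a metric")
    return problems

def impacted_by(attributes, name):
    """Attributes that degrade, directly or transitively, when `name` degrades."""
    dependents = {}
    for a in attributes:
        for dep in a.depends_on:
            dependents.setdefault(dep, set()).add(a.name)
    seen, stack = set(), [name]
    while stack:
        for child in dependents.get(stack.pop(), set()) - seen:
            seen.add(child)
            stack.append(child)
    return seen

# Constructed sample data for Matko's Pizzeria (only Fresh and Consistent come from the article)
DRIVERS = [Driver("Dine-in sales", "revenue"), Driver("Ingredient spend", "cost")]
ATTRIBUTES = [
    Attribute("Fresh", "Storage", "Ingredients are stored so as to reduce spoilage.",
              "Amount of food wasted before it can be used", ["Ingredient spend"]),
    Attribute("Consistent", "Kitchen", "Goods are of consistent quality.",
              "Customer feedback and sales figures", ["Dine-in sales"], ["Fresh"]),
    Attribute("Trendy", "Marketing", "", "", []),   # deliberately left untraceable
]
```

Running `validate(DRIVERS, ATTRIBUTES)` flags only Trendy, which is exactly the "candidate to drop" case described above, and `impacted_by(ATTRIBUTES, "Fresh")` shows that a storage problem also puts Consistent at risk.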
At this stage, you'll have a taxonomy broken down into business units, which are then broken down into drivers that themselves reflect either revenues or costs. You will have brainstormed a list of applicable business attributes, defined them, discussed how to measure them and highlighted key dependencies between attributes.
Congratulations! You have successfully completed the Define phase of security architecture. Next up comes the Create and Manage phases. We have provided a simple overview of these below. To learn even more, check out our article "Behind the scenes of implementing security architecture" or check out our webinar on the subject.
We've packed a lot of information into this one article, and the reality is it's not going to be as easy as we've made it sound. That's because security architecture can be time-consuming and complex, and that's OK - you don't need to do it yourself.
If you need a fresh pair of eyes and the backing of an expert, we're here for you. At dig8ital, we know each business is unique and pride ourselves on offering tailored cyber security solutions to all of our customers.
Want to know how we might be able to help you? Contact us for a free maturity consultation.