Let’s Turn Those Business Drivers into Useful Business Attributes

For any organizational leader taking the first steps towards developing a security architecture, they will soon encounter the mysterious ‘business attributes’.

Business attributes are absolutely vital for security architecture to be successful, but as with so many other aspects of technology and cyber security – they might be important, but not necessarily easy.

So what are business attributes, how do you define them, and what are some examples? Let’s dig into it.

Think you’ve skipped a step? Try reading “What is security architecture and why is it important?” first.

Let’s start by defining business attributes and their purpose

Business attributes are defined traits of a particular organizational unit (i.e. IT, sales, HR) that in some way contribute to its revenue or help reduce costs. They are, in essence, key metrics of success. You’ll notice in the examples below that they are generally written as adjectives – words that describe the activities, personality or outcomes of that unit. 

Critically, business attributes are traceable back to the core objectives of the business, and each can be measured to determine whether the business unit is meeting its goals or falling behind in them.

Depending on the organization, some business units have a plethora of attributes, while some very few. As we all know, each business is unique.

Examples of business attributes

As found in SABSA’s Appendix A (which we will refer to again further below):

•  Accessible: “Information to which the user is entitled to gain access should be easily found and accessed by that user.”
• Timely: “Information is delivered or made available to the user at the appropriate time or within the appropriate time period.”
• Future-proof: “The system architecture should be designed as much as possible to accommodate future changes in both business requirements and technical solutions.”          

How are business attributes used?

Going through the process of creating and defining business attributes can help your organization in two ways:

1. They help you break down your business and think about its every component. In order to generate useful business attributes, you must first look at your entire organization, its every department, its every leader, the chain of command, and ensure that you are extremely clear on each component – including who owns what, and where the risks could be.
2. They help you prioritize potential threats to the organization and build control strategies. After working through this task, it will start to become very clear where the red flag areas of your business are, and therefore where you need to spend the most budget in the short-term to close critical gaps.

Reintroducing Matko’s Pizzeria as our ‘case study’

If you’ve seen our webinar on “Transforming business through security architecture” or you’ve read our “Behind the scenes of implementing security architecture” article, you’ll have already been introduced to Matko’s Pizzeria.

This is our go-to ‘case study’, an example business that helps us relate key security architecture concepts to a more understandable, less technical context. We’re not going to refer to cyber security in Matko’s Pizzeria, but rather keep things broad and simple so you can apply the lessons to your own enterprise without getting bogged down in the technicalities.

We’ll come back to Matko throughout the article. For now, though, let’s move on!

Let’s talk about how to define your attributes

Step 1: Break down your organization into its components

We really cannot overstate the importance of breaking down your organization into its various component units. Every arm of your enterprise has a role to play in the smooth running and safety of the organization as a whole. If you can’t identify where your threats are coming from and how they might interact with various people and systems around the company, how can you ever defend against them?

Even if you believe a department is insignificant – too small to be a vulnerability or pose any threat – know that it still might carry with it a degree of risk and must be considered. Leave no stone unturned!

• Example: Imagine the marketing intern who has login access to the business network and downloads a malicious file by mistake. Or the hacker who walks into reception and hands a USB stick loaded with malware to the receptionist to plug into their computer – automatically uploading the virus into your business. Both of these have happened in real life.

Defining Matko’s business units

We know that Matko runs a pizzeria in Munich. So what are his units?

1. Kitchen (which we can break further into key kitchen stations, too, like pizzas, pastas, entrees, desserts)
2. Storage
3. Bar
4. Front of house
5. Marketing/advertising
6. Management and HR
7. Financial

Matko believes at first that most of his revenue and costs filter through the kitchen and bar, but what if there’s a problem with his food storage (i.e. a sanitation issue)? What if someone in marketing posts the wrong Tweet? What if he hires the wrong staff member? Risks to the business can come from anywhere, so Matko has to be prepared across all his units.

Step 2: Establish a taxonomy of this information

So if we’re gathering all of this information, where will it live?

This is where we need to build a taxonomy to collect and store all of the information we’re building right now, and will continue to build hereafter. This taxonomy must be easy to find, simple to navigate and written in a manner that another person can actually read. It’s pointless to go through all of this and then not be able to recall, find or read this mission-critical info!

Steps for building your security architecture taxonomy

1. Everything in this process above and below must go into the taxonomy.
2. Start with an org chart – a structure of the business. Include details on who owns and leads which function, such as HODs and the chain of command.
3. Each of the steps below should be done per business unit.
4. Write all of this information down in a Word doc or Excel sheet, provided it is organized efficiently. Most companies won’t need anything more complex than this for their taxonomy.
5. Start a new document for each business unit, with perhaps a folder or repository to collect all the business units together so they can be found easily.

So how does Matko organize his taxonomy?

Matko creates a new Excel sheet for each of his business units.

To help him better understand the complexities of his kitchen, he also chooses to break down ‘Kitchen’ into its more specific components (those stations we mentioned earlier), but they become sub-chapters of his wider ‘Kitchen’ document for simplicity. 

Even though his team is small and multiple staff work across multiple functions, or units, he still treats each function separately for the purposes of deriving good BAs.       

Step 3: Establish business drivers

Now that we’ve laid out the groundwork and built a place to store it all in, we can start to dig into our business attributes – and that begins with our drivers.

First, what are business drivers?

These are key inputs that drive the organization. They are activities that affect the operational and financial results of the enterprise, usually split into revenue and costs. For an example, see our Matko’s Pizzeria diagram below.

Why are we completing this step?

Business drivers are going to help inform our attributes. Because we want to be able to trace attributes back to the organization’s goals through revenue and cost, we need some link in the chain that connects the two – that’s where our drivers come in.

Later in this process, if we struggle to connect a business attribute to a business driver, it’s possible that the attribute just isn’t relevant to our business yet. Putting any money into control strategies for this trait could, therefore, be wasteful and unhelpful (it isn’t adding revenue or cutting costs).

Drivers also help with our ability to measure. If attributes are connected to a driver, that means they’re connected to our organizational results. So, we should be able to easily measure progress and therefore determine our success over time.

So what drives Matko’s business?

If we look into a pizzeria in Munich, we might develop business drivers like these…   ‍

Learn more: Watch our webinar “Transforming business through security architecture” on demand.

Step 4: Brainstorm your business attributes

This step is all about finally producing our list of attributes and ensuring they feel linked to our drivers. Later we’ll get clear on their definition and how to measure them – for now treat this step like a big brainstorming session.

Again, the definition of business attribute: Key traits, written like adjectives, that describe key metrics of success for a business unit.

How to map out organizational attributes

Think about each of your business units in terms of descriptive words. What are the ideal adjectives for your teams, processes and products? Fast? Consistent? Accurate? Are your products Long Lasting? Are your deliveries always On Time?

Map out as many adjectives as you can think are relevant. We will expand on each later, which will help us wittle the list down a bit. 

Need help? Let’s visually link those attributes to your drivers

On a page, write your business drivers down in one column and brainstorm your business attributes in another.

Try to draw a line between key drivers and attributes – there should be a clear relationship between one and the other. If there isn’t, and you’re jumping hoops to try and get an attribute to link to a driver, chances are it’s not right for you.

Still need help? Look to SABSA for example business attributes

We’ve already mentioned SABSA, and with good reason. SABSA is a popular international security architecture framework that has developed a number of resources to provide examples to organizations following their process. These examples are incredibly useful for brainstorming, but we should note that they tend to be a bit generic and will likely need customized to suit your unique requirements.

Spark your inspiration: Find a list of examples in SABSA’s Appendix A.

An important note about unknown unknowns

In business there will always be things that you don’t know you don’t know – those ‘unknown unknowns’. Unfortunately, just because we don’t know about them doesn’t mean they don’t pose a threat. 

We can try to eliminate some of the unknown unknowns from your business by doing research into threats in your industry – looking for common problems. Additionally, refer back to your drivers to explore every avenue of where those costs and revenues could come from.

You will need to work closely with key stakeholders in each business unit to get their expertise. But, a fresh pair of eyes is probably what you really need. This is why people turn to third-party security architecture specialists – who are experts in liaising with stakeholders and snooping out unknown unknowns. 

No budget for a third party? Your last resort is turning to the CISO, or a similarly relevant C-suite executive with strong knowledge of the business unit you’re tackling.

Examining Matko’s business attributes

We could pull out a host of business attributes for a popular little pizzeria, but for now let’s highlight just two that we’ve identified for Matko’s Kitchen and Storage units:

• Kitchen: Fresh
• Storage: Consistent

In the next step we will define these and talk about how to measure them.

Step 5: Expand on each business attribute by defining them

With our list of attributes brainstormed, we need to get clear on what those adjectives mean to our enterprise. So, now we’ll expand them by adding a clear definition and talking about how to measure them for success.

Defining your business attributes

It’s important to define business attributes so that there can be no mistaking their intent. Anyone should be able to pick up your taxonomy, see the list, and understand what you meant.

• Ask yourself: What does this attribute mean to you? If you had to explain it in one sentence, what would you say? Think about it in terms of business outcomes, again remembering that it should be linked to your drivers (and thus, revenue or cost).

Now how do you measure those?

This should be relatively simple. If it’s not, it might be because a particular attribute is not well linked to a business driver.

• Ask yourself: How do you know if you are succeeding or failing at this attribute? What metrics are involved? What processes will be required to monitor for this success? What KPIs need to be considered?

Finally, think about whether these attributes depend on others

Business attributes rarely act alone. In many cases, an attribute from this business unit will impact that attribute over there, which may then have a flow-on effect to the one over there. Understanding those dependencies now can make the rest of the security architecture process easier, as you will better understand what impacts what, and therefore what risks are more or less important.

• Ask yourself: Does this business attribute impact another, potentially in a different business unit? I.e. if there was a failure here, would the other attributes notice? Consider an example customer service attribute of, say, ‘Always Available’ or ‘Fast Service’, and how it might be linked to logistics attributes such as ‘Delivered on Time’ or ‘Clean’, etc.

Expanding on Matko’s business attributes

Let’s look again at Matko’s attributes of Fresh and Consistent. How would we define and measure those?

Attribute Name: Fresh
Attribute Explanation: Ingredients are stored in conditions that reduce the likelihood of spoilage. Measured in amount of food wasted before it can be used.

Attribute Name: Consistent
Attribute Explanation: Goods are consistent quality, people get what they expect. Measured in customer feedback and sales figures.

So what comes next?

At this stage, you’ll have a taxonomy broken down into business units, which are then broken down into drivers that themselves reflect either revenues or costs. You will have brainstormed a list of applicable business attributes, defined them, discussed how to measure them and highlighted key dependencies between attributes.

Congratulations! You have successfully completed the Define phase of security architecture. Next up comes the Create and Manage phases. We have provided a simple overview of these below. To learn even more, check out our article “Behind the scenes of implementing security architecture” or check out our webinar on the subject.

1. Create phase – Threats and opportunities: Here we would take those business attributes, go back through each of them, and ask ourselves what the key threats are to those success metrics. What’s going to block us, or harm us? We can also look for opportunities – areas of improvement or potentially new business.
2. Create phase – Impact analysis: When we perform an impact analysis, we’re trying to determine just how much a particular threat might affect the organization. This can tell us which threats are a higher or lower priority, so we can direct budget towards mission-critical gaps first and deal with less-important issues later.
3. Create phase – Identify control strategies: When we know our threats (and which we need to prioritize) we can start to think of control strategies for them. What can we do to mitigate those threats?
4. Manage phase – Identify security services: The next stage is obvious – with a list of control strategies thought out, we need to look for new security services that will implement our new strategies. ‘Services’ here could mean new technology, or it could mean staff training, different policies, and other non-technical elements.
5. Manage phase – Implement security services: Finally, with a list of services in mind, we can start implementing all of them. This step can take a long time, even years depending on the scope, but with your list of priorities in hand you’ll know where to start.

Need a fresh pair of eyes? We can help

We’ve packed a lot of information into this one article, and the reality is it’s not going to be as easy as we’ve made it sound. That’s because security architecture can be time-consuming and complex, and that’s OK – you don’t need to do it yourself.

If you need a fresh pair of eyes and the backing of an expert, we’re here for you. At dig8ital, we know each business is unique and pride ourselves on offering tailored cyber security solutions to all of our customers.

Want to know how we might be able to help you? Contact us for a free maturity consultation.