Yes, Business Process Maps Are Boring

Jack Freund
Author: Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, Chief Risk Officer, Kovrr
Date Published: 15 March 2023

Tips of the Trade

Being a cybersecurity professional means committing to a career of continuing education. While for many people that takes the form of learning the latest technologies, it also means cultivating a good set of soft skills. The degree to which one should develop their soft skills varies based on a variety of factors. For instance, a professional who wishes to spend more time on the technical aspects of information security should focus on learning technical skills. Alternatively, if one wants to lead a team and rise through the executive ranks, they ought to improve their soft skills. Most cyberrisk professionals can benefit from finding a balance between both skill sets.

Risk communication is a critical skill set for those looking to effectively convey priority to an organization. There is much to be said about this topic, but for a primer, the ISACA® Journal article Communicating Technology Risk to Nontechnical People: Helping Enterprises Understand Bad Outcomes covers many of the basics. A critical element of risk communication is to understand how technical infrastructure, hardware (both real and virtual) and software work together to support an organization's goals and objectives.

It is critical to understand an enterprise’s mission and the products and services that support it. Essentially, in regard to their employer, an employee must be able to answer the question, “What do we do here?” As a corollary to that, an employee should be able to answer the question, “How does my organization make money?” Even if the organization is not-for-profit, there is still money flowing through it. Government organizations likewise spend and collect money, but they are also focused on the delivery of critical services. Mapping an organization’s vision and mission to its products and services and connecting them to the flow of resources (whether money or something else) is important. Any readers thinking to themselves that this sounds similar to a business process map would be correct.

Business process maps are a critical component of business continuity planning (BCP) exercises. They show a connection between the activities that are necessary to deliver organizational products and services. Often the results of these exercises are the only repository of business processes in the entire organization. While a business process map is likely to be far more interesting to business professionals (e.g., someone with a Master of Business Administration [MBA] degree) than someone focused on threat intelligence, the truth is that the business process map is an incredibly powerful tool. It connects the technical aspects of an organization's operations to products, services and, ultimately, the mission.

What other resource allows an employee to determine whether an application’s compromise is going to impact the primary money-makers or mission-critical services in an organization? Indeed, creating or leveraging business process maps is important because they are clear guides for translating the technical aspects of an organization’s operations (e.g., applications, servers, network equipment, cloud service providers [CSPs]) to the business impacts. Applications deemed critical must be mapped to critical business processes that support high-impact products and services for the organization. Once that connective tissue is in place, it opens up many other interesting ways to report metrics and risk.

Imagine what could be achieved if vulnerability metrics were aligned to products and services and not merely platforms. Similarly, consider what benefits could be derived if a risk’s potential impact was emphasized by demonstrating how much money could be lost if critical business processes were affected. Business process mapping can enable these benefits—but only with the help of effective risk communication practices.

While business process maps may not be considered as exciting as emerging technologies such as cryptocurrencies and artificial intelligence (AI) chatbots, they are integral to the success of an organization. If a cybersecurity team does not take the time to document business processes and how money flows through their organization, it is highly likely that there are cybercriminals doing so in the meantime.

Jack Freund, Ph.D., CISA, CISM, CRISC, CGEIT, CDPSE, NACD.DC

Is a vice president and head of cyberrisk methodology for BitSight, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, ISSA Distinguished Fellow, FAIR Institute Fellow, IAPP Fellow of Information Privacy, (ISC)2 2020 Global Achievement Awardee and the recipient of the ISACA® 2018 John W. Lainhart IV Common Body of Knowledge Award.