I'm a BA. Should I retrain in security?
08:00 Friday, 12 November 2021
UK Cyber Security Council
Business Analysts (BAs) are in demand. The analysis phase of a project is among the most crucial, as it is in this step that the requirements for the new product, system or service are collated - often dragged kicking and screaming from the minds of the people in the business for whom the new entity is being developed. So, it's no surprise that at the time of writing (October 2021) LinkedIn's job site has 11,245 matches in a search for "business analyst".
Given that there is an oft-cited security skills gap in UK businesses, with 680,000 of them admitting that they are short on even the most basic security talent, we can be sure that many of the vacancies behind that gap relate to business analyst roles (in fact, the detail of the report behind that figure states that such roles formed part of the search criteria when the figures were being collated). So is there the potential for a cunning BA to cross-train into security in order to jump the queue for security-related BA roles?
In a word: yes. And the "why" is simple: security is complicated and the average person (not to mention the average BA) has little or no experience or expertise in cyber security save what they have learned as users - spotting phishing scams, locking PC screens when leaving their desk, and so on.
The BA role on a security project also carries an extra complication over that on a more mainstream project. Imagine, say, a project to implement a new accounting system: the finance team will be brimming with ideas about how they want it to look, how inbound invoices will be routed, how they want journal outputs to look, and so on. In a security project, though, the BA is working with users who, on the whole, know nothing of import about security and who certainly won't be opening a firehose of requirements on the BA. It's rare for a security project to be led by the business - they're generally the consumers of the system's functionality and not the ones who decide what that functionality should be.
It seems obvious, then, that a business analyst with a decent level of knowledge in cyber security would add significant value to security projects - if only to help plug a few of the gaps when it comes to requirements. The ability to draw on a repository of security knowledge, experience and an awareness of the state of the art can bring tremendous value: the world would be a better place if BAs around the globe were saying to users things like: "I know you've always used a password, but would you find fingerprint or face recognition a more attractive way of logging in?"
Of course, it's natural that a bit of subject matter knowledge in the non-technical roles in the project team will help. For example, this correspondent used to work with a project manager who was such a techie geek that he'd have been able to configure a Cisco network switch or phone system had the need arisen, and those skills were invaluable when it came to understanding how long elements of an installation would take. But security is special because it's so new, so fast-moving and so complicated - which is why security-specific knowledge should be thought of as a "must have" rather than a "nice to have".
So, if you're a BA considering whether getting some formal security training would be worthwhile, the answer is very easy: yes, go and do it. It won't cost a fortune, and it will most definitely push you up the recruitment ladder when organisations are filling the BA element of their security skills gaps.