The British Computer Society June newsletter featured an article by Neil Cordell. The article opens with the following statement: “When it comes to dealing with cyber security, technologists must focus more on threats and controls and less on risk”. Mr. Cordell is concerned that implementing security controls is left entirely in the hands of technologists, who have no real idea of what impact these controls might have on business productivity or on the protection of real business assets. So far, so good, but what is this about ‘less on risk’?
Although proposing business alignment of cyber security, Mr. Cordell has a classical technologist’s view that ‘risk’ is the result of poor IT implementations, not the result of ‘doing business’. He believes that risk is a problem that technology alone can solve. He does not see risk as being an essential element of doing business, grasping opportunities to enhance business value, and facing threats that would imperil those opportunities. This succinctly captures the problem of IT thinkers – they do not grasp the concept of business risk appetite. They believe that a ‘risk-free’ world is possible, if only we could spend enough time and money on looking at cyber-threats and implementing controls.
When the author refers to threats, he means cyber threats, such as hacking, denial of service, data theft, natural disasters, etc., unrelated to the business level. SABSA takes us in a new direction of thinking, in which we concentrate on understanding the business first and foremost, without reference to the technology that underpins its operations. We look at the business opportunities and threats, assessing those most relevant to business success. We see the world in terms of a ‘business stack’, as shown in the figure, which has technology layers towards the lower end but which is populated in its higher layers with business-focused thinking. Note that the concept of ‘risk’ is present at every layer of the stack, not only at the technology layers.
In SABSA we develop Business Attribute Profiles (BAPs) to be used as proxy-assets for risk assessment. These BAPs form a multi-tiered balanced scorecard, in which performance targets are set for each individual attribute. Starting at the top of the stack we first develop a BAP for the business value chain. We then work down the stack deriving attributes for each layer, driven from the layer above. The attributes become more technical as we go down, and ultimately we derive some attributes that are specific to cyber security, but these can only be useful if we begin by considering the business value chain as the top-level driver for all things.
The concept of the Balanced Scorecard (BSC) was first published by Kaplan and Norton in the early 1990s. The overall summary of this approach is shown in the figure.
BSC takes four different views (perspectives) of enterprise strategy – financial, customer, internal process, and learning and growth – and encourages exploration of all four. If you want to explore your value chain, this is a great place to begin. The method fits perfectly with the SABSA way of thinking: you should be able to identify your value-chain attributes by using the BSC framework as a guide. SABSA doesn’t reinvent wheels that are already there, but it is a good framework for integrating methods that contribute to the holistic process of enterprise risk management.
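As an added illustration of the two ideas above (a multi-tiered Business Attribute Profile used as a balanced scorecard, and BSC perspectives as the top tier that drives the value-chain attributes), here is a small Python model. It is not SABSA’s or the author’s own material: the tier names, attribute names (“Trusted”, “Available”, “Confidential”, and so on), metrics, targets, tolerances and measurements are all constructed for the example. Each attribute records which attribute in the layer above drives it, carries a performance target plus a tolerance band that stands in for risk appetite, and an attribute with no direct measurement inherits the worst status of the attributes derived from it, so a missed technical target can be traced back to the business perspective it serves.

```python
"""Constructed example of a multi-tiered Business Attribute Profile (BAP)
evaluated as a balanced scorecard. Names, metrics and numbers are assumptions
made for illustration, not SABSA reference content."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Worst-to-best ordering used when a parent inherits status from its children.
RANK = {"met": 0, "unmeasured": 1, "tolerated": 2, "missed": 3}


@dataclass
class Attribute:
    name: str
    layer: str                       # scorecard tier, top of the stack downwards
    metric: Optional[str] = None     # how performance of the attribute is measured
    target: Optional[float] = None   # performance target on that metric
    tolerance: float = 0.0           # shortfall the business accepts (risk appetite)
    higher_is_better: bool = True
    derived_from: List[str] = field(default_factory=list)  # drivers in the layer above


def status_of(attr: Attribute, measured: float) -> str:
    """Compare one measurement with the attribute's target and tolerance band."""
    shortfall = (attr.target - measured) if attr.higher_is_better else (measured - attr.target)
    if shortfall <= 0:
        return "met"
    if shortfall <= attr.tolerance:
        return "tolerated"      # outside target but inside the accepted band
    return "missed"


def scorecard(profile: List[Attribute], measurements: Dict[str, float]) -> Dict[str, str]:
    """Status of every attribute. Directly measured attributes are scored on
    their own metric; unmeasured ones take the worst status of the attributes
    derived from them, so a technical miss rolls up the stack."""
    by_name = {a.name: a for a in profile}
    children: Dict[str, List[str]] = {a.name: [] for a in profile}
    for a in profile:
        for parent in a.derived_from:
            children[parent].append(a.name)
    cache: Dict[str, str] = {}

    def resolve(name: str) -> str:
        if name in cache:
            return cache[name]
        attr = by_name[name]
        if name in measurements and attr.target is not None:
            result = status_of(attr, measurements[name])
        elif children[name]:
            result = max((resolve(c) for c in children[name]), key=RANK.__getitem__)
        else:
            result = "unmeasured"
        cache[name] = result
        return result

    return {a.name: resolve(a.name) for a in profile}


def trace(profile: List[Attribute], name: str) -> List[str]:
    """Chain from a low-level attribute up to the top tier (first driver at each
    step), i.e. the business justification for a technical control."""
    by_name = {a.name: a for a in profile}
    chain = [name]
    while by_name[chain[-1]].derived_from:
        chain.append(by_name[chain[-1]].derived_from[0])
    return list(reversed(chain))


# Constructed profile: BSC perspectives -> value-chain attributes -> lower layers.
PROFILE = [
    Attribute("Customer", "strategy"),
    Attribute("Internal process", "strategy"),
    Attribute("Trusted", "business", metric="customer data-handling complaints per quarter",
              target=0, tolerance=2, higher_is_better=False, derived_from=["Customer"]),
    Attribute("Available", "business", metric="core service uptime (%)",
              target=99.9, tolerance=0.05, derived_from=["Internal process"]),
    Attribute("Confidential", "information", metric="customer records under access control (%)",
              target=100, tolerance=1, derived_from=["Trusted"]),
    Attribute("Encrypted at rest", "technology", metric="customer data stores encrypted (%)",
              target=100, derived_from=["Confidential"]),
    Attribute("Resilient", "technology", metric="successful failover tests per half-year",
              target=2, derived_from=["Available"]),
]

# Constructed measurements for one review period.
MEASUREMENTS = {
    "Encrypted at rest": 92.0,   # short of target: rolls up to "Customer"
    "Available": 99.87,          # below 99.9 but inside the 0.05 tolerance band
    "Resilient": 2,
}

if __name__ == "__main__":
    for name, status in scorecard(PROFILE, MEASUREMENTS).items():
        print(f"{status:<10} {' -> '.join(trace(PROFILE, name))}")
```

Running the block prints one line per attribute with its status and its driver chain, so the 92% encryption figure appears as a miss against “Customer -> Trusted -> Confidential -> Encrypted at rest” rather than as an isolated technical number, while the uptime shortfall shows as tolerated because it sits inside the band the business said it would accept.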