How business function mapping can help align IT and cybersecurity with business priorities [Q&A]

In the modern business world, organizations face the ongoing challenge of aligning their IT and cybersecurity efforts with their business priorities.

The difficulty lies in understanding how your infrastructure supports your business's core functions. Without this understanding, prioritizing cybersecurity initiatives, managing vulnerabilities, and ensuring business continuity remains an uphill battle.

We talked to Redjack CEO Greg Virgin to learn more about business function mapping and how it can help with the challenge.

BN: What is 'business function mapping'?

GV: Business function mapping is the process of knowing and understanding exactly what parts of your IT estate support the specific business concerns of your leadership team and board of directors. 'Business functions' are things that are easy for a board of directors to understand -- like 'communications' or 'shipping and logistics' -- things that the business does as part of its normal operations. Typically we see organizations grouping IT infrastructure components (commonly referred to as 'assets') by their IT characteristics, such as 'Windows servers,' whereas business function mapping focuses on how these assets support business-centric functions.

To be clear, business function mapping is also different from looking at infrastructure from the perspective of which department the IT spending is attributed to. What we focus on with business function mapping is knowing everything that contributes to the successful delivery of a particular operational function or service, including external third party systems that aren’t tracked in the asset inventory systems that the IT team uses.

BN: Haven't large organizations already done this? Who has the biggest challenge in this regard?

GV: Actually, no. I've worked with some of the largest organizations in the world, and typically they don't know more than about 30 percent of the infrastructure that makes their business functions run. You have to remember that large organizations have grown organically over the years -- they weren't designed up-front to work as they do now. Whether it's from new initiatives they've launched or from M&A activities or whatever, they've now got an extremely complex environment that’s very difficult to understand.

Add to that the constant rate of change in any environment -- I've seen up to a 15 percent drift per month in infrastructure components that support a given business function -- it's an impossible task for anyone to manage manually. The IT team may think they've got a handle on it, but I've never seen a case where they actually do.

BN: How can this deliver benefits for the business and for IT?

GV: The most important benefit is supporting resilience. If you've identified your critical business functions, and mapped all the components required for delivering those business functions, then you can not only make sure to apply extra security measures where it counts, but also know how exactly you need to bring things back up in case of an outage. We've worked with a customer who was able to restore critical functions within 15 minutes -- they never could have done that without a complete understanding of the assets and dependencies for those functions.

Having that understanding also helps in other ways. For example, in digital transformation or cloud migration projects, you also need that complete view. You can't successfully change something unless you know how it works in the first place.

BN: What are the first steps in creating a business process map?

GV: The first step is to get an objective source of truth about your entire infrastructure -- on-premises, in the cloud, in containers, and all the third parties you’re connected to. You need to make sure you’re identifying everything that communicates within your environment. This is impossible to do without automation -- too often I've seen organizations try to compile the information manually, which not only takes a lot of time but is also prone to significant errors. Then you need to use AI to unravel the complexity, and stay on top of the changes.

BN: Why is mapping particularly important for cybersecurity?

GV: Knowing how your infrastructure components are connected to your business functions lets you do a better job of attack surface analysis and vulnerability management. You can identify and protect your most critical attack surfaces based on business function dependencies. No organization has all the resources they need for cybersecurity, so it makes sense to focus on protecting the most important assets at the most strategic places.

BN: How often does the mapping need to be reviewed?

GV: With up to 15 percent of infrastructure drift every month, it's essential to stay on top of what's powering your critical business functions. This requires both automation and AI, plus software to help you understand the results and provide recommendations for actions you can take to improve your security posture and resilience.

Image credit: Suriyaphoto/Dreamstime.com