#BPM enables #cybersecurity because the latter is an inside job

Blogpost of Larry Karisny "Is Cybersecurity an Inside Job?" -- http://globalriskcommunity.com/profiles/blog/show?id=5112778%3ABlogPost%3A151183&xgs=1&xg_source=msg_share_post (registration required) concludes that
Problems occur in business processes when someone or some technology does something wrong whether intentional, mistakenly or as part of a targeted attack. We can only achieve true security when multiple actions and process can be detected simultaneously and in real time. New technologies are offering these capabilities in a time when we are rapidly expanding interconnected humans to intelligent machines that have capabilities that are so large we are having trouble even viewing these processes.

We need to start recognizing that authentication of a person no matter how accurate the techniques used are only the first level of cybersecurity. True security can only be achieved when combining prevention and detection technologies at the real time business or process input action level. Most security breaches occur quickly and are themselves an input process action. Using technology than can focus on these input actions is where we need to focus our efforts.

True cybersecurity will be obtained when we can effectively view, audit, correct and block organizational process actions. If you could have a technology that does this, then why not?

Maybe, instead of reactively "view, audit, correct and block processes" at run-time, proactively build-in the security into business processes at design-time?

A few examples of how BPM addresses security concerns are below.

The blogpost http://improving-bpm-systems.blogspot.ch/2011/10/ea-view-on-enterprise-risk-management.html shows the big picture in which each process is enriched with the security/risk monitoring and evaluation.

The blogpost http://improving-bpm-systems.blogspot.ch/2012/09/practical-process-anti-pattern-doum.html recommends that any resource must be available only if an actor is carrying out a particular activity in a particular process instance.

And the slides 25-27 from http://improving-bpm-systems.blogspot.ch/2013/04/addressing-security-concerns-through-bpm.html show that some security can be guaranteed at the design time. It is possible to design cybersecurity not only within a particular process template, but also within a system of process templates.

Thus, explicit and executable business processes will help to improve the security (sure the architecture defines how).


No comments: