Can business process reengineering lead to security vulnerabilities: Analyzing the reengineered process

Digitization, while a boon for business productivity, carries inherent liability for information security. During the last few decades, companies have reengineered business processes on the back of digital data and computer networks. Recently, companies are beginning to realize that increased accessibility, and productivity, carries a hidden cost of making the data more vulnerable to security breaches. It makes intuitive sense to incorporate information security into strategic decision-making during business process reengineering. However, the intricate and complex nature of information security obscures the return on security investment, making companies reluctant to invest in security policies or technology. Consequentially, companies are often forced to suboptimally retrofit security into their business processes in response to security breaches. The case study presents an information security risk analysis proactively conducted at General Electric Energy's Wind Division after the business process reengineering of their product data storage and sharing process. The goal of the study was to identify the security risks in the redesigned process using a structured matrix-based risk analysis approach that links the assets of the organization at risk to security controls.