Mark Cross was awarded the BA of the Year Award at the BA Conference Europe 2025. This is his winner’s interview.

Can you tell us about your BA journey?

I’ve been a business analyst for around fifteen years, before that I was a network engineer. I was attracted to the BA role because I could see problems with projects being delayed or cancelled. I wanted to be more involved in the process, including establishing the requirements. 

I see the BA as a ‘Value Steward’. Organisations need to protect their income, and to protect their long-term stability and their sustainability. The BA role is to work with all stakeholders to make sure all elements are considered. 

Why did you decide to apply for BA of the Year?

First, I’m passionate about cybersecurity, it’s a key concern and I wanted to shine a spotlight on the topic. Secondly, I saw it as a chance to show the neurodiverse community what somebody with neurodiversity can achieve. Finally, I knew the challenge would do me good. I was suffering from imposter syndrome, and when I saw Pip Hall win two years ago, I realised I was intimidated by idea of standing for such a high-profile accolade, having never even stood up in front of so many of my peers before. I like to tackle my fears head on and test my abilities, so I entered the competition in 2024, and again this year. It was one of the biggest challenges I’ve ever faced. 

How do you feel about winning the competition?

Winning was not the point of entering. For me, it was more about seeing what I was capable of. However, now that I’ve won I am absolutely delighted! I’m honoured and grateful that my efforts have been recognised in this way. 

I see the work behind my win as necessary work, promoting the cybersecurity agenda. Security breaches in high profile organisations are making the news. BAs can help organisations to make the right changes, protect what they are delivering and accept nothing less than the best from their cybersecurity teams. There are many threats out there. The organisations that are best prepared will get through relatively unscathed.

I could not have won without the support of my team, the wider BA community, and my wife who is my greatest supporter.

You had a message for the neurodiverse community: “This is what you can achieve when you find something that’s bigger than fear.” Can you tell us more about your advocacy for neurodivergent professionals in the IT industry?

Twenty years ago, I’d been in the IT industry for around eight years. I was technically competent, but I knew there were things I struggled with. For example, I would have difficulty talking if there were more than three people in the room. As I’ve already mentioned, my response to fear is to confront it. For example, I was afraid of heights, so I took up rock climbing and jumped out of a plane. I was afraid of public speaking, so I joined Toastmasters and became an Area Governor overseeing five clubs. 

If you struggle, my message is that there are ways of working around the constraints such as overwhelm, overstimulation and communication. It is working out how to apply yourself more effectively, finding a niche which aligns with your personal aptitudes and mission. It is about finding find a way to be more (not less) of yourself whilst being able to deliver what the world expects and needs. This is hard work, so having a challenge and a goal helps. Believing in something bigger than yourself helps you to overcome the fear. 

Obviously giving back to the BA community is a big part of the award. Can you tell us about the IIBAs global CyberSIG of which you are the founding chair, and the impact you are making?

I first spoke with IIBA about the idea of a Cyber Special Interest Group (CyberSIG) last year. With the rise of AI and the increasing number of cyber threats, cybersecurity has become a critical part of the business analyst’s role. Today, it’s more important than ever for BAs to have multiple specialisms so we can explore new domains and address the diverse needs of our stakeholders.

In my own work, I operate across cloud transformation, data enablement, and cybersecurity—bridging these areas to deliver better, longer-lasting outcomes. It’s encouraging to see leaders in the cybersecurity community now recognizing the value of business analysts who bring both cybersecurity awareness and the BA mindset. After all, cybersecurity must be embedded from the very beginning of any project. One of my co-chairs has told me that her organisation is saving up to 80% of the cost of resolving security issues later simply by addressing them earlier in the development process.

The IIBA CyberSIG provides a space for cyber-curious BAs to connect, ask questions, and collaborate on solving real-world challenges. Whilst we are still in the early stages, we are starting important conversations about the unique value BAs bring to cybersecurity and how we can help nurture the next generation of talent in this space.

What would you say to anyone thinking of apply to BAOTY?

Absolutely go for it! Don’t just do it for yourself, do it for the community, for something you believe in. Those who do well in the competition are not necessarily very senior, or doing high profile or spectacular work, they are those who offer the best of themselves, carrying out meaningful work to change things in the industry for the better. They support others without expecting anything in return, helping good people to do good things and sharing best practices to better fulfil the needs of the BA community. If you enter, ask yourself what you want your legacy to be, what you want to work on.

What is next for you?

I’m off to Australia next month to talk at the Australian Information Security Association’s National CyberCon and the Festival of Business Analysis. I’m continuing to build up CyberSIG, and developing training tailored to allow cybersecurity experts and BAs to collaborate. 

I am also carrying out research for the UK’s Cybersecurity Body of Knowledge (www.cybok.org) to explore how an understanding of cybersecurity can help business analysts and other change professionals to achieve better outcomes for their organisations. 

Is there anything else you would like to add?

I’d like to emphasise the importance of continuing professional development. It’s about more than collecting certificates—it’s about mastering a shared set of practices so that, as you progress through your career, you understand the baseline and can build on it through innovation and growth.

As a member of several professional associations, I’ve gained valuable insights into the broader ecosystem in which I work. I encourage everyone to embrace continuous learning and improvement. It’s not about the destination, but the journey—and about finding the best path forward from the many options available.

I’d love to hear from anyone who is curious about cybersecurity and business analysis, whether you have a success story to share, a problem to solve or if you would just like to know more. The best way to find me is to engage with me on LinkedIn. 

You may be interested in reading Embracing a Security Mindset: The Next Frontier of Business Analysis | Assist Knowledge Development where Mark Cross urges BAs to better understand cyber threats and cybersecurity.