Protection of services seems to be the way of the future, and as a project manager how do you deliver a Cyber Security related project successfully? The answer no different to any other project, the process is the same, planning doesn’t change and stakeholder management should be paramount. Although Cyber Security is everybody’s business, it is still relatively new when it comes down to delivering these related projects within an enterprise. Convincing those affected of spend, time and the impact takes skill, providing facts helps immensely.
Although there are many intricacies when project managing a cyber security project, we will only look at high level factors to consider when delivering a project of this nature. It is paramount for cyber security strategy to be embedded within the business process, rather than be something that stands alone. Strategies will differ across industries and businesses, and share critical elements. The outcome should be how cyber security protects and enables value to the business by;
- Basing strategy to align with business goals.
- Cyber security issues should be communicated in simple business language.
The project strategy should be driven from the top. A strong cyber security strategy is part of the organizations core message and is set by senior executives. It’s always easier to implement cyber security earlier rather than later. It should be embedded in every project, and every activity, from the beginning. Cyber security is more than just IT, as it affects supply chain, human resources, finance and more.
The project team should include resources who have an understanding of cyber security. As the project manager, there has to be a level of understanding from your part to separate fact from fiction when surrounded by particularly skilled resources. The cyber security project team has an appropriate mix of skill sets, including organizational change management, crisis management, third-party risk management and strategic communications.
Governance shouldn’t change because it is a cyber security project, establish a cyber security steering committee. Having a steering committee that needs to approve all security projects is essential for an effective cyber security governance program. Have the right security stakeholders on board to help with the implementation as part of the organizations culture. Advocates help spread the cyber security vision across the enterprise.
Cyber threats are always changing, establishing controls to provide adequate protection in order to minimize the risks or impact of any threat. Risk management is project management 101, and understanding what they are and how to mitigate them is very important. Threats need to be continuously monitored and make sure security posture is improving every day. It is critical to quickly detect and react to cyber threats. Using multiple threat intelligence sources, assists in anticipating a threats next move.
Although the project is allocated, resources will come and go as required but a core team should be established. Focus the resources on the business critical assets. Base resource allocation on risk assessment finding, placing efforts where the business is most vulnerable.
Unfortunately, organizations cannot be 100% secure, elements of risk remain. As the project manager all should be identified and mitigation put into place as mentioned earlier. A strong incident response capability is essential in case something undesirable happens. Incident response is not just a technology issue, but needs both technical and management involvement. An incident response plan should be developed and tested regularly.
In most organizations there needs to be a cultural transformation, as people are the core of a business, so cyber security is everyone’s responsibility. Cyber security should be made relevant to each business area and factored into all business decisions. When each component in the information security management system, the people, processes and technology, come together and works in harmony, there will be pay-off from the cyber security investment.
Let us know your experience with Cyber security projects, the tools you use, your approach, we would like to hear from you. All the very best on your project management journey.
Being vigilant on how security is managed within an organisation, in particular when managing projects must be crucially and heavily evaluated. At a time where there is an increased expectation for transparency and privacy. Security breaches will be strictly punished, security should be at the forefront of thoughts and not just for what the projects are meant to deliver but also how they are run.
Customers often expect to be able to interact with organizations digitally and this creates additional concerns and risks. Whilst we should of course keep the clear and present cyber-security risks front of mind, we shouldn’t ignore the broader information security risks which might have nothing to do with the particular technology or process that is being worked on. In fact, it’s an opportunity to ask some crucial questions about existing processes that may have emerged years ago that are no longer fit for purpose today.
There have been projects conducted to develop online portals for customers, these type of projects are becoming more and more common. When conducting projects of this nature, interaction with security experts, architects, and having very robust non-functional requirements with testing is a must. However, this can also create a “Rod for your back” when the focus is on security, the online processes becomes so secure that even authorized users can’t access the portal. Having a password that expires after one month for example is probably pretty irritating if an ‘average’ customer accesses their account once or twice per year.
This creates an issue and dilemma for the team, especially when the scope or remit from the stakeholders representing customers want to focus on ease of use. Then there are another group of stakeholders who have an interest in ensuring compliance and managing risk who wanted to focus on impenetrable security. The challenge, it turns out, is to find a sensible balance between the two.
When examining a situation of this nature, two questions become pertinent.
- “How else can customers engage with us?”
- “What security protocols are there via those channels?”
Focus on these questions can find out if a customer the information provided by a customer is actually accurate. Especially when basing identification on pieces of information that were held on file—typically things like full name, address, postal code, date of birth and so on. All this information sounds quite acceptable and sensible. However thinking broadly, who knows this information about you? Possibly neighbours, distant relatives and a proportion of colleagues. Let’s not mention if the post is used, meaning how is a signature validated?
It should be understood that Cyber Security is important but don’t forget about the broader information security. Situations arise where new processes are subject to checks and balances that may not exist on other channels. This in turn creates a useful opportunity to ask: “are we being too risk averse here? If not, do the same risks exist for other channels? And if so, shouldn’t we strengthen them too?”
In many cases, it’ll be completely sensible to continue with a focus on cybersecurity, especially when introducing new processes, while also tightening up older processes that might not have been examined for many years. This assists with promotion of a more holistic view on risk, and helps reduce the risk of fraud or information leakage. Whilst large-scale IT system breaches might mean that a huge quantity of data is compromised, and this should be avoided at all times. It also shouldn’t be underestimated the reputational damage of one or two personal records being misappropriated for fraudulent reasons.
As with so much of what is performed as project managers, business analysts, ensuring a systemic and holistic approach, working with our customer and stakeholders to zoom out and see a clearer picture of balancing cyber-security, information security and what is trying to be achieved by the project, is a very careful balancing act. Let us know your thoughts on cyber-security, Information Security when running your projects, we would like to read your comments.