Who are these security folks and how do they operate? Simply stated, the role of information security is to balance risk and value toward enablement of the business. Security practitioners understand and communicate risks and provide solutions within the context of business value creation. Solutions are chosen that reduce risk, and may include any number of security initiatives, such as creating isolated networks to protect critical data, installing intrusion prevention devices, logging and monitoring security events, or achieving compliance with security standards.
Information security groups also exist to provide education and awareness regarding company security policies and procedures, while performing real-time threat monitoring and remediation.
Here are four critical areas to focus on and remember when assigned your next Information Security Project:
1. Secure Executive sponsorship and formal backing
Executive leadership must be on board with the project's scope, objectives and strategic fit. Involvement and backing from the CSO or senior security leadership, as well as publicized alignment with strategic company initiatives, demonstrates to users at large that the project or security initiative is not simply another “nice to have”.
This is also particularly important because your project may require folks to participate in security training or to complete a security-specific task. In many cases, having on-going senior leadership support and backing will be your saving grace. Executive leadership on information security projects is particularly important because the company’s competitive advantage is based largely on ensuring that critical data is both protected and accessible. Once leadership acknowledges and embraces this, these projects are no longer viewed as straight costs, but as investments in creating and enabling trusted, manageable and scalable information protection and access. While you have the Sponsor’s attention, ask for insight into the overall IT security plan (or strategy). This will provide additional clarification and focus as to the role your project plays in the grand scheme. Also, take this opportunity to learn what you can regarding the key resources assigned to your project.
2. Know your Security solution(s)
Researching the security solution to be implemented will not only provide the context necessary for a deeper understanding of the matters at hand, but will demonstrate to your team and stakeholders that you’re invested and success-minded. This diligence should also extend to any contractual agreements and internal working agreements. Without this knowledge, you may face trust issues with the client, as well as increased lag in overall resolution, as they will expect the PM to be able to handle most issues and questions. Deeper functional understanding may also provide insights into associated operational security projects. To be effective, IT security must be operationalized, and the very best way to get there is through integrated and well-managed projects.
3. Establish a common Risk Management approach
The generally accepted information security approach to risk varies slightly from the standard PM approach. While specific risk events, their probability and their associated impact ring true to project managers, security practitioners tend to think in terms of threats and the likelihood that they will exploit particular vulnerabilities. With this method, business assets are typically assigned a value, so that the effect of a threat exploiting a vulnerability can be quantified. Given the slightly different approach to risk management, it will be beneficial to meet as close to project inception as possible to develop a common approach to identifying, documenting and managing overall risk. This will establish a solid foundation for the often uncomfortable risk discussions and pave the road for the necessary assignments and follow-ons.
4. Know your Project Team, Vendors and Sub-contractors
Never underestimate the importance of collaborative planning and communication. The closer the team, the more productive the collaboration and communication can be. Attempt a one-on-one meeting with each team member, vendor or sub-contractor prior to the kick-off meeting to discuss their role and specific areas of expertise, and to air questions and concerns in a non-threatening environment. This will pave the road for knowledge and experience sharing going forward. During the kick-off meeting, encourage open discussion of individual roles and input items to clarify each party’s interests in, and commitment to, the project.
As project managers, we have all managed technical change, but the current pace of technological advancement, coupled with an influx of increasingly sophisticated security threats and attacks and the need to comply with a myriad of privacy laws and security protection standards, all but guarantees heightened interaction with, and benefits from partnering with, your local information security group.
Solid executive backing, knowledge of the solution(s) under consideration, a common and agreed-upon risk approach, and knowledge of team and vendor relationships will greatly increase the chances of your next information security project being a smashing success.
Sean P. Lowe, PMP, CRISC, is an information technology project manager and freelance writer with 15 years of experience in managing systems integration, process development and enhancement, and Information Security Compliance Assessment projects.