The cyber threat is real and growing. Against this backdrop, information security is coming to the fore as a key project deliverable. Any large change risks the introduction of new security vulnerabilities into an organisation that may not have been present before. Project Managers must address the security aspects of their projects to ensure that the next major breach isn’t introduced by them!
These four simple yet crucial tips will help you, as a Project Manager, focus on information security within your projects and give you the very best chance of success.
Tip 1: Identify, record and address the information security requirements in project initiation
To ensure success, Project Managers must make every effort to identify and define the information security requirements at the very start of the project, and then ensure the necessary processes are in place for their delivery.
From personal experience, if you don’t address the security requirements early enough in the project cycle, this can have a big impact on milestones and project scope when they do eventually surface – as they inevitably will.
Make sure that information security is considered as an ongoing concern throughout the project life cycle and managed as such.
As a Project Manager, I am ever mindful of the need to achieve the business goals whilst maximising the benefits to the organisation, but not considering the security implications could prove catastrophic to the project.
Tip 2: Security should be achievable, measurable and managed
Security within a project needs achievable, measurable objectives that are integrated into the project plan and implemented with effective controls and metrics.
You can demonstrate compliance by rigorous testing and validation activities. You’ll need to manage the expectations of the security authority, such as the Accreditors, throughout this period. A good way to achieve this level of engagement is to include key project milestones within the plan that need sign-off by the security authority. In doing so, you give the security authority an element of control: they take responsibility for checking that the security requirements are addressed and implemented to their satisfaction. This also serves as a confidence check for the Project Manager that no requirements have been overlooked or omitted.
Tip 3: Create a project security role, and call on the professionals
You can enhance your existing project processes by introducing a security role within the project, and making this person responsible for the security deliverables.
For larger projects, these deliverables could form a work package in their own right, managed by the security lead. A security lead will be an invaluable asset to the Project Manager, being in an ideal position to advise on how security requirements can affect project planning and resources, and on what controls and monitoring need to be implemented to aid in their delivery.
In reality, the job of mitigating low probability/impact threats would normally fall to the Project Manager. Managing medium to high probability/impact threats may well require a subject matter expert.
If a company has the relevant skills and security experience, this can be an internal function shared between projects; otherwise, an external contracted service would be the best option.
Tip 4: Get it tested
Most government and commercial contracts require that the security elements are subjected to assurance testing and formal certification. There are a number of organisations or companies that you can task with this responsibility, the most popular being the Communications Electronics Security Group (CESG).
CESG is the UK Government’s National Technical Authority for Information Assurance (IA), and protects the vital interests of the UK by providing policy and assistance on the security of communications and electronic data, working in partnership with industry and academia.
CESG can provide services such as:
- An IT Health Check (ITHC): http://www.cesg.gov.uk/servicecatalogue/CHECK/Pages/index.aspx
- CESG Assured Service (CAS): http://www.cesg.gov.uk/servicecatalogue/cas/Pages/cas.aspx
- CESG Tailored Service (CTAS) for more bespoke deliverables: http://www.cesg.gov.uk/servicecatalogue/CTAS/Pages/CTAS.aspx
Testing can take an inordinate amount of time to arrange and can be very costly. To avoid the risk of derailing the project, you need to identify and plan the scope and test parameters carefully.
If this area of the project is not paid the amount of attention it deserves, the fallout could come as a nasty shock. The resultant delays and potential complications could serve to undermine all the earlier project deliverables.
Ignore information security at your peril!
With an increasing level of cyber threat, every Project Manager must take information security seriously. The effectiveness of the security requirements could ultimately prove key to the outcome of the project.
Most Project Managers have a good grasp and understanding of the security requirements within their projects but may need assistance with the detailed requirements and planning for their delivery.
Forsaking security can be that one major stumbling block that causes a project to fail. Failure to define the security requirements, manage the processes for their delivery, and consult the experts at the right stage will ultimately prove pivotal. Ignore it at your peril. But if you get it right you are much more likely to meet your time, cost and quality metrics for the initial delivery, and throughout the systems lifecycle.
Whether you are a business, public sector organisation, or a Government supplier, Ascentor can provide that tailored security consultancy to ensure your project security requirements are addressed, managed and delivered with the utmost professionalism.