Project management is a well-researched function that helps in executing projects regardless of them being in the IT or non-IT domain. There are many processes, maturity models, tools and learnings available, and best practices documented for practitioners. Having an established project management framework ensures that nothing falls through the cracks. It helps track real and tangible efforts, along with the overall output.
Cyber security is a tech-heavy domain, and project/program management is essential to deliver successful projects. However, cyber security requires a few tweaks in regular management practices as it comes with a different set of requirements. Cyber security is a security management program that is complex in nature and entails systematic processes. It deals with all aspects of a company’s operations, from mapping and recruiting skilled security professionals to vendor risk management. It involves protecting and securing computer systems, networks, and data from theft or damage, thereby ensuring business continuity. A project manager usually has to oversee many one-time and recurring cyber security tasks while handling usual responsibilities and priorities.
A good project management framework will ensure that projects are delivered smoothly, without exceeding budgets, and are carried out in the timeframe decided. For any project management program to be successful, it’s important to define roles and responsibilities, a detailed plan of action, and milestones to be achieved.
While most of the standard project management practices hold good in cyber security programs, there are a few cyber security-specific aspects that need to be taken care of with absolute diligence and strict adherence. Here is a ready reckoner for all cyber security managers, presented in addition to the regular project/program management-proven principles:
- Maximum inclusion in-scope: Even though it sounds cliché, but for most of the contracts, the focus usually is to define the ‘out-of-scope’ elements, irrespective of the type of project. In cyber security, though, in-scope is more important as controls have to be applied across 100% of the estate. There can never be partial security. Even if one critical server is excluded, it may lead to a devastating breach.
- Baseline as-is security posture: It is crucial to baseline as-is security posture (current state of security) as a first step, especially in the era of digital transformation. It helps to understand and gauge the current threat exposure of an organisation so that appropriate controls can be designed to minimise cyber threats and risks. The TO-BE security state should be designed in collaboration with all stakeholders, and then initiatives should be prioritised to enhance the security maturity. The right baseline of maturity and knowledge of hotspots is extremely important so as to draw appropriate attention and investments from stakeholders.
- Secure by Design: Secure by Design is a practice that has two facets from a cyber security management perspective. The first is to create a culture of ‘Secure by Design’ across the organisation. A secured software development lifecycle (SDLC) needs to be embraced compulsorily, and it is imperative for executive leadership and CISOs to mandate it in all ongoing IT programs. The second is to identify all existing vulnerabilities, including the ones being patched, and remediate all of them diligently so that nothing is left exposed. This is a continuous program to make sure an organisation is always free from vulnerabilities.
- Cyber hardening: Any existing application migration to digital adds new complexity and risk into the estate. If risks and vulnerabilities are being inherited from legacy apps, they should be cyber security hardened. All production movements need to be cyber security certified.
- Employing competitive skills and maintaining standards: Cyber security skills are fundamental for the success of projects and programs. These skills are in huge demand in the market, and any shortage may cause major delays in ongoing projects. Organisations must have a well-defined process to hone skills or reskill employees in cyber security technologies. In addition, cyber security managers should also ensure standards, hardening guidelines, playbooks and use cases are baselined and put in practice by their teams consistently.
- Well-defined RACI (Responsible, Accountable, Consulted and Informed) matrix: Since cyber security is a shared responsibility across the organisation, it is very important for various teams to know the RACI matrix. It’s crucial for project management programs to incorporate a detailed RACI matrix, for eliminating any ambiguity and for gaining precise results.
- Maintaining Risk Register: This tool is of fundamental use to all cyber security managers. Calling out the risks clearly will not only help in highlighting them at appropriate forums but also help in mitigating them collaboratively. It is an evolving document and should be used and maintained at all times. It is observed that critical risks are recorded in the risk register, and are very often left unattended. There is no value in identifying risks and not remediating them!
- Supply chain risks: As organisations have to inevitably deal with partners and vendors, it is crucial to pay special attention to third party risk management. Although a difficult task, organisations should convince and ensure their vendors and partners are investing into defined and sturdy security programs. If needed, clear policies and guidelines should be published for external stakeholders to adhere to and make integrations secure.
- Cyber metrics: Cyber assurance can be best estimated based on cyber metrics and trends. There are multiple metrics defined in the cyber security domain, and hence identifying the right metrics, creating a process to measure, analyse and actionise the improvements, can be done easily and is known to be the key for any program success.
- Innovation: Innovation is another important aspect that cyber security managers should apply to successfully manage initiatives within prescribed time and budget. There are many platforms that can be leveraged for this along with advanced technologies such as automation, AI and ML, deep learning, data science, product innovations, and Kanban.
- White Hat hacking: The trick is to stay a step ahead of the attacker! It is a good strategy to invest in the ‘Red Teaming’ or ‘Penetration Testing’ exercise to unearth hidden mines. There may not be a direct ROI, but even if one potential attack is averted, the ROI is huge. Cyber security managers should have the knowledge and nuances of this domain to be able to effectively manage projects.
- Security awareness: In spite of all advanced technological controls, “people” are still considered as the weakest link in the cyber chain. Cyber criminals tend to lure people in giving away their credentials. Investing in frequent ‘anti-phishing’ campaigns and awareness training with special focus on people is an absolute must for any organisation. Implementing this strategy in the project management plan is vital.
With cyber attacks increasing exponentially and organisations investing heavily in security controls, it is critical that the cyber security programs are managed strategically and effectively to maximise ROI, minimise potential risks and protect organisations.