Save time with unbiased, independent feedback on vendor solutions.
Watch weekly bite-sized webinars hosted by IANS Faculty.
Tracking projects and initiatives within information security is especially difficult. Tools that are useful for more traditional project management may not be as useful in InfoSec, where the landscape is constantly shifting. Emergency patching or incident
response (IR), for example, can shift resources away from a given project. Stakeholders outside the information security team require visibility to see and understand the impact of these interruptions, as well as to visualize the expected completion
times of their upcoming projects.
This piece highlights features to look for in an information security-focused project tracking/management tool and explain why they are important.
Many tools help define projects, but information security requires tools that adapt to rapid changes in schedule. Security initiatives are often preempted by events such as a new zero-day becoming public or responding to an incident, and the tools used
by security must quickly adapt as circumstances change.
Many project tracking tools that seem security-focused are very tailored for governance, risk management and compliance (GRC). These tools should only be adopted if the primary problem is managing GRC operations.
Trying to adapt GRC-focused tools to be maximally useful for security project management is a lot like trying to fit a square peg into a round hole. Using a GRC tool is only recommended when the tool is already deployed and InfoSec lacks the budget for
Tools in this space, although most are generally thought of as IT ticketing systems, include: Jira; ManageEngine; ServiceNow and SharePoint.
To be maximally flexible to security’s needs, any tool used for InfoSec project management should support the following:
Take a closer look at a select number of key features to consider:
While many tools in this space are software-as-a-service (SaaS) only, Jira also offers options for on-prem deployment. This may be important for some security-focused organizations that cannot store data in the cloud for contractual or regulatory reasons.
In addition, it is common for SaaS deployments to be priced by the number of users, moving to on-prem ensures pricing remains predictable and consistent, regardless of the number of users needing access.
The ability to have multiple queues, each with different permissions, will help ensure the tool is maximally useful. For example, consider use cases where only those in sales can view a certain project, but anyone can view an operations project or vice
If your project management tool lets the organization customize the schema with the fields appropriate to a given project it helps ensure maximum use of the tool.
Depending on your organization’s threat model, your security team may want everything protected with MFA. As a result, consider a tool that ties into your chosen MFA vendor. This increases confidence on the logging and tracking data, since a simple
credential compromise does not allow access to the project tracking system.
Consider integrations with tools used for internal communications about projects such as Slack. This can help remove the need to log into a separate project management system, while maintaining existing process workflows that support productivity levels.
Projects often require management of knowledge that is not appropriate for the project management system itself. However, the knowledge management system may need some view into the document management system (and vice versa). Consider an integration
between with your project management system and knowledge management system.
While it is common for tool to allow for support notifications via email, ingesting data via email is important for some workflows as well. This means any properly formatted email can fill in specific fields in project tickets.
Dashboards are important for quick and easy status reporting, particularly for those who do not need details of project (such as an executive). The benefit of using an integrated dashboard is that details are immediately available for any item featured.
Dealing with InfoSec project management can be especially difficult. Tools that adapt easily to generic project management do not always lend themselves to the rapid changes required of InfoSec projects. Integrations and customizations matter everywhere,
but in InfoSec people are unlikely to use a tool if it breaks their workflow. This means integrations into existing team workflows is critical.
To get a better handle on project management, security teams should consider tools with the following features, including:
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
February 29, 2024
By IANS Research
Access key data sets from the 2023 -2024 IANS and Artico Search’s Cybersecurity Staff Compensation Benchmark Report. Gain valuable insights on cybersecurity staff roles to hire and retain top security talent.
Access key data from IANS and Artico Search’s Compensation, Budget and Satisfaction for CISOs in Financial Services, 2023-2024 report. Find valuable insights around the Financial Services CISO role to help better understand your situation, improve job satisfaction and drive organizational change.
February 21, 2024
Learn why cloud IR is critical to security and not just another box to check. Find guidance to get started building a strong cloud IR program.