Implementing complex security technology is difficult enough without adding multiple IT teams and business stakeholders to the mix. Security teams often want improved workflows and better project prioritization, while remaining aware that the processes and procedures they introduce must not be seen as negatively impacting other areas of the business. This piece outlines InfoSec project management best practices.
Problems with projects coming in on time, on budget and within specification are common in every business function. Technology projects, whether in IT or information security, are no different, but they come with their own set of complications. While the technology being implemented does play a role in the outcome of a project, the main determinants of success are process and leadership.
Staff often try to drive enterprise projects that change the way people work and disrupt established workflows. Such efforts are rarely successful when driven from the bottom up by technology experts alone. Instead, security staff and project planners should engage and communicate early with all affected parties, so they gain cooperation from the majority and can then use the governance structure to bring along the few who remain non-compliant.
A common mistake in technology projects is assigning the same line staff both the critical technology work and the critical project management work. Project management is a separate skill set and needs its own resourcing. To be successful, a governance structure should be put in place with leadership from every affected area and from institutional leadership. By using some basic processes, assigning clear accountability for success, and being assertive about the visibility and transparency of work status and barriers, the team can greatly improve its chances of a good outcome.
Technology projects are full of risks and challenges. The outcomes worth aiming for are either a successful project or one whose shortfalls are visible, transparent, understood and approved by the project sponsors and the institution. That kind of environment requires engaged governance and oversight, including an institutional security committee that helps define priorities and draws its leadership from across the business areas. We recommend this group hold regular meetings, be involved in project prioritization and receive regular work status reports.
Consider providing the security committee with access to the audit committee for regular updates, as well as regular reporting to the board of directors. Figure 1 provides an example of a typical governance structure, including the role of the audit committee.
Project management processes are also critical for success. The outcomes of these processes are to:
Many tools are available from multiple sources to help in the documentation of a project, but an important thing to remember is that the documentation is an outcome of doing the work and not an end. High-priority processes that should be put in place
Consider flow-charting the affected workflows during the design and planning phase so the changes that need to be made can be clearly articulated early. This includes both new activities for staff and activities that are no longer needed.
A third task is to manage and communicate the risks and status of a project. This means identifying anticipated risks up front and keeping a risk log that is reviewed regularly.
Initial risks can be collected using a fishbone diagram (see Figure 3).
Then, ongoing risks can be added to a risk log.
Risks, barriers and project status should also be entered into a dashboard and presented to leadership together with plans to overcome them and details of any assistance needed. If a barrier cannot be overcome and leadership is unwilling to assist, that decision needs to be documented and the affected scope, timeline or budget updated accordingly.
The fourth critical step is to develop a project plan that lists the tasks, timelines and resources, and identifies dependencies. In IT, it is very easy to overdo a project plan, making it difficult to maintain and understand. The plan can be built with a range of tools, from enterprise project management (EPM) software to a low-tech whiteboard. The only rule is that the tool and the level of detail must match both the organization's maturity and the complexity of the work.
No matter the tool or format, it is important to be able to track the accountable resources and the impact of barriers or delays. It is also beneficial to break a larger multi-year plan into "edible" six-month chunks of detail so that individual tasks are better understood.
To sum up, successful implementation of security technology across departments requires:
Throughout the planning and communication, it is also important to be able to articulate the outcome as meeting a business need. For example, avoid naming your project "Implement NAC" (network access control); consider a name such as "Decrease the Risk of a Sensitive Data Breach" instead. This lets you communicate the impact of delays and unmet requirements to teams outside security and to leadership, and as you provide status reports to the project sponsors and leadership, it lets you frame the discussion and potential impacts in terms they understand.
October 19, 2021
By IANS Faculty