There are many factors that make an effective project manager. From my experience, project managers face the biggest challenges managing and communicating project inter-dependencies, open actions, risks and issues.
To help myself and others, I’ve developed a simple spreadsheet, which includes templates for the above items.
For example, open actions can be tracked in the table below, making it easier to keep all the stakeholders aligned on what needs to be done and by when.
| Date Raised | Raised By | Original Action | Progress Update / Revised Actions | Category | Owner | Priority | Target Completion Date | Status |
Additionally, dependencies can be captured in the table below. This format emphasises the potential conflict between the parties and enables a constructive dialogue to clarify inter-dependencies and agree on the critical path.
| Deliverable Title | Provider | Delivery Date | Receiver | Required Date | HandShake? | RAG | Comments / Actions |
Feel free to download the PM Toolkit template (in the Excel format) along with tabs for risk and issue management and adjust it to your needs.
Web applications are a common attack vector and many companies are keen to address this threat. Due to their nature, web applications are located in the extranet and can be exploited by malicious attackers from outside of your corporate network. I managed a project which reduced the risk of the company’s systems being compromised through application-level flaws. It improved the security of internet-facing applications by:
- Fixing over 30,000 application-level flaws (e.g. cross-site scripting, SQL injection, etc.) across 100+ applications.
- Introducing a new testing approach to build secure coding practices into the software development life cycle and to use static and dynamic scanning tools.
- Embedding continuous application testing capabilities.
- Helping raise awareness of application security issues within internal development teams and third parties.
- Prompting the decommissioning of legacy applications.
Good poker players are known to perform well under pressure. They play their cards based on rigorous probability analysis and impact assessment. Sounds very much like the sort of skills a security professional might benefit from when managing information security risks.
What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents’ cards and predicting their next moves. Security professionals are also required to be at the forefront of emerging threats and discovered vulnerabilities to see what the attackers’ next move might be.
At the beginning of a traditional Texas hold’em poker match, players are only dealt two cards (a hand). Based on this limited information, they have to try to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game – in this case they have to pay a fee which contributes to the overall pot – or give up (fold). Security professionals also usually make decisions under a high degree of uncertainty. There are many ways they can treat risk: they can mitigate it by implementing necessary controls, avoid, transfer or accept it. Costs of such decisions vary as well.
Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk rather than pay for an expensive control. When the odds are right a security professional can start a project to implement a security change to increase the security posture of a company.
When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term flop is used for the three additional cards that the dealer places on the table. These cards can be used to create a winning combination with each player’s hand. When the cards are revealed, the player has the opportunity to re-assess the situation and make a decision. In exactly the same way, changing market conditions or business requirements provide a moment to re-evaluate the business case for implementing a security countermeasure.
There is nothing wrong with terminating a security project. If a poker player had a strong hand in the beginning, but the flop shows that there is no point in continuing, it means that conditions have changed. Maybe engaging key stakeholders revealed that a certain risk is not that critical and the implementation costs might be too high. Feel free to pass. It is much better to cancel a security project rather than end up with a solution that is ineffective and costly.
However, if poker players are sure that they are right, they have to be ready to defend their hand. In terms of security, it might mean convincing the board of the importance of the countermeasure based on the rigorous cost-benefit analysis. Security professionals can still lose the game and the company might get breached, but at least they did everything in their power to proactively mitigate that.
It doesn’t matter if poker players win or lose a particular hand as long as they make sound decisions that bring desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every security risk and implement all the possible countermeasures. To stay in the game, it is important to develop and follow a security strategy that will help to protect against ever-evolving threats in a cost-effective way.
Leron Zinatullin is the author of The Psychology of Information Security.
We discussed improving team productivity previously. I received a few comments regarding this topic, which I decided to address here. I would like to cover the question of developing your team members through coaching.
I remember attending a workshop once, where the participants were divided into two teams and were presented with a rather peculiar exercise. The facilitator announced that the goal of this competition was to use newspaper and tape to construct a giraffe. The teams would be judged on the height of the animal: the team that manages to build the tallest one wins.
There are many variations of this exercise, but they all boil down to the same principle. The real aim is to understand how people work together. How they plan, assign roles and responsibilities, execute the task, etc.
In the end, everyone had a chance to discuss the experience. Participants were also presented with feedback on their performance. But can people’s performance be improved? And if yes, what could have been done in order to achieve positive and lasting change?
The answer to these questions can be found in coaching.
Coaching is all about engaging people in an authentic way. There might be different opinions on the same problem, which doesn’t necessarily mean that there is only one universal truth. How much do you appreciate and respect what other people think?
Coaching, however, is not about knowing all the answers, but about listening, empathising and understanding others. Here are some example questions you can use:
- What is happening in your life and career?
- What’s going well?
- Where do you want to be?
- What do you need to do to get there?
- What is the first step you would take today?
The last thought I would like to mention here is about giving people time to reflect. Some silent and alone time can yield unexpected results. Our brain is bombarded with enormous amounts of information on a daily basis. Finding time to quiet your mind and slow down can help you to listen to your inner voice of intuition. This can help you come up with innovative solutions to seemingly unsolvable problems.
What is the difference between the two photos below?
Yes, you are right – without the mist we can see the building more clearly. Something similar is happening with our projects: early in the initiation stage, there is a lot of uncertainty. It is really hard to estimate time and cost requirements, especially when the scope of work is not clearly defined.
However, it is still important to come up with an estimate, even if it is very high-level. Ideally, we have to define a way to manage the scope, schedule, requirements, financials, quality, resources, change, risks, stakeholders, communications, etc. Later in the project we can progressively elaborate on the plan to make it more accurate.
As far as an initial estimate for timelines goes, even creating a list of activities and understanding dependencies can dramatically reduce the fog.
Try engaging your team members: ask them how long they think certain work packages might take to complete. Organise a workshop to discuss and capture the dependencies and risks. Make sure you have buy-in from your team and everyone is aware of the critical path.
Yes, things can and will change, but having a plan helps you to become more aware of the potential impact of this change on budget, scope or quality. Ultimately, a good plan can help project managers put things into perspective and monitor and control projects more effectively.
Major changes frequently introduced by security projects might be seen as necessary evils without delivering value to the business. To change this perspective, a project manager should proactively manage benefits and make sure they are achievable and verifiable.
The key objective of benefits management is to ensure that benefits are identified, defined, and linked to the company’s business strategy.
Realistic planning of benefits is the first step to achieve project success. It is, however, an ongoing activity and requires many iterations. In order to drive the realisation of benefits, the following template can be used to capture potential benefits and measure their impact on the organisation:
| Benefit | Expected benefit outcome | Benefit Type | Where will the benefit occur? | Who will be affected? |
All companies have assets. They help them generate profit and hence require protection. Information security professionals help companies to assess and manage risk to these assets and make sure that cost-effective and appropriate response strategies are chosen to address these risks.
Enterprises in turn may decide to implement mitigation strategies in the form of technical, procedural, physical or legal controls. These implementations would have a defined start and end date and would require resources and hence a project rather than an operational activity.
However, such implementations have their own project risks. According to the Guide to the Project Management Body of Knowledge, risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.
The project risk management process is similar to information security risk management and consists of four stages:
1. Identification – Log risk, agree and assign an owner
2. Analysis – An owner assesses risk and sets probability and impact
3. Monitoring and Control – An ongoing process of tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness throughout the programme.
4. Response planning – What response will be taken to manage the risk
It is good practice to involve your team and all relevant stakeholders during the project planning stage to identify the risks and populate the risk log:
- ID – assign a number (e.g. 1, 2, 3)
- Risk – a specific definition of the risk event.
- Consequence – what effect each entry has on the business/change programme/projects
- Trigger – an event which signals the risk occurrence
- Date Raised – when the risk was initially raised
- Date Updated – when the risk was updated
- Owner – a person responsible for monitoring the risk event, notifying the team, and executing the risk response
- Due Date – when the actions will be completed
- Probability (on a scale 1-5) – likelihood of the risk occurring
- Impact (on a scale 1-5) – impact if the risk does occur
- Risk Score – Probability × Impact
- Response Strategy – the specific agreed actions which will take place to manage the risk (Avoid, Transfer, Mitigate, Accept)
- Current Status – indicate risk status (Red, Amber, Green, Closed)
During the execution of the project, the risk log should be continuously revised and kept up to date to ensure that project issues, risks and mitigating actions are fully and formally assessed and managed throughout the project lifecycle.