The complexity of communication

As someone who worked for both large multinationals and small tech startups, I’m often asked whether the scale of the organisation matters when building security culture.

I think it does. Managing stakeholders and communication gets increasingly complex in larger organisations. In fact, the number of communication paths tends to increase dramatically with every new stakeholder introduced to the network.

I’ve had the privilege to advise a number of smaller companies in the beginning of their journey and I must admit it’s much more effective to embed secure behaviours from the start. We talk about security by design in the context of technical controls – it’s no different with security culture.

While working as a consultant, I helped large corporations with that challenge too. The key is to start small and focus on the behaviours you want to influence, keeping stakeholder engagement in mind. Active listening, empathy and rapport building are essential – just rolling out an eLearning module is unlikely to be effective.

Project Manager’s Toolkit


There are many factors that make an effective project manager. From my experience, project managers face the biggest challenges managing and communicating project inter-dependencies, open actions, risks and issues.

To help myself and others, I’ve developed a simple spreadsheet, which includes templates for the above items.

For example, open actions can be tracked in the table below, making it easier to keep all the stakeholders aligned on what needs to be done and by when.

Date Raised | Raised By | Original Action | Progress Update / Revised Actions | Category | Owner | Priority | Target Completion Date | Status

Additionally, dependencies can be captured in the table below. This format emphasises the potential conflict between the parties and enables a constructive dialogue to clarify inter-dependencies and agree on the critical path.

Deliverable Title | Provider | Delivery Date | Receiver | Required Date | HandShake? | RAG | Comments / Actions

Feel free to download the PM Toolkit template (in the Excel format) along with tabs for risk and issue management and adjust it to your needs.

Image courtesy phasinphoto / FreeDigitalPhotos.net

Application Security Project


Web applications are a common attack vector and many companies are keen to address this threat. Due to their nature, web applications are located in the extranet and can be exploited by malicious attackers from outside of your corporate network. I managed a project which reduced the risk of the company’s systems being compromised through application level flaws. It improved the security of internet-facing applications by:

  • Fixing over 30,000 application level flaws (e.g. cross-site scripting, SQL injection, etc.) across 100+ applications.
  • Introducing a new testing approach to build secure coding practices into the software development life cycle and to use static and dynamic scanning tools.
  • Embedding continuous application testing capabilities.
  • Helping raise awareness of application security issues within internal development teams and third parties.
  • Prompting the decommissioning of legacy applications.

Image courtesy Danilo Rizzuti / FreeDigitalPhotos.net

Poker and Security

Good poker players are known to perform well under pressure. They play their cards based on rigorous probability analysis and impact assessment. Sounds very much like the sort of skills a security professional might benefit from when managing information security risks.

What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents’ cards and predicting their next moves. Security professionals are also required to be at the forefront of emerging threats and discovered vulnerabilities to see what the attackers’ next move might be.

At the beginning of a traditional Texas hold’em poker match, players are only dealt two cards (a hand). Based on this limited information, they have to try to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game – in this case they have to pay a fee which contributes to the overall pot – or give up (fold). Security professionals also usually make decisions under a high degree of uncertainty. There are many ways they can treat risk: they can mitigate it by implementing necessary controls, avoid, transfer or accept it. Costs of such decisions vary as well.


Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk rather than pay for an expensive control. When the odds are right a security professional can start a project to implement a security change to increase the security posture of a company.

When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term flop is used for the three additional cards that the dealer places on the table. These cards can be used to create a winning combination with each player’s hand. When the cards are revealed, the player has the opportunity to re-assess the situation and make a decision. This is exactly the way in which changing market conditions or business requirements provide a moment to re-evaluate the business case for implementing a security countermeasure.


There is nothing wrong with terminating a security project. If a poker player had a strong hand in the beginning, but the flop shows that there is no point in continuing, it means that conditions have changed. Maybe engaging key stakeholders revealed that a certain risk is not that critical and the implementation costs might be too high. Feel free to pass. It is much better to cancel a security project rather than end up with a solution that is ineffective and costly.

However, if poker players are sure that they are right, they have to be ready to defend their hand. In terms of security, it might mean convincing the board of the importance of the countermeasure based on the rigorous cost-benefit analysis. Security professionals can still lose the game and the company might get breached, but at least they did everything in their power to proactively mitigate that.

It doesn’t matter if poker players win or lose a particular hand as long as they make sound decisions that bring desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every security risk and implement all the possible countermeasures. To stay in the game, it is important to develop and follow a security strategy that will help to protect against ever-evolving threats in a cost-effective way.

Images courtesy of Mister GC / FreeDigitalPhotos.net

Developing your team through coaching

We discussed improving team productivity previously. I received a few comments regarding this topic, which I decided to address here. I would like to cover the question of developing your team members through coaching.

I remember attending a workshop once, where the participants were divided into two teams and were presented with a rather peculiar exercise. The facilitator announced that the goal of this competition was to use newspaper and tape to construct a giraffe. The teams would be judged on the height of the animal: the team that managed to build the tallest one would win.

(Photo: teamwork and security – the exercise as a distraction)

There are many variations of this exercise, but they all boil down to the same principle. The real aim is to understand how people work together. How they plan, assign roles and responsibilities, execute the task, etc.

In the end, everyone had a chance to discuss the experience. Participants were also presented with feedback on their performance. But can people’s performance be improved? And if yes, what could have been done in order to achieve positive and lasting change?

The answer to these questions can be found in coaching.

Coaching is all about engaging people in an authentic way. There might be different opinions on the same problem, which doesn’t necessarily mean that there is only one universal truth. How much do you appreciate and respect what other people think?

Coaching, however, is not about knowing all the answers, but about listening, empathising and understanding others. Here are some example questions you can use:

  • What is happening in your life and career?
  • What’s going well?
  • Where do you want to be?
  • What do you need to do to get there?
  • What is the first step you would take today?


The last thought I would like to mention here is about giving people time to reflect. Some silent and alone time can yield unexpected results. Our brain is bombarded with enormous amounts of information on a daily basis. Finding time to quiet your mind and slow down can help you to listen to your inner voice of intuition. This can help you come up with innovative solutions to seemingly unsolvable problems.

Project Planning

What is the difference between two photos below?

(Two photos: fog and planning)

Yes, you are right – without the mist we can see the building more clearly. Something similar is happening with our projects: early in the initiation stage, there is a lot of uncertainty. It is really hard to estimate time and cost requirements, especially when the scope of work is not clearly defined.

However, it is still important to come up with an estimate, even if it is very high-level. Ideally, we have to define a way to manage the scope, schedule, requirements, financials, quality, resources, change, risks, stakeholders, communications, etc. Later in the project we can progressively elaborate on the plan to make it more accurate.

As far as an initial estimate for a timeline goes, even creating a list of activities and understanding dependencies can dramatically reduce the fog.


Try engaging your team members: ask them how long they think certain work packages might take to complete. Organise a workshop to discuss and capture the dependencies and risks. Make sure you have buy-in from your team and everyone is aware of the critical path.

Yes, things can and will change, but having a plan helps you to become more aware of the potential impact of this change on budget, scope or quality. Ultimately, a good plan can help project managers put things into perspective and monitor and control projects more effectively.

How to plan and deliver benefits on an information security project


Major changes frequently introduced by security projects might be seen as necessary evils without delivering value to the business. To change this perspective, a project manager should proactively manage benefits and make sure they are achievable and verifiable.

The key objectives of benefits management are to ensure that benefits are identified, defined, and linked to the company’s business strategy.

Realistic planning of benefits is the first step to achieving project success. It is, however, an ongoing activity and requires many iterations. In order to drive the realisation of benefits, the following template can be used to capture potential benefits and measure their impact on the organisation.

Benefit | Expected benefit outcome | Benefit Type | Where will the benefit occur? | Who will be affected?

Image courtesy of ddpavumba / FreeDigitalPhotos.net

Managing Risk on Security-related Projects

All companies have assets. They help them generate profit and hence require protection. Information security professionals help companies to assess and manage risk to these assets and make sure that cost-effective and appropriate response strategies are chosen to address these risks.

Enterprises in turn may decide to implement mitigation strategies in the form of technical, procedural, physical or legal controls. These implementations have a defined start and end date and require resources, and hence constitute a project rather than an operational activity.

However, such implementations have their own project risks. According to the Guide to the Project Management Body of Knowledge, a risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.

The project risk management process is similar to the information security risk management and consists of four stages:

1. Identification – Log the risk, agree and assign an owner

2. Analysis – The owner assesses the risk and sets probability and impact

3. Monitoring and Control – An ongoing process of tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness throughout the programme

4. Response planning – What response will be taken to manage the risk

It is good practice to involve your team and all relevant stakeholders during the project planning stage to identify the risks and populate the risk log.


  • ID – assign a number (e.g. 1, 2, 3)
  • Risk – a specific definition of the risk event
  • Consequence – what effect each entry has on the business / change programme / projects
  • Trigger – an event which signals the risk occurrence
  • Date Raised – when the risk was initially raised
  • Date Updated – when the risk was last updated
  • Owner – the person responsible for monitoring the risk event, notifying the team, and executing the risk response
  • Due Date – when the actions will be completed
  • Probability (on a scale of 1-5) – likelihood of the risk occurring
  • Impact (on a scale of 1-5) – impact if the risk does occur
  • Risk Score – Probability x Impact
  • Response Strategy – the specific agreed actions which will take place to manage the risk (Avoid, Transfer, Mitigate, Accept)
  • Current Status – the risk status (Red, Amber, Green, Closed)

During the execution of the project, the risk log should be continuously revised and kept up to date to ensure that project issues, risks and mitigating actions are fully and formally assessed and managed throughout the project lifecycle.
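The column list above and the requirement to keep the log up to date lend themselves to a small, validating risk register. The Python below is an added example, not the article's spreadsheet; it enforces the 1-5 scales and the allowed strategy and status values, computes Risk Score as Probability x Impact, and ranks the open entries for a review meeting. The sample entries and the two helper functions are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Allowed values taken from the column definitions above
RESPONSE_STRATEGIES = {"Avoid", "Transfer", "Mitigate", "Accept"}
STATUSES = {"Red", "Amber", "Green", "Closed"}


@dataclass
class RiskEntry:
    """One row of the risk log; fields mirror the columns listed above."""
    risk_id: int
    risk: str
    consequence: str
    trigger: str
    owner: str
    date_raised: date
    due_date: date
    probability: int          # 1-5 scale
    impact: int               # 1-5 scale
    response_strategy: str    # Avoid / Transfer / Mitigate / Accept
    status: str               # Red / Amber / Green / Closed
    date_updated: Optional[date] = None

    def __post_init__(self):
        # Reject rows that would silently corrupt the scoring
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on a 1-5 scale, got {value}")
        if self.response_strategy not in RESPONSE_STRATEGIES:
            raise ValueError(f"unknown response strategy: {self.response_strategy}")
        if self.status not in STATUSES:
            raise ValueError(f"unknown status: {self.status}")
        if self.date_updated is None:
            self.date_updated = self.date_raised  # never updated since raised

    @property
    def risk_score(self) -> int:
        return self.probability * self.impact  # Risk Score = Probability x Impact


def open_risks_by_score(log: List[RiskEntry]) -> List[RiskEntry]:
    """Open entries (anything not Closed), highest score first, earliest due date breaking ties."""
    return sorted((r for r in log if r.status != "Closed"),
                  key=lambda r: (-r.risk_score, r.due_date))


def overdue(log: List[RiskEntry], today: date) -> List[RiskEntry]:
    """Open entries whose due date has passed: the ones the log review must chase."""
    return [r for r in log if r.status != "Closed" and r.due_date < today]


# Constructed sample entries (hypothetical, not from the article)
SAMPLE_LOG = [
    RiskEntry(1, "Key developer unavailable during remediation sprint", "Fix backlog slips",
              "Leave request approved", "Dev lead", date(2024, 3, 1), date(2024, 3, 15), 3, 4, "Mitigate", "Amber"),
    RiskEntry(2, "Static scanner licence expires before rollout", "Scanning stops",
              "Renewal not signed by month end", "PMO", date(2024, 3, 1), date(2024, 3, 10), 2, 5, "Transfer", "Red"),
    RiskEntry(3, "Legacy application cannot be patched", "Residual flaw accepted",
              "Vendor confirms end of support", "App owner", date(2024, 2, 20), date(2024, 2, 28), 4, 2, "Accept", "Closed"),
]
```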

Download a sample risk log

Managing Stakeholders and Communication on Security-related Projects

Enterprises across the world are becoming more and more aware of security-related issues and their impact on the business, making them increasingly willing to address them. Although they are open to listening to the security professionals’ advice, the language the business speaks is different.

It is important for security specialists to understand the business requirements and communicate the value of security accordingly. Managing stakeholders and communication is therefore becoming one of the essential skills of the modern security professional.

One should understand that the earlier people are involved in a security project, the easier it is to get their buy-in. It is useful to spend some time on planning the communication prior to a project kick-off.

As a first step to such planning, a stakeholder register could be created capturing the contact information, expectations about the project, level of influence, and other characteristics, as in the table below.

(Stakeholder register table)

As soon as the stakeholders are identified, a communication management plan should be created. One can engage the stakeholders to identify the best way of communication, its frequency, responsibility and a reason for sending.

(Communication management plan table)

While managing a project, a security professional spends almost all his / her time communicating in various ways. Proper stakeholder engagement and communication planning can make the security-related projects run much smoother. At the end of the day, security professionals are there to help people to make the business more secure. This task can be achieved more easily when people are cooperating with the security professionals rather than trying to sabotage the project.

Tracking the Progress of an Information Security Related Project

A project is, by definition, a goal-driven activity to be completed by a specific deadline. Although many security professionals dedicate most of their time to daily operational tasks, some of the most valuable contributions they can deliver to a company are in the form of security projects. Such projects may include enterprise-wide security solutions implementations, security reviews or risk assessment.

The success of such an exercise will highly depend on the skills and experience of the individual who manages the project. The reasons for which a security project may fail can be countless, but one of the most common ones is the lack of proper tracking.

Let’s imagine, for a second, that all the necessary planning was done, a charter was signed, and a sponsor fully supports the project. How can the project manager know if everything is going according to the plan?

A simple answer is by tracking the progress. There are several measurable indicators a project manager can keep track of, but a crucial one is the schedule.


Tracking the progress against a schedule helps to identify possible risks and take timely preventive actions, such as assigning more resources to the tasks or undertaking some of the activities in parallel.


Project management was never about tools and software, though they may be very helpful. A sample spreadsheet was developed for project tracking which you can use to track the activities on your project. It was created for infrastructure / application hardening programmes and perfectly fits projects with clearly defined scopes of similar tasks.

Download a sample tracker