Project Manager’s Toolkit


There are many factors that make an effective project manager. From my experience, project managers face the biggest challenges managing and communicating project inter-dependencies, open actions, risks and issues.

To help myself and others, I’ve developed a simple spreadsheet, which includes templates for the above items.

For example, open actions can be tracked in the table below, making it easier to keep all the stakeholders aligned on what needs to be done and by when.

Date Raised | Raised By | Original Action | Progress Update / Revised Actions | Category | Owner | Priority | Target Completion Date | Status

Additionally, dependencies can be captured in the table below. Listing the provider's delivery date next to the receiver's required date exposes any conflict between the two parties, and the HandShake? column records whether both sides have actually agreed on those dates. This format enables a constructive dialogue to clarify inter-dependencies and agree on the critical path.

Deliverable Title | Provider | Delivery Date | Receiver | Required Date | HandShake? | RAG | Comments / Actions

Feel free to download the PM Toolkit template (in the Excel format) along with tabs for risk and issue management and adjust it to your needs.

Image courtesy phasinphoto /

Application Security Project


Web applications are a common attack vector and many companies are keen to address this threat. Because they are internet-facing, web applications can be attacked by anyone outside your corporate network, without the attacker first having to breach the perimeter. I managed a project which reduced the risk of the company's systems being compromised through application-level flaws. It improved the security of internet-facing applications by:

  • Fixing over 30,000 application-level flaws (e.g. cross-site scripting, SQL injection) across 100+ applications.
  • Introducing a new testing approach that builds secure coding practices into the software development life cycle and uses static and dynamic scanning tools.
  • Embedding continuous application testing capabilities.
  • Helping to raise awareness of application security issues within internal development teams and third parties.
  • Prompting the decommissioning of legacy applications.

Image courtesy Danilo Rizzuti /

Poker and Security

Good poker players are known to perform well under pressure. They play their cards based on rigorous probability analysis and impact assessment. Sounds very much like the sort of skills a security professional might benefit from when managing information security risks.

What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents’ cards and predicting their next moves. Security professionals are also required to be on the forefront of emerging threats and discovered vulnerabilities to see what the attackers’ next move might be.

At the beginning of a traditional Texas hold’em poker match, players are only dealt two cards (a hand). Based on this limited information, they have to try to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game – in this case they have to pay a fee which contributes to the overall pot – or give up (fold). Security professionals also usually make decisions under a high degree of uncertainty. There are many ways they can treat risk: they can mitigate it by implementing necessary controls, avoid, transfer or accept it. Costs of such decisions vary as well.


Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk rather than pay for an expensive control. When the odds are right, a security professional can start a project to implement a change that improves the company's security posture.

When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term flop is used for the three additional cards that the dealer places on the table. These cards can be combined with each player's hand to create a winning combination. When the cards are revealed, the player has the opportunity to re-assess the situation and make a decision. In exactly the same way, changing market conditions or business requirements provide an occasion to re-evaluate the business case for implementing a security countermeasure.


There is nothing wrong with terminating a security project. If a poker player had a strong hand in the beginning, but the flop shows that there is no point in continuing, it means that conditions have changed. Maybe engaging key stakeholders revealed that a certain risk is not that critical and the implementation costs would be too high. Feel free to fold. It is much better to cancel a security project than to end up with a solution that is ineffective and costly.

However, if poker players are sure that they are right, they have to be ready to defend their hand. In terms of security, it might mean convincing the board of the importance of the countermeasure based on the rigorous cost-benefit analysis. Security professionals can still lose the game and the company might get breached, but at least they did everything in their power to proactively mitigate that.

It doesn’t matter if poker players win or lose a particular hand as long as they make sound decisions that bring desired long-term results. Even the best poker player can’t win every hand. Similarly, security professionals can’t mitigate every security risk and implement all the possible countermeasures. To stay in the game, it is important to develop and follow a security strategy that will help to protect against ever-evolving threats in a cost-effective way.

Images courtesy of Mister GC /

Developing your team through coaching

We discussed improving team productivity previously. I received a few comments regarding this topic, which I decided to address here. I would like to cover the question of developing your team members through coaching.

I remember attending a workshop once, where the participants were divided into two teams and were presented with a rather peculiar exercise. The facilitator announced that the goal of this competition was to use newspaper and tape to construct a giraffe. The teams would be judged on the height of the animal: the team that builds the tallest one wins.

teamwork and security - exercise as a distraction

There are many variations of this exercise, but they all boil down to the same principle. The real aim is to understand how people work together. How they plan, assign roles and responsibilities, execute the task, etc.

In the end, everyone had a chance to discuss the experience. Participants were also presented with feedback on their performance. But can people’s performance be improved? And if yes, what could have been done in order to achieve positive and lasting change?

The answer to these questions can be found in coaching.

Coaching is all about engaging people in an authentic way. People may hold different opinions on the same problem, and that does not mean one of them must be wrong: there is not necessarily a single universal truth. How much do you appreciate and respect what other people think?

Coaching, however, is not about knowing all the answers, but about listening, empathising and understanding others. Here are some example questions you can use:

  • What is happening in your life and career?
  • What’s going well?
  • Where do you want to be?
  • What do you need to do to get there?
  • What is the first step you would take today?


The last thought I would like to mention here is about giving people time to reflect. Some silent and alone time can yield unexpected results. Our brain is bombarded with enormous amounts of information on a daily basis. Finding time to quiet your mind and slow down can help you to listen to your inner voice of intuition.  This can help you come up with innovative solutions to seemingly unsolvable problems.

Project Planning

What is the difference between the two photos below?

[Images: fog and planning; fog and planning 2]

Yes, you are right – without the mist we can see the building more clearly. Something similar is happening with our projects: early in the initiation stage, there is a lot of uncertainty. It is really hard to estimate time and cost requirements, especially when the scope of work is not clearly defined.

However, it is still important to come up with an estimate, even if it is very high-level. Ideally, we should define a way to manage the scope, schedule, requirements, financials, quality, resources, change, risks, stakeholders, communications, etc. Later in the project we can progressively elaborate on the plan to make it more accurate.

As far as an initial estimate for the timeline goes, even creating a list of activities and understanding their dependencies can dramatically reduce the fog.


Try engaging your team members: ask them how long they think certain work packages might take to complete. Organise a workshop to discuss and capture the dependencies and risks. Make sure you have buy-in from your team and everyone is aware of the critical path.

Yes, things can and will change, but having a plan helps you to become more aware of the potential impact of this change on budget, scope or quality. Ultimately, a good plan can help project managers put things into perspective and monitor and control projects more effectively.

How to plan and deliver benefits on an information security project


The major changes that security projects frequently introduce may be seen as necessary evils that deliver no value to the business. To change this perspective, a project manager should proactively manage benefits and make sure they are achievable and verifiable.

The key objective of benefits management is to ensure that benefits are identified, defined and linked to the company's business strategy.

Realistic planning of benefits is the first step towards project success. It is, however, an ongoing activity and requires many iterations. To drive the realisation of benefits, the following template can be used to capture potential benefits and measure their impact on the organisation.

Benefit | Expected benefit outcome | Benefit Type | Where will the benefit occur? | Who will be affected?

Image courtesy of ddpavumba /

Managing Risk on Security-related Projects

All companies have assets. They help them generate profit and hence require protection. Information security professionals help companies to assess and manage risk to these assets and make sure that cost-effective and appropriate response strategies are chosen to address these risks.

Enterprises in turn may decide to implement mitigation strategies in the form of technical, procedural, physical or legal controls. Such an implementation has a defined start and end date and requires resources, which makes it a project rather than an operational activity.

However, such implementations have their own project risks. According to the Guide to the Project Management Body of Knowledge (PMBOK Guide), a risk is an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives.

The project risk management process is similar to information security risk management and consists of four stages:

1. Identification – log the risk, agree on and assign an owner.

2. Analysis – the owner assesses the risk and sets its probability and impact.

3. Response planning – agree what will be done to manage the risk (avoid, transfer, mitigate or accept it).

4. Monitoring and control – an ongoing process of tracking identified risks, monitoring residual risks, identifying new risks, executing risk response plans and evaluating their effectiveness throughout the programme.

It is good practice to involve your team and all relevant stakeholders during the project planning stage to identify the risks and populate the risk log. A typical log has the following columns:


  • ID – a sequential number (e.g. 1, 2, 3)
  • Risk – a specific definition of the risk event
  • Consequence – the effect the event would have on the business, change programme or project
  • Trigger – an event which signals that the risk is occurring
  • Date Raised – when the risk was initially raised
  • Date Updated – when the entry was last updated
  • Owner – the person responsible for monitoring the risk event, notifying the team and executing the risk response
  • Due Date – when the response actions will be completed
  • Probability (on a scale of 1–5) – likelihood of the risk occurring
  • Impact (on a scale of 1–5) – impact if the risk does occur
  • Risk Score – Probability × Impact
  • Response Strategy – the specific agreed actions which will be taken to manage the risk (Avoid, Transfer, Mitigate, Accept)
  • Current Status – the risk status (Red, Amber, Green, Closed)

During the execution of the project, the risk log should be continuously revised and kept up to date to ensure that project issues, risks and mitigating actions are fully and formally assessed and managed throughout the project lifecycle.
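As an added illustration (not the sample risk log offered for download on this page), the Python below implements the log fields listed above: it validates the 1–5 scales, computes the risk score, derives a RAG status, and supports the monitoring and control stage by re-scoring residual risk, closing entries, and listing open risks that are overdue or whose trigger has been observed. The RAG thresholds (Red at a score of 15 or more, Amber at 8 or more), the sample entries and the names in them are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional

Strategy = Enum("Strategy", ["AVOID", "TRANSFER", "MITIGATE", "ACCEPT"])
Status = Enum("Status", ["RED", "AMBER", "GREEN", "CLOSED"])

RED_THRESHOLD, AMBER_THRESHOLD = 15, 8   # assumed RAG thresholds, not from the page

def check_scale(value, name):
    """Probability and impact are scored on a 1-5 scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value

def status_for(score):
    """Map the risk score (probability x impact) to a RAG status."""
    if score >= RED_THRESHOLD:
        return Status.RED
    return Status.AMBER if score >= AMBER_THRESHOLD else Status.GREEN

@dataclass
class Risk:
    risk_id: int
    risk: str              # specific definition of the risk event
    consequence: str
    trigger: str           # event that signals the risk is occurring
    owner: str
    probability: int
    impact: int
    response: Strategy     # avoid, transfer, mitigate or accept
    date_raised: date
    due_date: date         # when the response actions will be completed
    date_updated: Optional[date] = None
    status: Status = field(init=False)

    def __post_init__(self):
        check_scale(self.probability, "probability")
        check_scale(self.impact, "impact")
        self.date_updated = self.date_updated or self.date_raised
        self.status = status_for(self.score)

    @property
    def score(self):
        return self.probability * self.impact

    def reassess(self, probability, impact, on):
        """Monitoring and control: the owner re-scores the residual risk."""
        if self.status is Status.CLOSED:
            raise ValueError(f"risk {self.risk_id} is closed")
        self.probability = check_scale(probability, "probability")
        self.impact = check_scale(impact, "impact")
        self.date_updated, self.status = on, status_for(self.score)

    def close(self, on):
        self.status, self.date_updated = Status.CLOSED, on

class RiskLog:
    def __init__(self):
        self.risks = {}

    def add(self, risk):
        if risk.risk_id in self.risks:
            raise ValueError(f"duplicate risk ID {risk.risk_id}")
        self.risks[risk.risk_id] = risk

    def open_risks(self):
        """Open risks, highest score first, for the regular review."""
        live = [r for r in self.risks.values() if r.status is not Status.CLOSED]
        return sorted(live, key=lambda r: (-r.score, r.risk_id))

    def overdue(self, today):
        """Open risks whose response actions are past their due date."""
        return [r for r in self.open_risks() if r.due_date < today]

    def triggered(self, observed_events):
        """Open risks whose trigger event has been observed."""
        return [r for r in self.open_risks() if r.trigger in observed_events]

def sample_log():
    """Constructed sample entries for a hypothetical hardening project."""
    log = RiskLog()
    log.add(Risk(1, "Lead engineer for the WAF rollout leaves before go-live",
                 "Go-live slips; rule tuning known to one person is undocumented",
                 "Resignation notice received", "A. Smith", 2, 5,
                 Strategy.MITIGATE, date(2024, 1, 15), date(2024, 3, 1)))
    log.add(Risk(2, "Vendor delivers HSM appliances late",
                 "Key ceremony and the dependent cut-over are delayed",
                 "Vendor misses first milestone", "B. Jones", 4, 4,
                 Strategy.TRANSFER, date(2024, 1, 15), date(2024, 2, 15)))
    log.add(Risk(3, "Year-end change freeze blocks the deployment window",
                 "Two-week delay to the patching wave", "Change freeze announced",
                 "C. Lee", 3, 2, Strategy.ACCEPT, date(2024, 1, 20), date(2024, 4, 1)))
    # Monitoring and control: a contractual penalty (transfer) lowered the
    # probability of risk 2; risk 3 no longer applies after re-planning.
    log.risks[2].reassess(2, 4, on=date(2024, 2, 10))
    log.risks[3].close(on=date(2024, 2, 12))
    return log

if __name__ == "__main__":
    for r in sample_log().open_risks():
        print(r.risk_id, r.score, r.status.name, r.response.name, r.risk)
```

Sorting open entries by score keeps the review focused on the highest-scoring risks, and the overdue and triggered views are the two checks worth running at every status meeting: a trigger that has fired means the risk has become an issue and its response plan should be executed rather than re-scored.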

Download a sample risk log

Managing Stakeholders and Communication on Security-related Projects

Enterprises across the world are becoming more and more aware of security-related issues and their impact on the business, making them increasingly willing to address them. Although they are open to listening to the security professionals’ advice, the language the business speaks is different.

It is important for security specialists to understand the business requirements and communicate the value of security accordingly. Managing stakeholders and communication is therefore becoming one of the essential skills of the modern security professional.

One should understand that the earlier people are involved in a security project, the easier it is to get their buy-in. It is useful to spend some time on planning the communication prior to a project kick-off.

As a first step to such planning, a stakeholder register could be created capturing the contact information, expectations about the project, level of influence, and other characteristics, as in the table below.


As soon as the stakeholders are identified, a communication management plan should be created. One can engage the stakeholders to identify the best communication channel, its frequency, who is responsible for each communication and why it is sent.


While managing a project, a security professional spends almost all his / her time communicating in various ways. Proper stakeholder engagement and communication planning can make the security-related projects run much smoother. At the end of the day, security professionals are there to help people to make the business more secure. This task can be achieved more easily when people are cooperating with the security professionals rather than trying to sabotage the project.

Tracking the Progress of an Information Security Related Project

A project is, by definition, a goal-driven activity to be completed by a specific deadline. Although many security professionals dedicate most of their time to daily operational tasks, some of the most valuable contributions they can deliver to a company are in the form of security projects. Such projects may include the enterprise-wide implementation of security solutions, security reviews or risk assessments.

The success of such an exercise will highly depend on the skills and experience of the individual who manages the project. The reasons for which a security project may fail can be countless, but one of the most common ones is the lack of proper tracking.

Let’s imagine, for a second, that all the necessary planning was done, a charter was signed, and a sponsor fully supports the project. How can the project manager know if everything is going according to the plan?

A simple answer is by tracking the progress. There are several measurable indicators a project manager can keep track of, but a crucial one is the schedule.


Tracking progress against the schedule helps to identify possible risks and take timely preventive actions, such as assigning more resources to the tasks or undertaking some of the activities in parallel.


Project management was never about tools and software, though they may be very helpful. A sample spreadsheet was developed for project tracking which you can use to track the activities on your project. It was created for infrastructure / application hardening programmes and perfectly fits projects with clearly defined scopes of similar tasks.

Download a sample tracker

Improve Your Team’s Productivity


Today’s security professionals must know how to design and implement security transformation programmes on an enterprise-wide scale. In order to be successful at this, not only must they be technically savvy, but they should know how to build, lead and manage a team effectively for this purpose.

When dealing with teams, many people mistakenly assume that some team roles are more important than others, when in reality, all participants are equally essential. The diversity of skills makes a team versatile and is reinforced by the active involvement from all parties. Each role, trade or character type has its own strengths and weaknesses, which should be identified, harnessed and optimized (or reduced, in the latter case) in order to enhance the team’s overall performance. There are several existing resources for thoroughly exploring these complex human dynamics. One of the strongest ones available is the Belbin Model.

Dr. Meredith Belbin designed a personality test, known as the Belbin Team Inventory, in which he defines nine team roles that are necessary for a team’s optimal performance.

Through a 360-degree feedback mechanism (which includes the individual’s as well as the observers’ evaluation, mutually contrasted with one another), this test is designed to identify an individual’s personal behavioural traits and interpersonal strengths. It is not uncommon to see, however, that many people score strong tendencies towards multiple roles.

Based on the assessment of the individual’s behaviour within a team environment, Belbin sorted these nine roles into three main categories which include the action oriented roles, the people oriented roles and the thought oriented roles.

The action oriented roles and their strengths are the following:

  • Shaper: outgoing and dynamic people who help the team improve by finding the best problem-solving methodologies. The Shaper is responsible for keeping track of all the possibilities while avoiding the team’s complacency. Shapers usually welcome complications and unexpected outcomes as challenging opportunities that could lead to great outcomes: they have the courage to take them on when others feel like quitting.
  • Implementer: translates the team's concepts and ideas into practical action plans. Implementers are very disciplined, well organised and work systematically and efficiently, so they are the team members everyone counts on to get the job done.
  • Completer-Finisher: makes sure that deadlines are met and checks for omissions and errors. Because they tend to be orderly, conscientious perfectionists, they will pay attention to every single detail and ensure the job is completed on time.

The people oriented roles and their assets comprise:

  • Coordinator: who usually assumes the role of the chairman or traditional team-leader. Because they tend to be excellent listeners, they intuitively recognise the intrinsic value each team member can contribute to the group. With this personal strength, along with their calm and good nature, they are able to delegate tasks efficiently and guide the team to what they observe are the main objectives.
  • Team Worker: is the member who takes over the role of the negotiator within the team while providing support and ensuring a productive environment in which everybody may work together effectively. Team workers tend to be charismatic and therefore popular and outgoing, which makes them very capable in facilitating team cohesion while encouraging people to get along.
  • Resource Investigator: assumes the role of identifying and working with external stakeholders in order to enable the team to accomplish its objectives. Resource investigators are typically enthusiastic, extroverted and outgoing making others receptive to their ideas. Because they tend to be curious and innovative, they can easily establish contacts, explore available options and negotiate for resources on behalf of the team.

Finally, the thought oriented roles and their potency characteristics include:

  • Plant: the person who comes up with innovative ideas and methodologies. He/she is usually introverted and might prefer to work in a separate environment from the rest of the team. Plants do, however, thrive on praise and find difficulties in dealing with criticism.
  • Monitor Evaluator: the objective member every team needs for analysing and evaluating the ideas that other people (usually Plants) come up with. They can easily weigh the pros and cons of all the available options before arriving at a decision.
  • Specialist: an individual who possesses the specialised knowledge and experience required to get the job done. Their contribution to the team is reserved for their field of expertise, to which they are usually fully committed. Their priority lies in maintaining their professional standing, and they take great pride in their abilities and skills.

One of the core foundations of the Belbin Team Inventory is that a team can be considered well-balanced when all nine roles are present and participate actively. When we recognise our individual role within a given team, we can further develop our strengths and manage our weaknesses in order to improve our contribution to the team.


If several members within a given team have similar behavioural styles or team roles, the team becomes unbalanced and doesn’t function up to its full potential. The underlying cause for this is that similar behaviours imply overlapping strengths, which can foster interpersonal competition rather than cohesion or mutual collaboration. Additionally, similar behaviours mean similar weaknesses, which can be extrapolated as a general weakness of the entire team. Belbin’s nine role definition also includes the identification of the characteristic weaknesses that tend to accompany each team role. These “allowable” weaknesses should be recognised in order to allow for improvement.

The weaknesses of action oriented roles typically include:

  • Shaper: may be argumentative and not always considerate of other people's feelings.
  • Implementer: could be rigid and have a hard time changing.
  • Completer-Finisher: might have difficulties in delegating and suffer from unnecessary worry and anxiety.

The weaknesses associated to the people oriented roles are usually the following:

  • Coordinator: may be seen as manipulative and might delegate too much of their own responsibility.
  • Team Worker: might avoid committing to a position during decision-making processes or discussions, and has a tendency to be indecisive.
  • Resource Investigator: might be overly optimistic and can quickly lose enthusiasm.

The drawbacks of the thought oriented roles include:

  • Plant: their unconventional ideas and suggestions may be seen by the rest of the team as impractical. The introverted nature of Plants can make them poor communicators, and they might tend to overlook given constraints or parameters.
  • Monitor Evaluator: because they are strategic in their methodologies, as well as critical thinkers, they are usually regarded as unemotional or detached. They might be poor motivators who react to a given circumstance instead of instigating it.
  • Specialist: because their contribution is limited to their field of expertise, their participation is restricted, which may lead them to dwell on technicalities at the expense of the wider picture.

After many years of studying teamwork, Belbin broadly defined a team role as “a tendency to behave, contribute and interrelate with others in a particular way”: a tendency that people normally adopt when they assume a particular team-role. The individual and interpersonal behaviours might, however, depend to some extent on the situation, since it is not only related to one’s own natural style of working, but to the interaction with others and the actual work itself. This means that each one of us may behave and interact quite differently according to the nature of the team members and/or the work we are exposed to.

How to use the Belbin Team Inventory as a tool

The Belbin Team Inventory is a rather handy tool, and can be used in different ways, like in managing interpersonal differences within a given team, for example, or in considering how to construct a balanced team properly before a project starts, or in developing oneself as a team member.

The Belbin model can be used to analyse an existing team, as well as a helpful guide to develop the team’s strengths, and manage its weaknesses. The following tool can be very helpful in analysing team membership, checking for potential strengths and weaknesses within the team:

1. Observe the individual members of your team over a period of time to see how they perform individually, how they contribute and how they conduct themselves within the team.

2. Make a list of the team members which includes their observable characteristics: both key strengths and weaknesses.

3. Compare each team member's strengths and weaknesses with the descriptions provided by the Belbin Model. Which team role best describes each person?

4. Once you feel you have identified each individual's corresponding role, answer the following questions:

  • Are there any roles missing from the team? If so, which ones, and which strengths are therefore most likely to be missing from the team overall?

  • Is there a prevalent team role that many of the team members share?

When there are teams of people who perform the same job, there will be specific predominant team roles. In a team of business consultants, for example, there might be numerous Shapers and Team Workers, as opposed to a research department which will mainly consist of Plants and Specialists. These are perfect examples of unbalanced teams, which might be lacking key approaches and outlooks.

If the team is considered to be unbalanced, the first step is to identify the overall weakness that results from the team. The following step would be to recognise areas of potential conflict. An example would be an excess of Shapers that might weaken a team if each one wishes to drive the team in different directions.

5. Once potential weaknesses, areas of conflict and missing strengths have been identified, consider the options you have to improve the situation:

  • Whether one or more team members could develop or adapt how they work together and with others in order to avoid potential conflicts between their natural styles.

  • Whether an existing team member could compensate by adopting a different team role. Through awareness and intention, this is sometimes possible.

  • Whether new skills need to be brought onto the team to compensate for the weaknesses.

The Belbin Team Roles model may introduce more coherence into the team.

It is important to mention, however, that although the Belbin model can be very useful, it should mainly be regarded as a good guide for building a team. One shouldn't depend on it too heavily in pursuit of a perfect team, as that might restrict other potential strengths the team and its members may have. It is ultimately up to the team leader's professional intuition to evaluate and decide what would bring the greatest overall benefit. Perhaps the main lesson here is that in order to have a very high-performing team, "the key is BALANCE".


Images courtesy of digitalart and jannoon028 /