Could Your Project be the Reason for a Data Breach?

Part I: The Challenge and It’s Scale 

A Project Management Office (PMO) leader gets a call from her boss who just found out that a recent web portal service delivered by one of her project teams has been compromised by an ever growing population of cyber attackers.  If this was your project, how would you respond to a call from your PMO leader?  What due diligence can you reference showing that you incorporated essential security practices in protecting a strategic business revenue generating asset?  In USA Today, a title in the Money section of August 12, 2011 reads, “8M Web Pages Hacked, Mined”.  If you think this could not happen to your projects, think again.  Organizations and career professionals who manage and make decisions regarding existing and newly deployed strategic assets must take a different delivery approach to further minimize significant impacts that lead to lost revenue and front page news stories.

Project managers have been traditionally driven by on-time and on-budget performance metrics rather than also including security as a top priority metric for project management deliverables. This results in making an organization’s strategic assets easy targets for cyber attackers.   Out of all data breaches investigated in 2010 by Verizon Business, 96% were avoidable.  (Source: 2011 Verizon Business Data Breach Investigations Report).   Cyber-attacks are real and will continue to target organizations of all sizes, regardless of the industry.  Organizations and project managers must take a different approach in delivering cyber safe assets to the Internet.  New organizational performance metrics for cyber safety will become mandatory in determining overall project and corporate success. Competitive advantage, in the age of cyber threats, will determine success for organizations and career professionals who take a proactive approach to cyber security.

This two part article has been written to begin increasing the level of awareness in organizations and career professionals such as project managers. These professionals need to start developing a security mindset and begin positioning proactive steps in delivering cyber safe solutions.

Cyber Security’s Emerging and Prevalent GAP

The expanding gap for organizations today starts with consumer driven markets and stakeholder pressure to offer differentiated services that grow the bottom and top lines of the business.  In order to stay competitive, many new business and delivery models have leveraged the Internet, outsourcing, offshoring, cloud based services and mobility platforms that continue to outpace the reach of cyber security.  A 2011 CIO cloud survey by CIO.com stated that 71% of enterprises had placed security among their top three concerns related to moving to the cloud.  These strategic business decisions have created invisible windows that have opened gaps in making organizations easy targets for cyber attackers for the assets they deploy.  The model has completely shifted to an open versus closed system, enabling an unprecedented level of access to sensitive information within companies and business partners today.  Most organizations do not have the required visibility, knowledge, talent or capability to ensure cyber safe practices are incorporated throughout the planning, delivery and operating life cycles.  Given the sophisticated techniques used by cyber attackers, organization and career growth will depend on how well companies and career professionals embrace their roles by enhancing their delivery competencies and skills.

Organizations have become more data-dependent.  It has been estimated that just over the last two years, the data footprint used by organizations across the globe has doubled (Berkeley School of Info Management and Systems 2009). Although organizations and business leaders cannot disrupt services to customers, they can take the first step to make cyber security a strategic priority in the planning and delivery process.  Acquiring new knowledge and having an informed mindset is the starting point in combating the new epidemic of cyber threats.  Understand your current mindset by testing your knowledge today with the quick self-assessment below:

 What Do the Numbers of Cyber Threats and Attacks Tell Us

Cyber threats and attacks are real and here to stay. The few statics we have shared below include just some highlights gleaned from thousands of breaches worldwide.  Cyber Attackers may not always have a preference and consider no target too big or too small.  These targets include projects, career professionals and organizations.  One of the many statistics that directly applies to project delivery includes 6,253 new vulnerabilities discovered in 2010 (Published in Apr 2011, Symantec Internet Security Threat Report). 

Many of these vulnerabilities go undetected during the project and software development lifecycle phases.  Data theft reported last year due to these vulnerabilities being compromised has impacted on average 260,000 identities per breach.  (ibid Apr 2011)  Not only market pressure but rising legal precedence with new federal and state regulations has raised the stakes for all organizations and career professionals.  The numbers over the past few years continue to show a rising trend of successful cyber-attacks with no end in sight.  Organizations and career professionals can no longer afford being reactive and must take a proactive approach in delivering their strategic assets cyber safe.

Test Your Cyber Security Knowledge; Answer Yes or No.

1. Do you know what you should track and trace throughout your project delivery regarding cyber security risks and threats?
2. Do you know the difference between cyber threats and attacks?
3. Do you know the techniques cyber attackers use to compromise organizations and assets delivered by projects?
4. As the project leader, can you determine with little effort what data and records may have been exposed by a cyber-attack based on the project data you included in your project delivery plan? 
5. Do you know what your internal incident response team will ask of you?
6. Can you validate to external auditors and investigators that you took the appropriate due diligence in delivering a cyber safe project? 
7. Do you conduct privileged penetration testing to determine if exploitable vulnerabilities may expose sensitive data used in your project solution to cyber threats?

Your response and understanding of these questions begins to illustrate the gaps you may have regarding the level of cyber safe practices in your project, business and career.  If you answered “no” to one or more of these questions, you may have a project already at risk of being compromised by cyber attackers. 

In the second part of this article, we will review our approach to assist career professionals such as project managers on how to begin delivering better cyber safe solutions and the value it delivers to project quality.  Organizations that embrace and apply this new approach will begin to reposition cyber security as a business advantage instead of being reactive to the market causing significant financial loss and consumer trust impacts.

Don’t forget to leave your comments below.

---

Eben Berry is President and Founder of Cyber Inspectors LLC. Mr. Berry formed a new venture enabling companies to have greater preparedness in responding to growing concerns with cyber-attacks.  As a former CISO, his twenty three years of experience across Military, Fortune 1000 and non-profit organizations centered on business, technology and information security. He received his MBA from Northeastern University.

Ehsan Sabaghian is Sr. Director of Business Development at Cyber Inspectors LLC. After receiving his 2^nd master’s degree in information technology management from Clark University, MA, Mr. Sabaghian joined Cyber Inspectors LLC. An information systems expert with extensive background in business management, he emerged as a strong change agent SME on many large IT projects.

---

The information presented in this article is intended as general advice. Specific advice would require a qualified organization to become familiar with the facts of you or your organization’s particular situation.