Cyber Security: Legitimate Project Concern?

We have lots of risks on the projects we manage.  Sometimes we set aside a decent amount of planning time to identify potential risks and plan for their mitigation or better yet, their avoidance.  Sometimes we don’t.  

We should, but we don’t always do it and even when we do we probably don’t spend as much time on risk planning as we should.  I should know!  I speak from 20+ years of experience leading IT projects and initiatives, and while I’ve thankfully been pretty successful and learned lessons along the way, I’m no angel.

There have been quite a few incidents of data breaches, large-scale credit card info thefts from big box change stores and even breaches in government databases over the past 12 months.  These have all received great press, but that doesn’t mean they go away.

 In fact, I think that it just makes it that much more likely – given the publicity – for these same hackers and other hackers to go the extra distance to find new targets and industries to hack.  Sometimes it is done for ransom or to prove a point, and sometimes it is just done for the hacker’s curiosity and enjoyment.

Black Hat Security Conference Relevance

Recently, I attended Black Hat USA 2015 here in Las Vegas and made sure that one of the briefings I attended was the latest findings (aka, “hackings”) of Charlie Miller and Chris Valasek. By the time Black Hat USA 2014 started last year, they had already taken control of a 2014 Jeep Cherokee’s stereo system.  They forced it to play Kanye West very loudly while overriding the dash controls remotely so that the driver was unable to change the station or volume.  Impressive, but they were far from done.  

Related Article: Project Documents: High Value Targets of Cyber Espionage

Miller and Valsasek’s latest hackings had received quite a bit of press about 1-2 weeks before Black Hat, so I was greatly anticipating this show of hacking expertise.  I was not disappointed.  The pair presented the culmination of a year’s worth of effort to take control of a vehicle’s computer system in their briefing “Remote Exploitation of an Unaltered Passenger Vehicle”.  The briefing outlined how they were able to send CAN messages to the vehicle’s computer to make the Jeep speed up, steer without driver input, override the anti-collision mechanism, and drive into a ditch with a nervous reporter inside. I look forward to seeing what they’ve accomplished by Black Hat 2016.  

And just in case you didn’t hear about it, their work directly resulted in Chrysler’s recall of 1.4 million vehicles.  Not bad!

Should we be concerned with data security on our projects?

So, is cyber security a legitimate concern?  After watching a season of CSI: Cyber and attending Black Hat USA for the 4th year in a row, I’m convinced that it is, indeed, a legitimate concern.  It is a huge concern for our data centers, a huge concern for IT shops everywhere, a huge concern for every government agency on the map.  It needs to be a concern and consideration on every project that we manage.  I’m not saying that we have to spend millions or even tens of thousands of dollars on it.  I’m just saying it needs to be a concern and consideration.  Something to which we must give some thoughtful planning and management time.  If we dismiss it because it is not related to our current project, then that is great, but it should be addressed.

What do we do about it?

Assuming we consider it a big enough issue to incorporate into the planning process– which I feel we should – what do we do about it?

Here is a simple three consideration process to go through – at least at a very high level – to determine to what extent that type of security is something we should plan for and expend project dollars.  The detail you give it, and the amount of time and complexity you plan into it is dependent on your organization’s policies, your customer’s needs and preferences, and the type and complexity of the project you are managing.

Consider what you are protecting.  Is the data invaluable? Is it irreplaceable?  Would a hack be devastating to your organization?  Would it affect your customers, clients, or the customers of your clients?  Consider these questions carefully.  The ripple effect is unimaginable in certain situations.  If you or your customer is handling health data and there is a database breach, consider how much data is now available to hackers, the general public, or criminals with ill intent.  Does this need to be protected?  Absolutely, and at just about any cost.

Consider the skills needed.  Look at your organization.  Is there anyone in the organization that can build out the level of protection your specific data will need?  Cyber security experts don’t come cheap.  Hacks now are different than the data issues of 20 or 30 years ago.  As they stated at Black Hat USA 2015, everything can be hacked.  If you say it can’t be hacked, it only makes you a quick target for someone looking to prove you wrong.  

Consider the cost.   Can your project, your client, or your organization afford the expertise and protective measures you are likely going to need?  If you find that it is far more expensive than anyone imagined, then you have two options.  The first is to pass on this opportunity because the potential for loss of any profits is real.  The second option is to reach out to the project client for a change order to cover the cost of bringing in the expertise and technology that will be necessary to protect any sensitive data you will be handling for them.

Here’s the bottom line

If you’re looking out for millions of financial records, then yes, you will need to take some extreme data security measures and probably run every individual through background checks who will even have the remote chance of accessing the data you must protect.  Depending on the projects I’ve led and the organizations where I’ve worked, I have held top-secret FBI security clearances off and on throughout the 30 years that I have been in the IT industry.

What are your thoughts on cyber security from a project management standpoint?  Are you concerned about security?  Has a sensitive database on one of your projects ever been hacked?  What was the outcome?  Please share your thoughts and experiences.