The worlds of information access and information security are inextricably joined, and as such, data must be readily available and accessible to all who need it, yet its confidentiality and integrity simultaneously maintained. As project managers, we have all managed technical change, but the current pace of technological advancements, coupled with an influx of increasingly sophisticated security threats and attacks, as well as the need to comply with a myriad of privacy laws and security protection standards, all but guarantee heightened interaction and benefits to partnering with our local information security group.
Who are these security folks and how do they operate? Simply stated, the role of information security is to balance risk and value toward enablement of the business. Security practitioners understand and communicate risks and provide solutions within the context of business value-creation. Solutions are chosen that reduce risk, and may include any number of security initiatives such as: creating isolated networks to protect critical data, installing intrusion prevention devices, logging and monitoring security events, or achieving compliance with security standards.
Related Article: Diffusing Organizational Risk
Information security groups also exist to provide education and awareness regarding company security policies and procedures while performing real-time threat monitoring and remediation.
Here are four critical areas to focus on and remember when assigned your next Information Security Project:
1. Secure executive sponsorship and formal backing. Executive leadership must be onboard with, scope, objectives, and strategic fit
Involvement and backing from the CSO or senior security leadership as well as the publicized alignment with strategic company initiatives demonstrate to users at large that the project or security initiative is not simply another “nice to have.” This is also particularly important because your project may require folks to participate in security training or to complete a security specific task. In many cases, having ongoing senior leadership support and backing will be your saving grace.
Executive leadership on information security projects is particularly important because the company’s competitive advantage is based largely on ensuring that critical data is protected and accessible. Once leadership acknowledges and embraces this, these projects are no longer viewed as straight costs, but investments in creating and enabling trusted, manageable and scalable information protection and access. While you have the Sponsor’s attention, ask for insight into the overall IT security plan (or strategy). This will provide additional clarification and focus as to the role your project plays in the grand scheme. Also, take this opportunity to learn what you can regarding key resources assigned to your project.
2. Know your Security solution(s)
Researching the security solution to be implemented will not only provide the context necessary for a deeper understanding of matters at hand but demonstrate to your team and stakeholders that you’re invested and success-minded. This diligence should also extend to any contractual agreements and internal working agreements. Without this knowledge, you may face trust issues with the client, as well as an increased lag in overall resolution as they will expect the project manager to be able to handle most issues and questions. Deeper functional understanding may also provide insights into associated operational security projects. To be effective, IT security must be operationalized, and the very best way to get there is through integrated and well-managed projects.
3. Establish a common Risk Management approach
The generally accepted information security approach to risk varies slightly from the standard project management approach. While specific risk events, their probability, and associated impact ring true to project managers, security practitioners tend to think in terms of threats and the possibility of these being exploited to expose particular vulnerabilities. With this method, business assets are typically assigned a value, in order that the threat, and vulnerability, if exposed, can be quantified. Given the slightly different approach to risk management, it will be beneficial to meet as close to project inception as possible to develop a common approach to identifying, documenting, and managing overall risk. This will establish a solid foundation for the often semi-uncomfortable risk discussions and pave the road for necessary assignments and follow-ons.
4. Know your Project Team, Vendors, and Subcontractors
Never underestimate the importance of collaborative planning and communication. The closer the team, the more productive the collaboration and communication can be. Attempt a one-on–one meeting with each team member, vendor or sub-contractor in advance to discuss their role, specific areas of expertise and to air out questions and concerns in a non-threatening environment. This will pave the road for knowledge and experience sharing going forward. During the kickoff meeting, encourage open discussion of individual roles and input items to clarify further each party's interests in and commitment to the project.
Solid executive backing, knowledge of the solution(s) under consideration, a common and agreed upon risk approach and knowledge of team and vendor relationships will greatly increase the chances of your next information security project being a smashing success.