Author: Eben Berry

Could Your Project be the Reason for a Data Breach?

Part II: The Solution and Its Value

Viewing Cyber Security as a Business Solution

Continuing from Part I: although advancements in technology have enabled organizational strategies, they have come at a price, given the rise in cyber breaches. Cyber security continues to be a moving target with no final technological solution in sight. Considering the rate of progress in new technologies and their social prevalence, solutions are now more dependent on a person’s mindset, critical thinking abilities, and an increase in individual responsibility. These facts lead us to believe that the most effective resistance against cyber threats must now be built on shifting an individual’s mindset, adjusting human behavior and evolving legacy methodologies. Cyber security has risen to become a required attribute for successful organizations and career professionals going forward. Cyber safe practices require a proactive approach in addressing a new generation of cyber breach challenges associated with strategic asset delivery and survivability. The first step project managers should take is to make cyber security a priority and position cyber safe practices as part of the solution in the upfront initiation and planning processes. Project managers and delivery team professionals such as business analysts should also incorporate cyber security practices into the remaining project phases to ensure traceability of established cyber security requirements.
A Gartner research study conducted in 2010 found that reactive versus proactive investment in cyber security could have up to a 70 to 1 price tag. Many of the cyber security challenges that organizations face today have less to do with a technology problem and more to do with the human element and process approach representing the weakest security link within organizations’ cyber infrastructures.  An older but still relevant report on the leading causes of data loss noted that 1 in 2 events had been caused by human error and 1 in 4 were related to policy violations (Source: IT Policy Compliance Group 2007). This highlights the need for greater awareness, education and a refined business approach to delivering cyber safe strategic assets.

Protecting business assets from the evolving dangers of the Internet and mobility infrastructure requires a unified approach across business, IT and security in maintaining business resistance to cyber threats and attacks. For example, a window in your house protects you from weather damage, heating and cooling costs, and unwanted intruders. For the window to function properly, it requires a set of combined controls that involve human process and technologies. These controls include security controls (i.e., requiring a particular lock be part of the design), IT controls (i.e., incorporating the lock into the window design), and the business controls (i.e., ensuring that a daily routine has been established to shut and lock the windows). Without a unified business approach and controls in place that cover all three areas, organizations are at an increased risk of water damage, higher heating and cooling bills, and intruders with easy access.

A Mindset Shift, Behavior Modification and Methodology Change

To truly challenge the advantage cyber attackers have today, managers and individuals require a shift in their mindset towards cyber safety. Although many see cyber security as a technological problem, data breaches show society that this is more of a human behavior problem. Many organizations continue to rely on their employees as their last line of defense but most non-technical roles in the organization do not have the required awareness and education that is necessary to fully minimize an organization’s exposure to cyber threats and attacks.

Proper cyber safety requires a new business awareness, delivery and operational approach to expand an organization’s capabilities and competencies for both non-technical and technical career professionals such as project managers. A new set of data handling and safeguard skills for all employees and third party vendors for handling sensitive data in cyber space has become a fundamental organizational requirement. Business units, business projects and entire organizations must improve preparation by investing in new cyber safe practices starting with awareness training, education and certification programs. This mindset shift, behavioral modification and methodology changes should be followed up with actionable techniques incorporated into the organizational culture and functional processes.

Creating a New Delivery Model Through Cyber Security

Organizations need to take a proactive approach to cyber security and enhance their existing business delivery models tailored to their industry and organization. This new baseline model places an emphasis on planning, designing, building and delivering secure business solutions rather than reacting to data breaches and exposures that your organization could have avoided.

Cyber security must become part of every career professional’s mindset in further shifting an organization to a security-minded culture. In order to level the playing field and begin building resistance against cyber attacks, asset protection demands a multi-dimensional model that includes individuals, organizations and society. In order to gain significant advantage quickly, a new set of baseline standards must be created for organizations to better evaluate the technology and vendor selection processes to ensure a particular vendor or technology solution does not become the reason for a data breach. This becomes even more critical to organizations that have shifted or are making the shift to mobility platforms to enable new business model innovations. Establishing cyber safe planning and delivery performance metrics, empowering your project teams by making security a priority and incorporating cyber safe practices into your business process designs will put your organization in a more defensible position. 

Cyber Security and Project Management: The Perfect Partnership

Three of the main project management functions are managing resources, managing project risk and managing project quality assurance. Given this, let’s review the potential business risks of cyber threats and attacks during the project delivery life cycle. 

Project Management Function: Managing Resources
  Cyber Threat & Attack Impacts:
    - Data loss exposure
    - Identities and intellectual property stolen
  Cyber Safe Practice Examples:
    - Incorporate essential practices for project data
    - Cyber safe data assurance management plan

Project Management Function: Managing Project Risk
  Cyber Threat & Attack Impacts:
    - Erosion of customer trust
    - Damage to brand image
    - Stakeholder dissatisfaction
  Cyber Safe Practice Examples:
    - Establish cyber security priorities
    - Establish cyber safe performance metrics

Project Management Function: Managing Project Quality Assurance
  Cyber Threat & Attack Impacts:
    - Low-quality projects: open windows
    - Low-quality deliverables: easy targets
    - Inadequate testing of threats
  Cyber Safe Practice Examples:
    - Incorporate scenario-based threat testing
    - Develop cyber deliverables checklist
    - Develop business incident response plan

Table 1.0: PM Functions, Cyber Threat and Attack Impacts, and Cyber Safe Practice Examples

Cyber security must be part of your solution going forward to remain competitive, to retain your constituents’ trust and to attract the top talent necessary to compete in the Internet market. Do not wait until your project or organization’s assets have been compromised by cyber attackers to begin making an essential business practice shift—start establishing and incorporating your delivery process with cyber safe practices today. Minimize your chances of being an easy target and establish cyber safety as a new benchmark for project management success. Organizations and career professionals, including executives, must make cyber security a priority by investing upfront in the strategic planning and delivery process to integrate cyber security as a competitive advantage in the products and services they offer. Project managers armed with cyber security knowledge and techniques will deliver higher quality projects, increase their marketability and help PMOs achieve greater project success.



The information presented in this article is intended as general advice. Specific advice would require a qualified organization to become familiar with the facts of your or your organization’s particular situation.


Eben Berry is President and Founder of Cyber Inspectors LLC. Mr. Berry formed a new venture enabling companies to have greater preparedness in responding to growing concerns with cyber-attacks.  As a former CISO, his twenty three years of experience across Military, Fortune 1000 and non-profit organizations centered on business, technology and information security. He received his MBA from Northeastern University.

Ehsan Sabaghian is Sr. Director of Business Development at Cyber Inspectors LLC. After receiving his 2nd master’s degree in information technology management from Clark University, MA, Mr. Sabaghian joined Cyber Inspectors LLC. An information systems expert with extensive background in business management, he emerged as a strong change agent SME on many large IT projects.

About Cyber Inspectors™ LLC. Founded in 2011 and based in Burlington, MA, Cyber Inspectors is focused on cyber security and enabling companies to achieve greater organizational preparedness in responding to cyber threats and attacks. Cyber Inspectors has developed a new Business Delivery Assurance Model™ focused on cyber safe essential practices, response capabilities and strategic investment of security.

Could Your Project be the Reason for a Data Breach?

Part I: The Challenge and Its Scale

A Project Management Office (PMO) leader gets a call from her boss, who just found out that a recent web portal service delivered by one of her project teams has been compromised by an ever-growing population of cyber attackers. If this were your project, how would you respond to a call from your PMO leader? What due diligence can you reference showing that you incorporated essential security practices in protecting a strategic, revenue-generating business asset? In USA Today, a title in the Money section of August 12, 2011 reads, “8M Web Pages Hacked, Mined”. If you think this could not happen to your projects, think again. Organizations and career professionals who manage and make decisions regarding existing and newly deployed strategic assets must take a different delivery approach to further minimize significant impacts that lead to lost revenue and front page news stories.

Project managers have been traditionally driven by on-time and on-budget performance metrics rather than also including security as a top priority metric for project management deliverables. This results in making an organization’s strategic assets easy targets for cyber attackers.   Out of all data breaches investigated in 2010 by Verizon Business, 96% were avoidable.  (Source: 2011 Verizon Business Data Breach Investigations Report).   Cyber-attacks are real and will continue to target organizations of all sizes, regardless of the industry.  Organizations and project managers must take a different approach in delivering cyber safe assets to the Internet.  New organizational performance metrics for cyber safety will become mandatory in determining overall project and corporate success. Competitive advantage, in the age of cyber threats, will determine success for organizations and career professionals who take a proactive approach to cyber security.

This two-part article has been written to begin increasing the level of awareness in organizations and career professionals such as project managers. These professionals need to start developing a security mindset and begin positioning proactive steps in delivering cyber safe solutions.

Cyber Security’s Emerging and Prevalent Gap

The expanding gap for organizations today starts with consumer driven markets and stakeholder pressure to offer differentiated services that grow the bottom and top lines of the business.  In order to stay competitive, many new business and delivery models have leveraged the Internet, outsourcing, offshoring, cloud based services and mobility platforms that continue to outpace the reach of cyber security.  A 2011 CIO cloud survey by CIO.com stated that 71% of enterprises had placed security among their top three concerns related to moving to the cloud.  These strategic business decisions have created invisible windows that have opened gaps in making organizations easy targets for cyber attackers for the assets they deploy.  The model has completely shifted to an open versus closed system, enabling an unprecedented level of access to sensitive information within companies and business partners today.  Most organizations do not have the required visibility, knowledge, talent or capability to ensure cyber safe practices are incorporated throughout the planning, delivery and operating life cycles.  Given the sophisticated techniques used by cyber attackers, organization and career growth will depend on how well companies and career professionals embrace their roles by enhancing their delivery competencies and skills.

Organizations have become more data-dependent.  It has been estimated that just over the last two years, the data footprint used by organizations across the globe has doubled (Berkeley School of Info Management and Systems 2009). Although organizations and business leaders cannot disrupt services to customers, they can take the first step to make cyber security a strategic priority in the planning and delivery process.  Acquiring new knowledge and having an informed mindset is the starting point in combating the new epidemic of cyber threats.  Understand your current mindset by testing your knowledge today with the quick self-assessment below:

What Do the Numbers of Cyber Threats and Attacks Tell Us?

Cyber threats and attacks are real and here to stay. The few statistics we have shared below include just some highlights gleaned from thousands of breaches worldwide. Cyber attackers may not always have a preference and consider no target too big or too small. These targets include projects, career professionals and organizations. One of the many statistics that directly applies to project delivery includes 6,253 new vulnerabilities discovered in 2010 (Published in Apr 2011, Symantec Internet Security Threat Report).

Many of these vulnerabilities go undetected during the project and software development lifecycle phases. Data theft reported last year due to these vulnerabilities being exploited has impacted on average 260,000 identities per breach (ibid., Apr 2011). Not only market pressure but also rising legal precedent under new federal and state regulations has raised the stakes for all organizations and career professionals. The numbers over the past few years continue to show a rising trend of successful cyber-attacks with no end in sight. Organizations and career professionals can no longer afford to be reactive and must take a proactive approach in delivering their strategic assets cyber safe.

Test Your Cyber Security Knowledge; Answer Yes or No.

  1. Do you know what you should track and trace throughout your project delivery regarding cyber security risks and threats?
  2. Do you know the difference between cyber threats and attacks?
  3. Do you know the techniques cyber attackers use to compromise organizations and assets delivered by projects?
  4. As the project leader, can you determine with little effort what data and records may have been exposed by a cyber-attack based on the project data you included in your project delivery plan? 
  5. Do you know what your internal incident response team will ask of you?
  6. Can you validate to external auditors and investigators that you took the appropriate due diligence in delivering a cyber safe project? 
  7. Do you conduct privileged penetration testing to determine if exploitable vulnerabilities may expose sensitive data used in your project solution to cyber threats?

Your response and understanding of these questions begins to illustrate the gaps you may have regarding the level of cyber safe practices in your project, business and career.  If you answered “no” to one or more of these questions, you may have a project already at risk of being compromised by cyber attackers. 

In the second part of this article, we will review our approach to assist career professionals such as project managers on how to begin delivering better cyber safe solutions and the value it delivers to project quality.  Organizations that embrace and apply this new approach will begin to reposition cyber security as a business advantage instead of being reactive to the market causing significant financial loss and consumer trust impacts.
