In the rapidly evolving world of IT, we frequently hear about sensitive data being stolen and disseminated from renowned organisations, or businesses reporting disruptive attacks such as Distributed Denial of Service (DDoS) assaults that bring their operations to a halt. While some of these disruptions may stem from a small bug that was not caught during testing, there are instances where the cause is much more serious.
The financial and reputational impact that these attacks have on organisations is huge, often requiring a substantial amount of time and effort for a full recovery. This underscores the importance of organisations having project managers who, leveraging their experience from past projects and their background in security training, can effectively assist the project team in recognising common vulnerability points and taking proactive steps to address them.
In recent years, a series of incidents have underscored the necessity of making security a critical aspect of project management. One prominent case is the Anthem Inc. Data Breach.
The Anthem Inc. Case
Elevance Health, formerly known as Anthem Inc., is one of the largest health insurance companies in the United States. Despite the expectation that an organisation of this size would have invested significantly in security measures, in 2015 the company suffered a major data breach that exposed the personal and medical information of approximately 78.8 million individuals.
Investigations revealed that the cyberattack began through a spear-phishing campaign where cybercriminals used social engineering techniques to send deceptive emails to employees. One employee fell victim to the phishing attack, granting attackers access to Anthem’s database.
Needless to say, this breach had a significant financial impact on the company, not only in terms of legal expenses but also in the effort required to strengthen its cybersecurity measures.
Key Takeaways for Project Managers
The Anthem Inc. security breach stands as a compelling example of the consequences when security becomes an afterthought in project management. This breach serves as a reminder of the critical role that project managers play in ensuring enough security considerations are taken into account throughout the course of the project. To this end, project managers should:
- Ensure that a robust risk assessment is conducted not only during the project initiation phase, but also during execution and prior to going live. Through these assessments, organisations can proactively identify potential security risks and mitigate them accordingly.
- Advocate for the integration of security measures into project planning with all stakeholders. They need to emphasise the practice of prioritising security-related activities over adherence to predefined timelines.
- Loop in subject matter experts throughout the course of the project to ensure alignment with the right security frameworks and to ensure that all compliance, regulatory and legal requirements are met.
- Develop a robust incident response plan as part of the project delivery before the project goes live. This plan should include the identification of key stakeholders and the establishment of procedures and processes to address security incidents.
- Leverage past lessons learned throughout the entire project lifecycle to avoid repeating past mistakes, while replicating good practices.
- Effectively communicate security requirements with all stakeholders, ensuring that these are well understood by everyone involved. Additionally, like all other facets of project management, project managers should also ensure correct and timely reporting of progress.
Exploration of Security Breaches Through Three Lenses
To support project managers in ensuring that key security measures have been considered in their project, I often suggest examining their projects from three different perspectives:
One common source of security breaches arises from internal factors, often originating from disgruntled employees or vulnerabilities within other internal systems or networks. While it is extremely difficult to prevent all potential internal security breaches, as sometimes even the most trusted employee can, for various reasons, become a threat to the project and the organisation, project managers play a pivotal role. Through tools like a Risk and Impact Assessment, they can ensure that people and the interconnected systems have least-privilege access rights to confidential information, including the software code and the database itself. A properly constructed Work Breakdown Structure (WBS) and RACI (Responsible, Accountable, Consulted, and Informed) matrix can be extremely helpful for project managers in determining what type of security privilege should be assigned to whom, when, and under what circumstances.
When organisations involve external parties, the risk for security breaches increases significantly. These breaches are not only tied to theft and copying of trade secrets, but can also be the result of insufficient security controls on the external party’s side. Furthermore, the situation becomes more challenging when the outsourcing company is situated in another country with a different regulatory landscape.
Therefore, project managers should allocate ample testing time within the project timeline. This entails not only conducting well-designed integration testing, but also ensuring that robust security testing is performed on both the third-party components and the overall system.
One approach organisations usually employ to ensure that security testing is conducted effectively, in compliance with the latest security standards, is to use the services of renowned, specialised external security testing companies to perform these tests.
In addition, in cases where the organisation is outsourcing parts of its software, the project manager should ensure that there is an escrow agreement in place to minimise the risk of the company being left without access to the source code in the event that the outsourcing company suddenly folds.
Finally, in a world where everything is interconnected, technology and device-related security breaches frequently occur. In light of this, I recommend that project managers keep a comprehensive list of standard security practices to integrate into every project they undertake. These activities include key tasks such as changing default passwords, configuring firewall settings, testing third-party hardware and software before connecting them to company networks and servers, and ensuring the installation of the latest security patches. By adhering to these security measures, project managers can significantly enhance the protection of their projects and systems in the ever-evolving technological landscape.
In an era where information is power and trust is paramount, security is not an option: it is an absolute necessity that must be integrated into every step and phase of every project and product's lifecycle. A security breach isn't limited to a mere disruption in operations. Besides the financial and reputational aspect, it has the potential to impact lives. Hence, security is not an accessory to project management, but rather a fundamental principle that ensures the success, integrity, and trustworthiness of the projects the organisation undertakes.