Manage the Project, Plan Cybersecurity Risk
By Chris Andrews, PMP, CompTIA Security+, Scrum Master, NIST 800-53 Practitioner, and
Susan Parente, PMP, PMI-RMP, PMI-ACP, CISSP, CRISC, RESILIA
This post is Part 2 of a two-part series.
If you read our previous post, “Part 1: Project Manager - Cyber Defender: Pre-empting the Constant Attack on Project Information Assets”, you are likely in agreement that Project Managers play an important part as cyber defenders on the projects they lead.
Now the next challenge…what to do? As a Project Manager (PM), you are a practiced professional, constantly dodging all types of attacks that could sideline your project. Cybersecurity, and the implications of its destructive capabilities, is yours to manage alongside every other aspect of the project. As PMs, we must profoundly comprehend that evil-doers pose an unnerving threat to the staff, budgets, and information managed on projects daily.
Here are five best practices to implement as part of your approach to manage cybersecurity and cybersecurity threats in your project:
1. Educate project teams, stakeholders, and partners regularly. Training, training, training… We can’t emphasize this enough. This is not just PMs getting trained on cybersecurity; it entails all project stakeholders. It's known that 90% of cyber-attacks are successful due to human error, and this error is due to insiders (not bad actors outside the organization). And it’s not a one-time effort: it takes frequent reminders and updates to keep pace with the constantly changing cybersecurity landscape.
2. Highlight the importance of cybersecurity awareness. Intentionally manage a proactive approach to cybersecurity in your project(s) and across the organization. Promote a culture of investment in, and importance of, your cybersecurity strategy. Ensure team members know what a cybersecurity incident looks like and how to report and follow up on one. (Example: The 2019 Verizon Data Breach Investigations Report confirmed that nearly one-third of all cybersecurity breaches involve phishing. Be careful what you click! This relates to the point above on the relationship between cyber-attacks and human error.) One great way to do this is by hosting team lunch & learns, as they not only dedicate time to conveying the information but are also a great opportunity for team building.
3. Inform your team of cultural expectations, processes, and policies for securing devices and digital presence. Understand your organization’s cybersecurity posture to defend against future attempts to intrude into your network and systems. The concept goes beyond PCs in the office and office-provided laptops. It includes personal cybersecurity hygiene covering personal electronic devices, cell phones, social media posts, the use of Wi-Fi hotspots, etc.
4. Build a relationship with your IT staff and ask questions. Get to know your IT department director, manager, and staff. This is your ‘front line’ of defense. Understand where and how project data is stored and managed. Understand COOP (Continuity of Operations) plans. Familiarize yourself with data redundancies and off-site backup strategies. Know your organization’s incident response plans and ensure the team knows how to follow them. Also, engage the IT team early in your project life cycle; don’t wait until it’s time for production or the implementation phase of the project. If you delay, you may not be able to meet your production or implementation deadline requirements.
5. Actively engage in increasing your project team’s cybersecurity awareness. As the PM, manage the team’s awareness of current cybersecurity news and activity. Support training and education, including processes, in the areas of cybersecurity and risk management. Cyber-attacks are here to stay, but this doesn’t mean cybersecurity needs to be at risk for your projects or your organization.
In conclusion, thank you for being up for the challenge! The key to reducing cybersecurity risk is planning for it as part of managing the project. As PMs, we are responsible for being cyber defenders on the projects we lead. So, what's next? Consider ways to implement the best practices we shared in your project management approach to best manage cybersecurity and cybersecurity threats in your projects. Not only does this add value; it is invaluable for your projects and organization in today's era.
Read Part 1 of this article.
About the Authors
Chris Andrews is a cybersecurity consultant, speaker, author, and knowledge management mentor with more than 30 years of experience leading small to medium-sized projects spanning multiple industries globally and delivering services for the federal government inclusive of the DoD and for public and private sector organizations. He currently works as a cybersecurity threat analyst (contractor) for the U.S. Department of Defense.
Susan Parente is a project engineer, consultant, speaker, author, and mentor with more than 25 years of experience leading software and business development projects, including large, complex IT software implementation projects, and establishing Enterprise PMOs in the public and private sectors, including the DoD and other federal government agencies. She is a co-author of “Global Hot Spots: How Project and Enterprise Risk Management Practices Drive Business Results Around the World” and “Hybrid Project Management: Using Agile with Traditional PM Methodologies to Succeed on Modern Projects”.