Coordinating a Successful Information Security Project Management Plan
This article is part 2 of our series “A Comprehensive Guide to Planning Your Cybersecurity Projects”. Read part 1, “5 Benefits of Project Management for Cybersecurity”.
Are you struggling with managing several cybersecurity projects at the same time? Would you like some guidance when selecting the “right” cybersecurity projects for your business context? Do you have a feeling that you could manage them more effectively, for your own sake and for the sake of your organization?
If you’ve answered yes to any of these questions, we’ve compiled several best practices that can help you manage your cybersecurity projects more effectively:
- Secure executive buy-in
- Align with cybersecurity strategy
- Define SMART goals
- Assign a project manager
- Manage your risks
- Measure your progress
- Evaluate return on investment
*Disclaimer: In this article, we focus on some of the most commonly cited benefits of project management within the cybersecurity context. This list is not meant to be exhaustive but is intended for guidance only.*
Best Practice #1: Secure Executive Buy-In
Related Post: How to Pitch Cybersecurity to the Board
“Organizations that create a deeply rooted culture of security and accountability from the top down will be able to withstand the persistent, dynamic nature of today’s ever-expanding, global cyber threats.” – Securing Executive Buy-In as the Cyber Security Threat Landscape Expands. Information Security Forum (ISF)
Managing a cybersecurity project without executive buy-in is like building a house without the signoff of the homeowner… risky.
Executives and members of the Board of Directors are becoming more and more involved in defining the overall cybersecurity strategy of the organization. Most of all, they need to know what their organization’s current security posture is, whether it is exposed to risks (yes, we all are!) and what can be done to strengthen their defenses and protect their valuable assets against security incidents and data breaches.
If you’re managing the cybersecurity projects in your organization, make sure that your executive team is fully briefed about your projects and is aware why you’re taking them on. By getting executive buy-in for your projects, you are more likely to get the budget you need and build the necessary trust to continue them on a recurring basis.
Best Practice #2: Align with Cybersecurity Strategy
A successful cybersecurity project is aligned to the overall business strategy and goals.
IT and security professionals are facing endless possibilities when it comes to the latest and greatest new security technologies, processes and services. Selecting a cybersecurity project that brings measurable results and strengthens an organization’s security posture can be as hard as finding a needle in a haystack.
The more your cybersecurity project is aligned to your overall cybersecurity strategy, the more successful it will be. Before deciding on a new project, make sure that it:
- Protects your most critical assets
- Strengthens your overall security posture
- Decreases your exposure to cyberthreats
- Helps you manage your risks more effectively
- Brings measurable return on investment
- Focuses on security controls that make sense for your business context
If you don’t have a proper cybersecurity strategy in place, be sure to prioritize drafting a strategy before embarking on specific projects.
Best Practice #3: Define SMART Goals
A cybersecurity project is more likely to succeed if it has clearly-defined SMART goals.
A SMART goal is an objective that a company sets to lead their projects in the direction of what they’d like to accomplish. SMART goals need to be specific, measurable, achievable, relevant and timebound.
- Specific: Your goal is defined as much as possible (who? what? where? why?).
- Measurable: You can track the progress of the project and measure its outcome (how?).
- Achievable: Your project is reasonable enough to be completed within the specific timeframe and with the available means (personnel, budget, equipment).
- Relevant: Your project is worthwhile executing and will help you get closer to your goals and address your challenges.
- Timebound: Your project has a clear start and end date, as well as milestones to monitor performance along the way (when?).
Figure 1: SMART Goals
Examples for SMART cybersecurity projects include:
- Strengthen your cybersecurity by 10% within 12 months
- Launch a company-wide employee security awareness initiative by March 2019
- Meet annual PCI compliance requirements with regular security testing
- Implement security controls that will mitigate your 5 biggest risks
Best Practice #4: Assign a Project Manager
A cybersecurity project is just as good as the project management team behind it.
Related Post: 5 Benefits of Project Management for Cybersecurity
A dedicated project manager is essential for making sure that your cybersecurity project is well executed, remains within budget and sticks to the agreed-upon schedule. IT and security professionals are often too busy with day-to-day responsibilities to dedicate enough time to managing their cybersecurity projects closely.
A solid project management practice will alleviate some of their burden, track project performance and keep all involved parties informed about the project outcome. Too often, cybersecurity is still seen as a “necessary evil”, a cost center that does not contribute to the bottom line and does not deliver adequate return on investment.
A project manager can help define how your cybersecurity project has actually contributed to the continued success of your organization, which challenges were addressed and how your cybersecurity posture was strengthened as a result of the project. The project manager also optimizes resource allocation and facilitates continuous improvement efforts.
Best Practice #5: Manage Your Risks
For a cybersecurity project to be successful, it must identify, evaluate and manage the various risks associated with the project.
According to the Project Management Institute (PMI), a risk is “an uncertain event or condition that, if it occurs, has a positive or negative effect on a project’s objectives”. Basically, a risk can be anything that could potentially affect your project’s timeline, performance or budget.
You may want to ask yourself a couple of key questions before kicking off your project:
- Risk event: What might happen before, during or after the project that could affect its success?
- Risk type: Are these risks internal risks or external risks?
- Risk timeframe: When are these risks likely to occur?
- Risk probability: What are the chances of the risks happening?
- Risk factors: Which events might forewarn or trigger the risk event?
- Approval instance: Who can approve proceeding with the project, despite the identified risks?
Having a clear idea of your risks will not only help you manage your cybersecurity projects more effectively and securely, but also avoid potential pitfalls down the road.
Best Practice #6: Measure Your Progress
You may very well know that your cybersecurity project is on the right track, but you should not forget to document your milestones and measure your progress along the way.
Long-term cybersecurity projects can be overwhelming as they involve many different resources, can take up a lot of your time and eat up your IT security budget. IT and security professionals are often so overwhelmed with their workload that they just want to “get it done” as best and quickly as possible (and they’re not to blame!).
However, your cybersecurity project should be executed according to a clearly defined plan with concrete milestones every couple of days, weeks or months. This will help your project management team measure your progress against the initial plan, identify shortcomings and accelerate project tasks if need be.
Communicating your project performance to all necessary stakeholders at each milestone will improve clarity and increase confidence in the success of the project.
Best Practice #7: Evaluate Return on Investment
Once your cybersecurity project is completed, you will need to demonstrate its return on investment (ROI) for your team, department or the organization as a whole.
Related Post: How to Optimize Your Security Spend for Maximum ROI
Now is the time to revisit the SMART goals you established at the beginning of your project and evaluate whether you were able to meet them or not. Evaluating your return on investment after a cybersecurity project will not only help you assess project performance, but also pave the way for seeking additional funds going forward.
- For example, you may have improved your cybersecurity posture by 10% following a cybersecurity posture assessment, which may legitimize additional funds for similar projects in the future.
- You may have conducted a penetration test of your environment, which identified several critical vulnerabilities that may have opened a door for hackers.
- You may have started monitoring your environment on a 24/7 basis, which helped avoid 2 critical security incidents that could have cost you hefty fines, reputational damage and operational downtime.
Tip: Remember to share your findings with your executives and the board. Chances are, they will be especially interested in finding out how your cybersecurity projects have contributed to the continued success of your business.
Managing the cybersecurity projects for your organization can be quite overwhelming. To make sure that your projects are as effective as possible, there are several best practices that you can follow.
Once you have executive buy-in for your cybersecurity project, make sure that it aligns with your overall cybersecurity strategy and has clearly defined SMART goals. Then, assign a project manager to ensure smooth project execution, manage risk and improve project performance. Remember to monitor your progress consistently to uncover potential setbacks and keep the project on track and, lastly, don’t forget to evaluate your project’s ROI to secure future investment.
If you follow these basic principles, your cybersecurity projects are well on the way to becoming as effective as they can be.