Navigating Your Cybersecurity Projects Through Challenging Times
Are you struggling with managing your cybersecurity projects? Are you facing challenges during your project and don’t know how to deal with them?
We’ve put together several common cybersecurity project challenges and propose solutions for what you can do about them.
- Lack of prioritization across projects
- No clearly-defined scope
- Poor communication
- Strategic misalignment
Disclaimer: In this article, we focus on several commonly cited challenges that can occur during cybersecurity projects. This list is not meant to be exhaustive and is intended for guidance only.
Challenge #1: Lack of Prioritization Across Projects
“Prioritization at a strategic and operational level is often the difference between success and failure. But many organizations do it badly.” (Harvard Business Review, 2016)
Cybersecurity project managers often complain about the seemingly infinite number of projects they must manage within a year… rightfully so. In addition to the cybersecurity skills shortage, today’s IT and security professionals simply have too many priorities on their plate. And with too many priorities comes frustration, lack of focus, the feeling of being overworked and a greater risk of project failure.
It becomes less and less obvious which projects are really a priority for the organization, and which ones just create unnecessary burdens for your team. To avoid a lack of prioritization, you may want to ask yourself a set of qualifying questions before embarking on a new project.
Project Qualifying Questions:
- Does the project help me better protect my critical assets? If so, how?
- Does the project help me manage or mitigate my risks? If so, how?
- Does the project help me strengthen my current cybersecurity posture? If so, how?
- Does the project help me become more confident in my ability to face cyberthreats? If so, how?
- Does the project help me achieve my overall business goals? If so, how?
- Does the project help me meet my compliance requirements? If so, how?
- Is the project aligned with the overall cybersecurity strategy? If so, how?
- Will I be able to measure the return on investment (ROI) of the project? If so, how?
- Will I be able to demonstrate how the projects have positively impacted the organization to my boss/ executive management/ the board of directors? If so, how?
The more qualification criteria your cybersecurity project fulfills, the higher it should be on your priority list.
A “good” cybersecurity project is one that is directly linked to your overall business strategy, supports your principal objectives, effectively protects your organization from cyber risks and delivers measurable ROI.
Challenge #2: No Clearly-Defined Scope
Cybersecurity project managers will know that the scope of a project can change along the way, which can lead to frustration, misalignment or even project failure.
To avoid the phenomenon of scope creep, project managers need to determine, agree on and communicate the scope of the project early on. When defining your project scope, try to take as many elements as possible into account.
Project Scope Elements:
- Roles & responsibilities
- Tasks & subtasks
- Quality assurance
- Elements that are out of scope
For example, you may want to establish a work breakdown structure (WBS) that breaks your project down into several tasks, subtasks and related deliverables (see figure 1).
According to the Project Management Body of Knowledge (PMBOK), a work breakdown structure is a “deliverable-oriented hierarchical decomposition of the work to be executed by the project team.” Breaking down your project into a more digestible structure helps keep track of deliverables and illustrates the project flow in a more understandable, visual way for all parties involved.
Figure 1: Example of Work Breakdown Structure
With a properly-defined project scope from the get-go, including a clear work breakdown structure, cybersecurity project managers can prevent hiccups and scope creep before challenges unfold.
Challenge #3: Poor Communication
According to a recent survey by the Project Management Institute, 30% of all project failures are due to poor communication. In the same way, projects with effective communications are almost twice as likely to successfully deliver on project scope and meet quality standards.
What this means for cybersecurity project managers is that they must prioritize effective communication throughout the duration of the project. The longer poor communications linger, the greater the risk of project failure (see figure 2).
Figure 2: The Price of Poor Communication for Project Outcome
Cybersecurity project managers can facilitate effective communication by identifying and applying the 5Ws (Who, What, When, Where, Why):
- Who do you need to communicate to? Develop a list of all individuals who are involved in the project. All project-related information should be dispatched to the relevant parties. You may want to distinguish between individuals who need to be informed about all project developments vs. individuals who only need to hear about the big-ticket items.
- What do you need to communicate? For communication to be effective, it must follow a similar, easy-to-follow structure and contain relevant information designated to those who need to be informed.
- When do you need to communicate? Successful projects should follow a clear timeline for communications. Establish when and how often you need to spread information (daily, weekly, bi-weekly, monthly?).
- Where do you need to communicate? Depending on your company policy, you may want to share project-related information by email, via chat groups, via your file repository, etc. You can choose between electronic communications, phone communications and in-person meetings. You may also choose to communicate to managers/ team leaders only and let them dispatch the information to their teams.
- Why do you need to communicate? Clearly identify the purpose of your communications when distributing them. Are you sharing an update, are you requesting an action, are you seeking approval? The clearer you are about why you’re communicating, the more effective your messages will be.
Lastly, keep in mind that all communications need to be centralized for continuity and clarity purposes and that you have to stay consistent in your approach to communication throughout all cybersecurity projects.
Challenge #4: Strategic Misalignment
The more your cybersecurity project is aligned to your overall business strategy, the more effective it will be.
“Companies that align their enterprise-wide PMO (project management office) to strategy had 38% more projects meet original goals than those that did not. They also had 33% fewer projects deemed failures.” (PMI Pulse of the Profession Survey, 2017)
Unfortunately, many cybersecurity projects are treated as pure cost centers and as a “necessary evil” as part of corporate cybersecurity hygiene standards. Too often, projects are not aligned to what really matters for the organization – the cybersecurity strategy.
To avoid strategic misalignment, make sure to:
- Familiarize yourself with the overall cybersecurity strategy
- Identify the goals of the cybersecurity projects
- Verify whether the cybersecurity project goals are aligned with overall company goals
- If goals are aligned, proceed with the project
- If goals are aligned, evaluate the project legitimacy prior to kickoff
- Keep track of strategic alignment during the project
- Communicate strategic project results following completion
Following a simple strategy checklist before kicking off the cybersecurity projects will help prevent strategic misalignment further down the road.
Managing cybersecurity projects is no piece of cake. If you’re involved with planning your cybersecurity projects throughout the year, you will know that project hiccups or failures are not as rare as you may hope them to be.
Effective cybersecurity projects are prioritized in accordance with their impact on the organization’s cybersecurity posture and threat exposure, follow a clearly-defined scope from the beginning and are aligned to the overall business strategy and goals. Project milestones, deliverables and updates should be communicated regularly and according to pre-established parameters.
Following these four recommendations will increase your chances of delivering your cybersecurity projects with more ease and confidence.