Cyber Security Projects

July 2018

Cyber Security is the current hot topic of the day. It is hard to pick up a newspaper, watch TV, or listen to the radio, without hearing about some corporation who has had their data hacked, and perhaps shared to the world. Out of ear shot, however, are countless more stories about corporate attacks that encrypted hard disks or LAN shares, demanding payment to restore service. Other types of attacks are becoming all too commonplace. Needless to say, most corporate executives are concerned, scared, or both at the same time. Cyber Security programs have sprung up out of nowhere, obtaining funding in large quantities from nervous governing boards, often with little need for hard justification. However, this funding comes at a price: execs want assurances that all corporate assets will be safe, if the provided funding is put towards Security. Managing a Cyber Security project, from a project manager perspective, has some characteristics that make them both a challenge and a joy to manage at the same time. These characteristics are:

High Profile within the Corporation

Competition for resources, while fierce within a corporation, is a non-factor for a Cyber Security project, unless the other competing projects are also Cyber Security Projects. However, most often, all Cyber Security projects are wrapped up in a Program, and quality resources are most often supplied to this very important program. Quite often, the project team is made up of ‘A’ team members. High-performing staff often request to be assigned to high profile projects, where the risks are great and many, but the career rewards are also abundant. Managing a whole team of people who are normally the best resource on past projects can be a challenge. PMs must have the ability, or learn very fast, to manage egos in order to form these A-listers into a well-oiled machine.

Leading Edge within the Industry

This is certainly a double-edged sword. Having a robust Cyber Security Program may attract quality candidates from within the organization, or quality security candidates from other organizations. Other organizations with strong Cyber Security Programs also tend to attract people from your own organization. Security conferences, seminars and even training courses, while meant to strengthen skills and perhaps even reward exceptional performance, can also be fertile recruiting grounds for other organizations. In any geography, there seem to be a finite number of skilled individuals an organization needs, and for reasons unknown, there seems to be not enough of them to go around for all who need them. Keep these folks engaged in your projects and make them feel valued. Money and certifications certainly do not hurt either. If you are not really nice to them, someone else will surely be.

Important to the Corporation

Cyber Security, as stated in the introduction, is important to the organization. Buying expensive technology, bringing in vendor expertise, and augmenting the project team seem (and in fact are) easier to justify and obtain than they are on non-Security projects. Escalations for things like getting Change Tickets scheduled ahead of others, approvals on Charters, Project Plans, and Change Requests jump to the top of the queue, provided they have the term Cyber Security somewhere in the email subject line. However, this too can be over-used, so using this special card only when you really need it, is the suggested approach. Escalating decisions or actions all the time, like the boy who cried Wolf, loses its effectiveness quickly. One word of caution: getting things done quickly is the hallmark of a Cyber Security project. Extending the project schedule without delivering additional value is often challenged. Extra attention to delivering on planned commitments, in both dollars and time should be at the front of a PM’s mind.

Important to the Corporation

One of the hardest things for a PM to do, especially when in front of peers (inside or outside of the organization) is to tell them very little about what you are doing. Your organization does not want you talking about security insecurities they have, no matter what your team is doing to make things more secure. Loose lips sink ships….good words to live by.