(Post 7 of the 12-week Information Security Management blog series)
Thinking of information security as a single project can result in an ineffective security program that fails to properly address both security and compliance. Most business managers have little-to-no information security education, and they may not fully understand how to implement and manage cybersecurity. What many business managers do know, however, is project management. While many principles of information security and project management are similar, managers should consider security separately.
Project Management
The Project Management Institute defines a project as having defined starting and end points. Projects are initiated, planned, developed, implemented, reviewed, and closed. They are limited in scope and should result in accomplishing a specific goal. A project should have clearly defined requirements with measurable deliverables and should end with the product that the project was intended to produce.
A Security Project
A cybersecurity program involves developing policies, analyzing risk, selecting and implementing security controls, validating controls, training, and auditing, as well as periodically reviewing all of these. While these tasks may seem like the parts of a project at first glance, making that connection would be a fallacy. It assumes that there is a final result to be had, such as absolute security or complete compliance with federal and local regulations.
Yes, if an organization doesn’t have a security program to protect its information, it has to start somewhere, but the program should never end. This is not to say that project management does not play a role in information protection and cybersecurity. It simply must be applied at a different level.
Combining Project Management and Security
True security and compliance are unattainable. An organization can only be truly secure and compliant at specific points in time, so security and compliance must be continually maintained. Try thinking of cybersecurity as a circular process that involves many recurring projects. For example, the following are several important recurring tasks that are part of an overall cybersecurity program:
- Security policies must continually be created, reviewed, and revised.
- Disaster recovery and business continuity plans should be tested, reviewed, and revised regularly.
- Change management should constantly evaluate the risk and benefits of each software, hardware, infrastructure, or data change.
- Vulnerability analysis should be conducted regularly because new vulnerabilities are found every day.
- Security controls should be regularly tested to ensure they still have their intended effects.
- Assets change constantly, so asset identification and prioritization should be repeated at regular intervals.
- Threats and risks change as technology changes, so risk analysis should be conducted every few years to capture these changes.
- People forget what they have been taught and become complacent, so user awareness training should be conducted regularly.
Reducing cybersecurity to a single project can result in failing to properly manage it. Information and computers need to be continually secured. To implement a security program that continues to benefit your organization, address the individual supporting programs and tasks as recurring projects, but make cybersecurity itself a core business function. It should be treated as a critical program that is continually addressed, properly funded, and fully supported by management.