Happy Together: Security Professionals and Project Managers

August, 2007

In response to today’s increasing threat levels, many companies are increasing their investments in security. Yet many of these same organizations find that their security programs are not effective, as witnessed by the many high-profile security incidents reported by commercial and governmental organizations over the past year.

One important reason that security programs are ineffective is that executives have not fully embraced security as an essential element of project management. Vulnerabilities are often introduced into the organization when things change, and organizational change is generally accomplished by means of projects. Therefore, an important element of project management should be to address the security implications of the changes that are being introduced.

This Research Byte is a summary of our full report, Making Security an Integral Part of Project Management.

In most organizations, the security program and the project management function are unrelated. In such organizations, project plans do not include security requirements, and if security requirements are addressed they often appear much too far downstream. This is not to say that project managers (PMs) do not understand the need for security, but they are often at a loss as to how to integrate security requirements into the project planning process. This is often true even among organizations that have formalized their project management function into a project management office (PMO).

Perceptions and Relationships
When asked whether PMs have a good understanding of security requirements, the majority of our respondents replied in the negative. However, project managers are the least pessimistic about their own knowledge. On the other hand, security professionals have the least confidence in their PMs’ understanding of security. Although there are variances in the confidence level shown by the three groups polled, one thing is clear: they agree that there is a knowledge deficiency on the part of project managers when it comes to security.

Figure 1: Happy Together: Security Professionals and Project Managers

The full version of this report examines the role of security in project management, and how these two disciplines are viewed by security professionals, PMs, and other corporate personnel. Additionally, it reviews the impact that security can have on project management practices.

Computer Economics Viewpoint
Security vulnerabilities are often introduced when changes take place in the organization’s business processes, systems, or facilities. Since these organizational changes are implemented through projects, it is essential for the security program to be tightly integrated with the project management function. However, our survey data shows that many organizations still have a great deal of work to do to ensure that security requirements are integrated into their project management activities.

While there exists some understanding on the part of PMs as to what needs to be done from a security standpoint, detailing these requirements in the project planning process can be a daunting task for them. Security professionals must educate their PMs as to what needs to be defined from a security perspective, and how best to incorporate the requirements in the project plan. This will mean that security requirements must be considered as part of every project plan.

Conversely, a better understanding of the project management discipline on the part of security professionals can smooth this integration by developing an appreciation of the tools and mechanisms employed by project managers. Simply providing a list of things that must be done does not aid the project team in determining how to achieve these goals in the context of the project.

At a minimum, organizations should require basic training in security for all of their project managers. Likewise, security professionals should receive at least a basic course in project management. In addition, some organizational changes may be necessary to tighten the connection between these two disciplines. Although it may not be appropriate to have security professionals report directly to a PMO, it may be worth considering a dotted-line relationship. Representatives from the security program should also play a role in the governance of projects, such as executive steering committees.

Building a tight relationship with project managers is probably the greatest opportunity that exists for security professionals to improve the effectiveness of their security programs. While this may not address existing security shortcomings, it does provide a means of ensuring that all new business initiatives will meet current and future security requirements.

Contributing research analysts Ron Collette and Mike Gentile participated in the survey design and analysis of the survey results for this article. They are co-authors of The CISO Handbook: A Practical Guide to Securing Your Company, published by Auerbach.

This Research Byte is a brief overview of our report on this subject, Making Security an Integral Part of Project Management. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website at https://avasant.com/report/making-security-an-integral-part-of-project-management-2007/.