Back in my days of military service I used to enjoy reading a regular aircrew magazine feature entitled “There I was at 30,000 feet.” It consisted of shaggy-dog stories of hard-learned lessons where process had broken down and a pilot would find himself upside down with only one wing left and the seat of his pants to get him home safely.
While most of my work in Information Security is ground based and non-lethal in its outcome, I still find it important – no, essential – to follow a process. It’s those times when the process breaks that security is usually also found to be broken. I’ve recently found myself following the Global Project Management Methodology (GPMM). I have to admit that this was imposed upon me when I commenced my job here, and it’s fair to say that I resisted. Slowly but surely my resistance has been worn down, and I’m now finding it to be an essential part of managing the governance programme that I’m imposing on the business.
Clearly, any methodology could have been selected. Prince, for instance, would have been just as valid to use; the particular choice is not so important so long as some formal process is followed. One thing GPMM does do is immediately provide me with a measurable metric that I can report against on a regular basis. Even if your security programme is not mature enough to report anything else, GPMM gives you a way to measure your progress against milestones and indicate success (or not).
Using GPMM also forces me to set realistic timeframes and targets for my programme and to estimate how much of my time can be assigned to achieving each of the milestones. With this level of detail documented, new and ad-hoc tasks can be scheduled more easily, and management’s expectations of when they will be delivered can be managed.
There is a risk of becoming fixated on the plan to the detriment of action. It’s also important to treat plans as a continual process of development rather than a fixed artefact. My governance, and consequently my leadership and management, are all benefiting from following a formally defined project management methodology. I recommend it.