Project managers and security professionals are both managers of risk. Project managers deal with a wide range of risks during the project life cycle, whereas security professionals focus on specific security risks, writes Alex Clayton.
Risk management is just one way for project managers to avoid the all-too-frequent problem of half-baked and costly security having to be thrown in at the last minute. The addition of ingredients too late in the mix tends to jeopardise all three principles of project delivery: time, cost and quality.
There are many other techniques, advice and activities that can be used to help project managers work with security professionals to mitigate their own project risks and deliver secure solutions in the most efficient way.
Education, education, education
If the security function has done its job properly it will have established and communicated the company's security policies. These mandatory requirements can be incorporated straight into the project plan.
Project managers need to understand the benefits of implementing good and timely security. Benefits include the prevention of "egg on the face" incidents, the mitigation of project risks and the reduction of cost. If someone understands why something needs to happen, they are more likely to support it.
Bake security into the project process
A pre-agreed process that caters for security removes any argument for its involvement. In this way, security will be a standard feature in every project.
Make liberal use of interpersonal spices
You should use all your pragmatism, as well as your negotiating skills and other people skills, to influence a project. No professional is properly equipped unless they have a spice rack of interpersonal skills guiding them through the minefield of human relationships.
The most successful project manager will be competent at engineering a win-win situation, for example, with all parties feeling they have come away with something positive.
Likewise, it may be possible to negotiate the implementation of a much cheaper security control in one area in exchange for additional security awareness to be plugged into the training programme later in the project. The project manager delivers the project under budget without reducing the overall security.
Don't do a Gordon Ramsay
Consider language, context and terminology when interacting with colleagues. A good communicator is one who is able to gauge the audience and shape their ideas, thoughts and words so that the recipient clearly understands what is being said. For example, "risk" is a word understood by most professionals and this shared vocabulary can be used to cut across different communication barriers. The Gordon Ramsay style of communication is not recommended.
Ingredients cost money
Oscar Wilde once said, "When I was young I used to think that money was the most important thing in life. Now that I am old, I know it is." Money is important, and every project has limited amounts of it. Kneading security into the requirements at the beginning of the project is far cheaper that retro-fitting it at the end. This is a compelling argument for project managers who are managing finite budgets.
Security is a key ingredient in the recipe of project delivery. It helps the project manager bake a pie that is tasty, cooked for the right amount of time, worth every penny and not going to repeat.
Alex Clayton, CISSP, is a security and continuity manager at 3i.