How to Make Your Cyber Security Projects Succeed
Most of us have been there. There’s a big cyber security project underway, and it isn’t going well. You sit down and try to reason out how it got to this state. Back in the day, it would often be because security technology just didn’t live up to its promise: some load balancers and NAC systems from 8-10 years ago come to mind. Sometimes it’s a lack of buy-in and support from executive leadership and all stakeholders. Other times it’s a lack of the appropriate skill set and expertise, or a lack of proper planning.
What can you do to ensure your cyber security projects succeed?
Executive Support and Buy-In
You must start with a solid business case for the project you want to undertake – otherwise, why is it even on the radar? The business case should begin with the value of assets at risk; analysis and determination of attack vectors that can put that value at risk; and then research into security controls that mitigate that risk.
Perhaps you have data stores of PII/PHI/PCI data that you value at $3.5M should a data breach occur (a modest estimate, given the breach cost estimates we’ve seen in the news so far this year). You determine that if you deploy and manage Carbon Black Defense and Response, you could spot APT activity that may put that value at risk, in addition to gaining resources for Threat Hunting. For an initial cost of $150,000, you could reduce the probability of breach of that data from 27% to less than 5% over the next 24 months. That’s a pretty strong business case.
Now the CFO is interested. It’s quite important to get C-Suite business sponsorship from the beginning, setting expectations as to the level of participation that’s needed from them. Policy needs to be updated to include your new initiative as a system build requirement. Administration of the new systems is needed – consider outsourcing this to MSSP experts for an improved ROI. Have your C-Suite sponsor sit in on project meetings weekly and note the improved diligence in all the stakeholders.
As a side note: something we’ve seen in the past 5+ years is a growing divide between corporate SOCs and engineering teams. This is a cultural aspect of having engineers that ultimately report to the CIO while the SOC should report through a CISO to a CFO or CEO. The CIO wants to innovate and bring business value, not invest in protecting things that already exist. Having C-Suite business sponsorship is one way to overcome this: stakeholders play more nicely with each other with a C-Suite audience. Keep a timeline with specifically assigned tasks and hold those people accountable for their timeline obligations.
Have Project Management Experts
Many times, engineers and analysts are put into a project management role where they have little background. While it would be delightful to have a PM embedded in your SOC environment, you may have to use managers that report through Service Delivery, which delivers all IT projects – once again the CIO plays a role.
Don’t use a general recruiter to secure PM talent, and invest in the development of your project managers. It may seem costly on the front end, but it helps ensure your project’s success – would project failure cost more?
Of course, if you outsource to an expert-level MSSP, not only do you save in payroll and time-to-value, you get project management that has deployed the solutions you want many times over. It’s an important consideration.
If you’ve worked in web development – or any application development – you know that scope creep is a well-known aspect of project management. Avoid it; it extends timelines, creates colliding priorities, increases costs and threatens a project’s success.
If your project is an application development project, freeze the specification at some point until it is achieved. SDLC comes into play after initial development. If it’s our previous Next-Gen Endpoint Protection project, freeze the scope, create policy, send your people to training and simply deploy.
Whatever you do, make sure that you have Change Management in place. Especially during new deployments, it’s critically important to create records of changes being made, with clear back-out plans, approved by appropriate authorities. Don’t dig a brand-new hole that you can’t escape!
Staffing and Skillsets
Be honest about the weaknesses on your team. Secure the appropriate skillsets through training, new hires, or outsourcing. Once your new project is stood up, it won’t be of much value if it’s inefficiently or haphazardly administered.
What Threatens Your Cybersecurity Project Success?
These apply to any project, not only security.
- Expectations not aligned with the business
- Implementation before the project is baselined
- Inexperienced or untrained resources
- Inadequate Systems
- Inaccessible Systems
- Team Conflict
- Us vs. Them Mentality
- Misaligned Resources
- Changing Priorities
- Uncontrolled Scope
Dave Rickard is the Technical Director for CIPHER US.