A presentation on how project managers should consider cybersecurity in their project delivery activities. Delivered at the PMI-SOC Cybersecurity workshop on September 26th, 2015, in Toronto.
2. Why Are We Here?
• Security is the new black
• Security is an issue of technical debt
• Challenges
– How to Deliver "Secure"
– How to Deliver "Securely"
– How to Deliver "Security"
Cybersecurity & Project Management - PMI-SOC
Sep 26th, 2015
4. About this talk
• Take a look at where things can go wrong
– Put things into context…
• Please “do” security early!
– Cheaper (maybe)
– More predictable
– But beware externalities…
• SDLC Security != Project Security
• Slides will be up at
http://www.slideshare.net/fsmontenegro
7. Human Triggers/Motivation
• “Just get it done…”
– Project Management -> …as planned
– Business -> …to get functionality. [What details?]
– Technical -> …and move to the next task. [What impact?]
– Security -> …so it doesn’t expose us. [What impact?]
– Vendors -> … to keep business going.
• Beware Underlying Economics
• Externalities:
– security imposing controls
– business underscoping actual risks
• Moral hazard:
– Undue assumptions about risk model
14. Project Phase: Closing
• Decommission
– Lost Data
– Information Wipe
• Cancel Accounts, Change Passwords
• Transition to Operations
– Security Operations
15. Security Impact on Constraints - Scope
• Need to understand security across deliverable
• Fixing vulnerabilities adds to scope
• Compliance mandates affect scope
– PCI DSS
16. Security Impact on Constraints - Time
• Extra time to review/fix security findings
• Extra time to find out how things work
• Time pressure to share info
– Externals
17. Security Impact on Constraints - Quality
• Security is a “latent construct”
– Can’t be observed directly, only inferred
• QA != Security
– But can really help…
• Measuring Security is Expensive/Uncertain
– Vulnerability Assessment
– Penetration Test