Whether you are working on a new IT initiative in government or you’re a seasoned project manager, at some point you will probably need to work with your agency’s Information Security team. These teams have a huge responsibility on their shoulders because they are ultimately responsible for ensuring that all new programs do not adversely affect the security posture of the organization. For that reason, they can be perceived as difficult to work with, or it may seem like they are there to slow a project down.
But, in reality, they are there to ensure that your project or program isn’t susceptible to hackers, can be recovered during a disaster, and doesn’t expose any confidential data. I asked our staff to provide helpful suggestions on how to improve the interaction between project management and security teams, and they came up with several great tips to make your next project a breeze when it comes to information security.
Get The Security Team Involved On Day One
This is the most important factor to ensure your success, yet I cannot tell you how many times I have heard the phrase, “just have security look at that before it goes live.” (Even typing those words makes me cringe.) Having a member of the Security team on your project from inception will help ensure that security isn’t applied as an afterthought, and it drastically reduces your risk of a schedule slip caused by the work needed to give the solution proper safeguards. A related requirement is to connect us with the vendor’s Information Security professionals (not the sales person!) as soon as possible, so that we can talk on a technical level about the work that must be completed before launch.
A project manager may not have a background in Information Security, but we still hope they will ask a lot of questions regarding the security of the product or service being implemented. The discussion that ensues will help the PM understand how to make the product as secure as possible while it still performs the functions it needs to perform. Most importantly, we won’t ever get upset at anyone for asking security questions; it shows that they care, and it may even bring up topics the Security professional had not anticipated.
Ensuring that a product is secure can take a lot of time, and as the project increases in technical complexity, so does the number of technical safeguards that must be applied. IT Security team members understand that a project manager has deadlines to meet. We are working our hardest to ensure that those deadlines are met, but we need to be sure that the security is adequate for the risks the new project would incur.
This may be a stereotypical tip for almost everything, but “communication is the key.” The Security professional and the PM should be in constant communication with each other; even if it is just a call to ask how things are going, there needs to be daily communication between them. This expectation is a two-way street: it shouldn’t always be the responsibility of the project manager to reach out. If a Security task is completed, it needs to be communicated to the PM so that he or she can initiate the next milestone.
Don’t Be Afraid To Promote Security
These days, everyone is afraid that a higher project cost is going to raise eyebrows, and security solutions typically can add considerable cost to a project. However, many organizations are more than willing (and sometimes required by regulation) to protect the information they maintain. If a solution offers technical safeguards for the product, the service, or the data it retains, help us communicate that to upper management so that they can decide whether the cost is worth the reduced risk.
People usually roll their eyes at me when I ask, “Has IT Security been involved with your project?” You’ll notice that I say “been involved” instead of “reviewed,” because having the team genuinely included in your project will help ensure that security is one of its cornerstones while it stays on time and on budget. Ultimately, security is everyone’s job in the organization, and we’re all responsible for deploying safe and secure solutions, so these tips will not only help us do our job, but will help you do yours too!
Daniel Hanttula is part of the GovLoop Featured Blogger program, where we feature blog posts by government voices from all across the country (and world!).
Great tips, Dan!