From My Perspective: The Need for Strategic Project Management on Large InfoSec Implementations

By Steve Szewczyk

For a majority of Information Security professional services engagements, a classical approach to project management suffices to provide tactical, transactional functions and ensures projects are delivered on time, on budget and as expected.

There are exceptions, however, where the deployment of complex Information Security implementations requires a more strategic approach to project management - a Program Management perspective - one that is based on relationships as much as true classical PM skills. 

The following information highlights a high-level, minimal approach required for a successful engagement. A link to the full white paper is available at the end for a more detailed review.

Classical Project Management

The Project Management Institute (PMI) defines a project as a “…group activity designed to produce a unique product, service or result… having a defined beginning and end time and therefore defined scope and resources.”

At FishNet Security, our Project Management Office (PMO) has defined our project management (delivery) process based on the PMI Project Management Body of Knowledge (PMBOK) framework and on the following activities that our Project Managers perform on larger engagements, at a minimum:

  • Project Initiation & Kickoff
  • Project Plan & Work Breakdown Structure
  • Issue & Risk Identification, Quantification & Mitigation
  • Management of Project Budget, Schedule, Deliverables & Change Management
  • Project Reporting with full visibility into scope, budget and schedule adherence
  • Project Audits & Milestone Management
  • Project Meetings & Stakeholder Communication
  • Project Close-Out & Final Deliverable Acceptance

This is a successful approach and enables the Project Managers to maintain clear channels of communication with our clients and the FishNet Security management team to help deliver project success.

Strategic Project Management

From my perspective, there are times when the deployment of complex Information Security projects, such as Identity and Access Governance (IAG), has a need for a more strategic project management approach, one that is based on “relationships” in addition to traditional project management skills and experience.

To achieve integration and control, relationships have to be established, nurtured and maintained; not just for the initial IAG deployment but for the life of the implementation. I classify these relationships as:

  • Business Relationships - Interpersonal relationships that need to be established and maintained among the various organizational units that will feed or benefit from the IAG deployment.
  • Process Relationships - Interdepartmental business process relationships that need to be defined via business process reengineering and maintained.
  • Technology Relationships - Intersystem technology relationships that need to be established and maintained because an IAG deployment will rely on new technologies to be deployed in addition to interfacing with existing systems and technologies.
  • Data Relationships - Interdepartmental data relationships that need to be defined and maintained since an IAG deployment will rely on data consistency across an organization.

Two takeaways from this relationship building discussion are the need for these relationships to be “inter” or among and the need for these relationships not only to be defined and established but also maintained.

A strategic approach to project management (Program Management) considers the definition, documentation and maintenance of these relationships to be an integral part of Integration Management in addition to Organizational Change Management and establishing a governance process.

Evolution of these relationships is a recurring process throughout the IAG lifecycle and is continually revised and built upon to establish a framework for Program Management as the client’s IAG core competency matures. This framework is reflected in the following diagram:

In closing, a strategic approach to project management focuses on the bigger picture and the decisions made within that bigger picture, not just the immediate Statement of Work. This approach of taking the enterprise or “inter-prise” perspective to complex information security deployments like IAG moves the strategic project manager into more of a program manager role to address the multiple aspects - people, process, technology, data and opinions - that must be defined, managed and controlled.

For more detailed information on how to improve the success of your projects, download the free white paper.