Security and Project Management, Convergence for Success

Author: Miki Calero, Information Security Senior, American Electric Power

Within the context of Security, the application of the term convergence is broad. Information Security and Physical Security convergence refers to both the combination of these two functions at an organization, and the merging of information and physical assets with technology solutions in support of Security [1]. Technology convergence points to the union of the actual information assets that the Information and Physical Security convergence assets are intended to protect, in support of—possibly converged—Information and Physical Security functions.

While the repetitive use of the term convergence in the above paragraph may have subliminally imprinted the subject of the article, caused blurry vision, or shortness of breath, it was merely intended as a segue to an equally suitable, Security context-specific application of the term: Security and Project Management convergence.

Security has Common Body of Knowledge (CBK) Domains; Project Management has the Project Management Body of Knowledge (PMBOK). Security Professionals use network diagrams to plan the protection of the connected information assets. Project Managers use network diagrams to display schedule activities and dependencies. Security Professionals start walking right foot forward, Project Managers left…

Closer scrutiny reveals common concepts (e.g. risk management), phases in one that invoke or should involve the other (e.g. requirements gathering), failures in the former attributed to the latter, and issues with x contributing to problems in y. The concept of Security and Project Management convergence capitalizes on these commonalities and offers a perspective for success: a basis for integration, union, and combination at the most fundamental level.

Sound Security Begets Successful Project Management

In their landmark CHAOS report (CHAOS) published in 1994, the Standish Group found that “only 9% of projects in large companies were successful” (the success rate increased to 16.2% and 28% respectively, for medium and small companies) [2]. The unsettling statistics did not end there. CHAOS established that “for every 100 projects that start, there are 94 restarts.” These restarts resulted in cost overruns, which the report captured as well: 178% for large companies, 182% for medium companies, and 214% for small companies.

Among the top three Project Success Factors, CHAOS listed clarity and completeness of requirements and specifications. Unfortunately, in the context of security, requirements and specifications are most often overlooked. This may in turn account for the estimated 92% of security vulnerabilities NIST [3] recently attributed to applications.

Convergence of Security and Project Management can eliminate project restarts and cost overruns caused by unmet security requirements. Based on Gartner’s [4] analysis, convergence can also improve the overall bottom line, since the cost of resolving security issues during development—the intermediate phase of projects—equals 2% of the total cost of resolving them after the project is complete.

Security processes and the project lifecycle, as an overlay to the Systems Development Lifecycle (SDLC), appear to be the optimal point for convergence. At this level, Project Managers can work with enough information to monitor and control projects effectively, without Security subject matter expertise.

They can remain in familiar territory, free to develop project tools that integrate Security (e.g. templates). They are able to adhere to project processes to communicate Security issues to project stakeholders and sponsors, based on the appropriate level of knowledge about Security.

The SDLC, the focus of current Security integration efforts, is not abandoned. It remains the detailed map used by Project Team Members (e.g. Developers) and by Security Professionals managing processes such as Risk Assessments and Security Testing.

Sound Project Management Begets Successful Security

The evolution of Project Management into a field of practice has taken place over the last 20 years. Under the sponsorship of the Project Management Institute (PMI) [5], project Knowledge, Skills, Tools, and Techniques (KSTTs) have been formalized.

With the explosion of the Internet and its quick adoption into business processes, Security has undergone a revolution. To formalize its own KSTTs under such time constraints, Security has leveraged existing standards and bodies of knowledge.

One sign of this adoption is the numerous references to the importance of Project Management to Security. The Information Security Audit and Control Association (ISACA) [6] elaborates on this point:

    Strong project management skills and effective tools are essential to the success of the overall security program. […] If the organization does not have an established project support function, the information security manager should employ generally accepted project management techniques, such as setting goals, measuring progress, tracking deadlines, and assigning responsibilities in a controlled and repeatable manner. This will help ensure that the security program’s design and implementation will be successful.

Higher learning institutions and security trade organizations have recognized this convergence and begun to add related courses to their curricula. The University of Houston offers a Master of Science in Technology Project Management with an emphasis in Information Security.

The SANS Technology Institute [7], whose list of degrees includes two Master of Science degrees in Information Security, considers Project Management in information technology one of six “management skills that are central to success in information security.”

The Security Industry Association (SIA) [8] offers training and designation as Certified Security Project Manager (CSPM). It characterizes the program as one that “promotes the professional accreditation of Project Managers involved in the design, specification, and management of security systems. This credential uniquely addresses the role of the Security Project Manager.”

Security and Project Management Convergence into the Future

Security and Project Management convergence is not explicit. Recognized and addressed in specific situations, to meet particular needs, or to support limited objectives, this convergence has not been the subject of a unified effort to formalize and standardize it; however, building blocks exist that can enable such an effort.

International and National Standards Organizations with documents that cover Security and Project Management—ISO/IEC 27001:2005 (ISMS), ANSI/PMI 99-001-2004 (PMBOK)—subscribe to the Plan, Do, Check, Act (PDCA) model. Two standards, one shared model. This is one commonality amid many others that discussion forums, knowledge centers, and communities of practice can review, capture, and evaluate.

As a Security and/or Project Management professional, create a wiki (e.g. wikipedia.org) or a “dot.org” / foundation such as the Open Web Application Security Project (OWASP) [9]. If you are a member of PMI, and are interested in the subject, advocate for a Security Specific Interest Group (SIG). As a member of Security and/or Project Management organizations, exert your influence: why not form a partnership along the lines of the Alliance for Enterprise Security Risk Management (AESRM) [10]?

[1] opensecurityexchange.org
[2] standishgroup.com (A company was deemed large if its annual revenue was greater than $500M, medium if revenue was between $200M and $500M, and small from $100M to $200M.)
[3] nist.gov (National Institute of Standards)
[4] gartner.com
[5] pmi.org
[6] isaca.org
[7] sans.edu
[8] siaonline.org
[9] owasp.org
[10] aesrm.org

© 2006 Miki Calero. All rights reserved.