Three Ways to Make Information Security a Habit During Project Management



With eyeballs rolling, they mumble, “Why do security people insist on stopping our projects?”

As information security (IS) professionals, we have seen this response from project managers (PMs), developers, and fill-in-your-favorite-role-here when we have derailed a project due to an unplanned InfoSec issue.

What is an InfoSec Professional to Do?
Police chiefs don’t lock our car doors, nor do CISOs read application teams’ code. Because InfoSec is a lifestyle, not an event, we need a security culture. It takes a village. After reading this post you will have three tips for infusing security habits into a village of project managers.

1. Make it easy. According to BJ Fogg, Ph.D., founder of Persuasive Tech Lab at Stanford University, we are basically lazy. Want to make IS easy (or at least easier) for non-InfoSec professionals? Think like Jeopardy!’s Alex Trebek and get the participants to “ask the question.”

Start with your written InfoSec policies and standards. Summarize one or two into a question and work with your Project Management Office (PMO) to include the questions in a new project checklist to provide guidance.

Examples:

  • Building a mobile app? Refer to “Vulnerability Scan Standard.”
  • Outsourcing or working with third parties? Refer to “Outsourcing and Third Party Policy.”

2. Make it simple. Did you know that InfoSec training and experiences may yield Continuing Education Units (CEU) for certified project managers? For example, certified Project Management Professionals (PMP®s) may be eligible to earn CEUs if the InfoSec training meets the Project Management Institute’s criteria. Risk management is a knowledge and skills area for the institute, and PMPs need to recertify every three years. If you help PMP®s make that connection, it may mean reduced training costs and time, enhanced careers, and stronger InfoSec advocates, all of which are factors in creating habits and a culture of village security.

3. Make it rewarding. Have a “Village Citizen of the Year”? Recognize her. Does a PM role model a good InfoSec practice? Take five minutes to recognize the specific behavior (for example, she uses the PMO “New Project” checklist to identify new mobile apps that require vulnerability scans). Fogg identifies “pleasure” (think: a positive recognition email to her boss) as a core motivator for changing behaviors.

What Next? Start Small. It is as Easy as 1…2…3

  1. Ask your PMO or individual PMs if a Jeopardy! approach would reduce project derailments and make InfoSec adoption easier. Then start with one question for the most frequently overlooked InfoSec standard or policy.
  2. Have an upcoming InfoSec event or activity where InfoSec learning may occur? Include in your invite: “Did you know that some InfoSec training may serve as CEU for certified or wannabe-certified project managers? Click PMI certifications to learn more.”
  3. Add a five-minute invite to your calendar to “Recognize PM once a month.” Example: To: Boss, cc: PM; “Just wanted to recognize PM for role modeling fill-in-the-blank InfoSec practice or attitude! Our organization, teams, and customers are better because of it. Great job, PM!”

Sources: BJ Fogg, Ph.D.; PMI

Luanne Spiros, CISM, PMP

[ISACA Now Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years' experience in ICT/Cybersecurity industry in various sectors & positions.
