Three Ways to Make Information Security a Habit During Project Management

With eyeballs rolling, they mumble, “Why do security people insist on stopping our projects?”

As information security (IS) professionals, we have seen this response from project managers (PMs), developers, and fill-in-your-favorite-role-here when we have derailed a project due to an unplanned InfoSec issue.

What is an InfoSec Professional to Do?

Police chiefs don’t lock our car doors, nor do CISOs read application teams’ code. Because InfoSec is a lifestyle, not an event, we need a security culture. It takes a village. After reading this post you will have three tips for infusing security habits into a village of project managers.

1. Make it easy. According to BJ Fogg, Ph.D., founder of Persuasive Tech Lab at Stanford University, we are basically lazy. Want to make IS easy (or at least easier) for non-InfoSec professionals? Think like Jeopardy!’s Alex Trebek and get the participants to “ask the question.”

Start with your written InfoSec policies and standards. Summarize one or two into a question and work with your Project Management Office (PMO) to include the questions in a new project checklist to provide guidance.

  • Building a mobile app? Refer to “Vulnerability Scan Standard.”
  • Outsourcing or working with third parties? Refer to “Outsourcing and Third Party Policy.”

2. Make it simple. Did you know that InfoSec training and experiences may yield Continuing Education Units (CEU) for certified project managers? For example, certified Project Management Professionals (PMP®s) may be eligible to earn CEUs if the InfoSec training meets the Project Management Institute’s criteria. Risk management is a knowledge and skills area for the institute, and PMPs need to recertify every three years. If you help PMP®s make that connection, it may mean reduced training costs and time, enhanced careers, and stronger InfoSec advocates; all factors in creating habits and a culture of village security.

3. Make it rewarding. Have a “Village Citizen of the Year”? Recognize her. Does a PM role model a good InfoSec practice? Take five minutes to recognize the specific behavior (example: uses the PMO “New Project” checklist to identify new mobile apps that require vulnerability scans). Fogg identifies “pleasure” (think: a positive recognition email to the boss) as a core motivator for changing behaviors.

What Next? Start Small. It is as Easy as 1…2…3

  1. Ask your PMO or individual PMs if a Jeopardy! approach would reduce project derailments and make InfoSec adoption easier. Then start with one question for the most frequently overlooked InfoSec standard or policy.
  2. Have an upcoming InfoSec event or activity where InfoSec learning may occur? Include in your invite: “Did you know that some InfoSec training may serve as CEU for certified or wannabe-certified project managers? Click PMI certifications to learn more.”
  3. Add a five-minute invite to your calendar to “Recognize PM once a month.” Example: To: Boss, cc: PM; “Just wanted to recognize PM for role modeling fill-in-the-blank InfoSec practice or attitude! Our organization, teams, and customers are better because of it. Great job, PM!”

Sources: BJ Fogg, Ph.D.; PMI

Luanne Spiros, CISM, PMP

[ISACA Now Blog]

Copyright © 2006-2022 Philip Hung Cao. All rights reserved