According to Homer Simpson, there are three kinds of people: those who can count and those who cannot. I must be one of the latter because everyone says there are 10 areas of project management, but I count 12. Let’s see.

First we have integration, where all management is given meaning and a consistent approach. Then there is scope, which focuses on goals, what needs to be done to achieve them and how to do it. Then we have planning, cost management, and risk management, plus quality control, communications and resources (that’s eight). Let’s not forget stakeholders and suppliers, which brings us to 10. And last but not least, we have safety management and innovation management. Twelve in all.

Joking aside, security management and innovation management do not formally appear in their own right in project management frameworks such as the PMBOK and PM² (promoted by the European Commission). Nor do they feature prominently in agile approaches. And yet they are critical to a growing number of projects.

In this article we’ll look at security management, leaving innovation management for a follow-up piece.

Security management

Going digital brings endless opportunities and benefits, but it also makes organizations and users vulnerable to new types of cyberattacks. Mature organizations manage cybersecurity at the corporate level, providing the means for information assurance and business continuity, and training staff in the relevant procedures and best practices. But what about solutions developed internally or for third parties?

Security by default and security by design are two fundamental paradigms in information security. Systems must be designed so that they are secure without the need for additional user intervention (security by default). In addition, security is built into products by design, rather than being added later through third-party products or services (security by design). Both paradigms seek to ensure that systems are secure from the outset and throughout their life cycle. They therefore impact every stage of a project and all areas of project management.

• It must be ensured that tasks and procedures are defined to meet security and privacy requirements, whatever their nature (regulations, standards, customer requirements, etc.), from design to acceptance testing. Security measures must also be commensurate with threat scenarios and risk acceptance tolerance. In other words, it fully influences the project’s scope and risk management.
• Security tasks need to be planned (planning) and their labor and material costs taken into account (cost management).
• Appropriate quality control procedures must be put in place to deliver on the project’s goals, and the project must be audited (from a security point of view) at appropriate intervals.
• The project must have the right resources to carry out security tasks, which usually require a high level of expertise.
• In addition to the team’s own internal communications, the project may involve sensitive or even classified information, which affects the measures that must be taken to meet information security and privacy requirements. In these cases, we should not forget the importance of the Spanish Data Protection Act (LOPD) and the General Data Protection Regulation (GDPR).
• Suppliers also play a key role, as organizations often look to third parties for specialist solutions and advice, or outsource services such as their cybersecurity operations centers.
• Cybersecurity also has its stakeholders. There are many security-specific roles, including chief information security officer (CISO) and data protection officer (DPO), to name a few.

As we’ve seen, security management touches every area of project management in a specific way. So would it not make sense to treat it as a separate area in its own right?

The European Union Agency for the Space Programme (EUSPA) is strengthening the security of major European space programs such as Galileo and EGNOS.  This means that projects associated with these programs must ensure cybersecurity management and internal cybersecurity audits, and have people in charge of these tasks, who would be like the project manager and quality manager, but specifically for cybersecurity. GMV has been providing these services to these programs since 2013. Since then, the tasks and responsibilities of these roles have evolved as the security status of Galileo and EGNOS has matured, with more than notable successes for all parties involved.

Investment in cybersecurity is growing at double-digit rates every year, a symptom of the increasing number of cyberattacks, their consequences, and organizations’ awareness of the need to protect themselves. At the same time, society is moving towards a project economy, as opposed to the traditional operations economy. Digitalization, increasing exposure to threats and the project economy are more than enough reason to elevate cybersecurity to its own category of project management.

Author: Ángel Gavín