If you’ve worked in security for any length of time, you’ll have noticed that there is a vast range of security solutions in the market, and a never-ending supply of vendors ready to sell them to you. Such products are often cited as relatively straightforward to implement in your environment, with the claim that they will quickly solve your security needs. In my experience, the aspect that is often overlooked is how to integrate them into your environment, or how to deliver them effectively, and with minimal disruption to operations.
Security projects are frequently complex. They often involve new technologies or leveraging existing capability in a new way, or there may sometimes be a dependency on another aspect of technology for the product or solution to work. The security program delivery team looks at the broader picture, bringing together the various, disparate and sometimes dependent parts needed to deliver your chosen solution successfully. The importance of having a core security delivery team that implements multiple different security solutions in your organization via a cohesive security program shouldn’t be underestimated.
Here are five reasons why you need a program delivery team within your security function:
1. Organisational context
While your functional security teams have the depth of knowledge and experience in the particular solution they’re interested in, their main concern is what the product can do for their team. They are generally not aware of (or interested in) the other projects across the organization that may impact the delivery of their chosen product. They also won’t factor in the organizational change element required for the solution they want to deliver.
A good security project manager works out how best to implement various, sometimes complex, security products into your existing environment, in the most efficient manner. They ask the right questions to uncover potential challenges that may need to be considered before they commence delivery of the solution. For example, what are the interdependent parts that are needed for the solution to be used effectively in your environment? How will it work with all the other tools the business area is already using? What training will be needed? How will this change the users’ day job? The non-technical user impact of delivering security products needs to be considered, and a security project manager helps to identify those potential challenges.
2. Dedicated project delivery expertise
A security program delivery team provides a unique blend of project management skills, supported by an understanding of security, and an awareness of the importance of securing the core infrastructure of an organisation and therefore minimizing risk.
The security project manager considers the overall cost of investment for the organisation to implement the solution, including factors such as the people needed to make the change happen, the scale of change to the organization, and the benefits that will be delivered. They bring together the different teams needed to work on the implementation of the product, so that questions are answered early and they obtain an indication of the scale of work ahead, which lets them plan delivery. The project management skillset, combined with any security delivery experience or skills they have, helps deliver the solution on time and within the budget allocated. They ensure your security investment budget is not blown on the latest product without consideration for how much it will cost to actually deliver and run it.
3. Complement existing security subject matter experts
The project management function complements and supports the existing security subject matter experts (SMEs) by taking the tasks that need to be done for effective delivery, leaving the SMEs to focus on their day job.
By having a core project delivery team embedded within the Security function, the security personnel can focus on the detail and expertise needed to make the right decisions for the solution, while the project manager can focus on the broader picture, including the stakeholder management, change management, communication, financials and resources, which are all fundamental to getting a project delivered effectively and within budget. The security Project Manager is there to make the change smoother for the functional security team, relieving them of the effort involved in the discovery, planning and delivery of a security product, which is extra effort that the security BAU team doesn’t need to absorb.
4. Prioritise security and risk reduction
Having delivery within IT often results in conflicting priorities. IT is frequently focused on automation and improving efficiency in operational processes, whereas Cyber Security prioritises securing the organization and reducing risk.
A core project delivery team within Security has the focus on cyber security, risk reduction and securing an organization as its priority. They are there to advocate the needs and requirements from a Security perspective. They are going to focus on the objective of securing the organization as a priority, aligning to the security strategy of the organization. Their project delivery focus is on getting the security solutions into the organisation on time so the functional security teams can quickly leverage the benefits of that product.
5. Ability to adapt to changing security priorities
The security landscape is constantly evolving, which means there is a need for solutions and delivery to adapt accordingly. A priority for program delivery one year may be superseded by different priorities or a new solution the next.
With the program delivery team embedded in the security function, it’s easy for the security program to adapt, reprioritize, and respond to changing demand, since they work closely with the security team to understand the need to re-prioritise. They listen to the security stakeholders and can adapt the program needs accordingly, helping align project delivery to the security strategy of the organisation.
So in summary, it’s worth considering these key points when formulating the structure for your security function, so any large-scale security change is managed cohesively, making the most of the various security products you’ve invested in. While the security delivery required for an organization can be provided by a centralized program management function, there are multiple real benefits derived from having a core program delivery team at the heart of the security function.
About the Author
Natasha has more than 20 years’ experience in technology, leading IT and Security transformation programs across large financial services institutions and consultancy in the UK and Australia. Natasha is an advocate for the importance of program delivery within the security function to fully realise strategic intent, improve capability and reduce risk. She is currently the Executive Manager of the Cyber Security portfolio at Insurance Australia Group (IAG), delivering multiple projects and programs to improve security solutions and compliance. Natasha holds an MSc in Information Systems and is a Certified Information Security Manager (CISM), and also holds accreditations including Prince 2, Agile DSDM, ISO27001 and ITIL.