Project management in cyber security
08:30 Friday, 07 January 2022
UK Cyber Security Council
We write regularly about non-cyber skills that are relevant - essential, even - in the field of cyber security. One of the most common non-technical skills in IT is project management - the organisational framework that carries a piece of work from inception through design, development, testing and deployment, and winds up once it has been handed over to the operational team.
Do these skills belong in cyber security projects? Yes, they absolutely do - why wouldn't they? Cyber projects need just the same rigour as more mainstream IT projects. Should a project manager target cyber security as the niche they want to work in? That question has a much less clear-cut answer.
Why? Easy: the word "niche" sums it up. Every IT project we do (actually, every project we do, IT or otherwise) has an element of cyber security that spans all phases of the project. But, relatively speaking, we don't do all that many cyber security projects - projects whose primary focus is building and implementing a cyber-focused product or service. So, by all means become a "cyber security project manager", but don't expect to be all that busy.
Conceivably, that could be the end of this article: don't be a cyber project manager, because there's not much to do. But no: let's turn the concept on its head. If your talent is project management and you're interested in cyber security, but there isn't much of a flow of cyber security projects, look again at the other point made above: every project has a cyber element.
This correspondent did his time as an IT manager before moving into the delights of cyber security. I have worked with project managers of what one might consider varying levels of competence - or, more fairly, varying levels of quality of delivery. And the project managers who have stood out from the crowd, in a positive sense, all had something in common: they understood the concepts, and sometimes the tech, of the projects they were leading. They were not just organising work, assigning jobs and lining up suppliers' engineers to be available at the right time to make a change; they actually understood, to a decent extent, what the people working on the project knew.
If one has ever been through a global Wide Area Network replacement with a project lead who knows what the Quality of Service settings on network switches do, and who configured routers himself before deciding to focus purely on project management, one will know just what a bonus this is. If, as a project manager, you know which skills a particular element of a change requires, you can work with all the parties involved to make sure the right people are on the call to execute that element. In a long project one gets to know the individuals, and one can't overestimate the value of a PM who can say to a key supplier: "Any chance we could have Ken on the call next Monday? He strikes me as the guy best placed to diagnose the issue if something doesn't go right."
And the same applies to cyber projects. The PM is the person who, more than most, sees every aspect of the project from beginning to end. The cyber elements should be in there from inception, and the cyber thread should run through the whole project and on into production. A PM who knows about cyber security is perfectly placed to spot something that has been missed, to question a particular approach, or to ask why a particular technology or protocol has been chosen rather than the alternatives. In short, in any project - and particularly in a cyber project, where the team is focused on delivering something on time and on budget - a PM with subject matter knowledge brings major value.
So, if you're considering a career in cyber project management… perhaps the way to go is into project management in general. Because a PM with cyber knowledge will bring value to any project.