Safeguarding the data treasure
Information can be compromised with the click of a mouse. To keep it safe and sound, security measures must extend across the project life cycle.
By Sarah Fister Gale. Illustration by Otto Steininger.
IN today's knowledge-fueled economy, data are a prized possession. If information is lost or stolen, organizations can sacrifice market share, competitive edge and, in the most extreme cases, human lives. And with sensitive data shooting around the world at hyperspeed, companies are constantly at risk. Mobile devices get stolen, employees act carelessly, and hackers have ramped up their efforts, forcing organizations to battle security threats at every level of every project and across multiple borders.
“As technology brings us closer as a global society, IT security also becomes a global issue,” says Jaime Vasquez, chief innovation officer at Uni Bank & Trust Inc., Panama City, Panama. “And it must be dealt with in a global fashion through collaboration with all related parties.”
THE TRUE COST OF SECURITY
of global IT executives said their organization had reduced budgets for IT security capital expenditures over the last year
said their organization had reduced IT security operating expenditures
anticipated growth in security spending for 2011, the highest percentage since 2005.
“Absent another worldwide shock to the global economy, we may see a release of this pent-up demand ‘at the bow’ and an increase in security-related spending on capital and operating expenditures as early as later this year,” the authors wrote.
Source: 2011 Global State of Information Security Survey, PricewaterhouseCoopers, CIO and CSO. Results based on a study of 12,840 global IT executives surveyed from February to March 2010.
IT security must also align with regulations, business goals and the overall risk appetite of the organization, says Larry Marks, consulting senior program manager at the global security project management office at ADP (Automatic Data Processing Inc.), a human resources outsourcing consultancy in Roseland, New Jersey, USA. “You have to look at security from the point of view of how it fits into the overall business strategy of the firm so that you can identify the gaps.”
And then companies have to figure out how to close those gaps—before it's too late.
Security can't just be a task on a project list. Rather, it must be viewed in the context of organizational risk. “Once you've identified what your risks are, you can determine what will happen if they are not addressed,” Mr. Marks says.
For example, if USB ports aren't locked down on computers, organizations risk losing data, which can sabotage new product launches or give a rival a peek into corporate strategy.
For some organizations, identifying and closing data-security gaps goes well beyond protecting competitive advantage. In some cases it's literally a matter of life or death, says Goran Banjanin, PMP, PgMP, head of the information and communications technology project management and business continuity office at the International Criminal Court (ICC) in The Hague, Netherlands.
The ICC prosecutes individuals for genocide, war crimes and crimes against humanity, and Mr. Banjanin has spent the last several years creating the project management processes used to develop the IT systems that manage, store and protect court data.
Fully digital since 2007, the ICC handles all court documents and processes through a paperless data-management system. Because the documents contain the names of victims and witnesses, each one goes through a redaction process in which the relevant personal data are blacked out to protect identities.
“If the name of a victim or a witness is accidentally disclosed, the leak could be life-threatening,” Mr. Banjanin says. “Properly implemented and monitored security-management processes are vital.”
To ensure data security is a priority across the project life cycle, the court implemented stage-gate reviews and constant security audits. Teams begin by considering compliance issues and data-access requirements that may heighten security risks. Team members then create a governance plan, along with a schedule of audits to ensure compliance requirements are met and user access is strictly controlled.
In addition, Mr. Banjanin's project management office team conducts workshops with staff members to ensure everyone is aware of the sensitivity of the data and knows how to avoid security violations.
“People are always the weakest part of the chain when it comes to data security,” Mr. Banjanin says. “You can have the best technology, but if someone shares their access privileges, all of your security is jeopardized.”
ONLY HUMAN, AFTER ALL
Whether accidental or intentional, human behavior can put projects at risk—and organizations ignore it at their own peril.
Kam Star, CEO and managing director of PlayGen, considers the loss of project team members and the knowledge they hold as the biggest security risk for the computer games and simulations development studio in London, England. The company has developed a number of products around data security that rely on gaming mechanisms to help users better understand the repercussions of their actions.
“In Europe, there are no patents for software, and it's very hard to prove theft—that code developed for one product has ended up in a competitor's product. That means once it's gone, it's gone,” he says. “With software intellectual property, whoever uses it first is the winner. If someone takes your code, repurposes it and sells it, there's little you can do to stop it.”
So PlayGen keeps its development to a core of about 10 coders loyal to the company and its products.
“When your most-valued IT asset is your platform and the people who build and maintain it, you've got to cultivate a core team you can trust,” he says. “Anyone on the team has the ability to steal information from you because they built the system. So you've got to build their loyalty and make them feel responsible for what they are doing.”
For PlayGen, that means offering a profit share and frequent team-building activities, from karaoke parties to trips abroad.
Also essential are thorough background checks on all new employees as well as contracts that specifically forbid competitive work.
When you do require extra help, consider giving contract coders only isolated elements of a project to design, with no context as to what they're building.
Even that possibility is too much of a liability for PlayGen. “We no longer work with any external coders, so all work is done internally by our own staff because of these risks,” Mr. Star says. “Freelancers can be the biggest danger in this space, because you end up with people outside your organization holding your code.”
THE COST OF A GOOD NIGHT'S SLEEP
Whether it's humans or hardware stirring up the drama, security measures must be embedded right from the project start.
At Gain Capital, every new project and every alteration in an existing one gets a thorough security review.
“It's part of our project management process,” says Andrew Haines, CIO of the online foreign-exchange trading and asset-management services provider in Bedminster, New Jersey, USA. “Every time there is a change in the system, we look at everything that could introduce a security concern, discuss those risks and make sure they are part of the planning process.”
For example, if the company installs a new server, it creates a checklist of potential issues, including software updates, patches, content of the data stored on the server and access points. Through this process, the team ensures everything is up to date, and that unnecessary access or inappropriate data are removed or encrypted before the rollout.
“The key is to discuss security early in the project planning process,” Mr. Haines says. “If you wait until the end to do the security review, you are going to be scrambling to solve problems and making compromises to move the project forward on schedule.”
Including an IT security component as part of the work breakdown structure allows specific deliverables related to security to be visible across the course of the project's life cycle. That goes for every IT project, no matter the size or complexity.
“With any project, it is relatively inexpensive to make changes to a design in the planning stages of projects,” Mr. Vasquez says. “Whereas it is very expensive to include IT security if it's brought into the picture as an afterthought.”
No matter when it happens in the project life cycle, though, information security often falls victim to the budgetary ax.
“No one wants to spend money on IT security, but they also have a very low tolerance for problems,” Mr. Haines says. “I could dedicate 20 percent of my project budget to security and not lose sleep over security risks. But if I miss the business opportunity, it's probably not a good decision.”
To find that balance, he relies on a vigilant culture in which the IT team is constantly looking for the next risk or concern.
“There's never an end to this exercise,” Mr. Haines says. “If you let your guard down, if you don't keep patches updated, do audits and train your employees, it's easy for things to break down.”
WHEN WORMS ATTACK!
Security vigilance shouldn't end when a project is rolled out, says Brian McKeehan, vice president of technology and production for In10sity Interactive, a web design and content management company in Knoxville, Tennessee, USA.
His team regularly conducts post-project reviews to make sure the technology is working and isn't being used in a way that compromises security.
“In the life cycle of a project, the relationship with the client doesn't end when the site is launched,” Mr. McKeehan says. “Once they start using the site, we can see how people interact with it and we can identify areas to tweak or improve.”
During one recent review, for example, the team discovered a client was using a form that stored social security numbers and birthdates in the same database, a combination that is exactly what an identity thief needs if the database is ever breached. “That's a big security issue,” he says. His team pointed out the risk and updated the tool to automatically encrypt any fields that hold sensitive data.
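The fix described above, encrypting the sensitive columns before they reach the database while leaving ordinary fields readable, looks roughly like the following. This is an added illustration written for this page, not In10sity's tool: it assumes AES-256-GCM, a key supplied from outside the application (a secrets manager or HSM; the key bytes in `main` are a constructed placeholder), and sample form data that is likewise constructed. The column name is bound into each ciphertext as additional authenticated data so that a value copied from the SSN column into the birthdate column fails to decrypt instead of silently succeeding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Record is what the web form collects. Name is ordinary data; SSN and DOB
// are the fields the review flagged as sensitive.
type Record struct {
	Name, SSN, DOB string
}

// StoredRecord is what reaches the database: SSN and DOB hold
// base64(nonce || AES-GCM ciphertext) rather than plaintext. A distinct type
// keeps plaintext records from being written to storage by mistake.
type StoredRecord struct {
	Name, SSN, DOB string
}

// FieldEncryptor encrypts individual columns with AES-256-GCM.
type FieldEncryptor struct{ aead cipher.AEAD }

// NewFieldEncryptor takes a 32-byte key. In production the key comes from a
// secrets manager or HSM, never from source code or the database itself.
func NewFieldEncryptor(key []byte) (*FieldEncryptor, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldEncryptor{aead: aead}, nil
}

// Seal encrypts one field value under a fresh random nonce. The column name
// is passed as additional authenticated data, so a ciphertext moved between
// columns is rejected on decryption.
func (e *FieldEncryptor) Seal(column, plaintext string) (string, error) {
	nonce := make([]byte, e.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := e.aead.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Open reverses Seal for the named column. Tampering with the stored value or
// naming the wrong column returns an error rather than garbage.
func (e *FieldEncryptor) Open(column, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := e.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short")
	}
	pt, err := e.aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Protect turns a submitted form record into its storable form.
func (e *FieldEncryptor) Protect(r Record) (StoredRecord, error) {
	ssn, err := e.Seal("ssn", r.SSN)
	if err != nil {
		return StoredRecord{}, err
	}
	dob, err := e.Seal("dob", r.DOB)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{Name: r.Name, SSN: ssn, DOB: dob}, nil
}

// Reveal decrypts a stored record for an authorised reader.
func (e *FieldEncryptor) Reveal(s StoredRecord) (Record, error) {
	ssn, err := e.Open("ssn", s.SSN)
	if err != nil {
		return Record{}, err
	}
	dob, err := e.Open("dob", s.DOB)
	if err != nil {
		return Record{}, err
	}
	return Record{Name: s.Name, SSN: ssn, DOB: dob}, nil
}

// MaskSSN is for screens that only need to confirm identity: last four digits only.
func MaskSSN(ssn string) string {
	if len(ssn) < 4 {
		return "***"
	}
	return "***-**-" + ssn[len(ssn)-4:]
}

func main() {
	// Constructed placeholder key; a real deployment loads it from a KMS.
	enc, err := NewFieldEncryptor([]byte("0123456789abcdef0123456789abcdef"))
	if err != nil {
		panic(err)
	}
	submitted := Record{Name: "Jane Example", SSN: "123-45-6789", DOB: "1980-02-29"} // constructed sample
	stored, _ := enc.Protect(submitted)
	fmt.Printf("stored row: %+v\n", stored)
	back, _ := enc.Reveal(stored)
	fmt.Println("decrypted SSN:", back.SSN, "masked for display:", MaskSSN(back.SSN))
	_, err = enc.Open("dob", stored.SSN)
	fmt.Println("ssn ciphertext read as dob:", err)
}
```

Encrypting the columns addresses the "in the same database" problem only partly: the application still holds the key and still decrypts on demand, so access to the decrypting code path has to be controlled as tightly as access to the data was. Separating the key from the database means a copied database file on its own yields nothing, which is the realistic breach this guards against.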
It's only through such ongoing vigilance that organizations can keep data safe.
“The biggest issue with security is finding what you didn't know you should worry about,” Mr. Haines says. “There's always another worm attack or hole in the system, and the exercise of keeping it safe never ends.”
PM NETWORK FEBRUARY 2011 WWW.PMI.ORG