Strategy—Trends in Cybersecurity
The future of project management is changing fast. On Projectified™ with PMI, we’ll help you stay on top of the trends and see what’s really ahead for the profession—and your career.
For an easy way to stay up to date on Projectified™ with PMI, go to iTunes, Stitcher, Google Play music or PMI.org/podcast.
STEPHEN W. MAYE
Hello. I’m Stephen Maye, and this is Projectified with PMI. I’m here with my co-host, Tegan Jones, and today we’re discussing trends in cybersecurity.
One big trend that’s increasing cybersecurity risk is the rise in complexity.
The more complex systems and technology become, the more security vulnerabilities could be introduced.
And when change is happening fast, it’s tough to see where virtual doors may have been left unlocked.
That means the digital transformations a lot of organizations are going through—or have recently completed—open them up to a whole new world of potential cyberattacks.
Whether they’ve moved to the cloud, integrated the internet of things or are just trying to manage the flood of personal devices being used on their networks, there’s a lot for organizations to worry about.
There really is. And one of the top threats that organizations are facing this year is coming from ransomware.
So ransomware, if you’re not familiar, is malicious software that hackers use to deny access to a computer or a system—effectively kidnapping it until a ransom is paid.
So we’ve seen hackers lock up everything from an electricity company’s network to hospital computer systems—really anything they can get their hands on in order to get a payday.
And these attacks are wildly effective. So according to software company Masergy, ransomware is on track to cost victims 11.5 billion U.S. dollars in damage in 2019.
STEPHEN W. MAYE
And as these types of attacks have become more commonplace, more organizations have purchased cyber insurance to potentially reduce their liability if a breach does occur.
I think this trend speaks to a real fear—and a real need in the marketplace.
And that’s probably because threats are coming from so many different directions.
In fact, one of the biggest risk factors every organization has to manage right now is its own employees.
Yeah, that’s true. And a lot of times team members don’t even know that they’re introducing a threat.
STEPHEN W. MAYE
Yeah, I served a global financial services company that regularly sent employees fake phishing messages to determine employee vulnerability but also to help employees develop their own ability to spot cyber risk. I think it was a good idea because these risks have become so real and so common.
And that’s why project teams need to work with their cybersecurity counterparts from the start of any new initiative.
And that’s something we heard a bit about from Kimberly Valentine, the program manager for the office of the CISO at the Brunswick Corp. in the U.S.
Kimberly talked about how she’s integrating cybersecurity into the project planning process—and how she’s helping people across the company see that cybersecurity has to be everyone’s responsibility.
STEPHEN W. MAYE
We’re also going to hear from Greg Touhill, who was the United States’ first CISO—or see-so—during the Obama administration.
Greg is also a retired Air Force brigadier general and currently the president of Cyxtera Federal Group in Washington, D.C.
We discussed what he learned during his time in public service and the biggest cybersecurity threats he’s seeing today. We’ll get to that conversation later in the episode.
First we’re going to hear from Albert Torres, a cybersecurity program manager at Lockheed Martin in San Antonio, Texas in the U.S.
Albert outlined how easy—and how common—it is for cloud-based projects to introduce security risks—as well as what organizations can do to protect themselves.
So let’s go to him now.
The latest and newest vulnerability really would be cloud-based, and those are projects that create many new benefits for companies looking to either migrate existing applications or create new cloud-based applications, but it can also expose new vulnerabilities as well.
Probably the single biggest cybersecurity risk that arises from new cloud projects is in the area of security misconfigurations. There are so many settings in so many areas that can introduce new cybersecurity risks.
It used to be if you misconfigured something, most people still couldn’t see it because most of your clients were probably internal and so there wasn’t a lot of visibility to it. But now when we’re putting more and more applications in the cloud, well the visibility is worldwide at that point. And so if you had a small mistake in the past, it’s only larger now because you’re on a bigger stage.
And needless to say, the stakes are very high. So misconfigurations can happen to a small company and large companies because again, there’s so many different areas and so many different configurations or security settings that we need to be aware of.
Lots of times we need to ask what type of data are they working with, where does the data reside, where is it moving to, and who all would have access to that data. And then also understanding, not only the movement of the data but who has what access to it, whether it’s going to be internal or external. The difficult and challenging part is when someone needs to have say firewalls adjusted or opened. That’s also a great cause for concern, and it’s particular when data is really sensitive. So being able to approach the cybersecurity team and have a risk assessment done on the project early on would be much less painful than having to have it done later when you’ve already done everything. And that’s, I think one of the challenges with any project is that once you’ve already completed certain steps and then you’re having to go back and reexamine those under the microscope of a cybersecurity audit or assessment, it’s going to be much more difficult to try to resolve.
I think one of the highest priority skills for project managers that I’ve learned over time would be building relationships with the corporate cybersecurity teams. This would be beneficial for project managers because in the past cybersecurity was seen as antagonistic, and they would block many projects from moving forward, but they can really help develop strategies that will not only meet the cybersecurity requirements but help you build working solutions.
And you know cybersecurity is still a relatively new field and so there’s a lot of learning that’s been going on and also a lot of relationship building. And so as these teams work closer together over time, they’ll be able to spot the things that have been challenges in the past and be able to learn from those challenges and be able to make projects work a lot smoother.
I know a lot of organizations are currently investing in cloud platforms, so I think it’s great that Albert outlined some of the potential security issues that come along with these systems.
Because the potential costs of a breach can be really high—especially for organizations in the midst of a big change.
So I recently saw a report sponsored by IBM Security that said the global average cost of a data breach is just under 4 million U.S. dollars. But, if an organization was undergoing a major cloud migration at the time of the breach, the average cost was 300 thousand U.S. dollars higher.
STEPHEN W. MAYE
So the risks are real, and like Albert said, having cybersecurity experts review how data is going to be accessed and stored both during and after a cloud migration can help keep sensitive information secure.
And that’s something we heard from Kimberly Valentine, the program manager for the office of the CISO at Brunswick Corp.
Kimberly is also a senior manager overseeing cybersecurity operations, and she is based in Denver.
So, Kimberly has been working to integrate cybersecurity reviews into the project planning process—and she’s had a good deal of success so far.
STEPHEN W. MAYE
I’m interested to hear how she’s changed people’s habits and gotten them to take on extra work that sounds frankly quite technical and could be intimidating to some.
Our contributing editor Hannah Schmidt has the full story. Let’s go to her now.
Kimberly Valentine was with IBM for nearly 20 years before she took a job with Brunswick in 2018. As a lifestyle and recreation company, Brunswick had a different culture—and a different approach to cybersecurity.
A technology company like IBM, we’re building secure technology from the ground up and thinking about that the whole time. But when you move into other sectors, they maybe have not had the time or maybe the awareness to start thinking of cybersecurity across the entire enterprise or across all of their processes.
As I was listening to project management meetings of new projects and technology that were moving through the pipeline, I would raise my hand and say, “Has cybersecurity signed off on this? Do they need to review this?”.
So Kimberly started working with Brunswick’s project management offices to get cybersecurity experts involved earlier in the planning process.
You need to sit down with those different PMOs, and they may have a checklist or some sort of initial planning, series of steps. Just looking at that with them, or saying, “Hey, we need to add cybersecurity into your checklist before that project kicks off,” so the project manager knows that this could elongate the timeline of that project. It could add some extra costs, definitely some cycles for review and approval.
Getting teams across Brunswick on board with this change has taken a lot of collaboration—and a shift in culture.
Sometimes, we can be looked at as the office of no, and that’s not who we want to be. We do want that project to get through successfully, and on time and under budget if possible. But it’s definitely just more marketing and education and awareness across the whole enterprise culture, and you get the buy-in because they just realize it is important. But it takes time.
Kimberly says this upfront step is improving security across the company’s projects and helping everyone at Brunswick become an extension of the cybersecurity team.
I would say we’re doing really well. Yes, we’re very close.
We definitely get engaged because somebody else heard something and they said, “Oh, you better go check in with that cybersecurity team if you haven’t already. They’re going to want to look at this.” So that’s been very helpful.
Changing an organization’s culture is always a challenge. But I think Kimberly made a great point that a cybersecurity expert is a great asset for any project team. While it might require making some changes early on, finding security risks on the front-end of a project is way better than seeing those risks exploited after a project ends.
STEPHEN W. MAYE
That’s so true and building a team of people with the right skills can help make that process a lot smoother. That’s something I discussed with retired Air Force Brigadier Gen. Greg Touhill.
Greg is the president of Cyxtera Federal Group in Washington, D.C.—and he had the honor of being the United States’ first CISO under President Barack Obama.
That position was created after a cyberattack on the U.S. Office of Personnel Management compromised millions of personnel records. Greg was charged with strengthening cyber protections and anticipating and defending against future threats.
And now he’s using that experience to inform his work in the private sector.
Greg certainly has a very unique background, so I’m interested to hear his advice on how organizations can prevent the types of innovative cyberattacks that we’ve been talking about today. So let’s go to that conversation now.
STEPHEN W. MAYE
Greg, when you served as the chief information security officer for the United States under the Obama administration, you became the first CISO in the country’s history. Why was the position created at the time? And what was the mission?
Well, in the aftermath of the OPM breach and several major issues that we had across the United States government at both the dot gov as well as the dot mil, we created a cyber national action plan to address a lot of the shortfalls that we had identified, as well as to look for other areas where we could facilitate an intelligent digital transformation that had security upfront in the process, as opposed to an afterthought or a reactionary approach. And at the top of the list for the cyber national action plan was the creation of a chief information security officer to choreograph all the different activities that were associated with implementing security across the enterprise. We focused on dot gov initially because that’s where our greatest risk exposure was. But really, as we take a look at what we were trying to do by creating the United States government’s chief information security officer was to better manage our risk.
STEPHEN W. MAYE
Prior to that role, you of course served as the deputy assistant secretary for Homeland Security and communication, so you were not new to the space. But as you reflect on that and think about what you’ve learned during that period, what have you carried from there into the work that you’re doing now?
As I pivoted to the private sector upon my retirement from active government service, I kept on seeing the same things in the private sector that I saw in the public sector. First of all, while defense in-depth is great, complexity remains the bane of security. And from a defender’s standpoint, we have layered old antiquated technology, kept on piling on and piling on and piling on new controls and countermeasures. And it’s gotten to the point that for our defenders, that the environment that they’re trying to operate has become too complex for the average cyber operator to operate. And the result is, with that complexity, is things get missed. And that causes problems from a defensive standpoint because it increases your risk surface and your attack surface where folks can come out and attack you.
So what we need to do is really declutter. We need to make our defenses simpler and less complex. And I think the results will be that you’re going to have better security. You’re going to be more effective, efficient and secure. And you’re going to require less people to do that mission set.
STEPHEN W. MAYE
So Greg, you’ve come out of a rich career in cybersecurity starting with the Air Force and moving into these very significant and groundbreaking roles in the U.S. government. And I believe you’ve also had a significant window into the private sector. When you look across that broad landscape, what do you see as the greatest cybersecurity threats that organizations are struggling with now? And has that changed?
So a friend of mine, Andy Ozment, who’s the chief security officer at Goldman Sachs. He and I collaborated on a taxonomy for identifying what I would call the six biggest threats. And I’ll caveat that by saying these are human threats. One are the financially motivated. Those, I’ll call burglars. Those are the folks who want to steal information and then leverage it to make some money. Those are folks that are going to steal your credit card information or try to get into your bank accounts. Money transfers. All of those.
The second I call vandals. And vandals are those folks who are motivated based upon a cause. And they like to vandalize your property. It could be a vandalizing of your web page. You’ve got to plan for that threat. There’s digital muggers that are out there. I would submit that Sony felt like they got mugged by the North Koreans, who were motivated to try to coerce the Sony folks not to release that movie. So you need to plan for muggers and be aware that that’s an active threat factor. Spies are a huge threat. And spies could be nation-state actors. They can also be insiders. And you need to be particularly attuned to folks that are looking to gain a competitive advantage by gaining access to your information. Your information has value.
The fifth is saboteurs. Saboteurs are a special caste because they, once again, could be nation-state actors or a disgruntled insider. And that is a very pernicious threat. So you need to build resiliency in in case there is some sabotage to your systems. And you want to make sure that you don’t have denial of access to your high-value assets and your information when you need it the most. Often a saboteur is not looking to necessarily destroy, but to disrupt. And they can strike at any time, in any moment. But this only represents, based on what I have seen in both my public and private sector experiences, those only represent about 5 percent of the active threats that are out there. About 95 percent, I contend, are careless, negligent or indifferent people within your own ranks. Folks that are task-saturated by an overly complex environment. Or negligent, and don’t do things the way they’re supposed to be doing things. Or just don’t even follow the rules. They’re indifferent. So I think careless, negligent and indifferent personnel are every leader’s challenge and represent the greatest threat environment that we’re seeing right now.
Greg, you can’t turn over a stone without finding something called a “digital transformation” today. So when you think about how common digital transformations are or attempts at digital transformation are, where does that intersect with cybersecurity threats?
Well, Stephen, thank you for the question. Frankly, as a cyber guy, I will confess to you and the audience that I am a geek and pretty proud of it. So I’m going to answer giving an analogy from Back to the Future. If I could go back in time with Doc Brown and Marty McFly in that DeLorean, I would grab some of the program managers that I’ve seen fielding systems and say, “Hey folks, we need to make sure that these systems that we’re trying to field, and these capabilities, have security built in from the start.” I’ve seen throughout my professional career where security is kind of an afterthought and bolted on at the end. You know, so we take a look at the great work that’s been done by PMI, we’ve got a very deliberate process where we’re initiating the program or the project. We’re planning for, we’re executing, monitoring and controlling. And then closing. With a lot of these IT systems—I would say virtually all of them—security should be part of that initiating phase. Right upfront. And that goes for the things like dev ops. It should be sec dev ops. We should be building in security from the beginning.
STEPHEN W. MAYE
Yeah. Yeah. As you think about advising project and program managers today who are interested in really moving more into the cybersecurity space, but perhaps have not been heavily invested there yet, what’s the advice that you give them if they want to be in the thick of things a few years from now?
Well, a couple of things. First of all, make sure that you build the team that you need for not only now, but the future. Make sure that you have a cybersecurity professional—somebody who has the experience as well as the certifications to help advise you and make sure that you are building towards not only the current state but have the resiliency so that you can move forward throughout the entire life cycle.
I also think that it’s really critically important that you make sure that you are taking a look at all your different options when it comes from a cyber standpoint. Make sure that you understand your information, your value at risk, and the like. And make sure that you are advising your customers because often—and I’ve been a program manager in the past—often the customer doesn’t understand exactly everything that they want. And they may come to you with concerns over cost, schedule and performance but not necessarily have security front and center in their mind. So be a good advisor to them, and make sure that you put that security front and center. Because often, your customer may not be as well-educated and not know what they want until they see it. And that’s something most program managers I’ve worked with understand. And I also would recommend that you make sure that you do penetration testing or pen testing. Where you’re bringing in an independent third party to come in and test the efficacy of your security controls. I don’t want to field any particular system that can’t withstand the different threat environments that are out there. So having an independent third-party pen tester, as we call it, is critically important. And then constantly monitoring control, as all through the phases of execution, you want to make sure that as your project or program continues to live that it continues to execute from a security standpoint as well as the other performance measures that are out there.
STEPHEN W. MAYE
And with that, Greg Touhill, president of Cyxtera Federal Group, has the last word. Greg, it has been a pleasure talking with you. I could do this all day. Thank you for joining us.
Thank you, Stephen.
Thank you for listening to Projectified™ with PMI. If you liked this episode, you can subscribe on Apple Podcasts or Google Play Music. We’d love your feedback, so please leave a rating or review.