Data Lockdown: Managing Cybersecurity Risk

Transcript

STEVE HENDERSHOT

We live in a glorious information age, with data flowing freely—fueling unprecedented collaboration and some amazing innovation. Until someone hacks into that data. Then things can get ugly.

MAXINE HOLT

If you’re not looking after your data, then you’re not looking after your organization. Data can be and is often kind of the lifeblood of the organization, so it’s just so important to look after the data. Make sure it’s secure, and make sure you’re following good cyber hygiene practices.

NARRATOR

The world is changing fast. And every day, project professionals are turning ideas into reality—delivering value to their organizations and society as a whole. On Projectified®, we’ll help you stay on top of the trends and see what’s ahead for The Project Economy—and your career.

STEVE HENDERSHOT

This is Projectified®. I’m Steve Hendershot.

There’s no such thing as an impenetrable cyber fortress—as we’ve all become painfully aware. Just this year, attackers have managed to hit Japan’s Narita International Airport, the Colonial fuel pipeline in the U.S. and Ireland’s online healthcare hub. And that can mean a deep hit to the bottom line. The average cost of a data breach in 2021 is 4.24 million U.S. dollars, according to an annual report by IBM. That’s the highest-ever total in the study’s 17-year history.

The ramifications for project teams are far-reaching, as companies launch new projects to fight back against attackers and also look to shore up security practices and protocols within their teams.

Today we’ll visit the front lines of digital defense, beginning with a chat with Tim Hurley, cybersecurity project manager at Sempra in San Diego, California.

MUSICAL TRANSITION

STEVE HENDERSHOT

What’s behind this surge in cyberattacks—have bad actors become more sophisticated?

TIM HURLEY

As a society, I think we’ve become dependent on technology to the extent where a loss of service can have severe consequences. So that raises the stakes and raises the risk profile for having good cybersecurity defense and response capabilities.

Especially if you go back five years even, cyberattacks have increased in number, severity, sophistication. The attack surface has increased. You’ve got a variety of different motivations or interests. You’ve got financial gain, sociopolitical. You’ve got espionage. You’ve got even revenge on companies from disgruntled employees, disruption of services, and you’ve got military applications.

STEVE HENDERSHOT

Where do you begin that process of defense and response? I’m thinking beyond the established recommended practices—how do you game-plan around the risks and vulnerabilities that are specific to your situation?

TIM HURLEY

In a way, you have to think like the bad actors think. You have to think about where you have exposure, what would do the most damage to your organization. Do you have capabilities in place to preclude that or defend for that? It’s very much of a moving target in terms of the threat landscape. It’s always changing. Technology is always changing, so there’s ample opportunity to get behind. So a certain level of vigilance is really important.

STEVE HENDERSHOT

If you’re a team leader trying to run a tight ship, how should you approach security?

TIM HURLEY

It’s incumbent on project leaders to think about security, whether that project leader is building a building or they’re building software. Unfortunately, in cyberspace, it’s a dangerous place. Project leaders need to keep cybersecurity on the radar all the time. How are we securing that environment? What if somebody comes and does this—how are you protecting against that particular situation?

I would encourage project leaders to be mindful of it, and also bring it to the attention of the team. It’s a worthy discussion of whether you have the expertise on the team to address the cybersecurity considerations. If you don’t from a project leadership standpoint, that needs to get onto the action list. That needs to get onto the radar because there’s risk that would be going with that.

STEVE HENDERSHOT

When is the right time to address security over a project’s life cycle?

TIM HURLEY

The answer would be early engagement and then often during the life cycle, to the extent that it’s necessary. There’s going to be some projects that have a much higher cybersecurity risk profile than others.

Let’s say you were going to build software for individuals to do their taxes on that would capture Social Security numbers. The security of that application, particularly if it’s going to be transmitting data over the internet, is really, really critical. How are you going to encrypt it? How are you going to keep it safe in transit, at rest, etc.?

But for another software application, maybe it’s just some kind of little fitness program or something like that, it wouldn’t be storing any specific, sensitive information necessarily. In that case, the cybersecurity considerations would be less. It’s definitely not a one-size-fits-all discussion at all, and it’s very specific to whatever product or service is being offered.

STEVE HENDERSHOT

There’s a natural tension with cybersecurity, because there are inevitably trade-offs between the desire for a free flow of information compared with the value of locking down all your data. How do you think about that tug of war?

TIM HURLEY

I think talking about the potential impact—what’s the worst thing that could happen in relation to this cybersecurity consideration? Is that acceptable? If your data gets locked down or stolen, because you have it backed up somewhere else, is that okay? Those are the kind of conversations. It’s all really about measuring risk. Organizations have completely different risk tolerances.

As far as on projects and on teams, those are the discussions to have still, because if you put up a website and you don’t have the proper safeguards wrapped around that website and the website gets hacked, what are the consequences? Is that a big deal or it doesn’t really matter if your website gets hacked? It’s really having those conversations because cybersecurity is really a function to help everyone to be aware of the risk, calibrate to the risk and then employ appropriate safeguards.

STEVE HENDERSHOT

What’s your advice to project leaders on how to keep their data secure?

TIM HURLEY

First of all, you clearly want to understand the scope of your project. So if the scope of my project is—as I said earlier—I’m going to put a building up downtown, as a project leader, think about what are the security considerations for that building? Is access going to be controlled, or is it going to be open to the public, just as an example.

That same type of thinking, those same dialogues apply to a software development project. So what’s the scope of my project? Well, my project is going to create this really cool web portal that’s going to be able to get into banks and look at people’s accounts and their balances and even do transactions. Oh my gosh. As a project leader, I need to be concerned about security. What kind of security? How’s that going to work? It really depends on the scope. It’s like, “What’s my scope? What do I have to safeguard?”

MUSICAL TRANSITION

STEVE HENDERSHOT

Listing off a few of these high-profile cyberattacks can be enough to provoke risk-management night sweats, but really, there’s a path to a strong cybersecurity foundation, and it starts with some straightforward steps.

Projectified®’s Hannah Schmidt spoke with Maxine Holt, who leads the cybersecurity research team at technology research firm Omdia in London. They discuss why project leaders should be continuously evolving and evaluating their cybersecurity practices—and why that should be done right from the get-go.

MUSICAL TRANSITION

HANNAH SCHMIDT

Companies are facing a myriad of cyber threats—from ransomware to compromised supply chains. How can they best respond?

MAXINE HOLT

That’s such a big question because there is so much to do when it comes to security. The basics I would start with is good cyber hygiene, and that’s quite analogous to COVID, I suppose. Good hygiene when it comes to COVID is regularly washing your hands for so long and all that kind of stuff. Cyber hygiene is very similar. You have some basics that you can put in place to help protect yourself, so things like password changes. Don’t let somebody have the same password for three months or a year. Force regular password changes. Make sure you’re doing plenty of backups. Make sure your people are appropriately trained.

Then I think when we think about projects to help make organizations more secure, for me, it’s about continuous improvement. So we might put cyber hygiene in place, but it’s not one and done. We need to be looking all the time about how we can improve that cyber hygiene. How can we build in when we’re doing some new work in an organization—developing new systems, whatever it might be. We need to be thinking about security and risk upfront. We can’t leave it until later. You can’t bolt it on, if you will. For me, it’s all about having the basics in place and thinking about security continuously, really, or certainly regularly.

HANNAH SCHMIDT

So with this idea of cyber hygiene basics, what role do education and training play?

MAXINE HOLT

It plays a massive role, absolutely huge role. Employees and people—it’s not just your employees. It’s your customers, your partners, your suppliers. But your employees especially are your first and last line of defense. And it’s not just about awareness. Knowing that something could happen doesn’t necessarily change somebody’s behavior to prevent it from happening. We need to focus on awareness education with a view to changing behavior.

So it is about working with employees. They just need help and support to be able to understand what good security practice is and how they can contribute to the security of their organization and their organization’s data. And then, over time, that will gradually help change their behavior. But like everything else I’ve said as well, it’s not one and done. We have to work with individuals continuously. It’s continuous education to make sure that we’re trying to get the message over regularly to these people.

HANNAH SCHMIDT

Identifying and managing risks can also help teams keep data secure. Why is it so critical for that process to start early? And what are some good ways of doing that?

MAXINE HOLT

We need to think about risks very early on in projects because if we don’t understand the risk, then we can’t do anything about the risk. We can’t mitigate that risk. We can’t transfer that risk if we don’t actually understand the risk upfront. Understanding the risk then means you can apply the appropriate security controls as part of the project.

We can’t be doing these things afterward because if you’re doing it afterward, that’s when most of the problems happen, and it costs more money to remediate as well if you’re doing those things afterward. So I would always suggest having risk and security very early on in a project. It’s so much better and less expensive than doing it later and trying to bolt it on.

HANNAH SCHMIDT

I also want to talk about remote and hybrid work. Obviously, this has been increasing, especially during the pandemic. What impact does this have on data security as team members are working from home, off the cloud or using third-party collaboration tools?

MAXINE HOLT

From my perspective as an individual, as a consumer, it shouldn’t matter to me whether somebody has access to that information in their home office or in their work office or in the local Starbucks. I still expect that data to be protected equally.

I think that what happened, as you said, over the last 18 months, two years, with the massive increase in remote working, organizations had to put quite the Band-Aid or sticking plaster over security to make it work as best it could at that time. But because now it looks very much like a hybrid or balanced working model is being adopted broadly, organizations need much more sustainable security for being able to work remotely. You need to have the same level of security irrespective of location.

I do think companies are starting to get to grips now with what they need to be doing. But it’s not easy, either, and it’s not the flick of a switch. It’s layers of security that are being put in place. But certainly, I think that protecting the confidentiality, integrity and availability of information is very much at the core of what organizations are trying to do now.

HANNAH SCHMIDT

And what can project leaders do? How can they make sure that they and their teams are keeping data secure, no matter where they’re working from?

MAXINE HOLT

Sure. So, lead by example. I would always start with that one. To know what your organization’s policies are when it comes to security. But I think as well, engagement with people and thinking about risk. Risk is a really interesting one because quite often what we see are individuals focusing very much on likelihood. So, yeah, that’s not likely to happen so we don’t really think about what the impact might be of that.

But actually, risk is an equation that multiplies likelihood and impact. So even though something might be a very low likelihood on a scale of, I don’t know, one to five—it might be a one, where that’s highly unlikely, but the impact might be a five. If it does happen, then it could be catastrophic. It could lead to business failure even. It could be that level of a catastrophic event, or it could be still hugely impactful on the organization where maybe the share price goes down. Maybe there’s a huge fine coming because there’s been a breach of compliance or whatever it might be.

HANNAH SCHMIDT

This can all be a lot for project leaders if it’s not something they’re used to thinking about. How can they become more comfortable talking about it and leading their teams, as you said, by example?

MAXINE HOLT

Certainly, it can appear overwhelming. Even if you work in security, there’s no way you can know everything about security. It’s just impossible. So I think when it’s not your core role, when it’s not something that you’re that familiar with, I would very much encourage people to just ask questions. And we have this saying in the U.K.—don’t worry about asking a daft question, a silly question, because we all learn. We’re all learning continuously.

So if you’re not sure when you’re doing a project or you’re leading a project and you think, “Well, what’s going to happen to the data at that point?” Or, “What’s going on with the data from the project?” Ask the question about it. Just be inquisitive and don’t be afraid to ask questions.

MUSICAL TRANSITION

STEVE HENDERSHOT

Data is a powerful tool, leading to remarkable insights and cutting-edge innovations. But it can also be a vulnerability. And that’s why project leaders need to keep security top of mind—and not just after a big breach is in the news.

NARRATOR

Thanks for listening to Projectified®. If you like what you heard, please subscribe to the show. And leave a rating or review—we’d love your feedback. To hear more episodes of Projectified®, visit Apple Podcasts, Google Play Music, Stitcher, Spotify or SoundCloud. Or head to PMI.org/podcast.