Cyber and Information Security – How to series
#3 Defining your project plan
A much used saying from my time in the police was “Failing to plan is planning to fail”. And this is an adage that you ignore at your peril.
The first stage of any project is, as we have already covered in our “How to series # 2”, to work out where we are starting from and where we are going to. Your project plan is working out how you get there.
- Define the scope of the project and appoint a Project Manager.
Will the project follow the Gap Analysis already done? Or, if this was business wide, are you going to limit the scope? Focus first on the high-risk areas identified via the Gap Analysis, before moving on to other less vulnerable areas of the business. Appoint a Project Manager (PM) with enough seniority and gravitas to drive the project and make it happen, or make it clear that the PM chosen has the authority of the board to make change. IT should not be the project manager. Their job is to make the IT “work”. Information and cyber security are much bigger than just IT alone. Think of this in terms of business resilience. It is a governance, whole business risk issue. The other thing is that if you make IT the project manager, the entire project will be seen by others as an “IT thing” and you will rapidly lose the engagement of everyone else.
- Bring all stakeholders into the project
For a project to succeed, you need to get “buy in” from the whole business. And the way to do that is to get everyone with a stake in the project involved from the start. It’s all about engagement and empowerment. And this is where the choice of project manager is important. They need to have enough authority within the organisation to drive the project on, sometimes against many other competing priorities. They also need to be able to build a well-functioning team and manage the challenges posed by different personalities, different priorities and quite possibly a challenging budget. If people feel that they have, and really do have, a say in the planning and implementation of a project, they will be truly engaged and onboard with what you are trying to achieve. When you have this, the likelihood of success receives a huge boost – no one likes something they are involved in to fail!
- Define your deliverables and identify milestones
What are the targets and KPIs that you will measure progress by? What are the key points along the way that you can point to in order to advertise your success? These need to be clearly identified, with realistic timescales established for achieving them. All parties need to understand what these deliverables and milestones are and what other key dependencies are involved in meeting those targets, i.e. is one person’s target affected by another’s progress? And importantly, all parties need to “sign up” to and be committed to those targets.
- Regular project update meetings
Communication is key to keeping a project on track and keeping all parties engaged. These project update meetings should involve all parties and be open and transparent. Stakeholders should be held to account and if necessary challenged on the progress of their individual contributions. And if the allocation of resources is insufficient to enable that progress, then resource should be made available or reallocated to support that stakeholder. Try to avoid a “blame game” type environment and you will avoid hidden errors and unreported failings. Being able to admit when things have gone wrong and then being allowed to put it right, with additional support if needed, is the way to build that open and transparent team ethos.
- Celebrate your wins!
When you reach a milestone in your project – shout about it! By celebrating the fact that a milestone has been reached, your team will receive recognition for all their hard work. The organisation will see that the trust placed in the project manager is well founded, that the resources expended are worthwhile, and that the project should be allowed to continue. Success also breeds success. High-performing teams will continue to perform well when projects they are involved in succeed.
The next in this series of 10 articles to help you build cyber resilience in your organisation will be “Data Mapping”
Gary Peace is the CEO & Founder of ESID Consulting, specialising in Insider Threat, Cyber / Information Security and e-Discovery. He was for 18 years a Police Officer at New Scotland Yard, Metropolitan Police, and is a former Head of Digital Forensics at the Competition & Markets Authority. He currently serves as a County Councillor and is also Vice Chair of Governors at The Island Free School on the Isle of Wight.
Email: email@example.com Tel 07973 333 106 Website www.esid.co.uk