Security and Project Management
It is usually when some unplanned event or critical failure occurs that many of us react and think about the importance of implementing security on our projects. After all, many project managers may not have encountered this particular aspect of implementation in the literature or on a project completed in the past.
Whilst the ISO (International Organization for Standardization) has published a family of standards and requirements which help organizations to bring the security of information under the control of management, the various bodies of knowledge on project management do not specifically or holistically address the issue of security. The organizations responsible for these bodies have, however, been holding discussions and seeking the adoption and integration of information security practices and measures throughout their processes - due in large part to increasing concerns about cybersecurity and other international data protection laws and requirements. Notwithstanding, project managers and organizations are generally left on their own to devise, develop, implement, and monitor appropriate strategies for the management of security on their projects - aligned with their needs and best practice.
Security, in the context of project management, can be defined as the identification of potential risks and implementation of strategies which will protect or preserve the confidentiality, integrity, and availability of project resources. These resources can include personnel, finance, data, communication networks, information, equipment, materials, processes, assets (physical, digital, intellectual, and organizational), and the natural environment. Security is not solely limited to the realms of communications or information technology.
Furthermore, projects are temporary organizations to which resources are assigned to do work to deliver beneficial change (Turner, 2009). Considering this definition and the wide range of limited and invaluable resources that are often assembled and committed toward a project's successful completion, it can become quite evident at that point how critical it is for project managers to safeguard or protect them.
Faced with the collapse of its manufacturing industry, escalating unemployment, a waning population, and severe financial challenges, the city of Flint, Michigan declared a financial state of emergency in 2011. The then Governor appointed an Emergency Manager who was tasked with the responsibility of restructuring the city's troubled finances. As part of that process, a decision was made to undertake a municipal water supply project which aimed to switch Flint's supply from Lake Huron and the Detroit River to the Flint River. Soon after the project was completed in 2014, residents began to complain about the water's colour, taste, and odour. They also reported rashes and other serious health concerns.
The city's officials insisted that there was no problem with the water. Over time, evidence was amassed and published which supported the residents' claims of contaminants in the supply. The city failed to properly treat its water, causing lead and other harmful compounds from its ageing pipes and infrastructure to leach into the supply. Almost two years later in 2016, the city switched back to its previous supply amidst public outcry and protests, national and international media coverage, and test results. It was estimated that a subsequent project to replace the lead pipes beneath the city would not be completed until 2020 and at a cost well in excess of the estimated US $5m per year the city was projected to save.
The unwanted costs and adverse impacts associated with this crisis are still being measured today. The project to change the city's water supply and save money failed to deliver the beneficial change that it was meant to achieve. In hindsight, the failure could be attributed to a number of factors, including:
Not thoroughly assessing and analysing the risks and issues related to switching the city's supply of water; particularly in terms of quality, safety, and environmental standards.
Ignoring the warnings raised by the project's key stakeholders and not communicating with them on quality issues and health concerns.
Not addressing clear leadership and governance failures.
An inability by the city to preserve or exceed the expectations of its customers.
Placing greater importance on the financial benefit over that of all others.
Security considerations should therefore be incorporated at every project phase from Initiation to Closing and throughout all management areas inclusive of Planning, Scheduling, Risk, Budgeting, Communication, Procurement, Execution, and Control. In doing so, project managers should gain deeper insights into and appreciation of the specific security needs of their projects within the context of their types, aims and objectives, wider operating environments, requirements, available resources, and expected outcomes.
In undertaking risk analyses and the development of strategic security measures, project managers should also be cognizant of vectors or pathways through which a project's security can be compromised. Though not limited to the following, these pathways can include:
Natural disasters and events such as floods, hurricanes, seismic events, wildfires, tsunamis, volcanoes, drought, and the ongoing effects of climate change.
Legal or statutory compliance. Depending on where in the world your project is being executed, there will be laws, regulations, forms of contract (such as FIDIC's), and other statutory obligations which must be observed or followed as they relate to people, data, finances, natural resources, quality and safety standards, communication systems, security, and transparency.
Threats associated with people inclusive of theft, vandalism, malicious intent, breaches in confidentiality, the lack of adherence to policies, procedures, and standards, terrorism, and civil conflict.
Finally, the costs associated with security failures. Whilst there may be no assured way to protect against every security risk, investing in and implementing suitable security policies, standards, controls, and systems can definitely reduce the costs and risk associated with their absence.
Security experts would insist that security is, at its core, a people issue. This speaks to the significance of project managers and organizations communicating to their teams not only the link between a project's success and the securing of its resources, but also each member's role and responsibilities in carefully aligning the two. Whilst this relationship can be enshrined within a project's scope, contractual relationships with suppliers and subcontractors, policies, project management plans, and risk response strategies, some organizations have gone a step further in hiring experienced executives and managers with security expertise to support the efforts of their project managers.
Additionally, support for a project's security must be sought from and communicated by executive leadership to the rest of the organization. The organization would, in turn, more readily accept, appreciate, and support the security controls, measures, training, and processes which may be implemented.
Earlier this year, we completed a project which required us to develop and implement an appropriate security strategy for protecting the confidentiality and integrity of all related information and communication between key stakeholders. Within it, we looked at several approaches for limiting both physical and digital access. Some of the digital measures ranged from fully password-protected computers to whole-device encryption. Physical measures ranged from keeping our assigned work areas in a neat and orderly manner, so as to assist in the identification of unauthorized access more easily, to having singular points of contact and having offices swept for listening devices on a regular basis. The measures that you may develop and implement on your projects may not be so extreme, but it is important to recognize what may be required in an effort to ensure project success and the full satisfaction of its requirements.
Construction projects, for example, may need to secure or protect their design and contract documents, records, small tools and equipment, building materials, hazardous chemicals, personnel and staff, points of access onto and off the building site, traffic on and around the site, environment, and the wider public. IT or IS projects may need to secure their data and information, intellectual property, code bases, encryption keys, systems, and computing devices, and limit physical access to any underlying infrastructure and specially designated building areas. On research-type projects, managers may also need to look at device encryption, password-protected access, locking filing cabinets, ensuring that other storage containers are housed within a locked room, and cloud storage solutions.
Project managers are not, of course, expected to be security experts. Through the adoption of a more security-minded focus and sighting of the associated risks, we can better protect and safeguard the resources entrusted to us in a comprehensive or holistic manner and implement those strategies and measures which ensure that we deliver our projects in a more responsible, secure, and successful manner.
For further reading, we would like to recommend Lead-Laced Water In Flint: A Step-By-Step Look At The Makings Of A Crisis by NPR, The Handbook of Project‑based Management by Rodney Turner, What Project Managers Need To Know About Cyber Security by Information Age, and The Importance Of Physical Security In The Workplace by Infosec Institute.