The average spend on cyber security by large organisations now exceeds $10m per year, with the majority of these organisations only planning to increase this budget further in future years. In addition, the UK government is now in the midst of investing £1.9bn towards Cyber Security programs and initiatives.
Whilst a considerable part of these budgets goes towards running existing operations, the majority of it is invested in new projects and programs.
In a cyber security context, a project is typically established to fix a set of known vulnerabilities through a combination of policy, procedural and technology changes. As a result, the impact of project failure is significant, since the organisation will likely remain open to attack.
With the stakes so high, why do we continue to see many cyber security projects fail to deliver?
Before exploring some of the key reasons why failure occurs, it is worth considering how failure can be identified.
Failed projects do not always expose themselves to senior management with a big red flag. Instead, failure can often be quite subtle.
For example, a project might deliver a fully-functioning vulnerability scanning tool, but over time the effectiveness of the system diminishes. The project may have initially been deemed a success, but the lack of a defined operating model and user training ultimately leads to the project becoming a failure.
The key to identifying failure is maintaining a clear definition of what success looks like and then continually and objectively monitoring progress against this initial definition.
Success Criteria – A.K.A. Objectives – should be documented within a Project Initiation Document (PID) or Program Management Plan (PMP) and be etched upon the wall and minds of all those involved within the project.
Furthermore, for your Success Criteria to be a success(!), they should be:
- SMART: Specific, Measurable, Achievable, Relevant and Timed.
- Considerate of people’s objectives outside the immediate project team.
- Signed-off by all key project stakeholders.
- Monitored and updated over time.
You should review the project’s progress against its objectives on a monthly basis. Often the best way to do this is to perform a peer review, but you may also invite a member of your risk/audit function to cast their eye over progress.
What causes a cyber security project to fail?
Reason 1: Unrealistic targets and timelines
The majority of large scale cyber security programs are established in response to risks and vulnerabilities identified by audit & risk functions.
Whilst audit is undeniably critical to the safeguarding of an organisation’s assets and operations, they do not always fully understand the challenges of implementing a robust cyber security solution.
Standard protocols set by audit (e.g. All “Criticality 1” risks must be resolved within 3 months) can result in technology teams committing to unachievable timelines.
Unachievable timelines result in one of two things:
- Catastrophic failure – significant amounts of money wasted and nothing delivered.
- Delivery of a sub–standard tactical solution – whilst this may do enough to satisfy audit in the short term, it is likely to cause problems in the future.
As professionals, we don’t want to see either of these outcomes come to fruition. So how can we overcome this?
- Present realistic timelines to audit – before agreeing a date with audit, develop a detailed end-to-end plan which takes account of all known dependencies and has been signed by all stakeholders. Also consider inserting additional contingency time into the plan for the inevitable unknowns.
- Split the remediation work into two phases – Phase 1 should implement some quick wins and mitigate initial risks. Follow this up with a longer-term Phase 2 where a full solution is implemented.
- Don’t be afraid to challenge – if you are being pushed to commit to an unachievable deadline, challenge it. Provide robust justification for your concerns and negotiate a new deadline that you know you can meet.
Reason 2. Lack of skilled resources
It was recently reported that 77% of UK CIOs believe they will face more cyber security threats in the next five years. This risk is further exacerbated by the fact that they are unable to recruit the right people to build systems and processes to defend against these risks.
This challenge to find cyber security professionals with the right skills and experience is one that faces many organisations. A recent Cyber Security Workforce Study by (ISC)2 reported that Global IT security skills shortages have now surpassed four million.
Consider the following ways to overcome resourcing issues:
- Be very specific in job adverts – If you need a technical architect who has an understanding of how to build a privileged access management solution for cloud services, then ask for it.
- Ensure you are paying the market rates – with a shortage in skills you have to ensure you are paying the required rates if you want to attract the right talent.
- Train in-house – hire a small number of highly experienced cyber security professionals and then have them train your internal staff.
- Seek specialist support – cyber security consultancies, such as CyPro, have a wide-range of skilled cyber security professionals who can help you deliver projects and build an in-house expert team. Drop us a line to see how we can help.
Reason 3. Poor stakeholder engagement
Most projects are diligent enough to create a stakeholder matrix, which provides an overview the key players and their relevant roles and responsibilities. However, this is not a one-off task and placing a signed-off stakeholder matrix on the shared drive will not cut it.
Projects and programs must continually assess who their current stakeholders are and how well engaged they are. As a project moves through its lifecycle, new stakeholders are inevitably identified whilst others become less critical.
For any change project, stakeholder engagement is key. For a cyber security project it’s even more critical. This is due to the typical dependencies on a large number of different teams and vendors to support and adopt the changes.
In order to achieve effective engagement you should:
- Focus on powerful stakeholders – getting the support of one or two senior stakeholders for your program can make all the difference. The Chief Information Security Officer (CISO) alone is not enough though, you will also need senior sponsorship from other board members and business divisions.
- Listen – the solution you are implementing is unlikely to meet the requirements of all your stakeholders. Listen to their feedback and adapt as needed.
- Communicate – involve your stakeholders wherever possible and keep them well informed. For large programs consider hiring a dedicated communications manager.
What to do next?
There is no single approach that can be adopted to ensure your project is a triumph. However, following the basic principles of setting realistic targets, hiring the right team, involving your stakeholders and accurately measuring progress gives you a fighting chance of success.
If you feel that your current project might be on the path to failure, do not despair, but do TAKE ACTION. Perform a project review as soon as possible, take your findings and concerns to management, and make the necessary changes before it is too late.
If you’re struggling to find the time to perform a project review, or you want some advice before kicking off a new project, please drop us a line to see how we can help make your cyber security projects a success.