<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TransAccel Group &#187; Greg Scott</title>
	<atom:link href="http://transaccelgroup.com/author/greg-scott/feed/" rel="self" type="application/rss+xml" />
	<link>http://transaccelgroup.com</link>
	<description>Improving IT Processes &#38; Services</description>
	<lastBuildDate>Tue, 03 Jul 2018 13:13:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.2.38</generator>
	<item>
		<title>Are you too focused on the technical aspects of cyber security?</title>
		<link>http://transaccelgroup.com/2015/04/23/are-you-too-focused-on-the-technical-aspects-of-cyber-security-see-more-at-httpwww-transaccelgroup-comblog20150423are-you-too-focused-on-the-technical-aspects-of-cyber-securitysthash-v5x/</link>
		<comments>http://transaccelgroup.com/2015/04/23/are-you-too-focused-on-the-technical-aspects-of-cyber-security-see-more-at-httpwww-transaccelgroup-comblog20150423are-you-too-focused-on-the-technical-aspects-of-cyber-securitysthash-v5x/#comments</comments>
		<pubDate>Thu, 23 Apr 2015 21:30:30 +0000</pubDate>
		<dc:creator><![CDATA[Greg Scott]]></dc:creator>
				<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Communication and Change Management]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Security Best Practices]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5403</guid>
		<description><![CDATA[When someone mentions information security, invariably thoughts go to technical aspects such as firewalls, routers, wireless access points and how to set those devices up—or to physical aspects such as locks, security guards and fences. These are the technical and physical controls that usually comprise our understanding of how to achieve the best level of security possible. But controls for information security fall into three main categories: the physical and technical—which we’ve already described—and the administrative, which often receives short shrift. Why? My guess is that administrative controls are considered “soft,” focusing on management and training, and it’s pretty enticing to think that technical controls and physical controls will suffice for cyber security defense. Not a good idea, says Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products in a recent issue of Computer World. “…businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error…invest in your people and process.” In the broader world of business, success depends on the correct balance of the three main pillars: people, process, and technology. Within information security, are we creating a three-legged stool with one leg (technology) longer than the others? That can’t be good. Technology is an important piece of your arsenal, but insufficient by itself. Having sound policies, defining clear role-based processes and procedures, and providing communications and training for key stakeholders (which may include every employee) will create balance for the three-legged stool of information security. 
Policies and processes might sound like management overhead, but any organization desiring to provide consistent goods and services must have consistently applied policies and processes—i.e., CMMI, but that’s a topic [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>When someone mentions information security, invariably thoughts go to technical aspects such as firewalls, routers, wireless access points and how to set those devices up—or to physical aspects such as locks, security guards and fences. These are the technical and physical controls that usually comprise our understanding of how to achieve the best level of security possible. But controls for information security fall into three main categories: the physical and technical—which we’ve already described—and the administrative, which often receives short shrift. Why?</p>
<p>My guess is that administrative controls are considered “soft,” focusing on management and training, and it’s pretty enticing to think that technical controls and physical controls will suffice for cyber security defense. Not a good idea, says Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products in a recent issue of Computer World.</p>
<p>“…businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error…invest in your people and process.”</p>
<p>In the broader world of business, success depends on the correct balance of the three main pillars: people, process, and technology. Within information security, are we creating a three-legged stool with one leg (technology) longer than the others? That can’t be good. Technology is an important piece of your arsenal, but insufficient by itself. Having sound policies, defining clear role-based processes and procedures, and providing communications and training for key stakeholders (which may include every employee) will create balance for the three-legged stool of information security. Policies and processes might sound like management overhead, but any organization desiring to provide consistent goods and services must have consistently applied policies and processes—i.e., CMMI, but that’s a topic for another blog.</p>
<p>Unfortunately, many IT areas don’t give communications and change management its proper due, which is why we focus on those areas as part of all of our client engagements. Information Security user awareness and training helps create a faction of employees who understand that they can be either a vehicle for threat actors to enter your environment, or sentries at the gate, raising an alert when something looks suspicious.</p>
<p>A one-legged stool is going to have you end up on the floor. While you are focusing on technical and physical security, your adversaries are busy figuring out how to leverage your employees to breach your environment. Remember, three legs: People, Process, Technology. Don’t shortcut people and process in cyber security.</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2015/04/23/are-you-too-focused-on-the-technical-aspects-of-cyber-security-see-more-at-httpwww-transaccelgroup-comblog20150423are-you-too-focused-on-the-technical-aspects-of-cyber-securitysthash-v5x/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is Your Head in the Cyber Security Sand?</title>
		<link>http://transaccelgroup.com/2015/04/09/is-your-head-in-the-cyber-security-sand/</link>
		<comments>http://transaccelgroup.com/2015/04/09/is-your-head-in-the-cyber-security-sand/#comments</comments>
		<pubDate>Thu, 09 Apr 2015 21:36:29 +0000</pubDate>
		<dc:creator><![CDATA[Greg Scott]]></dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Security Due Diligence]]></category>
		<category><![CDATA[Security Strategy]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5407</guid>
		<description><![CDATA[“We started as a relatively small company. Through success and internal growth along with some acquisitions, we are now a medium-sized company using the same policies and processes as when we first started.” Does this sound familiar? If so, take solace in knowing that you are not alone, but things have to change. For many companies, growth has outpaced their policies and processes, which can be a risky situation, especially in cyber security. In information security, due care means “acting responsibly and doing the right things.” While information security is a very complex field, there are certain basic building blocks that must be in place for every company. Ask yourself: Do you know your company’s most important assets, where they are located, and how they are protected? Do your employees understand their role in information security? Do you understand the major vulnerabilities within your company? Do you know the major threats and threat agents to your company / industry? Do you know how your company would respond in the event of a cyber attack? When the topic of cyber security comes up, most people think about firewalls, intrusion protection/detection systems, and other technical solutions. While these are inevitably part of the solution space, if you are hesitant or unsure of the answers to any of the questions listed above, you could be negligent in providing “due care” for your company. You probably understand the things that need to be done to make your company secure from an information perspective. Nevertheless, not taking action—even by doing something as small as raising the issue with your leadership—can be construed as not “acting responsibly.” Knowing what to do and actually doing it are two completely different things. [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>“We started as a relatively small company. Through success and internal growth along with some acquisitions, we are now a medium-sized company using the same policies and processes as when we first started.”</p>
<p>Does this sound familiar?</p>
<p>If so, take solace in knowing that you are not alone, but things have to change. For many companies, growth has outpaced their policies and processes, which can be a risky situation, especially in cyber security.</p>
<p>In information security, due care means “acting responsibly and doing the right things.” While information security is a very complex field, there are certain basic building blocks that must be in place for every company.</p>
<p>Ask yourself:</p>
<p>Do you know your company’s most important assets, where they are located, and how they are protected?<br />
Do your employees understand their role in information security?<br />
Do you understand the major vulnerabilities within your company?<br />
Do you know the major threats and threat agents to your company / industry?<br />
Do you know how your company would respond in the event of a cyber attack?</p>
<p>When the topic of cyber security comes up, most people think about firewalls, intrusion protection/detection systems, and other technical solutions. While these are inevitably part of the solution space, if you are hesitant or unsure of the answers to any of the questions listed above, you could be negligent in providing “due care” for your company.</p>
<p>You probably understand the things that need to be done to make your company secure from an information perspective. Nevertheless, not taking action—even by doing something as small as raising the issue with your leadership—can be construed as not “acting responsibly.” Knowing what to do and actually doing it are two completely different things. There will always be the “hot,” critical project that needs attention, but ignoring what you know to be absolutely necessary is comparable to a “dereliction of duty.” Taking key resources away from information security operational activities to do project work is shortsighted and negligent, and puts you at risk as a company.</p>
<p>Don’t wait any longer. Now is the time to act and provide your company the level of due care that is necessary and expected.</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2015/04/09/is-your-head-in-the-cyber-security-sand/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cutting Your Project Portfolio Down to Size</title>
		<link>http://transaccelgroup.com/2014/07/10/cutting-your-project-portfolio-down-to-size/</link>
		<comments>http://transaccelgroup.com/2014/07/10/cutting-your-project-portfolio-down-to-size/#comments</comments>
		<pubDate>Thu, 10 Jul 2014 19:33:59 +0000</pubDate>
		<dc:creator><![CDATA[Greg Scott]]></dc:creator>
				<category><![CDATA[Planning]]></category>
		<category><![CDATA[alignment]]></category>
		<category><![CDATA[business case]]></category>
		<category><![CDATA[capacity]]></category>
		<category><![CDATA[keep the lights on]]></category>
		<category><![CDATA[resources]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=6008</guid>
		<description><![CDATA[That big project portfolio of yours is your biggest headache. It’s true. If you are like most companies, your portfolio has grown to an unwieldy size, which means you have way too many projects competing for the same resources. Here’s what to do. First, inventory ALL projects and activities that require any kind of IT resources, making sure to include non-obvious ones like SMEs and user training time. According to Gartner, 60% of IT’s budget is spent on operational, “keep the lights on” activities, so it is important that these are included to ensure correct allocation of project resources. Projects that pull resources from core operations can create business risk. Second, decide who will comprise a governance committee, i.e., who will make decisions concerning the portfolio. This should be a mix of IT and business leaders with the authority to make decisions for the organization. The governance committee will determine which projects should continue, which should be delayed, and which should be terminated. These decisions will be made based on determining which projects have the potential to create the most value for the company. Each project in the portfolio should align with business goals and be ranked on the strength of its business case outlining benefits, costs and risk. Keep this simple, but also be on the lookout for project interdependencies. You certainly don’t want a critical project bungled because it relied on deliverables from another project that was killed or delayed. The importance of strong governance in the portfolio process cannot be overstated. Projects that are nice but not essential drain away resources that could be used more productively. Focus on cutting unnecessary demand and don’t start new projects until you know for certain [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>That big project portfolio of yours is your biggest headache. It’s true. If you are like most companies, your portfolio has grown to an unwieldy size, which means you have way too many projects competing for the same resources. Here’s what to do.</p>
<p>First, inventory ALL projects and activities that require any kind of IT resources, making sure to include non-obvious ones like SMEs and user training time. According to Gartner, 60% of IT’s budget is spent on operational, “keep the lights on” activities, so it is important that these are included to ensure correct allocation of project resources. Projects that pull resources from core operations can create business risk.</p>
<p>Second, decide who will comprise a governance committee, i.e., who will make decisions concerning the portfolio. This should be a mix of IT and business leaders with the authority to make decisions for the organization. The governance committee will determine which projects should continue, which should be delayed, and which should be terminated. These decisions will be made based on determining which projects have the potential to create the most value for the company.  Each project in the portfolio should align with business goals and be ranked on the strength of its business case outlining benefits, costs and risk. Keep this simple, but also be on the lookout for project interdependencies. You certainly don’t want a critical project bungled because it relied on deliverables from another project that was killed or delayed.</p>
<p>The importance of strong governance in the portfolio process cannot be overstated. Projects that are nice but not essential drain away resources that could be used more productively. Focus on cutting unnecessary demand and don’t start new projects until you know for certain that existing projects can be completed and meet expected deliverables. This won’t be easy. Every project is “owned” by someone who thinks it is the most important project in the portfolio, so it is essential to let the business case data drive the decision, and not emotions or politics. We can all relate. This time of year I can see myself riding around on a John Deere with 4-wheel steering, a zero turn radius, and a 48-inch mowing deck. Grass cutting would be so much easier (okay, and a little fun). But, with financial resources being what they are, I can’t make the case for its purchase because it will not really provide any material benefit. It’s just a “nice to have.” So, back to my 21” push mower.  Sorry, John Deere dealer.</p>
<p>Half the year is gone.  As you look at how you will finish out the year and also prepare for next year’s portfolio of projects, the summer months are a great time to review your project portfolio and get the pruning shears out. Since 80% of the benefit usually comes from 20% of the projects, in portfolio management, less is always more.</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2014/07/10/cutting-your-project-portfolio-down-to-size/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Terminate the time guzzler: Inefficient meetings</title>
		<link>http://transaccelgroup.com/2011/11/15/terminate-the-time-guzzler-inefficient-meetings/</link>
		<comments>http://transaccelgroup.com/2011/11/15/terminate-the-time-guzzler-inefficient-meetings/#comments</comments>
		<pubDate>Tue, 15 Nov 2011 19:22:38 +0000</pubDate>
		<dc:creator><![CDATA[Greg Scott]]></dc:creator>
				<category><![CDATA[time]]></category>
		<category><![CDATA[agenda]]></category>
		<category><![CDATA[efficiency]]></category>
		<category><![CDATA[facilitation]]></category>
		<category><![CDATA[meetings]]></category>
		<category><![CDATA[risk]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=6064</guid>
		<description><![CDATA[Are you a big fan of impromptu meetings via Skype, Instant Messaging or other technology? These meetings seem to be laser focused because the meeting originator contacts you for a specific reason and has some targeted questions already at hand. Therefore, your ad hoc meeting has a clear-cut purpose, and resolution and closure is fast and painless. So, how do you take this paradigm and apply it to the biggest time guzzler in most people’s day—the inefficient meeting? Here’s how. Every meeting should have an agenda and specific objectives. This information should be communicated to participants well in advance so they arrive prepared. Your meeting should also be run by a facilitator who brings well-formed questions to the table; these are considered time-management “gold.” Every item on your agenda should have specific, corresponding questions that are used to elicit information and move you on to the next item. For example, if your project has the agenda item Risk Planning, some questions might include: An interesting thing occurs when the objectives and agenda are clear, the participants come prepared, and the facilitator keeps the discussion reined-in through the use of thoughtful questions: meeting objectives are met and meetings are adjourned on-time or early. Participants think, Wow! We finished everything on the agenda and I’ve even got some spare time to put back into my day…I love it. As the meeting owner or facilitator, you might even find participants actually look forward to your meetings as the most productive time of their workday. How cool is that?]]></description>
				<content:encoded><![CDATA[<p>Are you a big fan of impromptu meetings via Skype, Instant Messaging or other technology? These meetings seem to be laser focused because the meeting originator contacts you for a specific reason and has some targeted questions already at hand. Therefore, your ad hoc meeting has a clear-cut purpose, and resolution and closure is fast and painless.</p>
<p>So, how do you take this paradigm and apply it to the biggest time guzzler in most people’s day—the inefficient meeting?</p>
<p>Here’s how. Every meeting should have an agenda and specific objectives. This information should be communicated to participants well in advance so they arrive prepared. Your meeting should also be run by a facilitator who brings well-formed questions to the table; these are considered time-management “gold.” Every item on your agenda should have specific, corresponding questions that are used to elicit information and move you on to the next item. For example, if your project has the agenda item <i>Risk Planning</i>, some questions might include:</p>
<ul id="checklist-1" class="list-icon circle-no list-icon-fa-circle">
<li>What are the top risks having the greatest impact to the business? What is the likelihood of occurrence?</li>
<li>What are the mitigation strategies for each of these high risks? If mitigation is not viable, what is the contingency plan?</li>
<li>Has every potential risk area been identified (technology, business, project, resource, customer, operational)?</li>
</ul>

<p>An interesting thing occurs when the objectives and agenda are clear, the participants come prepared, and the facilitator keeps the discussion reined-in through the use of thoughtful questions: meeting objectives are met and meetings are adjourned on-time or <i>early</i>. Participants think, <i>Wow! We finished everything on the agenda and I’ve even got some spare time to put back into my day…I love it.</i> As the meeting owner or facilitator, you might even find participants actually look forward to your meetings as the most productive time of their workday. How cool is that?</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2011/11/15/terminate-the-time-guzzler-inefficient-meetings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mark that project APPROVED…</title>
		<link>http://transaccelgroup.com/2011/10/17/mark-that-project-approved/</link>
		<comments>http://transaccelgroup.com/2011/10/17/mark-that-project-approved/#comments</comments>
		<pubDate>Mon, 17 Oct 2011 19:55:53 +0000</pubDate>
		<dc:creator><![CDATA[Greg Scott]]></dc:creator>
				<category><![CDATA[Planning]]></category>
		<category><![CDATA[budget]]></category>
		<category><![CDATA[business case]]></category>
		<category><![CDATA[cost]]></category>
		<category><![CDATA[PMO]]></category>
		<category><![CDATA[resources]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[scope]]></category>
		<category><![CDATA[time]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=6073</guid>
		<description><![CDATA[Today, every company is pursuing more projects than it can successfully handle, and that puts your project at risk of not getting the approval it needs to move forward. So, what can you do to make sure that a governance committee review doesn’t leave you and your project on the outside looking-in? Follow these steps to give your project an advantage over other projects in the queue for review. Understand and communicate the business case for your project. This starts with understanding the business strategy and business drivers that prompted your project in the first place. If you don’t understand what the business is trying to accomplish, you have very little chance of your project hitting the mark. Once the business strategy and drivers are clear, identify very specifically—and quantitatively where possible—exactly how your project will provide benefit relative to the business drivers and business strategy. Work with key people in the business area to develop and review the business case to ensure that it is sound and strong. Creating a solid, strong business case is the most important factor in not only getting the project approved, but also in ensuring that the project team clearly understands what is to be accomplished, why, and how it will help the business. Identify resourcing needs by role. Resources, especially people, are always in high demand, and you need to be very clear about the resources that your project will require (people, facilities, equipment, etc.). Clearly identify your resource needs by being specific. Assuming that your request for two technical analysts will get you what you actually need might be a mistake. Having the right skills, expertise and individuals detailed on a project can greatly improve the [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Today, every company is pursuing more projects than it can successfully handle, and that puts your project at risk of not getting the approval it needs to move forward. So, what can you do to make sure that a governance committee review doesn’t leave you and your project on the outside looking-in? Follow these steps to give your project an advantage over other projects in the queue for review.</p>
<ol>
<li><b>Understand and communicate the business case for your project.</b><br />
This starts with understanding the business strategy and business drivers that prompted your project in the first place. If you don’t understand what the business is trying to accomplish, you have very little chance of your project hitting the mark. Once the business strategy and drivers are clear, identify very specifically—and quantitatively where possible—exactly how your project will provide benefit relative to the business drivers and business strategy.
<ul>
<li>Work with key people in the business area to develop and review the business case to ensure that it is sound and strong.</li>
</ul>
<p>Creating a solid, strong business case is the most important factor in not only getting the project approved, but also in ensuring that the project team clearly understands what is to be accomplished, why, and how it will help the business.</p></li>
<li><b>Identify resourcing needs by role.</b><br />
Resources, especially people, are always in high demand, and you need to be very clear about the resources that your project will require (people, facilities, equipment, etc.). Clearly identify your resource needs by being specific. Assuming that your request for two technical analysts will get you what you actually need might be a mistake. Having the right skills, expertise and individuals detailed on a project can greatly improve the probability of project success.</li>
<li><b>Identify project interdependencies.</b><br />
As a good project manager, I expect that you will have identified dependencies within your project as part of your project schedule. With the complex business environment that exists today, you also need to identify dependencies that are outside of your project to make sure that external factors do not inhibit your project’s ability to succeed. For example, if your project requires customer master data to be available—and that is a key deliverable from a different project—you have to identify that interdependency and evaluate the risk to your project if that deliverable does not occur as planned. This allows both projects to understand the dependency and provides greater visibility and increased opportunity to manage and mitigate the risk. The Project Management Office (PMO) will know your project is likely to be well managed when they see the project interdependencies identified.</li>
</ol>
<p>Additionally, all projects will require identification of project costs, timetables, risks, etc., as is normally requested by governance committees. The above points are not extensive, but are meant to help you differentiate your project from other projects being evaluated.</p>
<p>If you go to the governance committee with these items ready for review, you will not only put yourself in the best position for project approval, but you may also become the model for how other projects should be packaged for governance review.</p>
]]></content:encoded>
			<wfw:commentRss>http://transaccelgroup.com/2011/10/17/mark-that-project-approved/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
