I don't envy IT project managers who have to deal with information security projects in their daily tasks. Being a technical person who lives and breathes information security every day is hard enough, especially when trying to keep up with all of the nuances, changes and challenges that crop up in this field. I can't imagine being a project manager with a limited background trying to manage these things on an ongoing basis. Mix in the big egos that run the gamut, and I'm not sure how project managers do it.
It's trial by fire from what I see with the project managers I work with. They jump in headfirst and deal with the issues. Stress, anxiety and other unpleasant side effects go along with managing information security projects. I've had these project managers tell me they know they need to learn more about information security concepts, but they aren't quite sure where to start.
You may not want or need to become a security expert, but maybe you're looking to beef up your skills to talk the talk with engineers and customers, read reports, give feedback on projects and so on. Here are some good areas to focus on for information security projects.
Learn the basic terminology of information security. There are three main terms to decipher: threats (indications of intent to cause harm, which can come from people, malware and so on), vulnerabilities (weaknesses in systems, software, processes and people) and risks (the likelihood of a threat exploiting a vulnerability). Wrapping your head around the differences between these three can really help.
Learn how basic technical security controls work. Consider topics such as anti-malware, data loss prevention and intrusion prevention. You can get more information on these technologies from security product vendor websites, YouTube and the like.
Learn about programming languages and platforms. Even if you took fundamental programming courses in college, jump in and learn more about the different available languages and platforms, including Java and C#.
Learn about mobile security concepts and technologies, including mobile device management and full disk encryption. And learn about basic security risks that go undetected or ignored in enterprises.
Learn about how the bad guys think and the hacking methodology they use to attack networks, computers and people.
Learn about corporate compliance. This includes the big regulations: HIPAA, HITECH Act, GLBA and PCI DSS. Reading through the PCI DSS document is one of the best things you can do to learn about fundamental security best practices.
The most important thing to know about managing information security projects is that every single situation is different. It doesn't matter what the security researchers and analysts claim, and it doesn't matter what the security vendors push on you. No two businesses have the same information security needs. It's all about risk, risk tolerance, culture, politics and money. Nothing is black and white in security, but not enough people pay attention to what truly matters.
It may seem overwhelming at first, but if you manage projects involving information security, learning and fine-tuning these skills will no doubt make things easier on you long term. Take the time to educate yourself now and the payoffs can be tremendous down the road.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author/co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies.