By Chris Andrews, PMP, CompTIA Security+, Scrum Master, NIST 800-53 Practitioner, and
Susan Parente, PMP, PMI-RMP, PMI-ACP, CISSP, CRISC, RESILIA
This post is Part 1 of a two-part series.
Cyber influences the minutes of our days. We have never-ending updates to our online digital world. As you read this, that digital world is under attack. Headlines and Tweets redirect the world’s focus away from our pristine peace to the vulnerability of information. Relentlessly, malicious actors attack our networks, and information systems scream an alarm about the importance of cybersecurity. News services write around the clock of illicit cyber-attacks by state-sponsored actors, cyber criminals, headline-hungry hackers, angry netizens and cunning script kiddies[1]. On the defense, the good guys (industry giants, government offices, project managers) are forced to spend time and resources protecting networks against the barrage of attacks occurring by the nanosecond.
Cyber-attacks: A Daily Part of the Project!
Since 1979, when 16-year-old Kevin Mitnick famously hacked into a Digital Equipment Corporation computer, our interconnected world has suffered the burden of cyber-attacks. Websites are dedicated to preserving the memory of these violations [2] and headlines exhaust our production schedules with endless streams of disruption and fear.
Notably, in November 2020, cyber-actors attributed to Russia[3] successfully conducted an attack on tens of thousands of government and industry networks in what NPR called a 'worst nightmare' cyber-attack. The attack on the SolarWinds family of network products (Orion) was decisively destructive. The hackers’ ability to deliver code through the ever-trusted software updater ingeniously injected malware into over 18,000 victim networks. Like a digital cancer, the largest supply chain attack ever perpetrated found its way to the backbone of America’s information technology infrastructure.
Early in January 2021, suspected Chinese cyber-actors[4] attacked global Microsoft Exchange Servers. Industry giants, regional enterprise networks with thousands of users, even “mom-and-pop” businesses were victimized. As of late July, the political might of several nations [including North Atlantic Treaty Organization (NATO) countries] has stepped up to publicly attribute these attacks to China.
A now-famous attack in May of this year (2021) on Colonial Pipeline seized 45% of the supply of American fuel for almost a week. A multi-million-dollar ransom did not quench the assailants’ appetites.[5] Assumed Russian-based criminal groups cyber-attacked a major food supply chain on 6 June, following years of warnings, and audaciously repeated similar ransomware attacks over the U.S. 4th of July weekend.[6] [7]
There is no lack of cyber-attacks on organizations. The powerful political, economic, industrial and social competitions around our globe thankfully have spared all from battlefield confrontation but have embroiled us in an equally sinister conflict of ‘cyber bombs’ dropped for maximum disruption and destruction.
Actions Taken
Due to the bruising one-two cyber punches, there are efforts to push back on the attackers and draw lines in the cyber sand. Beleaguered cyber victims hope for a bronzed muscleman to kick sand back at the bullies. Striking back, as part of the most recent National Defense Authorization Act (NDAA), NSA veteran Chris Inglis was confirmed by the U.S. Senate as the White House Cyber Czar on June 17th.[8] The new Cyber Czar has an enormous role coordinating Federal agencies’ work on cybersecurity management and overseeing the United States’ digital defense strategy.
That same month, across the Atlantic, at a summit in Geneva, U.S. President Joe Biden and Russian President Vladimir Putin agreed to discuss cybersecurity issues relating to the two countries. The uncertain outcomes will likely be the focus at many levels of diplomatic and industrial discussions for some time to come.[9]
Cybersecurity as Part of the Project
The refrain is: project managers (PMs) manage projects, not cybersecurity! Isn’t cybersecurity the IT department’s worry? The Chief Technology Officer and IT Department Director are veterans in the industry and know what they are doing. Why should the PM poke their nose in this arena? How do project management and cybersecurity relate? Amazingly, the term cybersecurity does not appear in the current version of the Guide to the Project Management Body of Knowledge (PMBOK® Guide). Should the PM be expected to integrate cybersecurity into the project? Don’t take offense at this if you are a PM. I think we as PMs understand: we are focused on issues, deadlines, budgets, critical paths, risks and our teams. We do not monitor firewalls and intrusion detection lists on our Kanban board or Gantt Chart. The basis of these questions is an assumption that project managers tend to lean upon IT departments or hired-gun incident response companies to manage the ‘cybersecurity’ threats. In general, we all have too much on our plates to have to worry about cybersecurity hacks in our project timelines, right?
Welcome to the new world. Much like raw materials, shipment delays, or dissatisfied stakeholders gnawing at our energies, project managers must now add cybersecurity as a critical project expectation. Consider the threats and rising likelihood of project information being lost, stolen or held for ransom by criminals or state actors. These threat risks are increasing in impact, not just likelihood. An untimely disruption or destruction of data or cyber-attacked hardware assets would be catastrophic to the project timeline. Due to this, cybersecurity must be included in every process group of project planning: initiating, planning, executing, monitoring & controlling, and closing.
Compounding the seriousness and complexities of cyber issues facing the project manager, the convenience of teleworking, coupled with the rapid adoption of cloud services, exponentially places our project data and associated information at enormous risk. The information technology (IT) departments of organizations work night and day, ensuring the integrity, confidentiality and availability of our project systems and their data. This should serve as an alarm that the accountability of system and data security must be a shared responsibility of the PM and the IT department providing cybersecurity support.
Conclusion
Our hope with this article is that you consider the value and responsibility of the Project Manager as a cyber defender. As such, the PM should proactively identify and manage cybersecurity risks to preempt the constant attack on project information assets and cyber systems.
Part 2 of this article, to be posted later this week, will address several ways project managers can plan for cybersecurity when managing their projects.
About the Authors
Chris Andrews
Chris Andrews is a cybersecurity consultant, speaker, author, and knowledge management mentor with more than 30 years of experience leading small to medium-sized projects spanning multiple industries globally and delivering services for the federal government inclusive of the DoD and for public and private sector organizations. He currently works as a cybersecurity threat analyst (contractor) for the U.S. Department of Defense.
Susan Parente
Susan Parente is a project engineer, consultant, speaker, author, and mentor with more than 25 years of experience leading software and business development projects, including large complex IT software implementation projects, and establishing Enterprise PMOs in the public and private sectors, including the DoD and other federal government agencies. She is a co-author of “Global Hot Spots: How Project and Enterprise Risk Management Practices Drive Business Results Around the World” and “Hybrid Project Management: Using Agile with Traditional PM Methodologies to Succeed on Modern Projects”.
[1] https://en.wikipedia.org/wiki/Script_kiddie
[2] https://en.wikipedia.org/wiki/List_of_cyberattacks
[3] https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack
[4] https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
[5] https://www.zdnet.com/article/colonial-pipeline-ransomware-attack-everything-you-need-to-know/
[6] https://www.politico.com/news/2021/06/05/how-ransomware-hackers-came-for-americans-beef-491936
[7] https://www.dailymail.co.uk/news/article-9756079/REvil-ransomware-hackers-demand-70M-Bitcoin-decryption-key.html
[8] https://www.politico.com/news/2021/06/17/senate-confirms-chris-inglis-cyber-495075
[9] https://www.diplomacy.edu/blog/what-future-cyber-detente-after-biden-and-putins-geneva-summit