BradEgeland.com

5 Reasons Why Remote Project Management Will be the New Normal

4/30/2020

As a response to our Shelter in Place Lockdown restrictions due to COVID-19, I wanted to express my belief that remote project management is the way to go and will be the new normal for many project managers and project teams across the US and around the world. Click on the image of me at the top of this article to watch the 8-minute video or go here.

Please share your thoughts on this topic and tell me about your experiences working from home these past few weeks. Has it been productive? A failure? And why?

And please check out my latest book "A Real World Project Manager's Guide to the Successful Project" and the rest of my books at http://www.bradegeland.com/books--white-papers.html. You won't be sorry...

Should You Hire a Hacker?

4/30/2020

Is the best way to protect against a hacker to hire one? Find out why organizations are paying “white-hat hackers” to test their network’s protections.

Why would an organization hire hackers to try to infiltrate its systems? Despite the risks involved, an increasing number of organizations are turning to white-hat hackers, also known as ethical hackers, to test their vulnerability to cyberattacks. Provided an organization understands and has prepared for the risks, hiring a hacking service can deliver expert insight into how that organization can effectively enhance the protection of its network and systems.
​
Just as doctors are experts in the medical profession, hackers are considered experts in the field of cybersecurity, or more precisely, in methods of cyber intrusion. Hackers know how to infiltrate a network and gain access to an organization’s valuable data. Ethical hackers understand the methods of a malicious hacker, but are motivated to help organizations identify and secure vulnerabilities rather than exploit them.

The Hacker Hierarchy

As most computer users are aware, some hackers are malicious and untrustworthy. One noteworthy example of a hacker who transitioned from “bad to good” is Kevin Mitnick. Mitnick is a notorious U.S. hacker who spent time in jail for hacking into 40 major corporations, but he is now considered one of the most knowledgeable gray-hat hackers in the nation and has been hired by many organizations to help detect vulnerabilities.
  • Script Kiddies – Script kiddies are among the lowest levels of the hacker hierarchy. They are usually young, tech-savvy individuals who are more interested in exploring the Darknet and testing their own capabilities than they are in performing targeted attacks. Script kiddies often discover vulnerabilities accidentally by playing around with technology. Once they discover valuable or private information, such as the password of a celebrity, script kiddies will often continue their activities until they’re caught or access is denied.
  • White-Hat Hackers – White-hat hackers (also known as ethical hackers) are more skilled than script kiddies and usually more respected. Individuals in this category earn the trust of the public more easily than other hackers because they have no previous involvement in illicit activities. Ethical hackers are focused on using their skills to benefit society rather than causing harm.
  • Gray-Hat Hackers – Gray-hat hackers, like Kevin Mitnick, are reformed “bad” hackers who have previously engaged in unauthorized hacking attempts. These hackers once worked on the “dark side” with the intent to harm users through illicit activities, but often due to life-changing events, they now apply their skills to help users and organizations find vulnerabilities in their systems and protect against cyberattacks.
  • Black-Hat Hackers – Black-hat hackers focus on breaking the law through their actions of stated intent. This group includes hackers who conduct disruptive activities against businesses, usually for financial gain. These hackers often use their skills for their personal benefit and their agenda is considered criminal or closely related to the actions of criminals.
  • Suicide Hackers – Suicide hackers are often associated with terrorist or vigilante groups. One such group is Anonymous, a decentralized international group noted for its attacks against governments and other well-known public corporations. This category of hackers assumes an antiestablishment stance with causes that include political, terrorist, or other disruptive activities.

Is a Hacker Necessary?

Organizational leaders place a lot of trust and confidence in the abilities of their IT department. These departments are full of competent and hard-working individuals dedicated to protecting a company’s systems, so why would leadership feel the need to bring in an outside party?

While IT professionals are often highly skilled at designing and implementing security measures, hackers possess the ability to think outside the box and bypass those security measures. The methods they use may not be on the radar of formally trained IT professionals. Hiring ethical hackers, who share the same natural curiosity and mindset as malicious hackers, can help an organization “test” its network security ahead of a real cyberattack.

This approach, done with the support of the IT department, helps identify vulnerabilities and verify security measures of devices and systems. The information gained can help the IT department enhance its protections.

It’s important that organizational leaders explain that hiring an ethical hacking service is not a test of the capabilities of the IT department, but rather an additional measure to help build the most secure infrastructure possible.

Vetting a Hacker or a Hacking Service

One of the initial hurdles when considering whether or not to hire a hacking service is, first and foremost, whether the hackers can be trusted. These individuals will be tasked with identifying a system’s vulnerabilities, which could result in access to highly valuable and sensitive information. This risk must be properly evaluated and hackers carefully vetted. In order to assess and select a hacking service, an organization should consider the following:

The needs of the organization

Is the goal to identify unknown vulnerabilities in the system? Is it to test the cyber readiness of employees? Or is the goal to verify the robustness of the organizational network? Clearly stating the goals and purpose of hiring a hacking service will help determine what skills and services are needed.

Conducting an organization-wide inventory assessment

As part of the preparation process, conduct a thorough inventory of your organizational assets. An organizational inventory assessment identifies all the networked devices within the system, as well as valuable information stored in its systems. This list will help determine what risks (vulnerabilities) are associated with each asset and what devices should be tested by the hackers.

Vetting and reference checks

During this phase, it’s important for an organization to consult with a human resources specialist to ensure proper vetting of the selected individual(s) or service. At a minimum, this process should include a thorough and robust background check, multiple character reference verifications, and past customer recommendations.

Assessing the skills and proficiencies of hackers

As part of the vetting process, organizational leaders should verify the capabilities and skills of candidates to ensure they possess the technical and physical control skills needed to assess the organization’s systems. Technical controls include knowledge of software and hardware devices, such as firewalls and intrusion prevention systems (IPS). The candidates must understand physical control systems that prevent physical entry to buildings. They must also understand the organization’s policies and procedures involving these systems, so they can make recommendations to modify and bolster them.

Legal considerations

It’s also important to involve the organization’s legal team in the selection and vetting process. Personnel performing the ethical hacking process are agents of the corporation, which is liable for any damage that may occur to its system or to outside parties. Monitoring the actions of ethical hackers can assist in the minimization of damage to property and reduce liability. Organizations remain responsible for the actions of any entity representing the organization—this is a responsibility that cannot be delegated and is considered due diligence. Therefore, it is important that organizations thoroughly understand the liabilities associated with actions of an ethical hacking service.

Expected Outcomes from a Hacking Service

What can an organization expect to gain from using an ethical hacking service to discover vulnerabilities? The short answer is peace of mind.

Using a hacking service allows the organization to discover if someone gained improper access to its computers or network. It may also discover that its software has not been properly updated with the latest security patch or is no longer supported by the supplier.

The hacking service can also expose insider threats and weaknesses. Whether intentionally or otherwise, employees often expose blind spots within the organization through their daily interactions. A vulnerability scan can discover actions by employees or partners that cause risks to the organization.

One example of the risk of third-party vendors is the massive 2013 data breach of Target, when a subcontractor stole network credentials and accessed more than 40 million customers’ credit and debit cards. This intrusion cost Target $18.5 million. If Target had completed a comprehensive vulnerability assessment and accepted the security recommendations, the likelihood of such a data breach would have been significantly less.
​
The strategic decision to employ an ethical hacking service can be extremely beneficial for an organization, resulting in increased awareness of unknown vulnerabilities and the implementation of stronger security measures and network protections.

Article by Kenneth Williams, Ph.D., Executive Director, APUS Center for Cyber Defense (CCD)

This article is featured in the magazine Preventing a Cyberattack: A Guide to Cyber Readiness.

5 Secrets to Increase Profits On Your Next Project

4/30/2020

All resources matter on the project.
​

Without all resources working cohesively and effectively together, it can become nearly impossible to effectively and successfully deliver on the project. But beyond that – looking to the revenue level and the profitability on the project... everything affects it, but close management and oversight of it comes down to the project manager. No one entity on the project has the insight, access to info, and overall project knowledge from that standpoint to effectively manage how healthy the project financials are.

Also, not only can the project manager help keep the project on track financially, they can also help increase project revenue and profitability through effective financial management, scope management, and customer and team management. Many things do affect all of this – well beyond my list below, I know – but for me it starts with regularly performing these five tasks... my secrets to keeping project revenues high and project profits hopefully higher than expected. Let's discuss...

New Project Manager? Read This...

4/30/2020

Are You a New Project Manager?

We all have to start somewhere. At some point in time, all of us are new to project management. There are a few different ways we can choose, move into and even fall into the role of project manager. Sometimes we choose our path into project management and sometimes the career choice is forced upon us out of organizational need. Whatever the reason your career found you here in this world of project management, you are now a leader in your organization and responsible for profit margin, leading teams focusing on Lean project management / simple projects or major high dollar project initiatives... whatever those in charge deem necessary for the organization... it's all about leading successful projects.

Let's consider each...
Choosing our own path. Sometimes we make our own choice and move into the role of project manager or at least take some obvious steps and seek out guidance and proactively work to land a PM role. I did. I realized at some point early on that being a software application developer was not what I wanted to do for the rest of my life. I talked to my manager, sought his advice on how to make the move from developer to project manager, and I ended up being bid for a project management leadership role on a very large, multi-million dollar government project. We won the contract, and I moved into that role. I realize not everyone has government contracts to be proposed on, but you can still take control of your career, make a choice and make the switch. If project management on technical projects is of interest to you and you have the leadership and organizational skills to pull it off, you'd be amazed at how much that technical background you have will help you in the role of technical or software project manager.

Forced entry into PM. Sometimes the move into the role of project manager is not made by choice. Sometimes it happens out of organizational need. I've seen many department managers who were asked to – or even forced to – move into the role of project manager for the first time due to an organizational need. In this case it can be frustrating, while also being somewhat of an honor because the company you work for characterized you as an individual with the skills or potential to be a good project manager. Not all who are forced into the role go there willingly or look at it as this type of honor. However, it does take a person who has very good organizational skills, can easily gain the respect of a talented project team and lead them on a complex project, and gain and retain the respect of many in the organization. Not everyone can do that – so, yes, it can be looked upon as a positive sign that the leadership in the organization saw you as that type of individual that could thrive as a project manager as they asked you to take on this new role.

Focus on best practices

If you're new to project management or planning the move, then project management best practices are your next concern. What are the keys to project management success? How do I lead a team? When do you meet with the project team and the project customer? What about collaboration? Basically, best practices are logical actions or activities that help lead to efficient project management and help ensure more frequent project successes. There's a good chance that everyone's “best practices” will differ a bit and will always depend on a few things:


  • type of projects being managed
  • industry you're managing projects in
  • wants and needs of the customer
  • practices and policies of the delivery organization

Let's consider a few key best practices to focus on...

Formal project kickoff. Whether it's a 15 minute phone call or a two day extravaganza at the customer's site, always conduct some sort of formal project kickoff session. It gives everybody involved a starting point and a chance to start the project on the same page with proper expectations set for the management of the project and their role in it.

Detailed requirements definition. The customer will likely come to you with a list of requirements. The customer may say they are detailed requirements. Likely they are not. Consider these to be high-level requirements – sort of a starting point. Now it's you and your team's responsibility to dig deep and pull out the real requirements for the engagement.

Regular project status reporting. Keep it simple, but stay on it and produce status reports regularly...preferably weekly. Choose a project status report and process that is repeatable and doable for you and the customer – and don't forget your reporting needs to your senior management. Choose the right layout/format and you may only need to produce one report that fits all needs. Management likes dashboards, graphs and green-yellow-red status health for a quick view.

Ongoing budget forecasting and analysis. Review and revise the project budget weekly so as to never lose control of it. A budget that is watched closely – weekly – and has gone 10% over the forecast can be quickly corrected. One that is not being watched closely and has suddenly gone 50 or 60% over the original forecast, likely cannot be corrected. It may be too far gone.

Use a good collaborative project portfolio management tool. Affordable, full-featured and collaborative project management tools abound – so there is no excuse for not using one. The newer the project manager you are, the more you'll appreciate the close collaboration a good tool can allow with your project team members. Project staff will be able to share documents, information and progress status of assigned tasks without the need for the project manager to be the only individual managing the project schedule. Since management of the schedule needs to be an almost daily concern, this collaboration will help free-up valuable hours on the new project manager's schedule. Concentrate on good resource management - it can be a major slippery slope on any project at any time. A tool with integrated resource management is key.

Summary / call for input

At one time or another we are all new to project management. Some of us wanted to get there and do great things while others had greatness thrust upon them – at least initially – unwillingly. What's your story? How did you initially become a project manager? Looking back, do you consider that it was a good career move? Please share your story.

PMO Health Check 101

4/30/2020

Do you have a healthy PMO? Is it run efficiently? Is it constructed for the “now” or for the long haul? Will it be here in this form in 5 years or is it going to need to be rebuilt? Is it scalable? Are you running the right projects with the right people? Do you have the right people to run the projects when you do get them?

If you are a project-centric organization, then a project management office (PMO) that is run effectively, efficiently, productively and focused on delivering great projects from great leaders is what it's all about.
PMO health is all about...

Having the leader at the helm. A PMO that is headed in the right direction has an experienced leader at the helm. This person should have both a project management and resource management background, but this person should only be directing going forward. It is not wise to put a director in charge who will also be leading projects. This stretches that individual too thin – they will find that they are not available for PMO issues at key times and staff development and engagement will suffer in the long run. Indeed, the PMO will suffer greatly and it will likely be doomed to fail.

Selecting the right PPM tool to position your projects for success. Whether you have a project portfolio management (PPM) tool in place presently or not, you need one that fits your organization, project needs and reporting needs. So, if you have one, it may need to be rethought. If you don't have one, you should probably get one. The right PPM will help you analyze and choose the right projects. What technologies is your company equipped to handle this next quarter? What are your revenue goals and do the current projects in the pipeline match up with those two and other criteria you've set up to help determine what projects to start next or even chase next? Your PPM should be able to help you with those decisions. And beyond PPM – there is such a thing as a hybrid PPM approach which allows you to combine the best of Scaled Agile with all major features of common PM standards including PMI, IPMA and PRINCE2. With a hybrid PPM / project management tool you can work smarter by taking advantage of fully integrated agile methodologies such as Kanban boards complementing proven, traditional tools like WBS and Gantt charts. Is it for your organization? You need to decide that based on your organization's PM methodology.

Making sure you have the available staff ready. Projects are coming – are you ready with seasoned professional project managers and the talented professionals that will be needed with the right experience to make up the project teams to work on them? I worked with one organization that had great people and a great product for the Las Vegas entertainment industry and the California movie industry, but they were selling projects faster than they could staff them. They were failing to get a handle on their resource management and the amount of resources of each kind that were needed to staff all the projects that the CEO was out selling. They brought me in to help them figure out how to understand their resource planning and overutilization and how to forecast resource needs for all the projects that were coming up. This is yet another example of where a PPM for integrated resource management would easily take care of an organization's needs. Once we fixed that together, the growing organization got back on track with planning and prioritizing projects and stopped causing frustrating delays for their very valuable awaiting project clients.

Ensuring the organization's leadership is behind you. Nothing says you’re in it for the long haul like being the baby of someone high up. Of course you need to perform as well. But if your PMO has the buy-in from the leaders at the top of your organization, then the likelihood that it will be well funded and well stocked with competent, seasoned project managers is much higher. You need for important projects to be thrown to the PMO right from inception and that will only happen if you have buy-in for the PMO infrastructure from the leaders of the company. If you don't have that buy-in, then it may be an uphill struggle getting all projects to originate in and be executed by the PMO.

Summary / call for input

A healthy PMO means a healthy PM infrastructure and more successful projects for the organization. That leads to happy management, more revenue, more profitability, more projects, more customers, etc. Stick to these PMO best practices listed here and you're on the right track to a high PMO health score. Check it often; PMOs can struggle at any time – don't get off track.

Readers – what's your take on this list? What struggles are you having with your PMO? Support, staffing, lack of successful projects?

Top Five Ways Augmented Reality is Impacting Marketing and Advertising

4/30/2020

Top Five Ways AR is Impacting Marketing and Advertising...

Enter Real Environments – Marketers can allow their audiences to use AR to enter real environments via their mobile device.  By providing users with a completely immersive 360 degree view, they can get closer to the world that the marketer would like to present. From stadiums, stores and hotel rooms to outdoor venues and even live concerts, AR will help bring consumers closer than ever to the brands they love. An example can be seen at: triggerglobal.com/work/vuforia-tango-keynote

Bring the Brand to Life – By using AR, companies can “overlay” their experience directly into the real world of the consumer, delivering a new level of interaction and opportunity.  When consumers can see their favorite brands and characters right in their own, familiar environments, it provides a deep connection, which can lead to increased brand engagement.  For example, prior to the release of The Last Jedi, fans were able to go to major landmarks around the world, such as the Eiffel Tower, Golden Gate Bridge and Niagara Falls and see a life-sized Star Destroyer in AR hovering above. An example can be seen at: triggerglobal.com/work/star-wars-landmark-ar

A New Level of Social Media Engagement – Brands are always seeking ways to increase their social media engagement with their followers and fans. AR presents a powerful tool to deliver unique experience, visuals and videos that encourage social creation and sharing.  Facebook, Instagram and Snapchat are already using AR to provide new tools for their users.  The more content a brand can provide to its fans, the more buzz it can potentially secure on social media. An example can be seen at: triggerglobal.com/work/Snapchat-lens-studio-partner

Using Location-Based Experiences for Marketing – From retail stores and restaurants to hotels and concert venues, many businesses still rely on foot traffic to be successful. By adding AR to the businesses’ marketing mix, they can develop compelling content to bring consumers to their location. These location-based experiences can utilize the existing location’s footprint and add a new layer of interactivity, content and personalization. By providing unique experiences, such as AR photos with the brand’s images or compelling games that use the location as the “playing field,” brands can bring in traffic while separating themselves from the competition. An example can be seen at: triggerglobal.com/work/disney-resorts-sw-rebels

Keeping a Brand Fresh – Any brand can create an app, website or Facebook page, but the challenge is developing fresh content to bring consumers back.  AR presents the opportunity to deliver something new and exciting to consumers, while also allowing marketers to continually update the experience, so that consumers will want to see what is next and new.  We are still in the early stages of AR being used for marketing and advertising, but some brands have already done amazing things and the future is bright. An example can be seen at: triggerglobal.com/work/nba-ar-app

AR AND 5G

With the advent of 5G technology, many industries are poised to be reshaped.  From self-driving cars and healthcare to manufacturing and entertainment, 5G will have a major impact on both businesses and consumers. One area that will see a major impact due to 5G is augmented reality (AR).  Jason Yim, CEO of mixed reality agency Trigger, has some great insights into why 5G is the technology that will push AR into the mainstream and how AR can become a part of everyday life.

Here are four reasons Yim sees AR truly taking off after 5G becomes widespread:
​
  • Size of content: Basically a “bigger pipe” allows AR creators to push more content to a device.  For example, Volumetric 3D video is a hot topic within the AR industry. Right now that type of content has to be preloaded into an app and is so size prohibitive that content creators have to use it sparingly. Yim believes that if 3D content could be streamed, it would open up many content opportunities in industries including entertainment, sports or even travel and hospitality.
​
  • Micropositioning: Yim states that the anticipated leap in accuracy of indoor positioning with 5G will be a game changer in retail and other locations including airports, museums and theme parks. Consumers will have access to advanced AR experiences that more accurately allow them to see yet-to-be-purchased furniture in their living room, new clothes on their body before they order, new types of experiences at tourist locations and more.

  • Connectivity at events: With 5G, those going to large public arenas, events, concerts and sporting events will no longer be bogged down by the concentrated traffic. Therefore, consumers will be able to take part in amazing, new social experiences that up until now could not be done because of bandwidth

  • Speed to the cloud: Some AR experiences hinge not on the size of the file, but the speed of processing and transmission. A Google Lens-type of recognition tool, where for example you point at a flower and get identification back, may only appear to the consumer as a few lines of text, but its usability depends on its speed. Waiting 2 seconds may create a very frustrating user experience, especially over many scans and frequent use vs. an "instantaneous" response.  5G will vastly increase speeds in communicating with the cloud, delivering a much better consumer experience.

5 Key Challenges Project Leaders Face

4/30/2020

Project managers are constantly facing challenges that threaten the success of the projects they lead and the teams that they manage. My list of those challenges based on over 20 years of leading tech projects is never-ending, but I’ve narrowed it down to five for the purpose of this blog. As you read, please consider your own challenges to share and discuss.
​
Financial management/budgeting. Managing budget is a huge challenge for project managers – especially on large, long-term engagements where unchecked, slow, scope creep can eat through a budget almost undetected. That’s when you find yourself three months from go-live with no money left. Try telling a customer that you need more money and see how that sits with them. I’ve had to – and I was monitoring the budget closely. It was with a very large government agency and they were not happy. As the project manager, the best thing you can do is ensure that the budget is closely monitored; that it is in the project team’s, and the customers’, faces at every status meeting. This can be part of the weekly status report and meeting discussion or as a separate weekly report...

5 Ways Organizations Can Better Secure IoT Devices

4/30/2020

Manufacturers, businesses, and other organizations can better secure their IoT devices by following five best practices:
  1. Take note of every network endpoint added. Every endpoint added to your network creates more areas through which cybercriminals can attack. Deloitte advises organizations to bring as much of their endpoint footprint as possible under their security management. Spending on IoT endpoint security is expected to rise to more than $630 million in 2021, according to Gartner analysts. Once more of these connected devices are properly managed, integrating security tools can become a more effective process.
  2. Align operational technology, IT, and security. In addition to deploying IoT devices, organizations are managing digital transformation projects at the same time. But less than 10% of cyber budgets are allocated to these efforts, according to a "Deloitte Future of Cyber" study. To successfully achieve their goals with their IoT initiatives, companies need to understand the enterprise and cyber risks, create a plan to prioritize and mitigate those risks, and then align the process across all the major stakeholders, including operational technology, IT, and cybersecurity. "IoT spans operational environments as much as it includes wearables, connected cars, and products," Peasley said. "Organizations should proactively plan for how to identify, track, patch, and remediate around how it all could impact their organizations and ecosystems."
  3. Know the players in your ecosystem. The interconnectivity of third-party hardware, software, or services could be the source of a security breach. Therefore, organizations need to consider how a connected device interacts with these third parties. Contracts with third, fourth, and fifth parties should address security updates and concerns. Organizations should also set up a third-party risk management program to evaluate the cyber risks of their third-party and supply chain partners.
  4. Employ artificial intelligence and machine learning to detect anomalies that humans cannot. Artificial intelligence for IT operations (AIOps) has grown from an emerging category into a necessity for IT. AIOps platforms are uniquely suited for establishing a baseline for normal behavior and for detecting subtle deviations, anomalies, and trends. Organizations should take a secure by design approach in tandem with an AIOps approach to prevent and identify cyber attacks.
  5. Conduct vulnerability assessments on devices. As cyberattacks continue to grow, organizations should ensure that their connected devices — and the environment in which they're deployed — have been designed, built, and implemented with security in mind. Whether through basic testing or a bug bounty program, testing can provide assurance of the security protections in place for connected devices.

Learn What A Vulnerability Scanner Is and How to Use It

4/26/2020

The looming specter of a data breach is enough to give most IT team members nightmares. Beyond the potential financial losses that can come with a breach, a business can also lose customers as trust dwindles. Luckily, vulnerability databases such as the NVD are here to help. Companies can refer to them, identify vulnerabilities in their systems, and patch them before cybercriminals can even get their hands on this information.

Despite the presence of these databases, it is surprising to learn that 80% of enterprise applications still have at least a single unpatched vulnerability. Such a point of weakness is simply the sign of a data breach waiting to happen. With a vulnerability scan, however, your IT department can identify and patch vulnerabilities as well as come up with sustainable solutions.

Here is what to know about vulnerability scans and their use in building a strong cybersecurity posture:

What Is Vulnerability Scanning?
In a nutshell, vulnerability scanning involves assessing your business's systems for security issues. This includes systems like servers, virtual machines, laptops, desktops, firewalls, printers, switches, and containers. A vulnerability scanner will attempt to establish the operating system, software, open ports, and any user accounts that a scanned system contains.

Once it is done building an inventory of your IT assets, the scanner will then compare every item in the inventory against the data in vulnerability databases to identify if any of these items have vulnerabilities. It is the role of your IT department to work on patching the vulnerabilities that demand attention. The comforting thing is that most of the vulnerabilities in these databases already have a patch, which you can apply to your affected systems.

Vulnerability Scanning Vs. Penetration Testing
Although they are quite different, it is common for people to confuse vulnerability scanning with penetration testing. A vulnerability scan aims at identifying corporate systems that might be subject to already known vulnerabilities, while a penetration test aims at identifying weaknesses within your organizational processes and practices as well as specific system configurations that could easily be exploited by cybercriminals. Here are some of the practices that are involved in a penetration test, but aren't done in a vulnerability scan:
  • Sending users phishing emails with the aim of accessing their accounts
  • Intercepting unencrypted passwords that are shared over the network and using them
  • Using other social engineering techniques to gain access to corporate accounts and data

The Vulnerability Management Process
There are four steps of vulnerability scanning, which include:

1. Identification of Vulnerabilities
In this part of the process, you will need to use a dependable vulnerability scanner to identify vulnerabilities in your system. The efficacy of your scanner will depend on:
  • Its ability to locate and gather system information about the different devices, software, and open ports, among other system components
  • Its ability to compare this information against the information from one or multiple vulnerability databases

Since a vulnerability scan can easily affect the performance and stability of your system, you should consider configuring the scan to be less intrusive or aggressive. A good solution to this would be to conduct the vulnerability scan outside business hours, although this might limit the chances that employees will have connected their laptops to the network for the scan. 

One of the best ways around this challenge is adaptive vulnerability scanning, which allows the scanner to identify changes to the network, such as when an employee connects their laptop to the system for the first time. In this situation, the scanner will launch automatically to scan the device instead of waiting for the next scan. To be safe, you should also consider creating a culture that makes reporting vulnerabilities easy.

2. Evaluating the Risks
Vulnerability scans can present IT teams with a large number of vulnerabilities, which can be tiring to patch. Evaluating the risks posed by the vulnerabilities will help your team triage the vulnerabilities to identify those that need the most attention. With enough evaluation, your team will establish:
  • The potential impact of a vulnerability
  • The effectiveness of current security controls in dealing with the risk posed by the vulnerability
  • The practicality of hackers exploiting the vulnerability
  • Whether a vulnerability was a false positive or not

Ranking these vulnerabilities also ensures that IT and business resources are used optimally.
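As an added illustration (not code from this article or from any scanner product), the sketch below mirrors the inventory-versus-database comparison described under "What Is Vulnerability Scanning?" and the triage criteria of step 2. The inventory, the placeholder advisory IDs, and the scoring formula are constructed assumptions.

```python
# Added illustration: constructed data, placeholder advisory IDs, assumed scoring.

def parse_version(text):
    """Turn '8.10' into (8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

# Constructed stand-in for entries pulled from a vulnerability database.
VULN_DB = [
    {"id": "EXAMPLE-0001", "product": "openssh", "fixed_in": "8.4", "impact": 9.0, "exploitability": 0.9},
    {"id": "EXAMPLE-0002", "product": "nginx", "fixed_in": "1.18", "impact": 6.0, "exploitability": 0.5},
    {"id": "EXAMPLE-0003", "product": "cups", "fixed_in": "2.3", "impact": 4.0, "exploitability": 0.3},
]

# Constructed inventory, as the scanner's discovery phase might report it.
# control_effectiveness: 0.0 = no compensating control, 1.0 = fully mitigated.
INVENTORY = [
    {"host": "web01", "product": "openssh", "version": "8.2", "control_effectiveness": 0.2},
    {"host": "web02", "product": "openssh", "version": "8.10", "control_effectiveness": 0.2},
    {"host": "proxy01", "product": "nginx", "version": "1.16", "control_effectiveness": 0.7},
    {"host": "print01", "product": "cups", "version": "2.2", "control_effectiveness": 0.0},
]

# Findings the team verified by hand as false positives: (host, advisory id).
FALSE_POSITIVES = {("print01", "EXAMPLE-0003")}

def match_findings(inventory, vuln_db):
    """Step 1: flag every asset running a version older than the fixed release."""
    findings = []
    for asset in inventory:
        for vuln in vuln_db:
            if (asset["product"] == vuln["product"]
                    and parse_version(asset["version"]) < parse_version(vuln["fixed_in"])):
                findings.append({**asset, **vuln})
    return findings

def triage(findings, false_positives):
    """Step 2: drop false positives, then rank by impact, exploitability, controls."""
    ranked = []
    for f in findings:
        if (f["host"], f["id"]) in false_positives:
            continue
        score = f["impact"] * f["exploitability"] * (1 - f["control_effectiveness"])
        ranked.append((round(score, 2), f["host"], f["id"]))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    for score, host, vuln_id in triage(match_findings(INVENTORY, VULN_DB), FALSE_POSITIVES):
        print(f"{score:5.2f}  {host:8}  {vuln_id}")
```

Note that web02 is not flagged: version 8.10 is newer than 8.4, which a plain string comparison would get wrong.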

3. Treating the Identified Vulnerabilities
In a perfect world, solving system vulnerabilities would be as easy as applying their ad hoc patches. Unfortunately, this option isn’t always available owing to limited business resources and premature vulnerability patches. Your IT team might need to look for other ways to circumvent the risk posed by the vulnerability. 

For instance, you can stop using the vulnerable system to mitigate the risk. You could also add other security controls to your existing ones to make it tough for hackers to exploit the vulnerability or reduce the impact that a successful exploit could have on your business. If the cost of mitigating the vulnerability is lower than the impact of a successful exploit, you should consider accepting/ignoring the vulnerability.

4. Report the Chosen Treatment Measures
Reporting these measures ensures that they are well-documented. IT teams and employees can refer to these documents whenever they need to access this information. The documents can also help with complying with regulations that require such reports. 

Vulnerability databases were created to make it easier for businesses to deal with known vulnerabilities. It would be a shame to have your business maimed by one. For the sake of your security posture, add vulnerability scans to your cybersecurity strategy, and enjoy using secure systems.


Symptoms of an Ineffective PMO

4/25/2020

Is your PM infrastructure doing all it needs to do to promote maximum project success in the organization and for your project customers? Are your project managers growing, expanding their careers, gaining needed training and certifications and mentoring colleagues the way a successful project management office (PMO) should be operating? The focus isn't about today's success or needs… It's about tomorrow's needs and growth.

When we build a PM infrastructure or project office, the intent is usually to create project stability, ongoing successes and career growth for the project managers involved. All, of course, with an eye towards project delivery excellence and 100% project customer satisfaction. It’s all about repeat customers, reference-able customers and – for your own organization – the increased revenue that comes from an increase in the satisfied customer base...
Read the full article...

    Author:

    Brad Egeland


    Named the "#1 Provider of Project Management Content in the World," Brad Egeland has over 25 years of professional IT experience as a developer, manager, project manager, cybersecurity enthusiast, consultant and author.  He has written more than 8,000 expert online articles, eBooks, white papers and video articles for clients worldwide.  If you want Brad to write for your site, contact him. Want your content on this blog and promoted? Contact him. Looking for advice/mentoring? Contact him.
