I'm starting a new series here on Project Times – a series of articles on PM tools and services. Basically, I want the leaders at these organizations to tell us in their own words the “5 Reasons Why” we should be demoing, downloading a free trial of, or purchasing their software to use for some or all of our project-related needs.
Think of it as their “elevator speech” if that's all the time they really had to tell you why their software or service is great and you need to check it out.
I did a series like this for several vendors on my site a while back and many found it to be of great value in their search for the right tool to meet their team's needs. I wanted to bring it to a bigger stage because there are so many new, small, great players in the genre that many of us have never heard of, and many long-established software and service solutions that we have heard of but never tried. Plus, we are living in a world now that has seen the workforce change in terms of needs for remote work, virtual teams and extreme collaboration. You might find your organization's needs will be met by one of these options...
I hope you find this series a rewarding and informative one to follow... I will be contributing new ones every week, so keep an eye out for the next one. For now, we will start with this great offering from MindGenius – an organization I have had the pleasure of knowing and working with off and on for the past 5 years, so I can vouch for their personnel and say they fully stand behind their product, and for the product itself, which I find able to fill many needs of PM organizations and infrastructures. In fact, I won't be including vendors I do not personally feel good about or software I don't believe to be worthy of this series.
5 Reasons Why You Should Consider MindGenius For Your Projects In 2021...
Anything and everything can be hacked. You, me, your top competition, your favorite customers. Everyone. And even if you employ one individual running your security, an entire certified staff of cybercrime experts or a 3rd party outside vendor securing your important data and IT processes, don't let any of them convince you that you are 100% safe. You aren't now and you never will be. The best you can probably hope for is about 90%, but those percentages mean nothing when hackers find their way into the small 10% opening that you couldn't cover. Trust me – and you can read this anywhere – the hackers are always one step ahead of us all. Everyone is in reactive mode vs. hackers. You can be in what you believe is proactive mode, but you're still covering ground they've already covered. The best you can hope for is that they won't find you to be an easy target and they'll move on to the next company. Just like our house is well lit and always has at least 2 vehicles sitting in front of it or beside it so we would never be a crime of opportunity...anyone just trying to break into a house would move on to the next one.
I recently checked back in with most of my current and past clients. What I found surprised me a bit. Nearly one in four - almost 25% - had experienced some sort of hack, data breach or security violation in the past 12 months. Almost 25%. The nice thing is a few are asking for my help in making sure 2016 is safer than 2015...but I have to admit that it was not necessarily the way I wanted new consulting business. However, I will not turn down that kind of experience, research and revenue. At the same time, I wonder what is going to be hit next. What will black hats target next that we haven't even thought of? And what about the white hats out there who work hard to expose security flaws and back-end openings to prove to governments and software or equipment vendors that they have issues they aren't aware of but need to patch quickly? Those individuals could be targeted next by cybercriminals...just as was the case on the season (and probably, unfortunately, series) finale of CSI Cyber this past week. This knowledge and software code is worth an inconceivable amount of money in the wrong hands. And it puts lives in danger at the same time.
Back to the issue with the 1 in 4 companies experiencing a security breach and what that could or should mean to you. Nothing or everything...it's your choice. At the very least, I highly recommend the following...
Make cybersecurity a top priority in your risk planning. I know we all think it can't happen to us. And it may not. But if it does, just one cybercrime could cost you countless customers, the high costs of identity theft of employee information, or worse....though I'm not sure what that might be. Your risk depends more upon the types of clients you have, the types of projects you run, the industry you operate in, the type of data you handle and the size and complexity of the projects you manage. But any size of business can be and is at risk. To omit it from your risk planning is crazy in 2016. I am usually working with small to medium sized businesses, though I periodically run projects as a consultant for very large Fortune 500 organizations and government entities like the Department of Defense and others. And yes, sometimes it does involve sensitive information. Risk planning needs to be part of every project, and cybercrime and cybersecurity need to be considered during every risk planning session.
Hire one staff member, a department or a consultant. You can hire one person, you can create a department, or you can just hire a consultant. But it is imperative, I believe, that you do something to prepare your organization for a cybercrime incident in 2016. It may not happen this year, but it is likely to happen soon, and the sooner you bring in staff or designate an individual the sooner you can have that person or group ready and productive. You don't really need a large group of certified individuals. You can operate with just one interested tech lead moving into this role and learning as they go. The information and technology for them to research is everywhere...they can get up to speed fast. Just don't put it off any longer.
Attend Black Hat. Seriously. I've been to Black Hat USA in Las Vegas five years running and it is amazing – both in terms of fascination and in terms of understanding the breadth of the security risks we all face. They call it Black Hat, but it is really much more about White Hat work identifying and reporting on security flaws and what cybercriminals are capable of and what these incredibly skilled hackers have discovered over the past year. If cybersecurity is a concern to you – and it needs to be – then this conference is well worth your time and money. If it makes you plan for and mitigate or avoid one breach because you added it to your risk planning process then it will pay for itself 20 times over.
Summary / call for input
Everyone can be hacked. Do I need to repeat that? Everyone can be hacked. And it will likely get worse – not better. I will not be surprised if I conduct a similar client survey in a couple of years and see that number rise to nearly 50%.
What about our readers? Has your organization experienced a data breach or been the victim of a cybercrime...no matter how small? If so, what was your response? How has it changed your risk planning process? Please share your experiences and discuss.
There’s no doubt that we will all be hacked or breached or have our data and identity affected by a breach sooner or later. Most of us already have. I know my Twitter account has been hacked twice and my Facebook account has been hacked at least once. And it seems at least once per week I get a FB friend request from someone I’m already friends with, meaning either their account has been cloned or compromised, or I’m about to be if I’m stupid enough to accept.
Where am I going with this? I’m pointing out that there are bad people all around us lurking in the shadows meaning to do us harm in a non-physical or non-violent way. They are called hackers and really have nothing against you personally. They are just out to bring chaos to your world, grab sensitive data, possibly sell it or offer it back to you in exchange for money or they just may be doing it all to show that they can. After
If you haven’t been hacked, breached or compromised in some way by a hacker - rest assured you eventually will be, and really no amount of avoidance or mitigation planning can completely save you from the effects of hacker actions. Start taking some or all of these steps now to prepare and keep your organization's corporate head above water, figuratively speaking...
Start somewhere. Please, please, please... start somewhere. It doesn't have to be with a full-fledged cybersecurity staff. But we have to start somewhere. If you are smaller, or a startup, or not often engaging in large, high visibility, data sensitive projects, then look for one or more internal resources who are interested in training in cybersecurity and have them take on the part-time or full-time role of cybersecurity lead, and have them participate on projects that may need that type of data management, risk evaluation and oversight. Or, if you're smart, you'll have them involved as a part-time resource on every project on an ongoing basis.
Charge everyone to be accountable. Now, I don't mean that everyone in the organization needs to become a cybersecurity expert. Far from it. But they need to have an awareness, an accountability to the company masses and the organization's customer base. Think “bystander apathy” and “bystander awareness.” Don't let the company masses become just bystanders. Get them actively involved in the effort to not leave the organization open to hacking. Think participation rather than hindrance or obstruction. Educate the masses in the organization on the criticality of what it means to have a data risk and breach that potentially cripples the organization, and ask everyone to be hyper alert to black hat activities and to their own behavior that could open security holes from an IT perspective.
Make cybersecurity part of every project and customer initiative going forward. Whether you grow a cybersecurity presence and knowledge base from within, starting with one or more individuals who have an interest, or you go full blown with a C-level presence like a Chief Security Officer (CSO), a hired staff of a few cybersecurity certified tech leads and a big staff budget, it is imperative that going forward there is a cybersecurity presence on all data sensitive projects and likely all projects, period. This presence may only be during risk identification, but it may also be needed on a weekly basis, sitting in on all weekly project status meetings to offer advice, decision input and to answer staff and customer questions. Trust me, the topic will only be growing in size. And with a project by project security risk presence, there is far less of a chance that something important might fall through the cracks. You never know when a technical decision made by someone less informed could open the organization up to a breach that could be very damaging.
Educate senior management on the probability, liability and exposure. As important as it is to educate the entire enterprise on the cybersecurity risks and enforce awareness and accountability, it is even more important that senior management be aware and buy in to the need for a cybersecurity knowledge base and project involvement within the organization. Funding comes from this group, projects are sometimes prioritized and staffed from this group, and as the project teams need to evolve to handle the cybersecurity threats, so does the leadership of the organization. Just as with any program, improvement, or campaign... without the leadership buy in it is usually going to fail in the enterprise adoption effort as well. If leadership doesn't back it, it won't usually last.
Compile stats. Try hard to quantify things. From an IT standpoint, the controls you already run usually report how much they stopped: firewalls, email filters and endpoint tools count blocked connections, phishing messages and malware samples. Treat raw block counts with some care, since a large share of them is automated background noise rather than a targeted attack, but include that information in project status reports to teams, clients and senior management. The more benefits you can actually show in numbers – even dollars – the better. This will build fast confidence and buy in to the measures being proposed and taken. Management loves to jump on board with new initiatives that are actually working. And the goal is to show progress fast and early so that enterprise adoption, accountability and participation is a no-brainer and the learning curve is small and behind everyone quickly. Management loves numbers. Customers love numbers – especially positive ones. Figure out how to show numbers and you'll get them on board with the security movement and implementations quickly. And that is important to project protection and survival.
Summary / call for input
The bottom line is this – cybersecurity is an established risk that isn't likely to ever go away. Too many hackers having fun or trying to capture data and identity at the expense of others – sometimes even working to profit from it and not just cause damage. If you have high visibility projects or data sensitive projects or both, you will likely be a future target. We need to be vigilant and prepared.
Readers – what is your take on this list? What experiences have you had with the implementation of a cybersecurity infrastructure? It's rather new to most organizations so any advice we can share will be helpful.
Cybersecurity is an interesting topic – no doubt about it. But it becomes a scary topic if your organization falls victim to a vicious cyberattack that leaves your company's, your clients', or your projects' sensitive data affected or vulnerable. How you are prepared to react and respond may make the difference between no effect, a small effect, or one so costly and high profile it may bring down the company or cost millions to respond to and take corrective action against. If you've been following the large organizations that have been hit – you remember them well because your first thought was probably “I wonder if I've been affected” because you either shop there, have done business with them, or it's your bank or credit card provider that was hit.
Now that I have your full attention – hopefully - let's consider and discuss what I consider to be five key things you need to know about cybersecurity for yourself, your company and your projects...
It's ok to start small. You don't have to plan out a major cybersecurity response team or infrastructure. Especially if you aren't currently experiencing a major cyber breach event. What you do need to do is start somewhere and sometime, and that time is right now. Whatever someone can do to hack you and your precious employee data or project data or project customer information has already been figured out, but you haven't been targeted... yet. Either you aren't on a hacker's radar, or your data isn't important enough yet, or whatever. Rest assured that at some point in the not too distant future you will be on their radar.
Not if but when. Cybersecurity is not really about “if” you'll need to react, it's more about “when” you'll need to react. Nearly everyone and everything will experience some sort of theft, breach, infection, or infliction of cybercrime or cyberattack in the next decade... and probably sooner. 25% of my own clients – some of which are fairly small – have been affected by a cybersecurity issue in the past two years. The key is to be ready. Hopefully to mitigate, but since that may be futile, at least be ready to respond, fix and close holes, and clean up quickly. You don't need an army of experts to do this – hopefully – but it is best to have one or a few prepared in house to respond, and maybe an external expert you've already connected with who could assist depending on the extreme need and available budget.
Read the books - info is abundant. New books on cybersecurity appear all the time. If you are looking to grow an internal staff starting with one or two people, then social media and these books are a great way to start. Detailed, expert certification isn't necessary to begin with, just some knowledge, dedicated interest and materials – like books, videos, webinars, seminars, the annual Black Hat conference here in Las Vegas and other locations. All of these will help build awareness and knowledge in your cybersecurity startup staff. Great books, articles and other materials are readily available to help get your response team off the ground and ready – use them.
Start with a consultant. You may not need an expert consultant, but it would be a very good idea to connect with one in case you do. And maybe the expert consultant is the way to go if you're not able to hire or train any staff but would rather pay “through the nose” if and when the need to react to a cybersecurity incident happens. It's not cheap to get an air conditioner repair person on a Sunday in Las Vegas in July when it's 115˚, or a plumber at midnight, and it's not going to be cheap to get an external cybersecurity expert consultant after a breach has occurred. But that may be all you need, and whether or not you ever call in an external expert consultant, it's a good idea to have the connection already in place.
It's not always about money. A breach will cost you. You will have to close the hole somehow and work to ensure that it doesn't happen again. If it happened once it can happen many times. And maybe this time it wasn't about data or revenge or getting sensitive client info or financial info or ransomware. It isn't always about money that someone wants from you or data that they can sell to others. Sometimes you are a random target, or it's just about the sport of getting into something you're not supposed to get into. But you must take measures because next time it may be about sensitive data or holding information for ransom. This may have been a test run for something much bigger later. So, the breach – if you experienced one – will cost you, so patch it fast and figure out how to not let it happen again... to the best of your ability.
Summary / call for input
I wish I could tell you everything will be alright. It's true that most people are good, and you really only hear about the bad ones in the news. And there are many good hackers out there – trying to help organizations better prepare by exposing weaknesses and issues – and they are paid handsomely for it. But there are those hackers who are looking to thrive financially or just have fun at your expense. Eventually you are likely to be affected to some degree by one of these, and taking some initiative now to be at least ready to respond is your best course of action.
Readers – what are your thoughts? Has your organization – or even you personally – been affected? How has your organization prepared for or responded to concerns or even breaches? Do they see the need to be proactive, or are they just waiting to react as most organizations seem to be doing? Please share and discuss.
Roughly a year into this "new normal," the vast majority of companies are labeling the remote work shift a resounding success — improving productivity and accelerating their digital transformations. But that success comes at a cost: Employees are a whopping 85% more likely to leak sensitive files and data now than they were before the COVID crisis hit, according to the recently released Code42 2021 Data Exposure Report (DER). The report found that 3 in 4 organizations experienced at least one data breach involving the loss of sensitive files in 2020. And while we all read the scary headlines on surging cyberattacks in the wake of the remote work shift, IT security leaders say employees (intentional or otherwise) were the biggest cause of data breaches — ahead of external actors.
The biggest change in the IT security world wasn't about where employees were working — it was all about what they’re doing. Workers are connecting remotely (only using the VPN 10% of the time, according to Code42 research), using cloud collaboration and web-based productivity apps to zing files and data back and forth. They're downloading, uploading, emailing, messaging, syncing, sharing, DropBoxing, Google Driving, AirDropping and more — all day, every day. The world will return to normal (someday…), but businesses will hold onto the advantages of a flexible, cloud-collaboration-powered workforce. And that means the Insider Risk problem won't just disappear. The Code42 2021 DER found that 6 in 10 IT security leaders believe Insider Risk will increase, or increase significantly, in the coming years.
A new world of risk — a new paradigm of risk tolerance
The thing is, most CISOs recognize that this shift in the way we work has been percolating for several years now. Organizations are increasingly building competitive advantage through cultures rooted in speed, agility, collaboration and rapid innovation. And this requires a new understanding of risk tolerance — new calculations in balancing the need to empower speed and agility with the need to secure and protect all that fast, agile innovation. The pandemic was just the force accelerator that pushed this paradigm shift past the inflection point. All organizations are now tolerating some level of Insider Risk in order to enable the agility, speed and innovation required to survive and thrive in today’s business climate. Even the U.S. State Department — one of the most conservative, high-security organizations in the country — acknowledged, "We have a risk tolerance now." This has led Gartner to create an entirely new category of data security solutions to address this new reality: Insider Risk Management.
Conventional security infrastructure can't handle the nuance of risk tolerance
For CISOs and IT security leaders, 2020 was a triumph in rapidly adjusting to support remote work and maintain business continuity. But 2020 also laid bare the failure of existing security infrastructure, up and down the stack, to keep up with today's digital workplace. Conventional, policy-based blocking tools like DLP and CASB aren't designed to handle the nuanced game of risk tolerance and Insider Risk Management. Old, black-and-white notions around insider threat prevention are leaving security teams in a lose-lose situation: The Code42 2021 DER found most IT security leaders say they’re fielding daily or weekly complaints that employees' legitimate activity is being blocked. At the same time, conventional security tools are leaving blind spots around new ways of moving files and data, and most IT security leaders say they’re not able to see into those blind spots.
2021 isn't just for cleaning up — it’s a chance to plan for what’s next
As they clean up the data security risks of the reactive strategies put in place in 2020, security teams should be careful not to take a similarly ad hoc approach to plugging the gaps. We all need to work toward forward-thinking security postures that can keep up with the fast-moving, collaboration-driven culture C-suites are fostering. Security teams need technologies and processes to better identify risky behaviors without inhibiting collaborative culture and employee productivity. We need technologies that flag Insider Risk indicators, such as working off-hours, changing file extensions, having access to the files of a highly confidential project or resigning from the organization.
The key is context. The new paradigm of Insider Risk Management is all about nuance, and security teams need to see the context — around the data, the vector and the user — in order to walk the line between managing Insider Risk and enabling the speed and agility that are critical for their business.
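The indicators listed above (off-hours activity, a changed file extension, access to a confidential project, a user who has resigned) and the point about context can be made concrete in code. The following is an added example, not Code42's or Gartner's software: it scores a constructed feed of file-activity events by combining weighted indicators about the data, the vector and the user, and only raises an alert when several of them coincide, so ordinary collaboration is never blocked. The project path, the exit date, the destination list and the weights are all assumptions made for the example.

```python
"""Insider Risk indicator scoring over a constructed file-activity feed (example code)."""
from dataclasses import dataclass
from datetime import date, datetime
from pathlib import PurePosixPath
from typing import List, Optional

# Assumptions for the example (not any vendor's schema or policy): a hypothetical
# confidential project path, one user with a known exit date, and destinations
# the organisation does not control.
CONFIDENTIAL_PREFIXES = ("/projects/atlas/",)
DEPARTING_USERS = {"jdoe": date(2021, 3, 31)}
UNTRUSTED_DESTINATIONS = {"usb", "personal_cloud"}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time, Monday to Friday
RESIGNATION_WINDOW_DAYS = 30

# Weights are illustrative. No single indicator blocks anything; only a
# combination of them is worth an analyst's time.
WEIGHTS = {
    "off_hours": 1,
    "extension_change": 2,
    "untrusted_destination": 2,
    "confidential_source": 3,
    "departing_user": 3,
}
ALERT_THRESHOLD = 5


@dataclass
class Event:
    ts: datetime
    user: str
    action: str                        # "read", "rename" or "upload"
    path: str
    new_path: Optional[str] = None     # set for renames
    destination: Optional[str] = None  # set for uploads


def indicators(ev: Event) -> List[str]:
    """Return the Insider Risk indicators present on a single event."""
    hits = []
    if ev.ts.hour not in BUSINESS_HOURS or ev.ts.weekday() >= 5:
        hits.append("off_hours")
    if ev.action == "rename" and ev.new_path:
        # .xlsx renamed to .jpg is the classic attempt to slip past content filters
        old_ext = PurePosixPath(ev.path).suffix.lower()
        new_ext = PurePosixPath(ev.new_path).suffix.lower()
        if old_ext != new_ext:
            hits.append("extension_change")
    if ev.action == "upload" and ev.destination in UNTRUSTED_DESTINATIONS:
        hits.append("untrusted_destination")
    if ev.path.startswith(CONFIDENTIAL_PREFIXES):
        hits.append("confidential_source")
    exit_date = DEPARTING_USERS.get(ev.user)
    if exit_date is not None:
        days_to_exit = (exit_date - ev.ts.date()).days
        if 0 <= days_to_exit <= RESIGNATION_WINDOW_DAYS:
            hits.append("departing_user")
    return hits


def risk_score(ev: Event) -> int:
    """Weighted sum of the indicators on one event."""
    return sum(WEIGHTS[h] for h in indicators(ev))


def triage(events: List[Event]) -> List[dict]:
    """Return only the events that cross the threshold, with the context an analyst needs."""
    alerts = []
    for ev in events:
        hits = indicators(ev)
        total = sum(WEIGHTS[h] for h in hits)
        if total >= ALERT_THRESHOLD:
            alerts.append({"user": ev.user, "path": ev.path,
                           "score": total, "indicators": hits})
    return alerts


# Constructed sample feed (not real telemetry).
SAMPLE_EVENTS = [
    # Departing user, Saturday night, renames a confidential workbook to look like a photo.
    Event(datetime(2021, 3, 20, 23, 10), "jdoe", "rename",
          "/projects/atlas/roadmap.xlsx", new_path="/projects/atlas/holiday.jpg"),
    # Ordinary collaboration during office hours: no indicators, nothing to flag.
    Event(datetime(2021, 3, 22, 10, 15), "asmith", "upload",
          "/shared/marketing/deck.pptx", destination="corporate_cloud"),
    # Late read of a confidential file by someone who is not leaving: logged, below threshold.
    Event(datetime(2021, 3, 22, 21, 30), "asmith", "read", "/projects/atlas/design.docx"),
    # Departing user pushing a non-confidential file to a personal cloud account.
    Event(datetime(2021, 3, 22, 11, 0), "jdoe", "upload",
          "/home/jdoe/notes.txt", destination="personal_cloud"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone it prints two alerts, both for jdoe: the weekend rename scores 9 and the upload to a personal cloud account scores 5, while asmith's late-night read of a confidential file scores 4 and is retained as context rather than surfaced as an alert.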
Ever feel pressure as a project manager? Some of the time? All of the time? I hope you’re not actually feeling stressed and under pressure 100% of the time – I for one actually do find project management enjoyable much of the time. But it certainly does have its many stressful moments.
Issues are a way of life. But when several critical issues hit at once or we have one of those show-stopping moments on one of our projects – those are the times when we feel the most pressure…when it’s really tempting to hit the panic button or proclaim that the ‘sky is falling!’
Primarily by just learning on my feet, I’ve figured out that in order to stay focused during these critical pressure situations I need to use these three methods to effectively deal with what’s going on and work with my team toward successful resolution….
#1 - Prioritize the issues. An issue can come up that causes critical problems and a decent amount of stress on any project. But often times it’s more than one issue – a series of events or a ‘perfect storm’ of risks and issues hitting at the same time. I’ve found that in order to best handle these, I must prioritize the issues that need to be dealt with. That isn’t a groundbreaking revelation to anyone, I’m sure, but it’s so easy to start attacking several issues at once when you’re in panic mode thinking you’ll get past the critical phase faster. What usually happens is you make little to no progress and you might even create new issues.
Stop, assess, analyze and prioritize the issues. Figure out which ones need addressed first – and if any appear to be of equal importance then attack the ones you can eliminate quickly. Anytime you can quickly shorten the list, that’s a good thing.
#2 - Avoid multi-tasking. As stated in #1, avoid the urge to take on more than one critical issue at once. Too many times we think we can multi-task when we can’t. When we aren’t operating in panic mode it’s fine to multi-task – it’s actually a good thing and it’s expected of skilled, highly productive workers. But when you’re trying to focus on key issues under pressure and make progress toward getting the project back on track, it’s best to attack them one at a time. If not, you may not pay close enough attention to detail, something critical may fall through the cracks, poor decisions may be made, and you may actually create new issues that have to be dealt with by taking action without the extreme focus needed in these high pressure situations.
#3 - Avoid interruptions. Finally, do your best to avoid interruptions when dealing with project issues of a critical nature. Put your team in a war room, lock your office door, announce to everyone that you’re unavailable for ‘x’ amount of time except if someone is bleeding or dying (I use that one on my kids when I’m trying to teach them not to needlessly interrupt when I’m doing something very important). Do whatever you have to do to avoid needless interruptions. The key is to avoid those needless and/or frequent interruptions that can throw you and your team completely off track – turning a one-hour successful brainstorming session into an all-day failed operation. If you don’t announce that you are unavailable – while telling people why and where you are – and make an effort to actually be unavailable when trying to focus on these issues under pressure and get to a resolution, then you’ll keep inviting the same interruptions you get every single day without even being aware they are happening.
We all experience showstoppers or very critical issues on our projects from time to time. Pressure situations are a way of life for the project manager and his team. But how we deal with these situations – the processes we go through to keep our focus on getting through them and handling the stress and the pressure - are often the determining factors of whether the project will fail or succeed.
The issue isn't how large of a cybersecurity investment an organization makes, but rather, if it is spending funds properly.
The cost of cybercrime jumped to over $1 trillion in 2020, according to McAfee. That number combines monetary losses (over $900 billion) with the cost of providing cybersecurity (about $145 billion).
To balance the discrepancy between losses and expenditures, cybersecurity spending is expected to jump 10% in 2021. Organizations of all sizes are increasing their security budgets; however, the way they approach spending has changed.
"Companies are concerned about cybersecurity breaches, and while fear is still a driving factor, compliance and risk management are taking center stage," said Jenai Marinkovic, vCTO/CISO at Tiro Security and member of ISACA Emerging Trends Working Group.
Because of the pandemic, organizations have to rethink their cybersecurity investment priorities. With the need for cloud services, there is a greater push for cloud security solutions.
The increase in supply chain attacks such as the SolarWinds breach has increased the focus on third-party supplier risk assessments. Data privacy trends shifted focus to investment in AI/ML solutions centered on data protections.
Even as cybersecurity trends and attack vectors have changed, many organizations continue to rely on — and invest in — the same tools and systems they've used for years. While companies may look to increase their cybersecurity budgets, they are actually underinvesting in the solutions needed to meet today's threat landscape.
Attacks will happen no matter how much you spend
Cybersecurity, like IT, is a cost center for companies. It makes sense companies would want to attempt to limit their security efforts to what is necessary.
"For larger organizations especially, it's completely possible to spend every dime a company makes and more on cybersecurity, with diminishing returns, so it's definitely a balancing act," said Mike Wilson, founder and CTO of Enzoic.
However, actual spending more often than not goes toward the bare minimum of what the organization needs to do to stay compliant with industry and government regulations, especially in smaller businesses or those that don't have a dedicated security team.
This compliance-centric approach to security persists despite the constant evolution of attacks. But even with the best cybersecurity technology and training in place, the most successful attacks take advantage of the human factor and the mistakes people make. That's hard to mitigate, no matter how much you spend.
"While I do think many companies underinvest and more attacks could be thwarted, this is not a problem that is going to go away any more than any other type of crime goes away with better prevention and enforcement," said Wilson.
Spending and cybersecurity posture
The issue isn't how large of an investment in cybersecurity an organization makes, but rather, if it is spending that money properly.
"One of the most overlooked cybersecurity costs is on defending against threats that do not exist anymore," said Ameesh Divatia, co-founder and CEO of cloud data protection company Baffle.
For example, protecting against physical theft of storage media was a priority in the early days of centralized data centers. Because of outdated compliance mandates, that budget allocation still persists, even though it no longer improves an organization's security posture.
It is hard to directly correlate cybersecurity spend with a company's security posture. Cybersecurity projects tend to be long-term commitments and it takes time for the value to show up in analysis.
"However, there are certain areas, cybersecurity premiums, for example, that are directly impacted when an organization adopts a new control, such as data-centric protection," said Divatia.
As privacy awareness becomes ubiquitous, another measure of return on cybersecurity investment is how an organization's brand benefits from a public data privacy statement that informs consumers of its data retention policies and of who has access to customer data.
How security spending has changed
"Over the last five years, we have seen several trends leading to increased security spend," said Marinkovic.
The migration to the cloud drove a transition from capital spending associated with physical systems to expense-based spending. An increase in ransomware, and attackers' success in exploiting monetization models such as ransom-based distributed denial of service attacks, has driven insurers to focus on endpoint security, cloud storage security and business continuity.
Understaffing has driven organizations toward engaging consultants or outsourcing entire capabilities, as 66% of respondents say it's difficult to retain cybersecurity talent (an increase from last year), according to the ISACA State of Cybersecurity 2020 study.
These are just a few of the factors driving an increase in overall spending. However, ISACA's report indicated that the share of respondents expecting a rise in cybersecurity budgets remains below the 64% reported two years ago. Just 58% of respondents anticipated an increase in cybersecurity budgets, up three percentage points from the previous year.
"This increase suggests spending may be leveling out given the five-year trend," said Marinkovic.