One of the most important steps in ensuring a smooth implementation of the cybersecurity program is choosing the right project management approach. Project management is an entire field that could fill a website of its own; for the purpose of implementing a cybersecurity program, we focus only on choosing the right project management strategy. You will want to consider factors such as the time available, the number of people working on implementing the program, and the resources needed to implement the cybersecurity program successfully.
Some small businesses have never really chosen a dedicated project management strategy, instead just going about work on a commonly agreed-upon schedule and style. Since implementing a cybersecurity program is not the main focus of company time, and likely is done after regular work hours, small business owners and their Steering Committee should carefully review existing project management methodologies and select ones that will make the best use of company time and resources.
Waterfall
The Waterfall methodology takes a linear, sequential approach to projects: each phase must be completed before the next one can begin. A Waterfall approach to project management puts heavy emphasis on thorough documentation, planning, and scheduling, with the goal of making the implementation as smooth as possible. Most project management professionals recommend the Waterfall model for projects that have a fixed plan and fixed requirements that are unlikely to change; because these components are unlikely to change, Waterfall projects front-load the planning work. In the case of implementing a cybersecurity program, Waterfall is best suited to program components that have a clearly defined scope and requirements and must be built sequentially from the bottom up. Some examples of this include:
- Building and deploying an Active Directory domain
- Installing new network infrastructure (router, firewall, switches)
- SIEM system implementation
Agile
The natural opposite of Waterfall, the Agile methodology focuses more on team building and improvement over time. A project done under an Agile methodology breaks the main project down into smaller iterations or sprints. By doing this, the project team can troubleshoot issues and gather feedback for fine-tuning the project components. Agile focuses on continuous improvement rather than strict results. Because of its format, Agile welcomes changing requirements and new ideas even while an iteration of the project is underway. A business cybersecurity program itself is really a giant Agile project, requiring regular iterations and collection of feedback to motivate continuous improvement. However, in terms of implementing individual parts of the cybersecurity program, Agile is best for areas that have a lot of uncertainty and are going to require lots of fine-tuning and trial and error to implement successfully. It is also best for program components that require lots of face-to-face communication with employees and other stakeholders. Some good examples are:
- Implementing and testing Multifactor Authentication
- Security Awareness Training materials
- Changes to websites or frequently used web applications
- Implementing MDM or other endpoint management strategies
Scrum
The Scrum methodology is a subset of Agile, focusing on breaking large and complex projects down into smaller iterations. Project iterations in the Scrum framework are called "sprints". Scrum is also geared towards smaller teams, usually ones with ten or fewer people. In many ways, Scrum is the ideal project management methodology for implementing a small business cybersecurity program. The use of short sprints gives project teams plenty of room for quickly changing requirements and continuous improvement. Scrum usually emphasizes two-week work cycles with daily morning meetings known as "Daily Scrums". Unlike other project management methodologies, Scrum requires designated roles to be filled. The three main roles are the Scrum Master, who manages the entire process; the Product Owner, who defines the vision for the end product; and the Development Team, the individuals who actually build the product. Ideal uses of Scrum in implementing the cybersecurity program include:
- System enhancements and expansions
- Large platform migrations
- Security tool/software development
DevSecOps
While not directly applicable to building a cybersecurity program, DevSecOps deserves mention because of the central role security plays in its methodology. Whereas the previous methodologies can be used to manage a wide variety of projects, DevSecOps is specifically geared towards software development. DevSecOps seeks to integrate security into every part of the software development lifecycle, with particular focus on collaborative environments that use Continuous Integration and Continuous Deployment of software changes. DevSecOps follows the principle that security is everybody's responsibility, so everybody should collaborate on implementing security at each stage of software development. Since software development is not explicitly covered in the CyberLadder framework, DevSecOps is of limited relevance here. However, if you decide that your organization's cybersecurity program requires the in-house development of software or tools, following the DevSecOps approach is highly recommended to keep that software as secure as possible.
At this point, you have a pretty good idea of what major project management methodologies exist. You should collaborate with your Steering Committee and all external parties in the cybersecurity program to decide which methodologies should be used for implementing different controls in the program. You will likely use a combination of different methodologies throughout the implementation of the program. For example, you may start with a strictly scheduled and planned Waterfall project in which you build a new secure Local Area Network from scratch and set up an on-site Active Directory domain. In the meantime, another group may use an Agile approach to implementing identity-related security controls and fine-tuning them to meet employees' desires.
It is really up to you and your Steering Committee to decide which project management methodologies will be the most successful and efficient in implementing the new cybersecurity program.
