Establishing a Portfolio Approach for Managing Cybersecurity Programs - Part 1
The present decade has seen Cybersecurity breaches across Government, Private, and Non-Profit systems, and it is needless to say how these breaches have affected individual privacy and personal information. Many of us have been the victims of information breaches caused by failed Cybersecurity approaches. Agencies and businesses have managed Cybersecurity as ad-hoc, reactive projects, and many government agencies lack a coherent acquisition strategy that aligns with the organization’s Cybersecurity strategy. This ad-hoc approach is not working in today’s environment, especially when considering the massive amounts of data and transactions occurring in areas of Defense and Intelligence, Homeland Security, Healthcare, Regulatory Compliance, Census Information, and Digital Commerce.
We are covering this OnPoint blog in multiple parts. This first part offers perspectives on the relevance of Project Portfolio Management, Risk Management, Managing Vulnerabilities, and Policy and Compliance in an Enterprise-level Cybersecurity Program.
Portfolio Management for the CISO - The constant attention that Cybersecurity demands is changing the role of the Chief Information Security Officer (CISO). Given today’s cyber-threat landscape, evolving Cloud adoption strategies, and edge security requirements, CISOs have multiple simultaneous projects occurring within their portfolio that are necessary for protecting sensitive information and the organization’s high value assets. CISOs are operating with a shortage of skilled cybersecurity professionals; they are inundated with new requirements, have difficulty balancing resources, and struggle to determine which Cybersecurity services to outsource. To ease some of these operating difficulties, CISOs are establishing a portfolio approach to managing Cybersecurity programs. Some of the benefits include improvement in the project prioritization and project selection process, better visibility across the Cybersecurity portfolio, and improved alignment of projects with the organization’s business goals. Other benefits include more efficient use of resources, improvements in the accuracy of performance metrics, timelier project deliverables, decreases in project risks, and better-informed decision making.
Risk Management - Today’s CISO faces several types of intangible and tangible risks with potentially negative consequences to the Cybersecurity program as well as the organization, its employees, customers, and stakeholders. The types of risks include project-related risks, information security risks and threats to the organization’s systems, engineering and technology risks, risks related to a lack of knowledge or skill gaps, and risks to productivity. Identifying, evaluating, and prioritizing risks to the Cybersecurity program helps the CISO organize projects and allocate resources. One strategy is to rank the risks and threats with the most severe negative consequences and the highest probability of occurring as the topmost priority, and to treat risks and threats with lesser negative consequences or a lower probability of occurring as lower priorities. Every CISO requires a disciplined approach to identifying, assessing, and prioritizing risks and threats, along with well-defined mitigation strategies and problem management plans that include impact analysis, risk tracking, root cause analysis, lessons learned, and risk reduction plans. Effective risk management for the Cybersecurity program creates value for the organization because the resources expended mitigating risks are less than the consequences of inaction.
Policy and Compliance - An established portfolio and project management approach for the Cybersecurity program provides the CISO with the capability to define and maintain policies, and the necessary processes and procedures to comply with and adhere to those policies. The policy management activities involve developing, updating, communicating and maintaining the policies and procedures for the Cybersecurity program, and they are integral to developing more detailed standard operating procedures and project deliverables. Complying with internal and regulatory policies consumes a large percentage of the CISO’s resources, which is why integrating the compliance requirements within the project plan, work breakdown structure, and task schedules is required to streamline compliance activities. As the CISO’s policy and compliance requirements expand beyond the Assessment & Authorization (A&A) and Authority to Operate (ATO) processes, complying with and adhering to the organization’s internal approach for Project Life Cycle Management (PLCM) and Systems Development Life Cycle (SDLC) will determine the level of maturity of the Cybersecurity program. Applying portfolio and project management principles to Cybersecurity-related projects supporting the Security Information and Event Management (SIEM) system, the Security Operations Center (SOC), and the Network Operations Center (NOC) allows the CISO to more effectively comply with internal processes and regulatory policies and procedures.
Managing Vulnerabilities - The CISO is the owner of the organization’s vulnerability management process, and is responsible for the design and implementation of the process. The vulnerability management activities involve services that continuously assess system vulnerabilities, and the process is more effectively implemented using portfolio and project management principles. Establishing a project management approach allows the CISO to organize and schedule resources for preparing and executing vulnerability scans, defining remediation activities, and performing rescans. The CISO defines the scope of the vulnerability management process (which systems are included or excluded) and determines the type of scans and the schedule. The initial vulnerability scans are executed by the security engineers; the results are recorded, and visualization tools are used to review the results and prepare reports. The CISO and the asset owner are briefed on the number of vulnerabilities detected, the severity level and risk rating of the identified vulnerabilities, and the risk remediation plan. The CISO establishes clear deadlines for remediation activities, and the time frame is aligned with the level of risk detected. Once a vulnerability is remediated, a rescan is required to verify that the remediating actions were implemented. The vulnerability management process is part of the organization’s effort to control Cybersecurity risks. The process allows the CISO to continuously review vulnerabilities occurring in the operating environment and assess the level of risk associated with each vulnerability. Managing vulnerabilities using project management best practices provides the CISO with a mature approach for identifying and mitigating vulnerabilities.
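As an added example that is not from the post or from OnPoint, the following Python models the process described above (scan, risk-rated briefing, deadlines aligned with risk, rescan verification) and the likelihood-and-consequence prioritization described under Risk Management. The remediation windows, risk cut-offs, hosts, check identifiers and dates are all assumed or constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Assumed values for this example; the post only says deadlines track the risk level.
REMEDIATION_DAYS = {"Critical": 7, "High": 30, "Moderate": 90, "Low": 180}

@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str     # scanner check identifier (constructed, not a real plugin id)
    likelihood: int   # 1 (unlikely) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)

def risk_level(likelihood: int, impact: int) -> str:
    """Map likelihood x consequence onto four risk levels (assumed cut-offs)."""
    score = likelihood * impact
    return "Critical" if score >= 20 else "High" if score >= 12 else \
           "Moderate" if score >= 6 else "Low"

def plan_remediation(findings, scan_date):
    """Order findings highest risk first and set each deadline from its risk level."""
    plan = []
    for f in sorted(findings, key=lambda x: x.likelihood * x.impact, reverse=True):
        level = risk_level(f.likelihood, f.impact)
        plan.append({"host": f.host, "check_id": f.check_id, "level": level,
                     "due": scan_date + timedelta(days=REMEDIATION_DAYS[level])})
    return plan

def briefing(plan):
    """Counts by risk level for the CISO and asset-owner briefing."""
    counts = {}
    for item in plan:
        counts[item["level"]] = counts.get(item["level"], 0) + 1
    return counts

def verify_rescan(plan, rescan_findings, rescan_date):
    """Remediated only if the rescan no longer reports it; else open or overdue."""
    still_open = {(f.host, f.check_id) for f in rescan_findings}
    status = {}
    for item in plan:
        key = (item["host"], item["check_id"])
        if key not in still_open:
            status[key] = "remediated"
        else:
            status[key] = "overdue" if rescan_date > item["due"] else "open"
    return status
# Constructed sample scan results and dates (not real hosts or findings).
SCAN_DATE, RESCAN_DATE = date(2024, 1, 1), date(2024, 4, 15)
INITIAL_SCAN = [Finding("web-01", "TLS-OLD", 3, 3), Finding("db-02", "RCE-42", 5, 5),
                Finding("file-03", "INFO-7", 1, 2)]
RESCAN = [Finding("web-01", "TLS-OLD", 3, 3)]  # db-02 and file-03 fixed; web-01 not yet
```

Run `verify_rescan(plan_remediation(INITIAL_SCAN, SCAN_DATE), RESCAN, RESCAN_DATE)` to see that the two findings absent from the rescan are marked remediated while the moderate-risk finding still present on web-01 is flagged overdue, because its 90-day window from the initial scan has passed.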