WHITMORE LAKE – Security in the realm of IT is getting a great deal of attention lately. This is great news because IT security has been an ill-considered risk to organizations for too long.
Ever since Open Systems gained prominence, we have been pretending away the often glaring security holes in most organizations’ distributed computer systems and applications. An emphasis on Project Management practices can be effective in remedying this situation by ensuring that changes to IT assets are accompanied by appropriate security practices.
Traditional tactics for addressing IT security risks
The typical approach to improving IT security looks at the configuration of technology at a single moment in time. We perform an audit of computer equipment or applications to identify security holes and then fix any we find. This tranquilizes our sense of current danger until the next scare, and then we do it all over again. While it is valuable to fix the current configuration, it is essential to realize that the minute we are secure, the dynamic environment is already changing, creating new holes. The greatest risk to IT security is that people are constantly changing the technology. Only by incorporating an awareness of human practices can we really begin to maintain security over time.
Security vulnerabilities are created by actions of human beings
Our extensive use of tools conditions us to focus on adding more tools to solve problems. This focus on “things” can mask the real source of problems (and solutions) – the actions of people. As the number of people involved in IT grows, it becomes increasingly unlikely that good intentions will lead automatically to coherent, appropriate action. Standard practices (processes) become essential for predictability and supportability. When an organization is dissatisfied with its level of IT security, then it is new standard practices that are needed, not new tools. Tools are then used to support practices, not the other way around.
Change happens through projects
The current “container” for organizational change is the Project. Since changes are introduced through projects, this is the place to locate an emphasis on security, rather than in operations. Any successful project changes the practices of human beings. When we emphasize the installation of new equipment and software as the “deliverables” and objectives of the project, we may lose sight of the real objective, which is to enable new, better practices. When the focus of a project shifts to how human practices change, then it is natural to consider what new practices are required to maintain an appropriate level of security for some new asset (or other assets potentially affected by the project).
Standard projects for the sake of security
To ensure security over time, projects must consider what narratives and practices will be needed when the new assets are installed and include these in the project plan. The narratives of a project are those stories and their backgrounds that enable the people involved in the project to act in the same “world”. The narratives that we have internalized constrain our actions much like a road map constrains our driving. If we all have a different road map, we will not be able to coordinate our trip. Without coherent and shared project narratives, we cannot collaborate effectively in projects.
Project narratives are impacted by the concern for IT security in the following ways:
All project narratives must be consistent with the security policy
The implementation of hard and soft assets must contemplate security concerns
Any new practices required to protect assets must include consideration of existing security practices.
To implement this, project methodologies need to address the following:
Ensure all project participants know the security policy
Identify what soon-to-be-in-place assets must be protected
Identify how other assets could be endangered by the project
Specify practices needed to protect new and impacted assets
Include security practices in project plans
Schedule audits of configuration and practices
Only by shifting project emphasis from installing things to changing human practices can an organization create an opportunity for instituting IT practices that minimize vulnerabilities over time. Creating and embodying narratives about security threats and practices relative to new assets produces a cultural structure that constrains action, yet enables IT professionals to be autonomous. With this structure in place, security over time is possible; without this structure, IT can only be secured for short periods of time following a crisis and the response to it.
As the President of Suboski and Company, Kevin Suboski is dedicated to improving the success of Project Professionals through Education, Consulting and Services. Email Kevin at [email protected]. Learn about Kevin’s innovative project model for the knowledge age, The Art of Project Leadership, at www.suboski.com.





