Project Management in Information Security

Why Project Management is Critical to Information Security

One of the needs that most businesses have in today’s fast-paced world is to understand the scope, schedule, and budget of their projects to effectively deliver products and services.

Modern organizations both large and small usually manage these aspects of their projects through a project management office.

So, what is a project management office? And how does it relate to cyber security?

What is a Project Management Office?

At its core, a project management office is the mechanism that an organization uses to manage its work. Project management offices usually manage work by controlling three elements known as the “project management triangle,” or the “iron triangle.” The manner in which this triangle is applied is what determines the quality of a project:

1. Scope: The definition of the work that needs to be performed.
2. Schedule: The amount of time it will take to perform the work.
3. Budget: The cost or required resourcing to perform the work.

If you adjust one side of the triangle, it will also affect the other sides. For example, if you increase the scope of the project, it will also likely increase the schedule and the budget.

The common project management office is charged with managing each of these project triangles for each project in an organization, as well as managing the project portfolio and assigning project managers for each project initiative.

The leader of the project management office is commonly known as the Director of Project Management, or something similar, and generally manages a group of project managers.

There are many best practice standards that different project management offices can subscribe to. By far, the most recognized is the Project Management Institute (PMI). This group publishes a set of guidelines known as the Project Management Book of Knowledge (PMBOK), which serves as the most common set of standards.

Why is Project Management Important to Cyber Security?

Project management is critical to cyber security because of the nature of the discipline.

Let’s see how project management relates to cyber security in relation to the three elements of the project management triangle:

Scope: The definition of cyber security is in the eye of the beholder and will vary with each person and each project.

To add even more complexity, roles and responsibilities for security are often not clearly defined, so it’s hard to know where a security project starts and an IT project ends, or vice versa, since security touches every aspect of an organization. As a result, it’s crucial that project management fundamentals are used on security projects to establish the project definition and scope.

Schedule: Security projects are often associated with risk reduction for an organization. Risk is all about the likelihood that a threat will expose a vulnerability. In most risk calculation methodologies, the longer a vulnerability exists in an environment, the higher the likelihood that it will be exploited by a threat. Often the higher this likelihood, the higher the overall risk.

Since most security projects are designed to correct vulnerabilities in an environment to reduce risk, it makes sense that your organization would want to manage and reduce the duration of security projects in almost every situation. The best way to do this is by using quality project management fundamentals.

Cost: Just about every organization in the world right now is feeling how important this component of the triangle is to security. Cyber security-related costs are spiraling out of control for most organizations. This is occurring because most organizations are not applying sound project management fundamentals to the other two sides of the triangle.

If organizations don’t define their security projects well and set a scope, and also insist that all of these projects must be done immediately, then it’s as if these projects never end.

Without a defined scope or a realistic schedule that takes the availability of resources into account, these security projects can quickly spiral out of control and end up unbelievably expensive.


In all security program development methodologies, project management should be at the forefront of what’s implemented.

Project management is often missed by most security professionals because project management requirements aren’t typically included in any of the best practice security frameworks.

