Thursday, December 19, 2013

'IT Project' Management Ramblings

Here are a few comments on "IT" projects. Some were learnt the hard way (and then learnt again and again).

Project Sponsorship
Do you have a sponsor? You do? Great, then everything will work out just fine (and I will win the lottery tomorrow). Are you sure you have the right sponsor? Not so sure anymore? Does the sponsor have the most to win or the most to lose? If the project was assigned a project manager before a sponsor was agreed on, that’s a clue that the ride will be bumpy. If you don’t have the right sponsor, try your best to change the sponsor. If you can’t, then try to get someone else stuck with the project instead of you.

Project Length
Can the project be split up? There is nothing wrong with splitting it up. If you face resistance from people who don’t like splitting up projects, give it a positive spin and start talking about a “program”, a “roadmap”, etc.; maybe you can get them to accept your approach.

No, it’s not your Baby!
Don’t get attached to the project. Don’t get too excited about the technology you will get to implement. If you do, then please go get a life! Be objective, be stiff. It’s OK to not even be convinced of the project’s value. You have to deliver the deliverables on time, on budget and at the agreed quality. The value is usually someone else’s problem (usually this secretive entity is called “the business”). On the other hand, if it turns out that you are the one making the business case and promises of value that can only be realized by the business itself, then you have likely set yourself up to fail.

Project Team
Is everyone who will be assigned a significant task in this project part of the project team? Get them all into the team. They need to become part of “we”, or else they will be outsiders, and you might come to regret that.

Do you suspect someone will be a troublemaker? Every project has someone who isn’t convinced, is too busy, or has more important things to do. Expose them: assign them a task very early on in the project and act according to the results.

If your project team isn’t dedicated to the project, then you will constantly compete with others for the attention of your team members. They most likely have other responsibilities that are more significant than your project. Don’t forget that! Your resources will never give you the attention you expect (and they can’t, since they are not dedicated to your project). You will need to follow up not just frequently but continuously to keep them on track and pull them back.

No project is too small to plan for. You only find out whether you need a plan once you actually start developing one. At a bare minimum you need a charter and a schedule. Small projects usually turn out to be more problematic than you anticipate.
Eisenhower said “Plans are useless, planning is everything”. No plan is ever final until you achieve your goal. Assuming you have neither a crystal ball nor a time machine, it’s OK to update the plan.

At the closure of the project we get to declare whether it succeeded or failed. If it failed, then it most likely did so early on. It’s just not easy to see failure early on. It’s like a parasite on your back: everyone can see it but you. It will keep growing until it crushes you with its weight. By the time you acknowledge its existence it’s already too late. Don’t misread the signs, and don’t keep hoping things will get better. They probably won’t unless you make changes that have impact and address the root causes of your problems.

Wednesday, December 11, 2013

2014 Security Predictions Compilation

I've put together a compilation of the 2014 security predictions I could find. You can download the Excel sheet here if you are interested. This tag cloud summarizes the result.

So what do security experts think will keep us busy in 2014?

1. Internet of Things: As if the onslaught of mobile devices wasn't enough to worry about, you will need to look after your fridge, TV, toaster etc. Will there be a Patch Tuesday for LG or Samsung appliances? Without underestimating the threat, I don't believe it will be a major concern in 2014. My guess is that it's currently fashionable to talk about the "Internet of Things" and that's why it pops up so frequently.
2. Mobile: Mobile threats are at the top of the list. The business demands access to corporate services via mobile devices (it seems to be irrelevant which case has actual business value and which doesn't), and your job is to make sure that the demand (should we call it wishes?) is met in a secure manner.
3. Cloud: Cloud uptake might have taken a hit with the NSA revelations. I'm sure Mr. Snowden will keep us busy in 2014 with new revelations, but nonetheless demand for the cloud will remain, and so will the need to secure it. On one hand you have to work with the business units that resist the cloud due to some security concerns and might be rejecting a valuable service due to a misunderstanding of the risks; on the other hand you have end users who want to make use of every possible cloud service irrespective of those 'made up' risks that IT keeps talking about. You are just keeping them from being productive, from collaborating and communicating, and all those other nice words that the business is unlikely to be actually measuring or attempting to measure.
4. Social Media Exploitation: Not as obvious as the previous points, but we've seen it coming. Criminals will make 'even' better use of social media in targeting their victims.
5. BYOD: It goes hand in hand with numbers two and three. Are we going to read about cases where BYOD went totally wrong and brought companies to their knees for rushing into it? Nothing to worry about: a dozen or so MDM vendors are lining up to give a helping hand with time-proven solutions that quickly adapt to the changing mobile threat landscape (sprinkled with unicorn tears...). You will probably end up using a small subset of the controls that are "reasonable" to implement, because your end users don't think they are that reasonable at all. You will probably end up making exceptions because some manager's device won't comply with your policy, etc. Maybe another vendor can sell us a system for managing exceptions too?

So it's mostly more of the same. Happy 2014!

ISF’s top security threats for 2014
Georgia Institute of Technology: Emerging Cyber Threats Report 2014
Fortinet’s FortiGuard Labs Reveal Top 10 Threat Predictions for 2014
Network Utilities Systems: The Top Five Enterprise Security Threats for 2014 (and what to do about them)
Business News Daily: 7 Cybersecurity Risks for 2014
Palo Alto 2014 Predictions: Cyber Security Trends
Palo Alto 2014 Predictions: Mobile Security
Trend Micro Security Predictions for 2014 and Beyond
Credit Union Times: 5 Cyber Threats Coming at You in 2014
FireEye Top Security Predictions for 2014
Lancope's 2014 Security Predictions
Neohapsis 2014 Predictions
2014 Predictions from Symantec
Websense 2014 Security Predictions
Zscaler 2014 Security Cloud Forecast
Symantec (Tarun Kaura, Technology Sales, India SAARC): 5 Key Information Security Predictions for 2014