By Craig Robinson and Todd Doerr
Last week’s RSA 2010 Conference highlighted a host of exciting and innovative technologies within the infosec community. While cutting-edge technology and thought leadership (like much of what was unveiled at RSA) plays a significant role in ensuring the security of your organization’s data, applications, and systems, it’s by no means the most important element. Rather, it’s how your existing IT projects, process, policy, and products are implemented that can make the difference between an effective IT department and one that’s vulnerable to data loss, breaches, and other threats.
To help you avoid common pitfalls within your organization, we’ve outlined our thoughts on today’s most common IT project mistakes and risks:
1. Failure to understand business objectives
It’s surprising how many IT projects seem to exist in a vacuum, driven by IT team preferences or technology, instead of business objectives. These projects are prime candidates for termination or delay. IT executives, managers, and administrators should clearly understand and embrace their corporate business objectives and strategies. They then should present IT projects within this corporate business framework.
Make your own business case, in business terms, so non-IT executives do not need to sift through the technical jargon to develop the case for you. Failure to do this greatly increases the risk of the project getting “lost in translation” and either stopped or delayed.
2. Early insistence on “pet” solutions
We’ve all been part of a team with someone who brings the same ideas and solutions to the table—even though the presented problems are vastly different! Perhaps in some cases we’ve even been that person. We’re all creatures of habit with our own opinions and agendas, and whether it’s intentional or not, as teams and individuals, we can easily fall victim to this one-sided, ineffective approach.
Most of us have technologies, products, or vendors that are of personal interest. Who doesn’t like “neat cool stuff”? IT teams need to understand that the problem should drive the solution—not the other way around. This seems so basic, but CIOs throughout the industry can recount numerous IT projects that violated this basic precept.
3. Missing opportunities to revisit old processes
New Technology + Old Process = Expensive Old Process (NT + OP = EOP)
New technology and old process can give IT the equivalent of a rocket-powered horse. Take advantage of new technology initiatives to revisit old processes. You may be surprised by how much of the old process was a workaround to address technology constraints that no longer apply.
4. Lack of tie-in to policies and standards
When IT teams understand corporate policies, standards, and procedures, they can provide good guidance for IT projects. We’ve seen numerous instances where IT teams devoted (wasted?) a lot of time trying to decide how to configure a product (e.g., firewall, intrusion detection system), only to discover that corporate policies and standards provided either direct answers to or, at least, strong clues about the implementations or configurations ultimately acceptable to decision-makers.
Policies and standards exist for a reason—and usually it’s not just to torment IT! Read and understand corporate policies and standards. They can provide a clear map through the project “minefield.”
5. Gold Plating
Risk management. What’s that? IT budgets are tight and probably getting tighter. While IT certainly is responsible for designing and implementing solutions that work, there is little or no extra credit for over-designed solutions that pump up the budget.
Risk is the confluence of assets, vulnerabilities, and threats. IT executives, managers, and teams need to embrace risk management practices to arrive at solutions that provide an appropriate level of performance and security. Risk assessment can yield several approaches that are roughly equivalent in capability, but have widely varying security and cost ramifications. Define the risk management trade space and make sound decisions.
6. Lack of clear sponsorship
Too many IT initiatives suffer because they lack clear sponsorship.
From a vertical perspective, key projects should have an interested, involved executive sponsor. This executive sponsor does not need to be intimately involved in the project details, but should ensure project alignment with corporate business objectives and constraints. The executive sponsor is a great resource for considering policy ramifications of key projects and interpreting corporate policies as necessary.
From a horizontal perspective, IT projects should have representation from the internal customer base. The representatives may be stakeholders drawn directly from the customer organizations or can be IT personnel responsible for interacting directly with customers throughout the project, from inception through final acceptance.
7. Unclear objectives or scope
Unclear objectives or scope will unravel even the best-intentioned IT projects. Absolute clarity is necessary to define the project deliverables, schedule the right personnel, define funding requirements, and track progress on all fronts.
IT teams should start with a clear set of objectives and scoping parameters. From these, the project teams can focus on the agreed project goals, while also avoiding the mission and scope creep that will void the project plan and greatly increase the risk of failure.