Gary Hibberd

20191004

It is interesting to note that the need for security has been around far longer than technology has. Most of us will have heard of the “Caesar Cipher”, which was created around the time of Julius Caesar (100BC) and used to protect military plans. Now known as one of the simplest ciphers, at the time it would have been described as ‘state of the art’.

So while technology has only been around (in its current form and use) for around 50 years, the need to protect and secure information and the ability to do so has been with us for well over 2,000 years. So why do so many people run in fear of Information Security?

Any fool can make something complex.

All too often, organisations approaching cybersecurity overcomplicate the topic to such a degree that they (quite understandably) put it to the bottom of the ‘to-do’ list. Those that do consider cybersecurity often wait until the very end, and by that time it is too late to implement anything meaningful.

I believe organisations are going wrong on one or both of these points, and this is leaving us exposed. So what can organisations do to remove ‘Project Fear’ from their projects, especially when thinking about cybersecurity? The following is a simple blueprint to improve projects so that this important topic is elevated on the ‘to-do’ list.

1) Remember that cybersecurity is a Profession

While IT professionals have a lot of knowledge about cybersecurity, they are not the sole custodians of the topic. Depending on the project, you should seek to understand the cybersecurity issues and concerns from everyone in the project. Ask the question: “Are we doing anything different with Data?” This question will move the conversation from being IT-focused to project outcome-focused.

If you are lucky enough to have a cybersecurity, Information Security, Risk, or Data Protection practitioner in your organisation then you should involve them within your projects. Simply having someone in the room who is looking at the wider implications and helping to drive these conversations can make a significant, positive impact on your project.

2) Use Risk Management Tools

In any significant project, there will be an element of Risk Assessment and Management, and cybersecurity is one such topic that should be discussed in this area. Running a simple risk workshop to understand the risks involved in the project will prevent the majority of issues we see appearing in projects, including Project Fear.

It is surprising how many projects proceed without conducting a risk workshop of any kind and then run into problems at a later point. These problems occur because something quite simple and avoidable wasn’t identified early enough. It’s often said that our greatest fear is fear of the unknown. So it makes sense to try to remove as much uncertainty as possible, thereby removing fear from the project.

If your project involves Personal Data, then you should complete a ‘Data Protection Impact Assessment’ (DPIA), as it is a fundamental requirement of the General Data Protection Regulation (GDPR). A DPIA is a process designed to help you systematically analyse, identify and minimise the data protection risks of a project or plan. It is a key part of your accountability and obligation under the GDPR, and templates are available from the ICO’s website, to help you demonstrate that you comply with all your data protection obligations.

3) Start with the end in mind

This may sound like ‘new-age thinking’, but all too often we forget what we are trying to achieve, and overcomplicate our cybersecurity by focusing too heavily on technical solutions. When approaching a project that requires cybersecurity considerations, you should start by asking:

  • What are we trying to achieve?
  • How can we balance the needs of the organisation against the needs of individuals to protect them?
  • What would our customers/shareholders/clients expect of us?

Answering these three questions will give you a good understanding of what you need to do in relation to cybersecurity. The answers may or may not be technical in nature, but they will tell you what you need to do to protect the Data people are entrusting you with.

“We have nothing to fear, but fear itself.” – FD Roosevelt.

Cybersecurity is not an IT problem; it is a business issue. If we re-frame the topic and see it as a business issue, then more people are likely to engage with it, and it won’t seem so daunting. If we continue to see it as an IT problem, then the topic will never be truly understood and we will continue to make mistakes and continue to fear it.

FEAR: False Expectations Appearing Real.

Cybersecurity should not be feared. It should be embraced and understood by the whole business if we are going to remove ‘Project Fear’. So let’s remove false expectations placed on IT and involve everyone in the protection of our organisations.
