Why Project Management Expertise Isn’t Enough: Lessons Learned from Security Breaches

How many times have I heard that “a good project manager can manage any project?” Too often for my taste. My biggest issue with the claim is that it begs the question: the statement assumes we all agree that any project manager with a mastery of the profession’s tools and techniques can succeed anywhere.

We’ve finally learned better, and PMI has acknowledged this in its new requirements for PMP continuing education. As PMI itself puts it:

As the global business environment and project management profession evolves, the [certification] program must adapt to provide development of new employer-desired skills…. The ideal skill set — the PMI Talent Triangle — is a combination of technical, leadership, and strategic and business management expertise. (PMI 2015 Continuing Certification Requirements (CCR) Program Updates)

Our pending research on project skill gaps (stay tuned for a webinar invite) shows that executives and senior managers understand this much better than project practitioners. They emphasize strategy, business, and leadership improvements, while practitioners don’t.

Perhaps an example from the current headlines will help. As most of you know, security breaches have wreaked havoc on a number of prominent firms: Target, Home Depot, Sony are simply the most well-known. The sad thing is that the most famous failures could have been prevented.

One of my new favorite podcasts is from Andreessen Horowitz, the venture capital firm. My most recent listen was an interview with Orion Hindawi of Tanium. I recommend listening to the whole thing — it’s less than 30 minutes — as Orion provides some great color to what, where, why, etc. on security attacks and vulnerabilities. The summary hits his sobering message on the head:

The paradox of security is we pretty much know what we are supposed to do most of the time — but we don’t do it. If you examine all the recent high-profile attacks, somebody in the organization knew something was wrong before it happened. They just didn’t have the ability to escalate the problem, or the ability to raise a flag that people took seriously.

In other words, we don’t lack the technical understanding of security risks, or the tools and techniques to mitigate them. We lack the leadership and business savvy to confront the challenge of communicating the risks, then deploying and using our toolkit effectively. The last two sentences show how these skills gaps drive the root causes:

  • “Ability to escalate the problem” is a leadership challenge. This suggests that “somebody” wasn’t connected, articulate, or brave enough to get to decision makers.
  • “Ability to raise a flag that people took seriously” is a symptom of weak strategy and business skills. If the threat isn’t framed, articulated, and understood in terms serious leaders get, then such warnings are ignored…or even worse, viewed as counterproductive scare mongering.

How to fire someone the right and safe way

It is a sad part of being a leader…some folks will have to be let go.  But when you read the first example in this InfoWorld article on How to Fire an IT Person, you’ll know that sometimes “you gotta do what you gotta do”.

Step 1: Plan for damage control is especially important.  I once took over a group with known performance problems; but I wasn’t sure exactly where to look.  As I asked a few questions of the team, I identified one colleague whose role was confined to “knowing where all our digital data was stored.”  Which this colleague made sure that I understood clearly…he knew where all of our precious data was.  Wouldn’t it be a shame if something happened to it?

While this colleague was clearly not productive and was hurting the morale of the rest of my staff, it was essential to protect our digital assets. I found that using this approach — and its suggested priorities — worked well (emphasis mine):

Therefore, before you plan to terminate someone, you need to figure out what kind of access they have to all the company networks. Find out who else has access to those systems; if no one else does, then add a backup administrator.

[M]anagers will also need to determine how to prepare for a smooth transition to other employees and how to implement new security measures in the wake of the person’s dismissal. “If you don’t have the measures in place to turn everything off and prepare, it’s best to postpone the termination,” [Todd] Stefan, [president of high-tech risk management firm Talon Cyber] says.

