Project workstreams

You're now going to take a closer look at the project management process with a special eye on the stakeholders and their role in implementing the plan.

There are several essential steps to this project management process. These are to create:

Project workstream.
Stakeholder map.
Delegation of authority model.
Work packages.
Security working group.

A project workstream needs to be identified for each component of the plan. In this phase, tasks are given to individual teams to work on. Each workstream needs to be managed individually, with resources allocated to complete them on time and budget.

In order to allocate the tasks to the most appropriate teams you need to create a stakeholder map of the people who have an interest in the outcome. This also helps you get maximum buy-in from the most relevant people.

You then need a delegation of authority model – or DOA – to ensure people with appropriate authority and responsibility are working in the right roles. This should be publicised to ensure all stakeholders are clear on their duty.

You then assign work packages to each of the workstreams so that the deliverables can be managed. For example, a network security workstream might include delivery of firewalls, routers, and switches. This workstream will deliver work packages for each component and will be resourced from technical teams and non-technical personnel like auditors and team leaders.

Finally, a security working group or steering committee should be established to report on progress to senior management. This tracks the success of the security programme and shows the implementation progress being made. The project manager should manage expectations and ensure that there are no surprises for the stakeholders.

Decorative image: Graphic showing elements of Implementing information security: Stakeholder map; DOA; Work packages Security working group.

What do you think?

Before you go on to look at them, what positive benefits do you think will result from implementing the plan?

Think of at least three.

Classification schemes: Positive benefits

There are multiple benefits of executing such a plan. Risk reduction leads to service improvements.

Positive outcomes of operating with the information assurance implementation programme.

Tangible benefits should be communicated to stakeholders in a meaningful way.

Present clear business case to the CEO: 

Cost 
Competitive advantage 
Impact 
Risk 
ROI vs ROSI calculation https://www.enisa.europa.eu/publications/introduction-to-return-on-security-investment/@@download/fullReport

The benefits of the implementation programme should be pitched to management stakeholders in a meaningful way. For example, the finance director will be interested in the monetary value of the risk reduction programme, whilst the COO will be interested in improvements in the network. 

At a basic level, one way of calculating cybersecurity return on investment (ROI) involves taking the average cost of an incident and multiplying that number by how many incidents a business might experience in a given time frame. With an approximation of potential costs, companies can then assess whether the price of the solution and the reduction in incidents it will bring is worth the investment.

In the formula for calculating the Return on Investment in Security (ROSI), the cost of the security awareness solution is the annual expectation of losses derived from the risks. The quantification of the ROSI formula is measured by the impact of the investment on the final result

Classification schemes: Security strategy

In security terms, a strategy refers to high-level plans that illustrates a considerable improvement in security posture over a three to five-year time frame.

The information security strategy needs to be ambitious enough to influence the organisation to invest in short-term actions on the basis that they help them achieve the strategic objectives. For example, an organisation might run three iterations of an information assurance implementation programme in a three-year period, each successively building on the output of the previous programme.

To gain universal buy-in and acceptance from the organisation, the security strategy should:

State the high-level objectives
Explain how the risk profile of the organisation will improve
State how the organisation will benefit from implementing the strategy
Discuss trends in relation to threats and vulnerabilities
Support the organisation strategy
Support the technical strategy
Focus on cost savings

The information security strategy is a visionary document that shows the organisation’s maturity and its depth of understanding of information assurance requirements. It should be written using non-technical language and state the goals of the business in a simple way. This document can also form part of the organisation’s marketing collateral to outline their goals and objectives. This helps display the true direction the organisation is heading in.

Key points

Let’s take a look at some of the key points to take with you as you move through the rest of this Course and lesson:

There are several essential steps to this project management process. These are to create or define:
1. The project workstream.
2. A stakeholder map.
3. The delegation of authority model.
4. Work packages.
5. The security working group.
A delegation of authority model – or DOA – ensures people with appropriate authority and responsibility are working in the right roles.
Return on investment (ROI) calculation is critical as an organisation does not have unlimited resources.

Stakeholder engagement