When was the last time you stepped away from your computer, smartphone, or tablet? During COVID, your reliance on technology has probably magnified 10-fold. Many have already embraced technology dependencies as the new normal, whether working remotely, embracing online learning, or to stay connected with friends and family. Not only is our time allocated to tech increasing, but the breadth of tech is ever-expanding with the evolution of the internet of things, a few obscurities being the Smart Duvet, and the Twettle (the Tweeting teakettle).
The speed at which tech is coming to market has never been faster thanks to cloud and SecDevOps. However we look at it, our dependency on technology is on the rise, and so are the evil twins, malware, and hackers. To better prepare project managers for tech projects and opportunities in the future, let us evolve to become Project ‘Security’ Managers.
Project managers can boost their demand and remain at the forefront by embracing security in the cloud by becoming the new superheroes. It is estimated that the worldwide public cloud market will be worth $331.2 billion by 2022, and by 2025 80 percent of enterprises will have shut down their traditional data centers. Cloud migrations are the new normal, be prepared to embrace the IaaS, PaaS, and SaaS. Project managers that incorporate security will not only be more employable but also better equipped to create sustainable and robust output.
Hackers and Malware
The reality of our global footprint is that hackers are not innocent script kiddies; we need to think beyond the evil of Dennis Nedry from Jurassic Park. We have also evolved since Brain, the first virus released for MS-DOS in January 1986, where the creator listed their names and addresses. Black Hat Hackers are working on an industrial scale, and Ransomware as a Service (RaaS) is gaining momentum. The force of good is still strong as the White Hat Hackers play defense at a Hackathon near you or virtually at Hackerone.com (hack for good). It pays to hack. In 2019 Apple launched a $1 million reward for anyone who could hack an iPhone.
Ransomware Black Hat Hackers can be seen across the globe via major ransomware attacks like WannaCry, the impact was a staggering 300,000 computers. Ransomware is when hackers encrypt files and ask for payment in return to release those files. In WannaCry’s case, $300 – $600 was demanded via bitcoin. WannaCry is just one of many other ransomware players, including Clop Ransomware, Fake Window Updates (Hidden Ransomware) and Zeus Gameover. The cost of ransomware attacks are difficult to estimate, but experts believe they exceeded $7.5 billion in 2019.
With big data, regulation, and compliance, data is the new gold. Companies can be destroyed if they do not take data protection seriously. Some of the largest data breaches in the past few years have been Canva, Equifax, Dubsmash, Marriott International, My Fitness Pal, and Sina Weibo. Under GDPR, companies could face up to a 20 million or four percent of annual global turnover fine, and the impact is not only financial but reputational as well.
How do we, as project managers, take the step to become superheroes? We project ‘security’ manage by ensuring we manage through an information security lens. In this case, continual knowledge is the key; this is an ever-evolving space, but staying up-to-speed might be easier than you think:
1. Get to know your information security policies, standards, and guidelines for your company, your client, and procedures specific to your project. Once you have gained the knowledge, start sharing what you have learned. Teach people as you go by providing security awareness training and examples of social engineering. A great place to start is the acceptable use policy (AUP), an information security management framework policy, and a data protection policy.
2. To get the basics right, start by focusing on encryption, identification, authentication, authorization, and accountability (IAAA) (including multi-factor authentication), and up to date patch management for a full overview of Information Security get to know ISO 27001/27002, the International Standards Organization (ISO). To get the basics for encryption, next time you load a webpage, select the key at the top left corner where you will find the URL, next select show certificates, where you can confirm the validity of the certificate and the details around the type of encryption used.
At the time of writing, a 256-bit key would be considered strong. If you are working on a project that leads you to a site that is not secure, escalate it. Next, have you ever worked on a project document only to find that someone else edited a field by mistake? If so, then the correct access management wasn’t enforced. This same principle applies to cloud management and repositories, to avoid loss of data and intellectual property to ensure strong IAAA is enforced.
3. The Cloud Security Alliance (CSA) is a volunteer organization that publishes standards and tools for cloud security and is an excellent resource. In addition to the points previously mentioned, pay close attention to vulnerability and patch management as once a vulnerability is known, it will not take long for a hacker to exploit it. Do ensure patching is performed often and routinely.
4. Knowing the top web risks will help you stay at the forefront, the Open Web Application Security Project (OWASP) publishes a top 10 list, the top five are: Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities (XXE), and Broken Access Control. Paralleling our second point above, we see that authentication and access controls are in OWASP’s top five.
5. There is no simple answer, hence create layers of defense. Make it simple. That way, people within the organization can understand how you are building a secure environment. Externally use obscurity. Diversify your layers, secure the project, but don’t forget to think about physical security as your business is only as secure as its weakest link.
Embracing security as a fundamental component of project management will allow project managers to embrace the new trends in technology, remain employable in our’ new normal ‘, and secure for a safer tomorrow. From Q, to Batgirl and Ironman, good information security is at the heart of fighting crime and you don’t even need any superpowers for it.
Be a superhero and protect today for a robust tomorrow.
For more information about Capco’s approach to project management, contact Sebastian Ekberg.