Project Management for Geeks
One of the interesting things about the infosec community is how lopsided the skill sets tend to be. Most of the seriously brilliant creative people I know are from this community. Try to get any of these folks to add some soft business skills to their repertoire, though, and they shriek and run like vampires from sunlight. For everyone with a healthy fear of leadership responsibilities, here is a simple primer to translate what you already know into “business-ese”.
1. Define the scope and stick to it. “Scope creep” is not your friend. Projects must have a finite point where they are finished and rolled into production. Even if it’s just one little feature request, you need to evaluate how it will impact your timelines and the importance of the feature to the business before deciding whether to include the feature in your current project or save it for the next release.
2. Break it down. Even where it seems obvious, state the objectives that define the scope of the project. Be sure your objectives are SMART (Specific, Measurable, Achievable, Realistic, Time-bound). Then go a step further and define the individual tasks which make up each of these objectives. While the tasks may evolve during the course of the project, especially during design, it is important to be able to track progress within these objectives.
3. Be realistic about timelines. Yes, if you work for 16 hours non-stop, you can totally get that out tomorrow. That’s not realistic. You’re probably working on at least four other projects, half your day is tied up in meetings, and someone is going to do a drive-by with an urgent question that “you can probably answer in five minutes”, but actually takes the rest of your afternoon. If you’re lucky, you’ll get two hours of actual work time in your day. So, if you think it will take you a day or two, estimate a week. If you think it’s a week, you’re probably looking at a month. Account for all of the things that you don’t want to have happen, but inevitably will – Exchange will go down, your browser will crash, and that last code change won’t commit and will disappear into the ether. Underpromise and overdeliver.
4. Know your strengths… and those of everyone else on the project. This one goes double for infosec folks. While you understand the nuances of each area of infrastructure, you’re not an expert in them. Leverage the skills and experiences of those assigned to the project to create a solution that is both secure and meets the needs of the business in the most efficient way. Rather than trying to design solutions with your limited understanding of the technologies available, explain your concerns with the current proposal, ask for recommendations, then work with the infrastructure teams to create threat models of each proposed solution. Creating a collaborative environment and orchestrating contributions from everyone on the team is one of the most critical pieces in leading a successful project.
5. A project without a plan is not a project. This is where the rubber meets the road. Having identified the scope and the action items required to achieve those objectives, reasonable timelines, and the individuals best able to complete each task, it’s time to put that all into a plan. Identify which tasks can be performed concurrently and lay out timelines for each task. While things happen and timelines shift, it’s impossible to gauge progress without a baseline. Having this plan vetted and approved by each team member ensures that you will be able to fall back on the plan when you need to enforce timelines or receive deliverables.
6. A meeting without an agenda is not a meeting. Much like a project plan, your meeting agendas are your key to staying on track. It is important to foster collaboration and allow for the free flow of ideas, but it is equally important to ensure outstanding issues are addressed, decisions are made, and progress is tracked. To go into a meeting without an agenda is to set yourself up for an hour of segues without resolution. Know what you’re trying to accomplish and ensure the rest of the team understands these goals, too.
7. When in doubt, over-communicate. You (and your leadership) can never know too much about your project. You should always be secure in your understanding of where the project is at any given time and be able to communicate that to leadership. Constant communication with the team ensures hurdles are identified early and appropriate resources are allocated before the hurdle becomes a roadblock. This is the most time-consuming part of project management and one that is all too often overlooked. Being transparent and ensuring everyone is in the loop facilitates the collaborative environment that breeds success.
8. Wrap it up. As discussed in the first point – a project ends. When you have accomplished the objectives in your scope and everything is nicely deployed, it’s time to hand this off and prepare for the next challenge. By tracking timelines, creating deliverables at each step, and documenting progress, you should have a nice packet prepared for turning over to the team which will be supporting this work moving forward. It feels a lot like reluctantly sending a child off to college, but you have to let it go before you can tackle your next challenge.