Chapter Communications Blog

How to build your cyber resilience


Author: Daniele Pinto, PMP



Figure 1 Source Pexels.com

The recent issues with Facebook and Twitter highlight that building a strong cyber resilience management system is not easy. We have seen that such a system involves both technical and human aspects.

The scope of this article is to provide a brief overview of cyber resilience management in private organizations and public offices. Let's take a step back and start with the basics.

Definition

Some years ago, we could have thought about cybersecurity as something related to preventing unwanted access to information within the fence of a company. Hence, preventing non-authorized people from accessing company information systems has historically been a “job” for IT personnel. In today’s world the situation is more complicated. Think about BYOD (Bring Your Own Device), or the possibility to cooperate with partners and suppliers. The borders are so extensive that decision makers should no longer ask “if” an accident may happen, but “when” it will happen and “how” the system will be able to detect it and quickly recover. Hence, today we talk about cyber resilience as a wide concept that goes beyond IT. Companies and public offices need to establish a management system with a balance of both preventative and persuasive controls along with recovery and repressive controls. Like every management system, it should include IT/IS infrastructure, organizational management, physical infrastructure management, supplier management, and partner and customer management.

Cyber resilience management system

There are several standards and best practice collections that can help an organization design its own cyber resilience system. For example:

  • The ISO 27000 set of standards
  • NIST (National Institute of Standards and Technology), cybersecurity section
  • COBIT 5

Most cybersecurity controls are related to IT; therefore, a best practice would be to align the management system with the one already established for IT. The most recognized standard for IT service management is ITIL (Information Technology Infrastructure Library). Axelos, the company that manages it, has developed this approach with the new certification path called "Resilia, Cyber resilience best practices". This article is based on that approach.

If you are new to ITIL, these are the five steps to manage the lifecycle of a generic IT service:

  • Service strategy: the first step is to define the strategy
  • Service design: then the service is designed
  • Service transition: change management processes take place; among other activities, the service is handed over to the operations team
  • Service operations: here all controls are in place and managed by the operations team
  • Continuous improvement: this is where the actual service is reviewed and improved

Strategy

The strategy definition of a cyber resilience management system is something that the CSO (Chief Security Officer) or the program manager needs to develop with senior management and executives. The first step is to gather the requirements and therefore set the foundation that explains “why” the organization needs such a control system. Other questions need to be answered here as well, including the definition of the mission and vision for cyber resilience.

The output should be the implementation of company policies, people awareness, and governance that includes, for example, the financial side of implementing the cyber resilience management system.

Design

This is the phase where the strategy becomes tangible because it is when the team designs the new controls. The scope of work includes:

  • Business processes
  • Physical systems (e.g. access control, endpoints like computers and mobile phones)
  • IT systems and processes
  • An organization with roles and responsibilities
  • Company culture towards cyber resilience

A gap analysis should be done to understand the current situation and the desired target state. The ISO 27001 standard could help with its checklist of 114 points. There are many areas in the organization to consider, for example:

  • Employment process through the life cycle, from hiring to termination
  • Supplier management
  • Data management (e.g. data access, data modification, data storage, data transmission)
  • Business continuity

Where the IT services need to use XaaS (anything-as-a-service) resources, a useful source of information would be the Cloud Security Alliance.

The deliverable of this phase is the design of the services/controls that will transition into production.

Transition

The scope of this phase is to introduce the designed controls into the operational environment. Hence, change management plays a significant role in these activities. Attention should be given to avoiding business disruption during the transition phase; risk management will help with this. The deliverables are:

  • Configuration management, including change management
  • Testing, including penetration testing
  • Documentation
  • Training

At this stage, the test protocol should provide feedback about the expected performance.

Operations

Once the controls are in place to protect the organization, the operations team takes care of the day-to-day business. An incident and problem management system together with a request fulfillment system should be in place. The organization manages several types of controls, for example:

  • Preventative controls (e.g. user access controls)
  • Detective controls (e.g. logs)
  • Corrective controls (e.g. backups)
  • Deterrent controls (e.g. terms and conditions in the employment contract)
  • Reductive controls (e.g. recovery plan, configuration management system)
  • Repressive controls (e.g. IDPS - Intrusion Detection and Prevention System)
  • Compensatory controls (e.g. built-in redundancy)

One of the tasks for the technical team is to monitor the access log files and the network traffic. The level of detail logged for access should differ between a normal user and a superuser, since the latter can normally cause far greater damage to the organization. Another aspect to consider is that organizations are no longer isolated (e.g. process integration with suppliers, e-commerce portals). Hence, a good practice would be to terminate all external connections in a “demilitarized zone” that hosts public information, and to allow access to the core network only through a firewall that screens traffic.
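The differentiated scrutiny of superuser versus normal-user access described above, as an added example that is not part of the original article: every superuser event is recorded in full detail, while normal users only surface when repeated failures cross a threshold. The sshd-style log lines, the set of superuser accounts and the threshold are all constructed assumptions for illustration.

```python
"""Added example (not from the article): apply a different level of
logging scrutiny to superuser access than to normal-user access."""
import re
from collections import Counter

# Constructed sample sshd auth lines (not real data).
SAMPLE_LOG = """\
Mar 12 08:01:10 host1 sshd[1201]: Accepted publickey for alice from 10.0.5.23 port 51022 ssh2
Mar 12 08:02:41 host1 sshd[1207]: Failed password for bob from 10.0.5.40 port 51030 ssh2
Mar 12 08:02:44 host1 sshd[1207]: Failed password for bob from 10.0.5.40 port 51030 ssh2
Mar 12 08:02:47 host1 sshd[1207]: Failed password for bob from 10.0.5.40 port 51030 ssh2
Mar 12 08:03:05 host1 sshd[1210]: Accepted password for root from 203.0.113.7 port 40022 ssh2
Mar 12 08:05:00 host1 sshd[1215]: Failed password for root from 203.0.113.7 port 40040 ssh2
"""

# Accounts treated as superusers (assumption for the example).
SUPERUSERS = {"root", "admin"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text):
    """Yield (timestamp, outcome, user, ip) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("outcome"), m.group("user"), m.group("ip")


def review_access(log_text, failure_threshold=3):
    """Superusers: every event is kept with full detail.
    Normal users: only repeated failures (>= threshold) are reported."""
    detailed = []         # full record for every superuser event
    failures = Counter()  # (user, ip) -> failed attempts, normal users only
    for ts, outcome, user, ip in parse(log_text):
        if user in SUPERUSERS:
            detailed.append({"time": ts, "user": user, "ip": ip, "outcome": outcome})
        elif outcome == "Failed":
            failures[(user, ip)] += 1
    summary = [
        {"user": u, "ip": ip, "failed_attempts": n}
        for (u, ip), n in failures.items() if n >= failure_threshold
    ]
    return {"superuser_events": detailed, "normal_user_alerts": summary}


if __name__ == "__main__":
    import json
    print(json.dumps(review_access(SAMPLE_LOG), indent=2))
```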

Continuous improvement

A cyber resilience management system needs to stay aligned with changes in technology and in the business environment (e.g. BYOD). A good practice would be to review the system quarterly and to plan audits (internal and/or external). Sources for improvement opportunities can be the incident log, user surveys, or audit reports. Continuous improvement processes can follow the PDCA (Plan Do Check Act) lifecycle and aim for a maturity level according to a model such as CMMI (Capability Maturity Model Integration).

Conclusions

Cyber resilience is a new way of thinking about cybersecurity. It is no longer a question of "if" but "when" an attack will happen. Hence, the system should be designed to balance the preventative controls with detective and recovery controls. The system should be designed with respect to “how” the organization can quickly recover after the detection of an incident. Cyber resilience is no longer an issue bounded purely by IT within the “walls of an organization”; it affects employees, suppliers, and partners. Therefore, it is important to plan effective communications, create awareness among the stakeholders and manage risks holistically.

Robotic automation projects - Industry trends and key learnings

May 3rd 2018 PMI Chapter Event: “Robotic automation projects - Industry trends and key learnings”

Author: Edul Nakra

We are living in the new age of AI (Artificial Intelligence) and Robotic Automation. We see this in the consumer product space from Siri and Alexa, to smart devices and self-driving cars. There are also several automation changes happening in back-office functions. How do these trends affect us, and what are some of the things that we, as Project Managers, need to know?

These are some of the thoughts we explored in an intriguing presentation by PMI-Switzerland’s very own Mr. Singaravelan Thangavelu (Velan) PMP, PMI-ACP, and Mr. Thorsten Staby, Head of the Business Solution Automation for the Nestlé group.

To start things off, we covered the evolution of automation, and the distinction with AI. This is not really a recent trend – we have been “automating” since prehistoric times. What is striking these days is the rate with which we are now automating.

We saw some interesting studies where the numbers showed more automation in fact led to fewer jobs lost – and the work humans performed moved from repetitive to creative jobs.

Velan explained the concepts of RPA (Robotic Process Automation) and RDA (Robotic Desktop Automation), which are terms that we find used increasingly these days. He also discussed some of the key players in the robotic automation arena.

Key implementation challenges highlighted were the Human Factor, Security and Compliance, Technology (“The Digital Divide”), and project management in a highly fluid business context. Agility and project preparation are key, as well as the application of sound PMI principles such as good process documentation, testing, and measuring ROI.

Further into the presentation, Mr. Staby took questions, and explained the evolution of robotic automation that he has led at Nestlé. He provided useful insights into the different service models and support aspects when implementing such automation projects at Nestlé. Other members also shared their experiences, and there was a lively exchange of ideas in the group.

The event ended with a wonderful apéro – always welcome on a Thursday evening!

Event Report - How Project Management Can Enable Successful Enterprise Digital Transformation


Author: Brandon Satre, PMP

On Thursday, May 17th, the Switzerland chapter of PMI welcomed Ronízia Moura to present “How Project Management can enable successful enterprise Digital Transformation” at the Roche Learning Center in Basel. Ronízia is originally from Brazil where she began working for Roche in 2002. Relocating to Basel in 2012, Ronízia is currently the European Head of Digital at Roche. Given her technical and personal experience in Digital and an honest admission to being a “technology geek” the evening promised to be interesting and insightful. Her skills in working with people and technology in unison were put on display in the hour or so that she presented. It was engaging, refreshing and practical.

Now I don’t know that the relevance of this topic for the PMI community really needs to be spelled out, as a company’s ability to “go Digital” is essential to sustained success and competence in the global marketplace. On the one hand, it becomes clear how important it is to engage people as the primary means for digital transformation. It turns out this can significantly affect the degree of success one obtains in such undertakings.


The evening consisted of experimentation, research, and trial and error. The first experiment: using a live polling application to see how attendees would describe digital transformation in one word. With just under 50 people responding via their smartphones, the top four results (respectively) were: 1. Change 2. Evolution 3. Innovation 4. Technology. But notice that from the top four “people” did not make the cut.

The next experiment: rock, paper, scissors tournament (yes, our experimentation progression took an ironic turn going from digitally-based to “old-fashioned” face-to-face interaction). I will spare the details, but essentially it involved two main teams and everyone in the room experiencing an epic battle of skill-less one-on-one competition until we ended up with two opponents in the coveted championship round. In this silly abstract exercise we realized several insights that describe what one might find in regards to digital transformation projects. The tournament began in confusion and people “dragging their feet” but quickly evolved into understanding and motivation. Why is this? It is because people connected on a personal level with the others on their team and were marching toward a common goal – to put their best foot forward and win. This is just one example that demonstrates the behavior of people and the application of team dynamics in project execution.


How exactly does this all tie in to digital transformation? This by no means discounts the need to focus on digital technologies. But the point is that digital technologies are only as good and useful as the people who stand behind them. We must not forget to invest ample time in the people who are not only on the project team, but also (and perhaps especially) those who are most affected by the digital transformation. It may end with a digital transformation, but it all starts with people!

What is the value of Diversity and Inclusion on teams and how to leverage this?


Author: Krisztian Sardi, PMP

26. April, 18:30 - "What is the value of Diversity and Inclusion on teams and how to leverage this?" by Valerie Villiger.
Very engaging session and great presentation by Valerie about Diversity & Inclusion. It's been very refreshing to see how different every one of us is - based on our personality and behavior preferences - and that there is no right or wrong here. We are all very valuable the way we are and who we are! We all could see that during a 5-minute team exercise, where all of us participants took a stand on the "Introvert - Extrovert - Rational focused - People focused" scale in the meeting room.
I have known Valerie for 11 years. We first met in a leadership offsite training in Merten-Muyrez in 2007. There I instantly knew I would like to keep in contact with her, as she was and still is an experienced Organizational Development Consultant and Coach who facilitates transformational learning, innovation and change for leaders, teams and organizations. We had not seen each other for a while and I learned she established herself as a consultant after she had worked for nine years in Global HR and OD roles at a Global Pharmaceutical Company.

Valerie started her presentation with some facts about the diversity of Switzerland. Did you know that 24% of the Swiss population are foreigners, 1/3 have foreign roots and that the working environment for women is rather not so good in Switzerland? Well, after these facts we learned about the definition of diversity and inclusion and its overall goal to work more effectively as (project) teams by leveraging diversity. Valerie shared with us that "diverse teams outperform teams that are alike" (based on global research). She showed us the "Iceberg model of Diversity", i.e. the drivers of diversity. Then she introduced the DiSC tools and the DiSC model to us through information slides, exercises, open discussions and Q&A. At the end she shared a few "tips and tricks" for project/operational teams based on her many years of experience, like the importance of "team agreements".
Why is Diversity & Inclusion important to project management? Well, remember that "diverse teams outperform teams that are alike". As a father, a husband, a son, a brother, a friend, a project manager, a project team member and a colleague, I interact and spend time with my family, friends and colleagues, and when I do so I often realize how different every one of us is, that we all have our own talent, experience, skills, origin, likes & dislikes, and that we are all very valuable the way we are and who we are! Understanding the personality / behavioral preferences of my wife, my children, my mother, my friends, my stakeholders and colleagues is very important in my view, so that I do, speak and act with them in the best possible way, harnessing their values, talents and uniqueness. Understanding my own personality / behavioral preferences helps me to achieve that. To me these are the key messages of the session, the take-away about diversity and inclusion.
What if you wrote this article based on the exact same notes. Would it be better? Possibly. Would it be different? For sure!
See you next time in a PMI Basel event!

Editorial May 2018 Newsletter


Author: Carlos Martinez Arteaga, PMP

Dear Members and Newsletter subscribers,

Spring, sun, warm weather, thunderstorms and wind... unpredictable weather.

In this newsletter I would like to talk a bit about Stakeholder Management, directly linked with effective communication of course.

When trying to achieve an objective, we will soon realise that, amongst others, there is always an external factor, the so-called stakeholders: those people that have an interest in and an impact on the way you may reach your objective.

We find stakeholders in all situations: in our house with the family, at work with the project team and those outside directly or indirectly impacted by us, with our friends... all of them are stakeholders that we need to manage if we somehow want to influence them in a way that lets us achieve our objective.

I think that there are 5 important considerations to correctly manage our stakeholders:

1.-Identify the stakeholders, and know when to engage them.

2.-If you have a team, assign stakeholders to team members.

3.-Ask for stakeholder feedback, their opinion - engage them. Asking for an opinion makes people feel valued. Consider that if you ask someone for their opinion they will expect that you take it into consideration.

4.-If you do not want to have direct input from the stakeholders and want to make them feel engaged and at the same time gather input, you might want to use a survey, and as a follow up send them back the suggestions that were received.

5.-Finally, treat stakeholders with true interest and respect their ideas. In many cases they will return the favour...

It is not easy to meet everyone's expectations, or to implement everyone's ideas, but if you justify your decisions they will understand, and will know that you have considered their interests.

Consider also that your stakeholders will have their own stakeholders as well, which might make decisions or opinions unstable, like spring...

I hope you enjoy reading the newsletter.

Provide ideas to the team so that they know what your interests are and may take them into consideration for future newsletters.


Take care.

Carlos