Tuesday, January 29, 2008

Information security management

I just had a revelation. The nature of it is nothing all that special, and when you read this, you probably go "well, doh". Still, it works for me, and this is my blog :-)

My line of thought was as follows:

Situation: New job, new meeting where we discuss project management methodology.

Question: Why do people find project management so hard?

Question: Why do we do projects in the first place?

Assertion: We do projects to implement change!

Assertion: Since the goal of all projects is change, all project management is really change management.

Conclusion: Without change management in place, projects can never be managed successfully.

The line of reasoning can be continued:

Assertion: Most security problems are introduced when change occurs.

Now, if we do not have change controls in place, projects cannot be managed successfully and security problems cannot be avoided. Consequently, it seems fair to assume that to achieve an acceptable level of information security, the information security manager must be involved in all projects that involve change in information, information systems or information processes.

Now, project this on the real world.
