I just had a revelation. The nature of it is nothing all that special and when you read this, you will probably go "well, doh". Still, it works for me, and this is my blog :-)

My line of thought was as follows:

Situation: New job, new meeting where we discuss project management methodology.

Question: Why do people find project management so hard?

Question: Why do we do projects in the first place?

Assertion: We do projects to implement change!

Assertion: Since the goal of all projects is change, all project management is really change management.

Conclusion: Without change management in place, projects can never be managed successfully.

The line of reasoning can be continued:

Assertion: Most security problems are introduced when change occurs.

Now, if we do not have change controls in place, projects cannot be managed successfully and security problems cannot be avoided. Consequently, it seems fair to assume that to achieve an acceptable level of information security, the information security manager must be involved in all projects that involve change in information, information systems or information processes.
Now, project this onto the real world.