Why do Information Security Projects so often disappoint?
Business expectations for Information Security (InfoSec) investments include outcomes such as passing audits more easily, protecting proprietary digital assets, avoiding accidental data disclosure, and active or even proactive data governance. These business results are Level 3 or above in the 5 levels of results of the SecuriThink methodology.
The reason InfoSec projects often disappoint business stakeholders is that project plans rarely extend past deployment, which is a Level 2 result. In fairness, a successful technology deployment is often quite complex and challenging, but at the end of the day it probably won’t satisfy the expectations or the needs of the business.
A project strategy that sets out to accomplish results at Level 3 or above takes a more holistic approach. Business change is needed to get the full benefit from the technology. When the technology is given center stage, often no one pays attention to the business change. Numerous studies [1, 2] show a high correlation between business transformation and project success, as measured by on-time delivery, on-budget delivery, and high stakeholder satisfaction.
With the SecuriThink methodology, we engage and manage factors too often thought to be outside the authority of a project, because many projects are planned for a result level lower than the one the business expects.
1. Prosci Research Foundation. Nine studies, 1998-2016.
2. J.A. LaClair and R.P. Rao. Helping Employees Embrace Change. McKinsey Quarterly, 2002, Number 4.