PM Network - August 2016

managers’ only recourse is to make risk analysis a central part of the planning process.

“It starts with having good awareness of all the
security threats around the world,” Mr. Hudhud says.
“No one can anticipate all the threats, but a good
awareness will help you forecast what risks you need
to consider while planning.”
Legal and compliance departments are important
collaborators during this process, according to Ms.

Sasportes. “You need to understand what laws and
legal constraints to adhere to for each project,” she
says. “It helps a lot on projects that include data
get o; the ground, she says, due to concerns about
compliance with the Health Insurance Portability
and Accountability Act. ;e law governs healthcare
privacy in the United States. “Once we were ready
to do the work, the CIOs got involved,” Ms. Miller
says. “We had to go through a whole other round of
approvals to ensure security protocols were met.”
;ankfully, the project team was prepared. “We
know going into any project that collects data that
we’re going to have to jump through [security]
hoops,” she says.

But when so many hoops exist, di;cult questions can arise. Each risk assessment can result in new requirements being added to the project’s scope. “;is adds overhead, and when you’re on a limited budget that means you have to start carving o; features to the point where you could end up having conversations about whether the viability of the project is even still there,” says Mr. Denov. Balancing functionality and security is “tricky,” he adds. “Nice-to-have or gold-plating requirements” are the ;rst to go.