managers’ only recourse is to make risk analysis a
central part of the planning process.
“It starts with having good awareness of all the
security threats around the world,” Mr. Hudhud says.
“No one can anticipate all the threats, but a good
awareness will help you forecast what risks you need
to consider while planning.”
Legal and compliance departments are important
collaborators during this process, according to Ms.
Sasportes. “You need to understand what laws and
legal constraints to adhere to for each project,” she
says. “It helps a lot on projects that include data
get o; the ground, she says, due to concerns about
compliance with the Health Insurance Portability
and Accountability Act. ;e law governs healthcare
privacy in the United States. “Once we were ready
to do the work, the CIOs got involved,” Ms. Miller
says. “We had to go through a whole other round of
approvals to ensure security protocols were met.”
;ankfully, the project team was prepared. “We
know going into any project that collects data that
we’re going to have to jump through [security]
hoops,” she says.
But when so many hoops exist, di;cult questions can arise. Each risk assessment can result
in new requirements being added to the project’s
scope. “;is adds overhead, and when you’re on a
limited budget that means you have to start carving
o; features to the point where you could end up
having conversations about whether the viability
of the project is even still there,” says Mr. Denov.
Balancing functionality and security is “tricky,” he
adds. “Nice-to-have or gold-plating requirements”
are the ;rst to go.
Security features are nonnegotiable, so project
“The biggest challenge is to ensure
that once you implement a certain
technology, it’s actually used. I’ve
seen a lot of projects completed on
time and on budget—and then no
one actually uses the technology.”
—Susana Sasportes, PMP, formerly of South West London and St. George’s Mental
Health NHS Trust, London, England
“We know going
into any project
that collects data
that we’re going
to have to jump
through
[security] hoops.”
—Jebi Miller, PMP