Cybersecurity essentials for project and programme managers

With cybercrime set to incur costs of $10 trillion worldwide by 2025, according to Forbes, cybersecurity is a critical concern for organisations across all industries. Project and programme managers play a vital role in ensuring that projects are delivered on time, within scope, and on budget. However, they must also ensure that these projects are secure from cyber threats, especially when the World Economic Forum estimates that 95% of breaches are due to human mistakes.

With the increasing complexity of technology and the growing sophistication of cyber-attacks, project and programme managers need to be well-versed in cybersecurity best practice.

Cybersecurity in project management

Cybersecurity is no longer the sole responsibility of IT departments. As digital technologies become increasingly integrated into business operations, project and programme managers must consider cybersecurity as a fundamental aspect of their roles.

Failing to incorporate cybersecurity into project management can lead to significant risks, including data breaches, financial losses, and reputational damage.

Cybersecurity risks for project teams

Project and programme managers need to be aware of several key cybersecurity risks that can impact their projects:

  • Data breaches: Unauthorised access, theft, or exposure of sensitive project data can have serious consequences, including legal liabilities and loss of customer trust
  • Ransomware: Attacks can lock down critical project files and demand payment for their release, leading to delays and potential financial losses
  • Phishing: Cybercriminals often target project teams with phishing emails or social engineering tactics to gain access to sensitive information
  • Insider threats: Employees or contractors who act with malicious intent, or who inadvertently compromise security, can pose significant risks to a project
  • Third-party risks: Projects often involve third-party vendors and partners, who may introduce additional cybersecurity vulnerabilities

Understanding these risks is the first step for project and programme managers in safeguarding their projects.

What are the cybersecurity essentials for project and programme managers?

To effectively manage cybersecurity risks, project and programme managers should adopt the following essential practices:

Incorporate cybersecurity into project planning

Cybersecurity should be integrated into the project planning phase as a core component, not as an afterthought. This should include a thorough risk assessment that considers the type of data being handled, the technology stack, and the potential impact of a security breach.

During the project planning stage, it also helps to define specific security requirements and objectives for the project. These should be aligned with the organisation's overall cybersecurity policies and industry best practice.

It is also important that the project budget includes provisions for cybersecurity measures, such as encryption tools, security software, and training for team members.

Create a framework for cybersecurity

A cybersecurity framework provides a structured approach to managing and mitigating cyber risks. Project and programme managers should work with cybersecurity experts to develop a framework that includes access controls to protect sensitive project data, ideally with multi-factor authentication (MFA), and data encryption to protect data even if cybercriminals intercept it.

It’s also important to establish procedures for regular security audits and continuous monitoring of project systems. This helps to detect and respond to potential threats in real time.

Manage third-party risks

Projects often involve collaboration with third-party vendors, partners, or contractors. These relationships can introduce additional cybersecurity risks. With this in mind, it’s important to conduct thorough due diligence on all third-party vendors to ensure they have robust cybersecurity measures in place, including reviewing their security policies, certifications, and past security incidents.

It also helps to include specific cybersecurity requirements in contracts with third parties. This may