EC-Council's Certified CISO program was designed to develop top-level infosec leaders and is the only CISO-specific security certification included in the U.S. Department of Defense's approved baseline certifications per Directive 8140/8570.
The program covers five infosec management domains:
- Governance and Risk Management
- Information Security Controls, Compliance and Audit Management
- Security Program Management & Operations
- Information Security Core Competencies
- Strategic Planning, Finance, Procurement and Vendor Management
To sit for the CCISO exam, candidates must meet one of three experience requirements: self-study, which involves completing five years of experience in each of the five domains; training, which requires taking the official CCISO training and having five years of experience in three of the domains; or the associate CISO program, which includes completing the EC-Council Information Security Manager certification -- a lighter version of the CCISO exam -- as well as official CCISO training and five years of experience in three of the domains.
Once one of the three prerequisites is fulfilled, candidates must achieve a passing score of at least 72% on the multiple-choice, 150-question exam. Test-takers have 2 1/2 hours to complete the exam, which is designed to test three cognitive levels: knowledge, application and analysis.
In CCISO Certified Chief Information Security Officer All-In-One Exam Guide, published by McGraw Hill, authors Steven Bennett and Jordan Genung provide a comprehensive technical and strategic training resource on the roles and responsibilities of a CISO, including practice CCISO exam questions.
The following excerpt of Chapter 3, "Security Program Management and Operations," is a comprehensive guide to security project management -- one of the four main components of security program management which a CISO oversees.
Project management is the lowest level in the management hierarchy (portfolio, program, and project). The goal of project management is to ensure that every project achieves the desired outcome on time and within budget. Project management includes identifying and controlling resources, measuring progress, and adjusting the plan as needed as progress is made. The CISO may directly serve as the project manager for some or all security projects, or the CISO may delegate others to serve as project managers. In either case, the CISO should be familiar with project management principles and techniques.
It is important to apply good project management practices to projects of all sizes. Some organizations focus project management efforts on large projects and tend to neglect small projects. These small projects can end up costing the organization significant time and resources if they are not properly managed. Project management may not be formalized for all projects. The extent of formalization may be governed by project size or importance; however, good project management principles should be applied to all projects. This includes, at a minimum, identifying the scope, developing criteria for measuring success, monitoring and controlling resources, and documenting these items in a plan. This section discusses some of the fundamental tenets of project management and provides a walkthrough of the project management process.
Project Management Fundamentals
Similar to the CIA triad (confidentiality, integrity, and availability) of information security, project management also has a triad, composed of the following elements:
- Scope: Boundary of work to be performed
- Schedule: Timeline to perform the work
- Budget: Cost and resources required to perform the work
If one of these components changes, the other two components usually are affected. For example, changes to the scope of a project will likely affect the project budget and schedule. The manner in which these elements are applied determines the quality of the project. This interdependency is illustrated in Figure 3-4.
Ultimately, project management as a practice is focused on managing and controlling these three fundamental components to achieve the goals of the project. There is always a trade-off in project management. Decisions around cost, schedule, and scope affect the quality of the project deliverables. Successful projects are completed on time (schedule), within cost expectations (budget), and achieve the technical and business objectives (scope).
CCISO candidates should be familiar with the fundamental project management terms scope, schedule, and budget and understand how these components affect the project.
Project Management Considerations
There is an old saying in project management and software/system development: "Good, fast, or cheap -- pick two." This is a simplistic representation of the situation, but it is an important concept to illustrate. The idea is that while the goal is always to strike a balance between the three principles, sometimes two have to outweigh the other. On every project, some key decisions must be made about what principle is most important. Is the goal an end product that is of high quality (good), inexpensive to develop (cheap), or delivered quickly (fast)? There is always a trade-off to be made, as illustrated in Figure 3-5 and described here:
- Good + cheap = slow to deliver
- Cheap + fast = poor quality
- Fast + good = expensive
- Fast + good + cheap = sweet spot
The ultimate goal is usually to harmonize the three principles. It may not be possible, but it should be the goal.
Project Management Training and Certifications
There are several project management certification bodies; two well-known ones are the Project Management Institute and AXELOS. These organizations provide a range of benefits to the community, including publications, forums, conferences, networking opportunities, and best practice resources, and offer certifications and training for continuous learning.
This section does not present a comprehensive survey of project management training organizations. The organizations introduced here are simply a few of the prevalent ones in the industry, used to illustrate the range of project management training and certifications available.
Project Management Institute
The Project Management Institute (PMI) is a professional association focused on project management certification and education. PMI develops standards, conducts research, produces publications, hosts conferences, and facilitates networking and collaboration for project management professionals. PMI's flagship certification is the Project Management Professional (PMP), but it also provides training and certification for the following:
- Program Management Professional (PgMP)
- Portfolio Management Professional (PfMP)
- Certified Associate in Project Management (CAPM)
- PMI Professional in Business Analysis (PMI-PBA)
- PMI Agile Certified Practitioner (PMI-ACP)
- PMI Risk Management Professional (PMI-RMP)
- PMI Scheduling Professional (PMI-SP)
AXELOS
AXELOS is a global best practice organization that provides certification and training in a variety of subject areas, including project management, IT service management, and cybersecurity. The AXELOS certification tracks include the following:
- IT Service Management (ITIL)
- Cyber Resilience (RESILIA)
- PRojects IN Controlled Environments (PRINCE2)
- PRINCE2 Agile
- Managing Successful Programmes (MSP)
- Management of Risk (M_o_R)
- Portfolio, Programme and Project Offices (P3O)
- Portfolio Management (MoP)
- Management of Value (MoV)
Phases of Project Management
Good project management allows a project to move in the right direction by allocating appropriate resources, providing leadership, and planning for events that may cause the project to drift astray. Projects are made up of one or more phases which collectively represent the activities and tasks involved in a project. Project management should be put in place to ensure that each phase of the project is followed. This is accomplished by choosing and following a project management model. There are many project management models from which to choose. The model outlined in this book is based on the PMI Project Management Body of Knowledge (PMBOK) process groups, outlined in Figure 3-6, which include the following:
- Initiating: Identify the business need and define the project.
- Planning: Develop a plan to ensure the project meets the scope, time, and cost goals.
- Executing: Coordinate resources to execute the project plans.
- Monitoring and Controlling: Measure project performance, monitor deviations, and take corrective actions.
- Closing: Formal acceptance and organized closing of the project.
While these phases are discussed sequentially, in practice they may be implemented sequentially, iteratively, or concurrently. In the model depicted in Figure 3-6, the monitoring and controlling process occurs throughout the project. In practice, the monitoring and controlling process occurs during the executing phase and to some degree in the initiating, planning, and closing phases. In addition, the initiating and planning phases may happen simultaneously in some organizations. The project management process groups can be tailored and customized to fit the organization's needs. In this section we examine project management by breaking down each of these processes and discussing the components of each.
Although the project management model discussed in this section is based on the PMI PMBOK process groups, this section is not intended to align completely with the way PMBOK approaches project management. This section is written based on the authors' experience observing how project management is applied in practice.
Initiating
Before a project can begin, up-front work must be completed in the initiating phase. First, a business need or problem must be identified, and a potential solution discussed. Depending on the feasibility of the solution, this may warrant the creation of a project. The key initiatives that take place in the initiating phase include the following:
- Collect requirements
- Define the project scope
- Identify and interview stakeholders
- Define assumptions and constraints
- Establish the general project budget and timeline
- Develop the project scope document
Collect Requirements
Every project must have a set of requirements, a collection of capabilities or items that are required in the final deliverable to meet the project objectives. The requirements provide the foundation for defining the project scope. The work required in collecting the requirements can vary. In some cases, the requirements are provided by the customer or defined prior to the beginning of the project. Other times the requirements are developed as part of the project. The requirements that are provided may vary in detail, and additional information gathering sessions may be required to create clear and complete requirements.
Define the Project Scope
As part of project initiating, it is important to put some kind of boundary on the work to be done. The scope of a project defines the boundary of the project. It is the work that is required to fulfill the customer requirements. The scope should outline what is and is not included in the project. The scope includes the project goals, requirements, stakeholders, schedule, and budget. A well-defined, documented, and monitored scope is an important factor in a project's success. A poorly defined project scope can result in one or more of the following:
- Scope creep: Uncontrolled growth in a project's scope due to the addition of requirements, desires, or targets
- Cost overrun: Unexpected costs incurred during the course of a project that are in excess of budgeted amounts
- Schedule overrun: Unexpected schedule delays incurred during the course of a project
Scope is defined in a project scope document or scope statement, which describes project deliverables and outcomes.
Identify and Interview Stakeholders
As part of project initiating, stakeholders should be identified and interviewed and their needs should be assessed. Stakeholders are people with a vested interest or stake in the project. This includes both internal and external stakeholders.
- Internal stakeholders: Individuals within the organization such as team members, business area managers, senior executives, and so on
- External stakeholders: Individuals external to the organization such as customers, vendors, users, contractors, suppliers, or investors
The stakeholders are identified and their details documented, including, at a minimum, their names, roles, contact information, and areas of interest. For example, some stakeholders may be performing the work, others may be affected by the work, and others may be the recipients, such as a customer, business owner, or investor. Stakeholder identification is typically accomplished through interviews, lessons learned, brainstorming sessions, or utilizing checklists. Stakeholders are sometimes classified based on their influence, interest, and power. Stakeholders with a high degree of influence and interest who can directly affect project output are sometimes referred to as key stakeholders.
The stakeholders are interviewed and assessed to determine their needs, expectations, and definition of success for the project. This information is documented to ensure their requirements are clearly understood.
Define Assumptions and Constraints
In the initiating phase, the possible assumptions and known constraints should be captured and documented. These form the basis for project planning.
- Assumptions: Beliefs or expectations in planning based on knowledge or experience that may not be certain, true, or real (for example, assume that resource X will be available for the duration of the project).
- Constraints: Limitations or restrictions to the project's schedule, resources, quality, budget, scope, or risk that may impact the project during executing (for example, resource X can be tested only during the weekends). Constraints can be business oriented or technically oriented.
Assumptions and constraints are documented at a high level during the initiating phase and should be tracked during the project life cycle. Assumptions are beliefs that may turn out to be false, and constraints are restrictions or barriers to project execution. Both can add to project risk and affect project requirements, which is why it is critical to document, analyze, and monitor them throughout the project.
Establish the General Project Budget and Timeline
The initiating phase includes discussing and estimating the initial budget for the project. The budget may not be very detailed in the initiating phase; however, it is important to have an estimate of what the general budget for the project will be. The project timeline also needs to be discussed and estimated to predict when the results generally need to be delivered.
Develop the Project Scope Document
All the components described in the initiating phase should be captured and the information integrated into a project scope document. The project scope document captures all scope data and high-level decisions regarding the project and typically contains the following, at a minimum:
- Scope definitions
- Stakeholder inputs
- Assumptions and constraints
- Budget and time frame
- Initial schedule and resources
The project scope document may also be referred to as the scope statement. The purpose of the project scope document is to document the boundary of the project. This is used to ensure that there are not deviations in the project that lead to scope creep and that there are well-defined project objectives so that success is tangible.
About the authors
Steven Bennett, CCISO, CISSP, CISA, is an engineer, sportsman, entrepreneur and consultant. He has worked in the IT field for more than 40 years, helping organizations protect their most important assets from criminal threats. Bennett has spent his lifetime studying human and animal behavior in complex systems, relationships between predator and prey, and offensive and defensive survival strategies and tactics observed in business and nature. His information security consulting career includes supporting clients in healthcare, manufacturing, retail, finance, military and government.
Jordan Genung, CCISO, CISSP, CISM, CISA, has served as an information security officer and security advisor for public and private sector organizations. His experience includes security consulting for Fortune 100 companies and government agencies, building information security programs and developing information security curriculum. Genung holds a degree in computer science and information security from the University of Texas at San Antonio, which is a National Security Agency and Department of Homeland Security National Center of Academic Excellence in Cyber Operations, Cyber Defense and Research.