Tracking projects and initiatives within information security is especially difficult. Tools that are useful for more traditional project management may not be as useful in InfoSec, where the landscape is constantly shifting. Emergency patching or incident
response (IR), for example, can shift resources away from a given project. Stakeholders outside the information security team require visibility to see and understand the impact of these interruptions, as well as to visualize the expected completion
times of their upcoming projects.
This piece highlights features to look for in an information security-focused project tracking/management tool and explain why they are important.
Many tools help define projects, but information security requires tools that adapt to rapid changes in schedule. Security initiatives are often preempted by events such as a new zero-day becoming public or responding to an incident, and the tools used
by security must quickly adapt as circumstances change.
Many project tracking tools that seem security-focused are very tailored for governance, risk management and compliance (GRC). These tools should only be adopted if the primary problem is managing GRC operations.
Trying to adapt GRC-focused tools to be maximally useful for security project management is a lot like trying to fit a square peg into a round hole. Using a GRC tool is only recommended when the tool is already deployed and InfoSec lacks the budget for
another tool.
InfoSec Project Management Tools
Tools in this space, although most are generally thought of as IT ticketing systems, include: Jira; ManageEngine; ServiceNow and SharePoint.
Key Features for InfoSec Project Management Tools
To be maximally flexible to security’s needs, any tool used for InfoSec project management should support the following:
- Ticketing to assign tasks, including the ability to link tickets in a parent/child relationship
- Ability to define schemas easily
- Granular role-based access control (RBAC)
- Web-based user-interfaces
- Multifactor authentication (MFA) support for login
- Time tracking functionality to show time budgeted, expended and estimated time remaining
- Customizable dashboards to report different items of concern to stakeholders
- Integrations with external tools
- Attachment support with version tracking
Take a closer look at a select number of key features to consider:
On-Prem Deployment Options
While many tools in this space are software-as-a-service (SaaS) only, Jira also offers options for on-prem deployment. This may be important for some security-focused organizations that cannot store data in the cloud for contractual or regulatory reasons.
In addition, it is common for SaaS deployments to be priced by the number of users, moving to on-prem ensures pricing remains predictable and consistent, regardless of the number of users needing access.
Strong RBAC with Multiple Ticketing Workspaces/Queues
The ability to have multiple queues, each with different permissions, will help ensure the tool is maximally useful. For example, consider use cases where only those in sales can view a certain project, but anyone can view an operations project or vice
versa.
Fully Customizable Workflow and Schema
If your project management tool lets the organization customize the schema with the fields appropriate to a given project it helps ensure maximum use of the tool.
MFA Integration with Duo
Depending on your organization’s threat model, your security team may want everything protected with MFA. As a result, consider a tool that ties into your chosen MFA vendor. This increases confidence on the logging and tracking data, since a simple
credential compromise does not allow access to the project tracking system.
Ability to Bidirectionally Integrate with Communications Tools
Consider integrations with tools used for internal communications about projects such as Slack. This can help remove the need to log into a separate project management system, while maintaining existing process workflows that support productivity levels.
Links to Knowledge Management System
Projects often require management of knowledge that is not appropriate for the project management system itself. However, the knowledge management system may need some view into the document management system (and vice versa). Consider an integration
between with your project management system and knowledge management system.
Bidirectional Email Integration
While it is common for tool to allow for support notifications via email, ingesting data via email is important for some workflows as well. This means any properly formatted email can fill in specific fields in project tickets.
Integrated Dashboard
Dashboards are important for quick and easy status reporting, particularly for those who do not need details of project (such as an executive). The benefit of using an integrated dashboard is that details are immediately available for any item featured.
Challenges for InfoSec Project Management Tools
Dealing with InfoSec project management can be especially difficult. Tools that adapt easily to generic project management do not always lend themselves to the rapid changes required of InfoSec projects. Integrations and customizations matter everywhere,
but in InfoSec people are unlikely to use a tool if it breaks their workflow. This means integrations into existing team workflows is critical.
Selecting an InfoSec Project Management Tool
To get a better handle on project management, security teams should consider tools with the following features, including:
- On-prem deployment options
- Strong RBAC with multiple ticketing workspaces/queues
- Fully customizable workflow and schema
- MFA integration
- Ability to bidirectionally integrate with internal communications tools
- Links to a knowledge management system
- Bidirectional email integration
- Integrated dashboards
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.