Abstract

Many systems that comprise our critical infrastructures – including electricity, transportation, healthcare, and financial systems – are designed and deployed as information technology (IT) projects using project management practices. IT projects provide a one-time opportunity to securely “design in” cybersecurity to the IT components of critical infrastructures. The project management maturity models used by organizations today to assess the quality and rigour of IT project management practices do not explicitly consider cybersecurity. This article makes three contributions to address this gap. First, it develops the argument that cybersecurity can and should be a concern of IT project managers and assessed in the same way as other project management capabilities. Second, it examines three widely used cybersecurity maturity models – i) the National Institute of Science and Technology (NIST) framework for improving critical infrastructure cybersecurity, ii) the United States Department of Energy’s Cybersecurity Capability Maturity Model (C2M2), and iii) the CERT Resilience Management Model (CERT RMM) from the Carnegie Mellon Software Engineering Institute – to identify six cybersecurity themes that are salient to IT project management. Third, it proposes a set of cybersecurity extensions to PjM3, a widely deployed project management maturity model. The extensions take the form of a five-level cybersecurity capability perspective that augments the seven standard perspectives of the PjM3 by explicitly assessing project management capabilities that impact the six themes where IT project management and cybersecurity intersect. This article will be relevant to IT project managers, the top management teams of organizations that design and deploy IT systems for critical infrastructures, and managers at organizations that provide and maintain critical infrastructures. The challenge in the digital economy is that no chain is stronger than its weakest link.

Highlights

  • Cybersecurity attacks on information technology (IT) systems are becoming increasingly frequent and sophisticated (Bailey et al., 2014)

  • We have argued that IT projects provide an opportunity to securely “design in” cybersecurity to the information systems components of critical infrastructures; cybersecurity can and should be a main concern of IT project managers

  • This work is presented here at an early stage and has not yet been proven in the field. We sincerely hope that it sparks a dialogue between IT project practitioners, cybersecurity professionals, and providers of critical infrastructures on how to more effectively secure the systems that are essential for the functioning of our society and our economy


Summary

Introduction

Secure by Design: Cybersecurity Extensions to Project Management Maturity Models for Critical Infrastructure Projects. Jay Payette, Esther Anegbe, Erika Caceres, and Steven Muegge

Cybersecurity attacks on information technology (IT) systems are becoming increasingly frequent and sophisticated (Bailey et al., 2014). Capability maturity models approach an activity as a process and formally compare the characteristics of the process in use against the characteristics of an “ideal” process (Humphrey, 1988). This approach originated in software engineering and has been widely applied in many specialized domains, including cybersecurity (Miron & Muita, 2014), capacity to leverage open source software (Carbone, 2007), and enterprise-readiness of open source software projects (Golden, 2008). We grouped the remaining concerns into broad thematic areas, identifying six project-applicable cybersecurity themes:

Project deliverable resiliency
Conclusion