Cybersecurity project management: A peek behind the curtain

[00:00:09] CS: Welcome to our sixth episode of the Cyber Work Live podcast webinar by InfoSec. As you may know, from our weekly Cyber Work podcast, we've talked with over 200 different industry thought leaders about cyber security trends, the way those trends affect the work of infosec professionals. And we've offered tips for breaking in or moving up the ladder in the cyber security industry. And today, for the sixth time in the year and a half, it is all happening live.

I am Chris Sienko, Cyber Work Live host and InfoSec Director of Online Content. And as you can see, we've got return guests today, and we're doing a familiar topic; Cyber Security Project Management: A Peak Behind the Curtain.

First up, we have Jackie Olshack, Senior Program Manager at Dell Technologies. Jackie Olshack worked almost 20 years as legal secretary or paralegal for multiple patent corporate law firms. As a project manager, Jackie has 15 years of experience of managing and implementing I.T programs successfully. She's an expert on NIST 171 and 853 principles, CMMC and federate process as well. She implements IT compliance programs and leads cross-functional teams working successfully with executive leadership.

Next, please welcome Ginny Morton, Advisory Manager, Identity Access Management at Deloitte Risk and Financial Advisory. Ginny's Morton's career with cyber security spans over 17 years. During this time, she has led teams to improve organization cyber security practice beginning with infrastructure, network, identity, all the way to endpoint security process improvement.

Additionally, Ginny is an expert in program and project management both in waterfall and scale agile. Outside of Deloitte, Ginny is a lieutenant colonel in the U.S Army Reserve and specializes in network and system engineering and security. She actively engages in helping veterans to transition from military to the private sector workforce and participate in many veterans' outreach programs.

Jackie and Ginny, thank you for being here, and welcome to Cyber Work Live.

[00:02:14] JO: Glad to be here.

[00:02:14] GM: Glad to be here.

[00:02:16] CS: Good to see you both again. We will be taking questions from the audience as they come in throughout the event. Feel free to drop them in the chat. But our presentation is also pretty structured around a set of specific questions or topics to be answered.

The first live episode with Jackie and Jenny we dealt with things like getting your foot in the door of cyber security project management, including making a good first impression on your resume, and your interview, and crafting your elevator pitch. But this time we're going to talk about Jackie and Ginny's insights and tips for making cyber security projects run smoothly and with maximum time and cost efficiency.

Our first slide here, putting fears to rest. Yes, non-technical project managers can move into a cyber security or tech space. Right from the lead slide, I want to emphasize that this live event isn't just about project management. This is specifically about project management in a cyber security or related sphere. And I note that because both Jackie and Ginny have received numerous questions of concern from project managers who don't feel that they have sufficient technical background even as veteran PMs to enter the space.

Jackie, I want to start with you. What would you say to the listener with these types of fears?

[00:03:29] JO: I would say, of course, you can do it. I did it. I went from, as you mentioned, being a secretary. I also went from learning and development project management into IT project management. It can be done. But you need to be clear on what you want to do.

And the good thing about project management is if you've got a good environment, someone's going to give you a scope. Someone's going to give you a SOW, a statement of work. Someone's going to tell you what they're trying to do. They're going to set structure and parameters for you. You're going to have scope. You're going to have a timeline. You're going to have a budget. And you're also going to know the type of resources available. That is what a project manager is responsible for.

Take that into the cyberspace. You need to understand what that group, or what that team, or what that initiative is trying to accomplish within that triple constraint. It can be done, but you've got to focus on the scope and ultimately what that group or what that team wants to achieve. What they want the end goal, end product to be.

Ginny, maybe you can add a little more to that? Make it a little more clear?

[00:04:50] GM: Yes. On top of what Jackie said, just to level everybody up. Regardless, you want to be or you're already a project manager, or you might have opportunity in the future. No, you don't need to be technical to be a cyber project manager. But it doesn't mean you don't learn.

What does that mean? Which mean is, on top of what Jackie said, you have your triple constraints. You have to look at, "Okay, what is it I’m implementing?" If you don't know anything. Let's say you don't know anything about cyber security or IT per se, look at the equipment. Talk to your SME, as in what does this stand for in the cyber security world?

I'll give you an example, "Hey, my team want to replace this firewall in general." Okay, good. You know it's a firewall. Maybe you want to do some research on the piece of equipment appliance to understand what it does. And then look more ahead in the future. Okay, what does it do in the organization? Where is it inside the security? Any of the cyber security aspect, knowledge or parameter, you can find it online. And literally, you know cyber security have eight domains. Maybe start from there. What domain it is? Okay, firewall sit in more domain? And then what – Okay, is it network security now? Where is it?

As you get better understanding into this world as a project manager, you will. And I’ll give yourself a go-to. Every time when you project something, at the end of the project, you need to be somewhat of a domain expert of that product. If you can make yourself doing that. I’m not saying you need to learn how to implement or you need to learn how to work that product. That's not what I mean. I mean, "Okay, now I learn firewall." In the future when somebody say firewall, I will be able to tell you the function and everything. What does it do for your organization?

[00:06:49] CS: Yeah, I think there needs to be a distinction when people say, "I’m a project manager, but I don't want to get into cyberspace because I don't have enough tech knowledge." I think there's a big difference between having enough technical knowledge in cyber security to do project management versus the sort of wake up from a nightmare sort of scenario of like telling an interview like, "Oh, yeah, I can completely configure a firewall. Or I can completely build a –" And then have to sit there and go, "I have to learn this over the weekend. It's never going to work." Like, you don't need to be a complete expert in cyber security, right? You just need to understand like a project is a project. You just need to know what the specific nuances of a cyber security project are. Am I sort of summarizing that right?

[00:07:37] JO: Yeah, sure. And I would –

[00:07:39] GM: That's perfect.

[00:07:39] JO: Mm-hmm. That is perfect. I would just add this point. An example, you can run a bakery shop without knowing how to cook, right? If you can understand what you need to produce, when you need to produce it, and what you need to get it done within that time frame, you can do this. If you're a project manager, you have the basic foundational skills to transition into cyber security. I mentioned this before, and I’ll share it again. By no means do I consider myself as a cyber expert. But what I have done is, in the beginning, I would read the Security+ manual, the Network+ manual. And I’ve dug into the CISSP manual not to take the certification. But I want to understand the parameters of what I’m interacting with.

I work with the experts all day long. But I want to be able to understand a little bit about what they're doing and whether or not they're on track. You definitely can do this. It's doable.

[00:08:48] CS: Yeah, I love that. So, we're eight minutes in, and already we've got a question from the listeners here. Thank you very much for your active engagement. [inaudible 00:09:00] says, "How does implementation of a cyber security project work for SMBs where there's limited resources especially in terms of technical expertise and budget? I feel like that was kind of out of the scope of what we're going to say anyway. Let's sort of start with answering that question. Then we can get back to the slides.

[00:09:20] JO: I mean, I don't fully understand how to answer it. At the end of the day, you need to implement something. What is that? Again, that's your scope. I don't know what SMB is.

[00:09:34] CS: Oh, small or medium business.

[00:09:36] GM: Oh, SME, subject matter expert? Oh! Okay. Yeah, I thought –

[00:09:39] JO: It has a B on it.

[00:09:39] CS: Yeah, small or medium business. It's putting a project together where there's limited resources, whether it's money, or in this case, she's saying technical expertise and budget.

[00:09:50] JO: Well, I’m going to let you in on a secret. There's always going to be limited resources and limited budget, right? That's always going to be –

[00:09:56] CS: Yeah, no one's getting everything they want.

[00:10:00] JO: I understand, in Nevada, when you're building casinos, you have an unlimited budget. But anyway, that's always the case. What you need to do or what the sponsor needs to tell you is what does go live look like? At the end of the day, what is the deliverable? What does it need to do? How does it need to function? What do the end users need to be able to do? When you get that, then you determine what the resources and the budget is.

And folks, this may be painful, but your organization relies on you to do this. You've got to let them know whether it's achievable or not. And sometimes you're going to have to say, "We can't do that. We can't give you the quality you want. Where can we tweak? Modify? What trade-off can we make?" So, you've got to assess that and then be willing to have the factual conversation with the sponsor or whoever is putting that initiative in your hands.

[00:11:01] CS: Yeah. I think that's – Oh, go ahead. Sorry. Sorry, Ginny.

[00:11:05] GM: Sorry. I'll add on to it. And it's very true. You will always have resource constraint. It doesn't matter how big or how small your organization is. And funny thing is you're hoping that your end user or your customer know what the end supposed to look like. Most of them don't. What can you do as a project manager?

Everything Jackie said, to summarize, how do you do stakeholder engagement? How do you manage your stakeholder expectation? How do you analyze your resource and to put it in a big picture? Okay, you might want to see. Because from what I’m listening, you might want to see. However, because of this, and you identify factually in an organized fashion, "This is your resource. This issue of constraint. I can do A if I have that. I can do B with this timeline. If you want me to do C, I will need one, two, three, four." If you can successfully identify that, that is called stakeholder management.

[00:12:15] CS: Mm-hmm. I think we – Yeah, Ginny warned us that there's – Okay, here we go. Are you there?

[00:12:26] JO: To piggyback on what she was saying, that's stakeholder management and they are [inaudible 00:12:30].

[00:12:32] GM: Yes. And it will not go. Yes, like Jackie said, your organization rely on you to produce that solution to make sure you always go in with options and solutions. Don't go in just say yes or no.

[00:12:47] JO: Right, right, right, right.

[00:12:49] CS: Yeah, I was going to say, as you were saying before, Jackie. I think when people worry about, "Oh, I don't have enough technical expertise." The skill you really need to to have is the ability to forcefully say, "We cannot give you what you want at this budget and this time frame. But we can give you this instead." I think that's kind of an underrated project management skill is to like be really honest about what you can and can't deliver. And not just keep things on it, but also let them know, "This is how it sort of has to be."

Boy, this question sort of sparked off a bunch of questions. I guess I’m going to pause on the presentation a little bit longer here to ask them. Sasha Hendrickson says, "I am getting certificates in cyber security. But when it comes to project management, companies require PMP as well. What do you think? It's a lot of certificates to enter the industry, although you said it's not so."

Daryl James answered the first person's question about small-medium businesses. He says you can leverage various vendors that have resources to help offset the skills gap, which I think is a good point. There's a lot of sort of people who will hire someone, hire a freelance or a person to do it until you have the in-house skilling. But Ben [inaudible 00:14:06] says, "It's amazing how much certifications or organizations want when seeking a cyber security PM. How do you navigate through such requests with lots of companies out there? Some even go as far as asking for CISSP."

I mean, I think one of the answers to that is if you don't want to get a CISSP, maybe don't apply to that place. But can you talk about the – I’m always sort of sensitive to balancing the discrepancy between what people are experiencing in the world and the experts talking on the show. Can you talk about the sort of certification overload that might be happening with project managers right now?

[00:14:49] JO: I’ll take that. Think about why they're asking for it. The whole reason they're even asking for it is they want the experience behind what those letters suggest you have. In your resume, if you do have that experience, you need to get crystal clear and document that. Don't put a lot of fluff and puff in your resume.

If you have the skills that a CISSP should have, make sure that's articulated very clearly in your resume. Because at the end of the day, that's really what employers want. Not necessarily the alphabet. They want to make sure you have the experience that certification tags you with.

And, folks, I want to be very clear. Certs aren't the end-all be-all. If you can prove your experience, that'll open the door for you. I had a woman contact me from my earlier podcast with you guys, Chris, and she has PMP, Agile Certification, Risk Certification all from PMI. She said, "Jackie, I don't have any project management experience." And I said, you've been certified but you don't have any project management experience? How did you get the cert?" Someway, somehow, she slipped through. And I told her, "That raises an integrity question." But that's another story.

The point I’m trying to make is don't get caught up in the certifications. If you have the experience, you need to build your network. And I think that piece is coming up, and we'll talk about that. But, Ginny, maybe you have something to say on that?

[00:16:30] GM: Demand and supply, right? I want you guys to understand what the intention of the organization is asking. The organization is asking of that because they don't know you. In order to assure the experience, they have to ask that. But Jackie's on point. It's on your resume. How do you advertise yourself? How do you sell yourself? Oh, by the way, when you go on to the interview, how are you selling yourself?

And we talked about it last time, the most difficult question in the interview to be surprised is actually, "Tell me about yourself." How are you able to articulate that? This come from experience. And I did not have a cert, any PMP sir when I become a project manager. But I was able to do the job. I was able to articulate what I was doing in turn to catch people's attention.

It's give and take. The certification does help you getting you into the door? At least get the interview? But you are the reason how you get the job.

[00:17:35] JO: Yes.

[00:17:36] CS: And we talk about this on the podcast all the time, too. Be aware of a job description that asks for an alphabet of certifications and really look at what they're expecting from you. If they say CISSP, what do they actually need from you, that CISSP level? There's always a chance that HR is just throwing high level certs in because they want high level candidates. It doesn't mean you necessarily need CISSP level skills. This is their winnowing mechanism. And I think it's something the whole industry is kind of taking to task, this sort of lazy reflexivity of just asking for elite people for average jobs and so forth. Keep that in mind as well. Unless it's something where you need like really high-level access and you absolutely know how to – Need to know how to sort of build a system from scratch or what have you, then maybe you don't actually need that. Like you said, just show your skills. Show them what they actually want, because they might not know what they want. Either they don't know you or they don't know what the project's going to be. They just think, "If we get someone super qualified, they can do it."

I want to jump on – We're going to sort of structure this, as I said, as like walking through a hypothetical project here. And we'll do our best to keep on course here. The first steps to take once the project is announced and the team is selected, including first day on a project stories. We're going to structure this talk by walking through.

I want to talk about the first day of the project. the project's been announced. The team has been chosen. I’m going to start with Ginny. Why don't you both talk about some of your experiences on the first day of certain projects? I know you said you've had some wild stories here. Can we talk about how to get off on the right foot?

[00:19:23] GM: Sure. No second chance to make a first impression I think is really interesting. But let me tell you something. Sometimes you do have second chance, but it all depends on you. I would say the second chance is actually less when it comes to dealing with your teams. So, you really need to make a first impression. And I can tell you a good story. That was a project I was on. Well, before I was on. The team just hated project managers. They really hate the project manager. They didn't want any project manager. They just wanted to do their own things.

And even my director was kind of struggling to put the right person in. And because there was a task that need to be done, four months later, it wasn't done. And nobody wanted to take it. So, eventually – And I was in cyber security at the time. I was IT. And there was a cyber security project. I just raised my hand. I’m like, "I’ll take it."

I went in there. And the team, when I listened – The first thing I did is I listened to them. I had to. "Hey, what's going on? Where are we at now? Tell me. Talk to me." And they did. They were actually really great. They have a plan. And they have the risk. They identify the risk. And because of me willing to take time to listen to them. And after everything makes sense, and I became the speaker for them. And I was able to use all their technical skills, their configuration, everything, to draft up a plan. But like, "Hey, this is what we need to do. Hey, these are the approval we need to get." And I became their partner to get the approve, to help them get the approval. And in turn, the project was done within two weeks. Can you even believe it? A four-month delayed project was done within two weeks. And later on, we became friends.

The impression is based on – Okay. The first impression is really important. If you think you're a project manager because you have the manager title, right? You go in, you want to start tasking them. You don't listen to them. You don't try to understand what the end goal is, what the goal of the project. What goal lines mean, just like what Jackie said. If you don't understand that, you go in there. But like, "Everybody got to make the deadline." Then you're not going to go anywhere. But if you go in and you listen, you have an open heart, 9 out of 10, you'll be successful.

[00:21:49] CS: Yeah.

[00:21:49] JO: Right. Right. Yeah, I piggyback on what she's saying. You definitely want to listen and you definitely want to – How do I say this? You don't want to – You want it to be collaborative. You want it to be a team. You don't want it to be it's my way or the highway. I’m the project manager. I’m the program manager. I’m the leader. I know what's best. You got to make folks feel like they're part of whatever it is you're doing. If you isolate the folks on your team, the SMEs, the one doing the work, you won't have a successful project.

[00:22:25] CS: For sure. Yeah, and I think, I wonder if Ginny's story about like this team hated project managers and they just want to do their own thing. Was it maybe because they had those kind of my way or the highway type project managers in the past and then sort of – Yeah.

[00:22:41] GM: And sometimes a project manager would listen to the team. And this is one thing is not to do. They listen to the team. However, when they go to a leadership meeting, and leadership was like, "Well, I want A, B, C done right away." And they forget everything. The team tell them. But like, "Okay, we'll do it." And then you go back to the team. But like, "Hey, on this day, on this day, we need to do this." But what happened to everything they just tell you? And you're supposed to be the one developer timeline, "Hey, leadership said that." But, "Hey, because of this, I think the timeline should be like this. This is the reason behind." And if you're able to list the reason, your leadership will listen to you and they'll be like, "All right, let's move the timeline. Let's do that. We baseline." And they will. But if you don't do that, you go in there not understanding what your team trying to tell you. And then when management says, "Yes." And then you said yes. And then you go back to the team. But like, "You need to do this regardless." Then that will be the problem.

[00:23:37] CS: Not enough to listen. You have to actually take what you heard and tell management that – Yeah, action. Jackie, you told me about something we – You talked to me about something we discussed earlier. You mentioned that a tip for project managers was to "network within your organization so everybody knows you well in advance". Can you talk more about this and some strategies for a successful in-office, interdepartmental networking process?

[00:24:04] JO: Right. I mean I think you're only as successful as a project manager as your network is strong or as broad as your network is. And what do I mean by that? I mean, you've got to build, I don't want to say friendships, but I’ll say friendships, alliances. You've got to get to know people. People have to get to know you. Because sometimes you may have a project that needs something. I don't know what the something is. You may need to get an answer. You don't know where to get that answer.

But if you've built a network, you've got folks, resources that you can reach out to and say, "Hey –" And I’m just going to refer to a couple of the questions I see here. You may have a question around costs or resources, right? And you don't know how to figure that out. Maybe you have someone in your network you can pose that question to. But you can't be a successful project manager as an island. It's not just you by yourself.

You've got to be comfortable introducing yourself. You've got to be comfortable making people comfortable sharing with you. Because as a project manager, and particularly in cyber, depending on what area of cyber security you're working on, your company's reputation is at stake. And people on your team, they may have an answer. But if they think you're going to blow up, if you're going to receive the information the wrong way, they may hold off sharing it with you. So, you definitely want to network. You definitely want to be someone people are comfortable coming to with problems.

And what that'll do for you? That'll build your value in the organization, right? Folks will know you as the person they can come to and share problems with. And you can figure out or at least direct them to how to get solutions and answers. But if you're the only one who knows you're a great project manager, if your boss is the only one that knows you are a great project manager, that's not going to help you with your future as a PM and your future at the company, I think. I’m kind of getting long-winded. But, Ginny, I don't know if you have something to add to that?

[00:26:26] GM: I actually see a very interesting question from Monsuro. And I hope I pronounce your name right. And it's like can an introvert can be a project manager? And the answer is absolutely. Let me tell you. Project manager, you don't need to be a social butterfly. And I can tell you, I might be extroverted. But sometimes I can be very introvert.

What I found successful is, as a project manager, on top of what Jackie said, network. But how do you network? You can. Like, Jackie is a very outspoken person. She can go just set up a random meeting to introduce. Well, I’m really proud of her on that. She'd make good relationship. But for me, I don't. Because in this aspect, I’m pretty introverted. I do my job.

However, let's say I need to reach out to Jackie because I have something I need to answer, "Hey, Jackie, how are you? Can you help me with this? This is the situation." And then in turn, we start building a relationship. And it's just a one-on-one. And I’m not going to be like, "Hey, Jackie. How are you doing? It's good to –" You don't need that. Be yourself. Be a person. "Hey, Jackie, I'm having problem with this. You think you can help me?" And when the person helped you after that, and I would say this is very important, show appreciative. "Hey, Jackie, that worked. Thanks. You're awesome. Thank you for helping me." A simple sentence like that will help you establish your network. And that's what I do because it makes me comfortable. I don't reach out to people just to reach out to people because I’m uncomfortable. If I'm comfortable, I’ll do that.

[00:28:03] CS: Right. Yeah. I mean, I can't speak to your particular organizations. But I imagine, like, each of your teams is going to be – Each project is going to have a different team depending on what your deliverable is and so forth. You can't just be friends with the people or connected with people on this team. Like, if you know everyone, then as soon as that next project comes together, you say, "Oh, hey, it's good to see you again. Looking forward to working with you on this thing." And I think it's all part of a larger process of – And also, what a project manager is, is you are sort of the liaison to all these different parts of the company, right?

[00:28:39] GM: Yep. That's for sure.

[00:28:42] CS: Okay. Let's go to slide number three. I’ll make the map. All you have to do is follow it. This next question isn't really cyber security PM specific. But I think it's an important skill to have. And we actually have a question from one of our listeners that relates to it. I think it's definitely on people's minds. How do you make sure that everyone from the team member is responsible for the deadlines to the stakeholders, that ask for those deadlines? Understand what needs to be done? Keep the project on schedule? Do you both build in contingency plans up front if a step starts falling behind? Do you create a buffer in the schedule without telling anyone of course? What do you do? And also, one of our listeners asked, "What is a cyber security project manager's greatest hurdle in order to deliver value to a business? Whether it's budget, innovation, management, buy-in, et cetera?" And I feel like that's also related here. Talk about how we build the timeline, and get the buy-in, and get the real listing deadlines going? So, Ginny, do you want to start with this one?

[00:29:46] GM: Sure. So, yes, you are always going to be the one making the map and making the timeline. And be prepared your timeline is going to fall through and your plan is going to fall through. And you're going to ask, "What's the point of building a plan?" So, let me tell you. Building a plan is when everything fail. You got something to fall back on looking at the plan to try to get yourself back on track maybe with an alternate, updated plan. So, you do need that.

And the second thing is, really, communication and accountability. You're going to have a big team. Teams, they have their day job, which is whoever manager they answer for. And you're a project manager for this particular task. How do you leverage that? Understand what they're working on. If you talk to the team enough, communicate with them enough, if you cannot meet the deadline, please come tell me and give me the reason so I can speak for you.

And if you have people, really, they just can't meet deadlines because of will or skill, that will be a conversation for you between you and his manager. But like, "Hey, how do you coach the person? How do you close the gap and leverage that person up?" Or maybe worst-case scenario, "Give me another resource." That is easy to say. It's very easy for me to say, "Oh, is that right?" And you're probably thinking, "Yeah, it's easy to say that." It is. That require a lot of work on your part to communicate, coordinate, follow up and really understand what needs to be done in order to lead your team into getting the deadline done.

[00:31:32] CS: Yep. Yeah, Jackie, anything to add in terms of the start of the project?

[00:31:39] JO: Well, with regard to timeline I rely on the team. So, depending on what we have to do. This is a bad example. I’ll just use baking a cake. Depending on what kind of cake you want, and you need to know how many eggs. What the ingredients are? What do you set the oven to? How much stirring? How much sifting? Whatever that is. Those are different tasks. You aren't going to do the task. You're going to make sure they get done. You're going to make sure they're done in the proper order. But you need individual, SMEs, to do that. Who's the sifter? Who's going to stir? Whatever that is. They should be able to tell you, those SMEs, how long it's going to take them to do that task. They're the expert. Based on that information, you put your timeline together.

Now, I really don't build wiggle room in a timeline because I want to see exactly what I’m working with. And folks who work with me, they'll tell you, I’ll hold you to that. If you told me you're baking me a one level cake, I want a one level chocolate cake. That's what we're getting. And if it's supposed to be due on Sunday at 3, Sunday, 2:45, I’m expecting that to be delivered.

The reason I say you don't put the timeline together yourself and you rely on the team, because that's how you make it collaborative. You didn't say you have to do this and you give them a timeline. You want them to tell you how long it'll take. Because if they tell you, "I need an entire day to do this," if that pushes the deliverable out past the timeline your sponsor wants, you need to know that, and you need to be able to communicate that to your sponsor so you can say, "We have a risk where it can't be done." How do you know what your risks are if you don't engage the team to get their feedback?

It's not really cut in stone. But as Ginny says, nine times out of ten, you're probably going to have some delay. But, again, I go back to networking and making the team feel collaborative. Because when someone can't do what you're depending on them to do, none of us wants to give bad news, right? So, you want to be the project manager that makes people comfortable sharing, they've got a risk, they have a problem, and you want to be that person that helps them work that out. I mean, I’ve gotten off track there.

[00:34:16] CS: No. I like that, because actually that also jumps into a question that Deborah just asked us. Because you came back to networking, and Deborah asked how do you network in COVID in remote work situations? I think networking obviously works best face to face. But can you give some strategies for how to sort of tie your company together in these sort of remote and maybe a little bit alone sometimes?

[00:34:42] JO: You know what? I’m going to give you realistic things that I do. When I first started at my company, I just sort of – You get hired. You're the new employee. You want to use your newness to your advantage. All of the questions you have, all of the things you need to know to do your job. You want to use that new employee space to get answers to that.

But after I’d been there a while, I wanted to meet other people. And so, I just reach out, however your platform allows you to do that. We have teams. So, I’d reach out, yes, to VPs, senior VPs, senior directors. You better have a plan when you do that. And I just say, "Hey, I’d like to get some time on your calendar. Understand how you got to where you are in the company. And what advice would you give me?" You may say I’d like to have a soft conversation. And just see how they respond.

And I did that to a number of leaders. And you'd be amazed at how many people would give you the time of day. And just give you the lay of the land. What they do? What their pain points are? What works? What doesn't works? You want to understand the culture. Deborah, that's a great question.

I would just say think about who you want to meet, what you want to know, before you reach out to individuals, especially senior leaders. Make sure you understand where they are on the org chart. Read their background on LinkedIn. Some of them blog. Read that. So that when you approach them, you're not just asking, or you have pointed, articulate questions so that it doesn't seem like – You want to appear like you know – You want to appear like you know why you've put time on their calendar. But more importantly, why they should give you that time, right? It's not a question of do I network? You must network. That's how you grow your career. That's how you grow your brand. So, yeah. Yeah, that's what I do.

[00:36:55] CS: All right. Well, you said the word pain point, the magic words here. Number four, unleashing your inner drill sergeant. Some common pain points that a cyber security project manager addresses regularly. We come to the inevitable point where no matter how structured you are or no matter how tightly you run your ships, things start going wrong. Someone gets sick. Or there's an internet outage. Or someone doesn't have access to their computer. Or the dog eat their firewall. Or whatever. But what are some strategies that you've both come up to deal with slowdowns and delays? And also, I want to mention, Elaine Lockhart says, "How do you work with a manager who doesn't want to get into the details in order to truly understand the project that you need their support with?" And that feels like of a piece with that. So, you have like the deficiency of like we just can't do this. Something went wrong. Something broke. And then you have the sort of the management of like, I don't know, just get it done kind of thing. Can you talk about some of these sort of harder discussions that you need to have as a project manager? Do you want to start, Jackie? Or Ginny?

[00:37:56] JO: Yes. Go ahead, Ginny.

[00:38:01] GM: I’m thinking unleashing your drill sergeant. And it sounds serious, right? But think about, it's not really [inaudible 00:38:09] yelling at everybody. It's how do you put it in action? You will have a manager that. – Yeah, you will have most manager that they want to get into the details. And I actually like it. But does that mean you can ask them? You can escalate the point with them. It's based on your communication skill, right? How can you, in two minutes, without getting into the detail, "Oh, the firewall configuration is done. The dog eat my tail." And all of that. Don't mention, "Hey, this is the situation. We're going to be three days of delay because we have this problem." The system is, "I need you to escalate to leadership to do what I need you to do this. But I can do certain things. I can push out the timeline. I will need you to communicate." Or, "This is the timeline. Do you have any questions?" As soon as we can get to the bottom line, we always call the so what. So, what to him? Because you got to make you want to get his attention, right? Since he doesn't want to gain the detail.

Find something that will impact him that you need to convey the message that will impact you. Hey, we can do it. Because of that, this, this, it will stop the deadline in turn it will delay whatever you're doing. It will prevent you from making this amount of dollars. Give him the so what so he'll be like, "Oh, I don't want to lose money. Oh, I don't want to not meet deadline." Then that person will go into. But like, "Okay, tell me what you need." Or, "Why is it not done?" Because at the end of the day, nobody can push and continue to push a team no matter what you're going to get done. This is not a life and death situation. They will try to understand you and try to replan and re-prioritize with you as soon as you communicate and you can lay out what happened.

[00:39:55] GM: I agree with that. I agree with that wholeheartedly. The one thing I would also say is, when folks push you off because they "don't want to get in the details", I wonder how you may have been sharing information with them previously. If you've gotten too wordy, your emails are too long, or you take too long to get to the point, that tends to push people away. Do exactly what Ginny said. You want to be very concise. You want to bullet point the problem in one to three sentences. You want to say what you need from them, "Here's what I need." And you want to share some solutions if you have them.

One of the things I do when I really need someone to respond, I use my [inaudible 00:40:40]. And I may say action required at risk. And I’ll put that in all caps. Or I’ll put that person's name on the subject line, "Please respond by 3 PM with approval or whatever it is you you need." So that folks won't feel like they have to read through a lot of words, then figure it out just to get to what you need them to do. And if you look at it from their perspective, they've got a lot of emails, they're busy, lots of folks are pulling on them for their time. If you can make it as simple for them as possible, you'll find that folks will gladly give you what you need and will help you out. Yeah.

[00:41:29] CS: Yeah, I use the term inner drill sergeant facetiously. But I think there's a lot to be said on those last days, because you're going to have – Like you said, you're going to have unexpected delays and stuff. But I think there's a way of projecting to a team like, "Okay, you all know what you need to do. Now, just do this, this and this. And tell the management, "Okay, they're doing this, this and this," without resorting to saying like, "I don't care how you get it done. You get it." Or something like that. Like, no one responds to that other than with anger, or shame, or whatever. And then, again, it's sort of like breaking up your inner-networkings. You're going to have to work with that person again eventually, right?

[00:42:07] JO: And Chris, something that's – I don't know if it's drill sergeant-esque. But you want to make sure you're giving people what they need. And so, you're in a drill sergeant could be making sure you've got a very crisp, on point agenda. That you've set up proper status meetings that you're "checking in". Because if you have a particular project, whatever it is you're doing, if you just sort of let folks go off on their own and you don't have a recurring cadence with them, you're not following up with meeting minutes, action items, delivery dates and ETAs for when they agree to complete something, then you don't know what you'll get. A ball of spaghetti perhaps?

But if you can be very stringent with your meeting minutes, "Jane Doe, you agreed to do X, Y, Z. You committed to that by one week from today. And you put that down and document it in writing." You have some something to follow up on. Jane Doe has something to refer back to. She knows what you expected from her. That'll make life go very easy for you if you just do those basic things.

[00:43:20] CS: Yeah. Yeah. No, I think that's a really great point here. All right. We're going to – In our in our imaginary project here, we're going to assume that we made it, I got the project done. It was a little late. But we did it anyway. Now we're going to talk about avoiding a family feud. Every project has a wrap up. And every project has a reporting process.

And as we know, the post-project write-up is almost as important as the deliverable itself sometimes, especially if something really got away from the team, or the schedule got out of whack.

Jackie, I'll start with you. Can you talk about the importance of creating a supportive environment where the team can give their honest opinions and feel that they're being heard and taken seriously? Do you have tips or strategies for preventing the end of a project from turning into a team squabble or a family feud?

[00:44:08] JO: Yeah. And we call that lessons learned. And usually, I’ll put together a document. For me, it's usually an Excel. And I’ll just indicate various categories of the project. What went well? What didn't go well? What would you recommend we do differently? What could we have done differently?

But one of the things I do is I say, "Folks, we want this to be objective. We're not here to point fingers. We're not here to make anyone look bad." Because, sometimes, folks get hot under the collar. You may have been waiting for one team that was slow in your opinion. But maybe you didn't give them everything they needed. And so, they couldn't move faster for you. But they don't know that. And you don't know that.

If you set the parameters at the beginning, folks know, "Okay, this isn't me to say, "Jackie, if only you had." They'll rephrase that. But as the project manager, I think it's incumbent on you to set the stage. I want feedback from each of you. I want this to be an objective meeting. How can we do better? What can we improve? If you set the stage in the beginning, when you have that meeting, you'll be surprised. It'll go very well. Let me just say that.

[00:45:35] CS: Mm-hmm. Ginny, are you back there?

[00:45:39] GM: Yes, I’m back. And I totally agree with what Jackie is saying. And sometimes, I think it will help. If you're doing a retrospective or lesson learned, don't get management involved. Let the team – And sometimes let them be a venting session. Just listen. Because they need to vent. Because some of them might work like 15 hours a day. They might not get the result you want. But that doesn't mean they didn't work hard. So, let them. Let them go scream, cry, vent, saying all that. And they eventually calm down. As long as they're not making it personal, they're not attacking each other. If you can open the door, yeah, for the safe environment, they will talk to you. And sometimes they might not even be able to give you action. They just rant, and rent, and rant. But you pay attention during the ranting. Maybe that's right between the line. You might be able to grab the action out of it to help them level up, to help them improve, or help the team.

[00:46:37] CS: Yeah. And I think this probably goes back to what you were saying before, Ginny, about you can't just listen to the team's issues and then go to the board and forget that you heard their concerns and then bring back the board's recommendation. Like you have to have this done by here and here. And they're like, "You listen. But you didn't listen," whatever. I imagine there's got to be a little bit of – Also, a bit of a winnowing mechanism in terms of you need to hear, like you said, the ranting. Some of it is just frustration. Some of it, is was a one-off thing. Can't be helped. But I’m still mad about it. But then also, being able to figure out, "Hey, there might be like a kernel of truth here. This person's genuinely mad that this other person didn't communicate effectively in time." You can't just say, "Okay, I hear you and I understand you." You have to sort of, in your mind, I guess make an action plan to talk to other person and say, "Hey, that's a legitimate complaint. What are we going to do to make that happen in the future?"

[00:47:37] GM: That's very true. Right on point. Thanks, Chris.

[00:47:40] CS: Yeah. Actually, we got a question related to that. That's why I kind of went to that area. But Alexis, or Alena, says, "If a project involves cross-functional work, how do you deal with delays in getting information or assistance from other involved parties?" If I’m reading that correctly, it sounds like that's the issue of like you're writing in and you're saying, "How's this part going? Are you on point to get this done?" And like you said with Ginny, the person, four months later wouldn't write back or whatever. I think this is what they're asking about. Do you have any tips for sort of clearing the line of communication with people who might be a little slow on their Slack or their email?

[00:48:19] GM: This is why project management job is so demanding. And they are always seeking people. It is because of this very issue that you are –

[00:48:30] JO: This very issue.

[00:48:32] GM: It is. Yep, it is a cross-function. And everything you do – And I don't really think even in industrial, or education, or banking, everything you do is cross-function. Let's say I’m trying to build this building. You don't just talk to the people who hit – To have the hammer and put the nails in. You have to talk to the architect. You have to talk to finance people. Make sure budget is on time. You have to talk to human resources. Anything you do is cross-function. That's where you come in. You come in. How do you leverage this communication? What kind of meeting are you setting up? What's your goal? What's your agenda? What do you need to talk to them?

And by the way, four months later this person still don't answer. Or after four emails, this person still don't answer. Maybe it's time to talk to the supervisor. Maybe it's time to talk to this supervisor's supervisors. Those are very easy to say. But for you, as a project manager, actually doing it, it's not easy. Because with 10,000 things coming on to you, and then you still have to write that email, you still have to communicate. But you do. And just so that everybody have the understanding, you are the reason to minimize the issue. You are the point that when people don't communicate, people don't answer, people don't do anything, people delay, you're the one who initially associate the actions of what is going on.

At the end of the day, you will be tired. And that is just the nature of being a project manager and even manager, or management in general, you will have to do that. Yes, the good thing is you don't really have to get your hands dirty to actually configure or get to the hammer and put the nails into the building. But you are the one who is linking all of that together. And those are very hard. It's very important that you actually do that.

[00:50:26] CS: Yeah. Yeah, you mentioned the 10,000 things and I definitely – That leads perfectly into our last main point here, the engineerative plate spinning. Is the work of handling this one project sounded intimidating, understand that most project managers are juggling multiple projects at the same time each with its own struggles, crises and interpersonal issues to deal with?

Yeah, Ginny, let's go back and start with you this time. Yeah. Can you give me some tips and advice for keeping all these plates spinning successfully? Because you basically said, like, this is the job. You're going to be exhausted at the end of the day. But can you tell me how you keep everything going while not over-promising something that can't be delivered or burning yourself out by trying to appear superhuman?

[00:51:15] GM: I can tell you, it's still not easy for me. It's really not. And sometimes I will drop some balls. And sometimes I will be successful. What I do is very – I need to be very organized. And sometimes, one way of organizing my work at the beginning. And then later on you have to find a different way to organize. And I could tell you, I had to do that every day. Because either I have a team of five, or a team of 10, or something. Make sure you're flexible in the way you organize. As saying anything, you might be using Excel Spreadsheet. You might be using a Microsoft Project. It depends on what you're doing. But you need to understand.

And what happened when you need to talk to your end user, your team, your supervisor and your vendor at the same time? And, really, I have one knocks going on. I have teams going on. I have Excel spreadsheet going on. I have my email going on. I have many things going on. And you do the best you can. But the action is the most important thing, is you do it. Don't just [inaudible 00:52:20] too much. And don't write anything down. And I always get on – Anybody that talk to me, after I talk to you for 30 minutes, do you write anything down? Do you type anything down? Maybe you don't have to. You have a good memory. You really want to listen to me. Okay, great.

But afterwards, you try to drop some notes down, try to organize what I just told you or what just happened. If you don't do any of that, you think you go into the meeting, I’m just going to listen, "Oh, I will talk to management about this." Yeah, you might have done the action. But if you're not organized, you don't understand what we're streaming, you're not using OneNote, or Excel, or project, or anything to help you with organizing, you're going to fall apart. It's going to be confusing.

Even I’m using all of that, I can tell you sometimes I feel like I’m falling apart. But then I had that. So, I’m going to slowly put myself together. At the end of the day, after all the meetings, I’m going to look at myself with a stone face, "All right, let's look at what's happening. Let me try to reorganize." It is hard work. No doubt. But it can be done.

[00:53:32] CS: Okay. Jackie, final thoughts here?

[00:53:35] JO: Well, I just think about your bandwidth. Be realistic. And again, if you know you've got eight hours in a day, or ten hours in a day, 40 hours in a week, realistically, what can you accomplish in that week? When you have a project, that is why you go to your team and you get them to tell you what it's going to take to get that work done. They should tell you that. When you put all that together, your SOW, your charter, whatever it is that your company uses to give you a timeline – That triple constraint, the timeline, the scope, and the budget, can you do that within that timeline? If you can't, then that's one plate you might have to give back and say, "We're maxed out. We can't take that on and deliver what you want delivered with the quality standards that you want us to meet."

I think the answer to that question is some project managers take on too much because they don't want to appear as a slacker. But in my opinion, a good project manager understands their bandwidth, understands their team's bandwidth. And you have to make a judgment call. And you bubble that up to the right stakeholders, or sponsors, or however that works in your organization.

[00:54:57] CS: Right. Okay.

[00:54:58] JO: But the worst thing you can do is take on too much and then not get it done. You don't want that reputation.

[00:55:07] CS: Okay. We are just about at the end of the hour. And I’d like to thank everyone who's – This has been one of the most vibrant question, Q&A, sections of a webinar that I’ve hosted so far. We have more questions than we're going to be able to get to in four minutes here. But I have one that just came in from Alexis who spoke before. And I think it's kind of a good place to maybe end on. And if maybe something else in there jumps out at you, Jackie or Ginny, you can answer it as well. But Alexis says, "Looking at the topic from another angle, as a member of a project, how do I support my project manager?" And that almost feels like maybe one or both of you like came in under a pseudo name and it's like ask them how my team can be awesome.

Yeah, do you want to talk about some –

[00:55:57] CS: This is a very nice question. It's really a very nice question. I would love my team member to tell me what they're doing and what's going on. Giving me an update, either on a short email, "Hey, this is what I do this day. And this is the status of my task. And, yes, I’ll be on time. Or I need one more day." And just a simple follow-up will help your project manager a great deal just to let him or her know where you're at and what you're doing.

[00:56:31] CS: Anything to add –

[00:56:33] JO: I saw a question that said how do you transition from IT or Telecom into cyber? If you are a telecom project manager, go to the folks who manage your cyber projects. If you have a PMO, someone's managing your cyber portfolio. Express your interest. You're a project manager. You have those transferable skills. It's just a matter of subject matter. You can do that internally if you have that.

But let's say you don't. Look for the job you want. Map out the skills it's asking for. Where does your skill set align with that? This isn't hard. Project managers manage the triple constraint. You can take that to a different industry.

Regarding the, "As a member of a project, how do I support my project manager?" Depending on what you own in that project, that's the answer, right? If you're a coder producing the code on time or when it's needed. And a good project manager, in my opinion, will have that action item list, will have the meeting minutes that will enable the team to understand what's expected of them and when it's expected of them. Maintaining an up-to-date project plan or however you're managing your stories, issues and tasks, Jira or something like that.

Usually, when you're a member of a team, a project manager is expecting something specific from you. The minute you think that's going to fall behind, the minute you run into a problem, bubble that up to your project manager, because that person can probably remove the roadblocks for you faster. Because a project is basically a business's investment, right? They want that investment to go well. Definitely, keep your project manager in the loop.

[00:58:49] CS: All right. Well, we still have more questions, and we are at time here. We'll get to your questions sort of post event. But thank you all for all of your great inquiries here.

I’d like to just again thank everyone at home or at the office who's listening and watching to today's episode of Cyber Work Live. This was a blast. If you enjoyed today's event and you enjoyed our guests, I’ll point out that new episodes of the Cyber Work podcasts are available every Monday at 1pm Central both on video and our YouTube page and on audio wherever you get your download podcasts.

You can also check out past guests including a whole episode each with Jackie and Ginny, as well as a previous Cyber Work Live on project management from the lens of learning to sell yourself, learning to sell your skills. You can check those all out at infosecinstitute.com/podcast. And we'll also post direct links to these past episodes in the resource section here.

Before we go, we'll be picking today's winner for a free year of InfoSec skills, which includes more than 190 learning paths where you can train for things like incident response, ethical hacking, security management and your project management professional certification. Everyone can go to the link on the screen and get a free seven-day trial. But the winner for the full year is – It is John L. at Principal Financial Services. Congratulations to John L. for that. Be on the lookout for an email with coupon code from us early next week.

And until then, every week on Cyber Work, listeners are asking us the same question, a lot of you in the chat have asked us that as well, what cyber security skills should I learn? Well, try this, go to infosecinstitute.com/free to get your free Cyber Security Talent Development ebook. It's got in-depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. We took notes from employees and employers and a team of subject matter experts to build training plans that align with the most on-demand skills. You can use these plans as is or customize them to create a unique training plan that aligns with your unique career goals.

Once again, go to infosecinstitute.com/free or click the link, which I believe will be in your resources section here to get your free training plans. Plus, many more free resources for our Cyber Work listeners. Do it. Infosecondstitute.com/free.

Lastly, thank you once again to our wonderful panelists, Jackie Olshack and Ginny Morton, for joining us today. And thank you to all of our guests for attending and submitting more great questions and feedback than we knew what to do with. We really appreciate you.

[END]