Cybersecurity project management: Your career starts here

Are you great with details? Do you like juggling multiple projects at once? Is your organization system the topic of awed discussion between your co-workers? Or are you just interested in getting into cybersecurity from a different angle? If so, you might already be a top-notch project manager and not even know it!

Join a panel of past Cyber Work Podcast guests as they discuss their tips to become a project management all-star:

  • Jackie Olshack, Senior Program Manager, Dell Technologies
  • Ginny Morton, Advisory Manager, Identity Access Management, Deloitte Risk & Financial Advisory

If you're interested in project management as a long-term career, Jackie and Ginny will discuss their career histories and tips for breaking into the field. If you plan to use project management as a way to learn more about other cybersecurity career paths, we'll also cover how to leverage those skills to transition into roles.

The topics covered include:

  • 0:00 - Intro
  • 0:51 - Meet the panel
  • 3:12 - Why we're talking project management
  • 6:27 - Agenda for this discussion
  • 6:55 - Part 1: Break into cybersecurity project management
  • 7:45 - Resume recommendations for project managers
  • 12:35 - Interview mistakes for project managers
  • 19:22 - Creating your elevator pitch
  • 23:10 - Importance of your LinkedIn page
  • 25:05 - What certifications should I get?
  • 30:38 - Do I need to be technical to be successful?
  • 34:20 - How to build cybersecurity project management skills
  • 38:28 - Part 2: Doing the work of project management
  • 40:47 - Getting team members to lead themselves
  • 44:50 - Dealing with customer ambiguity
  • 47:30 - Part 3: Pivoting out of project management
  • 47:48 - How do I change roles in an organization
  • 51:50 - What's the next step after cybersecurity project manager?
  • 53:43 - How to move from PMing security teams into leading them?
  • 59:05 - Outro

[00:00:06] Chris Sienko: Hello, and welcome to our fourth and final episode for 2021 of Cyber Work Live by InfoSec. As you may know from our weekly Cyber Work Podcast, we've talked with over 175 different industry thought leaders since 2018, about cybersecurity trends, the way those trends affect the work of InfoSec professionals, and we've offered tips for breaking in, or moving up the ladder in the cybersecurity industry.

Today, it is all happening live in front of an attended audience. I am Chris Sienko, Cyber Work Live Host and InfoSec Director of Online Content. As you already know from the title screen, today's topic is Cybersecurity Project Management: Your Career Starts Here. With that, I'd like to introduce you to our esteemed panel of guests today.

First up, we have Jackie Olshack, Senior Program Manager at Dell Technologies. Jackie Olshack worked almost 20 years as legal secretary paralegal for multiple patent corporate law firms. In the late 1990s, she began to recognize that it was becoming harder to break the ceiling on her 58K salary as more and more attorneys were typing their own documents, managing their own calendars and making their own travel arrangements, putting the future of her career in jeopardy.

After some introspection, she decided to go back to college and pursue a science degree. Was planning to go to law school to become a patent attorney, but couldn't get her LSAT higher to even get into a fourth-year law school. She now proudly thanks all those law schools that turned her down, preventing the dreaded 150K to 200K law school debt that she would have incurred.

As a project manager, Jackie has 15 years’ experience of managing and implementing IT programs successfully. She's an expert on NIST 171 and 853 principles, CMMC and the FedRAMP process. She implements IT compliance programs and leads cross-functional teams, working successfully with executive leadership.

Next, please welcome Ginny Morton, Advisory Manager, Identity Access Management for Deloitte Risk and Financial Advisory. Ginny Morton's career with cybersecurity spans over 17 years. During this time, she has led teams to improve organizations’ cybersecurity practice, beginning with infrastructure, network identity, all the way to endpoint security process and involvement.

Additionally, Ginny is an expert in program and project management, both in Waterfall and Scale Agile. Outside of Deloitte, Ginny is a Lieutenant Colonel in the US Army Reserve and specializes in network and system engineering and security. She actively engages in helping veterans to transition from military to the private sector workforce, and participates in many Veterans Outreach Programs. I'm sure, we'll be talking about that today as well. Jackie, and Ginny, welcome to Cyber Work Live.

[00:02:44] Jackie Olshack: Thank you. Glad to be here.

[00:02:47] Ginny Morton: Good morning, or good afternoon. Good day, everyone.

[00:02:50] CS: All right. I wanted to talk a little intro at the beginning here, by talking about some of the reasons that you wanted to do this live episode, because this was something that was pitched to me by Jackie and Ginny. I can let you tell me in your own words, why you wanted to do a live episode about project management as a career start?

[00:03:14] JO: Sure. I'll go first. When we did the first podcast, Chris, I noticed immediately after, literally right from, I guess, it was early March through the fall, I've gotten a lot of requests. How did you actually do it, practically, step by step? I got college students saying, “I'm not sure what to do, but I want to do what you're doing. I want to learn how to do what you talked about.” I got lots of questions around, “What cert should I pursue?” Or, “I'm in a company. I'm a receptionist. I'm in HR. I'm in X. How do I move into transition to project management, cybersecurity project management specifically?” I found that the requests I was getting, I was getting similar questions over and over again. I thought, it would be great to pull Ginny and myself together and address those on this platform.

[00:04:20] CS: Did you have a similar experience, Ginny? Were you getting people from your episode as well?

[00:04:26] GM: Yes. I get many of the military personnel will contact me. I mean, I on top of that is because when I transitioned out, and I was lost. Even when I did my own research, I didn't know what I was good at, until I was fortunate enough that the army offered me a PMP course. That's when it dawned on me. That's actually my skill set. It doesn't matter what you do in the military. Many of the things, because we want to drive results. We want to get things done. But we don't have a name. Anything we do, we don't have a very intimate label on a skill set. When transitioning out, we don't know what we have, but we actually have a lot to offer.

Now that I'm where I am at, I would love to let more go to veterans, or anybody that is interested in project management, to know, hey, you got the skill. How you get in, listen to the podcast, do research, come talk to me, and I can help you.

[00:05:34] CS: All right, so we're going to be taking questions from the audience as they come in throughout the event. To start with, we have a bunch of great questions that Jackie and Ginny have been asked several times, since their respective appearances on the show. We're going to use those as our framework to carry through the hour. As Jackie and Ginny both noted immediately after being on the podcast, they started getting contacts on LinkedIn. I’d like to thank all of our listeners for being that proactive. It'd be very easy to just listen passively to our show. We're very glad that people are taking action. That warms my heart.

At the same time, Jackie and Ginny both noted that they kept getting the same questions over and over. I think, this is going to be a really good place to answer those on a large scale. Because if five people asked, probably another 50 are thinking, but didn't have the courage to ask about them. Let's see what we can do here.

This event is loosely divided into three sections. The first one here on the slide is breaking into project management. How do I get into cybersecurity project management? Second, we'll move into how do I do cybersecurity project management well? Finally, how do I pivot from project management into other areas of cybersecurity? We have several questions as part of each section. Let's begin with part one here, breaking into project management.

The first question is just about as straightforward as you can get. How do I break in to cybersecurity management? To make this a more manageable topic, Jackie, I think, Jackie is going to be leading the first section on getting into things, although both will be talking. Then Ginny's questions from her listeners came from people who are already in project management that wanted to do it better. Jackie helpfully suggested three main areas of improvement that are necessary to put your best foot forward, and I'm going to just put them on the screen here.

We're going to give tips for updating your resume to catch the hiring manager's or recruiter’s eye for a cyber project management role, proper conduct and good questions to ask during the interview and creating your elevator pitch about yourself that you can say in less than 90 seconds. Let's start with the first one. Jackie, and then Ginny, do you have any recommendations, or suggestions for changing up your resume to emphasize your natural talents in this area? Also, what are some common mistakes you see that push resumes of aspiring project managers to the bottom of the consideration pile? I'll start with you, Jackie.

[00:08:03] JO: Okay. I got this question a few times. Here's the advice I've given. It's actually advice I follow myself. I look at the type of job I want. I find that job, it could be on LinkedIn, it could be Indeed, it could be direct. Someone in the office says, “Look this over. I'd like to consider you for it.” The first thing I do is try to figure out what they want, what they're asking for, because that's going to tell me what's important to them. Then if it's a job I need to submit a resume to, I tweak my specific resume to match that job description.

Now, I'm not saying you falsify anything, but I use the terms, the verbiage that I see in the job description, I make sure it's reflected on my resume. Because what do we want to do? We want that HRIS system that we submit our resume through, we want it to flag us as a resource, that is someone that's a candidate for the job interview. The first thing I would say is, identify specific words from a job description that interests you, and make sure that verbiage is reflected on your resume.

One other point is, I would reach out to folks who would say, “I want cybersecurity, but I don't have a cyber cert. I want cybersecurity project management, but I don't have my PMP.” Folks, this is what I've done. I followed this process for years. Before I got my PMP, my resume said, “Studying for PMP. Prepping for the course X month, X year.” Again, why did I do that? Because PMP would get flagged in the HRIS system. Someone would go, “Well, maybe she doesn't have the cert, but she is studying for it.” I would recommend, if you don't have a cert, but you're pursuing it, make sure that's reflected on your resume, “Pursuing CISSP. Pursuing CISM, and planning to take the exam X month, X year.”

[00:10:16] CS: Yeah. Actually, be planning to do it, too. Don't just tell them that. Get the study in, folks.

[00:10:24] JO: Absolutely. Absolutely.

[00:10:24] CS: New Year is coming. Time for a resolution.

[00:10:25] JO: Absolutely get the study in. Get the study in.

[00:10:29] CS: There you go. Ginny, anything to add to that?

[00:10:32] GM: Sure. Everything Jackie said, I totally agree with it. That's one point I want. Instead of me coaching you how to do a resume, I want you to understand one thing. I want you to picture yourself walking into a car dealership, and then looking at new cars. The first thing you want to do is looking at the MSRP, what function they have, how much. Because that catch your attention. Just imagine if the MSRP is a whole bunch of words, telling you how great this car is, you're going to walk away. Resume is the same thing. The big key thing is, avoid telling them how awesome you are. Avoid using a lot of adjective.

How you tell them how awesome you are is what you do in that project. What is the result? Numbers matter. Spell out your numbers. When I say spell out, don't say T-W-O, M-I-L-L, I-O-N. Don't do that, literally. 2000, a whole bunch of zeros together. Spell out all your numbers and tell them what the result you have driven. The result can be saving the company however much money, raising your cyber readiness from failing to a 100% passing. Those number matters. For the military folks, you understand how you write your evaluation report. It’s pretty much the same way, but in private sector terminology.

[00:12:02] CS: Yeah. One thing I want to add to that is that we all do lots of different tasks in our job. I think, that's the thing is people get stuck in this idea of, “Well, I have my one resume, and I can't change it.” As you said, Jackie, we're all doing lots of different things. Maybe 10% of the things we do would apply to this job. 30% to that job. Make the resume look like that's the thing that you do, because you do do that, and you can do that. Even if you don't do it all the time, that's how you grow and learn. I think, that's great advice.

Let's move from there to proper conduct and good questions to ask during an interview. Jackie, you said that when you would get current LinkedIn contacts that you would set up a quick five-minute screener on Zoom to talk with people. You said that there were some interview no-nos that you had. Can you talk a little bit about some changes that would help leave a good impression on the person that either wants to hire you, or that even just wants to help you out?

[00:13:05] JO: Yeah, sure. What I would do is I would give folks a few questions. We’d schedule a 30-minute Zoom, or Google Meet. The questions would be, what are your strengths and weaknesses? Why do you want to be a cybersecurity project manager? Describe to me in one or two sentences a project you've managed and tell me about the outcome.

I would specifically ask for 48 hours to review answers to the questions. I'd ask for a Google invite. I would get folks that would send me a three-hour Google invite. They would write pages and pages of answers to the question. Without fail, I would tell folks as gently as I could, I didn't give you these questions by accident. I'm really trying to figure out, are you paying attention? Because it is critical for project managers to be attentive to detail.

Folks on your project, they may not stay as alert as they are supposed to be getting work done, doing it when it should be done to the level of quality it should be. When they miss that boat, they run to you asking you to get them back on track. You need to know, this is the scope, this is the timeline, this is how much flexibility, wiggle room we have. If you don't adhere to instructions, or requirements, it's going to make it tough for you to be a successful project manager. That was one thing.

Another thing is folks didn't seem to understand that not just are the company and the HM, hiring manager and recruiter interviewing you. You really want to interview them as well. It's great to be called in for a job. At the end of the day, you want to make sure that's a fit for you. You've got some power, too. Folks need to think about, “What am I going to be doing? What's expected of me?” And recognize your value.

The proper conduct and good question I want to reiterate and reinforce, folks think about your strengths and weaknesses. When again, you look at a job description, when you know your strengths and weaknesses, you understand what skills you have that are transferable. I referred back in the first podcast, if you are a school teacher, for the love of God, I get nervous, because I think if a group of school teachers ever make up their mind, they're going to put a lot of project managers out of business. Because they are so versatile. They deal with so much stress.

As a teacher over children, you're dealing with life, little kids, they put things in their mind. Big kids, they get frustrated, they act out. You manage that every day, every week, year in, year out. When you think about your strengths and your weaknesses, understand how that transfers to what a company needs from you, and then raise questions to pose to the hiring manager, or the recruiter.

[00:16:23] CS: Absolutely. Ginny, anything to add to that?

[00:16:27] GM: Sure. I can talk about this all day with Jackie, with everybody over here, but I'm going to try to keep it short. Really, we're talking about conducting in to do why you’re interviewing, how you’re going to leave an impression. I would say, a little bit prep work is make sure you understand the company you’re interviewing. Do some Google research. Google content, website. That's very important.

I can tell you, sometime you can be really good. At the end of the day, at the end of the interview that your interviewer will just ask you a question. “Hey, so what do you think about my company? How do you like the worksite?” If your answer is, “Oh, I'll go check it out.” Instantly, no matter how great you are, they don't hire you.

[00:17:10] JO: That's true.

[00:17:10] GM: That's one thing. The second thing to understand is they are also human. They don't know you. They might be uncomfortable as well. How are you getting yourself confidence and be yourself well enough to make them feel like, “Okay, we’re on camera,” just like I’m right now, I don't see you, but I have to make myself come comfortable, so I can talk. As you know, I have an accent. If I get nervous, my accent amplify 10 times worse, and you won't be able to understand me. How do you condition yourself to understand the human to calm down, be confident, and talk about what you need to talk about?

The second thing is pay attention. When you look in Google, you know many big corporations such as Apple. During the interview, they will be repeatedly asking you dumb questions. They do that on purpose, because they want to know your reaction. They want to know if you're paying attention. The key is pay attention to what they’re asking. If they say some term that you have no idea what it is, write it down. Ask them. When you say this SCADA, I'm just making up an acronym. What do you mean? Ask them that, so they know you're paying attention.

The last thing I want to talk about is when Jackie talked about knowing your weakness. Okay, you know your weakness. How are you going to advertise that weakness, that okay, let's say for example, my weakness is I talk too much. You can just stop there. Well, I talk too much and I realize that. In a good way, that build relationship with other, but sometime I pay attention throughout the year that I learned to stop in the middle of my talk to see – ask question. That way, I improve. Even though it’s still my weakness, I am improving. I'm doing better every day. They know, “Okay, this person is good. I can put him in front of the business. I can put her and I know she's listening, so that's good.” Twist your weakness around to become your strength.

[00:19:22] CS: Okay, real quickly, I just want to move on to the third point, creating an elevator pitch about yourself. I think, people use an awful lot of filler words, or things that they've seen on LinkedIn, or whatever. Do you have any tips for crafting an elevator pitch for the first time and what are some cliche phrases to avoid when creating your elevator pitch?

[00:19:45] JO: Again, folks have to think about the image they want a hiring manager, or recruiter to have of them. When I think about an elevator pitch, ask yourself, who am I? What do I do? Why am I important? If I were to get on the elevator, or be in the cafeteria, and I work at Dell, if I see Michael Dell, and he turns around and says, “Hi, who are you? What do you do?” I need to be able to answer that. I need not to be able to take up a lot of time. In 60 to 90 seconds, he should know, “Hi, I'm Jackie Olshack. I manage disaster recovery. If Dell's data center were in those five states that endured a tornado, the work I do means we would be up and running without a blip to our clients, or to our internal stakeholders.”

Right there in less than 90 seconds. “Oh, Jackie Olshack, She's in disaster recovery. I'm so glad to know our data center is protected, and we've got backups, blah, blah, blah, blah, blah.” You don't want to, I don't want to say waste people's time. You need to tell people who you are, why you're important, and what you do. So that when they see you, they have an image of your value. I'll pause there. Maybe Ginny has something to add.

[00:21:11] GM: Sure. This is really good. I’m not going to repeat what Jackie said, because that's what I was going to say. But thank you, Jackie. Then the next thing is, sometime on top of that, I want to make an impression. Because it's elevator, sometimes it’s short and outside of the pitch, if it's not Michael Dell, because everybody know who Michael Dell if you work for Dell, maybe it's somebody that you know is the vice president is the director that's very important. You know what they do, but they have no idea who you are, but they don't have any questions to ask you. What do you do then? Ask them questions. “Hey, I heard you’re in cybersecurity doing this. How do you like it?”

Just, sometimes random question, if they have a cast on their wrist, or they’re wearing a different shoes, I’d be like, “Hey, what happened to your arms?” Just start a casual conversation to make it personable, and that you would know that you're interested in talking about it. “How about the golf game yesterday? Or how about the game yesterday?” Get them talking to you. Eventually, you can get into the business as well.

[00:22:16] CS: Yeah, I think for people who live in their head, as a lot of us do, there's a multistage aspect to that. It's like, one, stop talking about yourself so much and ask about the other person. Then two, the thing that took me even longer to learn was ask about the other person and then actually care about the answer, because it's one thing to say, “What happened to your arm?” Then immediately go back into your head and think, “I can't wait to tell them what happened to my arm when I was seven-years-old, or whatever.” I think those are great. I think, those are really great points.

It all comes down to a comfort level. I think Jackie said, make them feel comfortable in the interview, because they're uncomfortable as well. You think about that with an author, or an actor, or someone you're being interviewing is, if they make you feel comfortable, you're going to feel good with them. You're going to say, “This person fits well in this role in my head.” That's going to give you such an advantage.

Jackie, I want to ask you a little bit about updating your LinkedIn profile as well. You just noted that here, that you wanted to talk about that. Do you have some specific tips on that?

[00:23:23] JO: Yeah. I wanted to encourage folks to make their LinkedIn page reflect their personality, reflect their strengths and their skills. A few years ago, someone encouraged me to make sure you put a picture up, a vibrant picture. What do you do? At LinkedIn, there's a lot of blank space back there. Use that to your advantage. One other point I want to make is LinkedIn has the functionality, where you can put a blurb across your picture, or your name, and it says, “Open to work.” There are two components to that. It can be broad, where anyone who pulls your profile will see it. Or, you can make it, so that only hiring managers and recruiters see that.

There's another way to market yourself. If your LinkedIn profile reflects your strengths and describes what you do. If you put that little notification on your profile that you're open to work, should an opportunity be available that you wouldn't hear about, or see, you create an opportunity for folks to find you and locate you, based on how you tweak your profile.

[00:24:49] CS: Oh, yeah. Yeah, LinkedIn is so crucial these days. I mean, it's been a butt of jokes for comedians and stuff for years, but there's so much you can do with it. It really is where people are looking for you these days, more so than ever. I want to jump forward. We're going to jump around a little bit, because we actually have gotten a couple of questions from people in the audience. Thank you very much for your questions.

The third point we're going to ask was, what cybersecurity and/or project management certifications should I pursue? The first one we get was from Jordan Perry. Thank you, Jordan. “I'm a human capital consultant through Deloitte, looking to maybe get an AWS cert. Would you advise this, Ginny? As well, I'm a veteran.” We get a lot of questions about getting the right cert, because obviously, everyone's time is precious. There's this fear of if I learned this thing, and I can't use it, then that was time wasted. Can you speak a little bit about that, Ginny? Do you think an AWS certification is going to be useful in this area?

[00:25:54] GM: Hey, Jordan. I think I know you by name. I haven't seen you yet, but I think I know you. That's a great question. I will say yes, on any certification. AWS is scary, because you're talking about cloud security. For the listener who are not familiar with AWS, which is Amazon Web Service, is the cloud base – is the cloud Amazon offer, is platform software, and all of that. It’s huge. I will say yes.

As alone, where I'm not trying to advertise, but just for cloud security, the big one is really Amazon, or Azure. Any of these cloud certificate is very good for you to at least get into cybersecurity, or even be more specialized in cloud security. Cloud security is a really wild industry. Wide industry. It is going everywhere. Yes, it is a very good certification to get into.

[00:26:54] JO: A point about AWS is Amazon offers free training, so the very basic, the most foundation. You can pursue that without cost.

[00:27:08] CS: Nice. Always good. Check out any and all free knowledge you can get. It's going to return dividend someday, somehow. Curtis Sweet asks, “I am currently ITIL 4 and Project Plus certified. I'm most interested in cybersecurity project management. Are these certifications useful for bringing into project management and cyber?” These are, I think, more general project oriented things. Curtis wants to know if you can use these in a cybersecurity space. Do either of you have these certs, or do you use them on a regular basis?

[00:27:43] JO: ITIL 4. Sorry. Go ahead, Ginny.

[00:27:47] GM: No, no. Go ahead, Jackie. Since you talk about ITIL 4. Yes, first.

[00:27:51] JO: Yeah. I have ITIL 4. I got that late 2019. I'm going to be honest. For me, that doesn't help me from my perspective on a daily basis, manage my projects. What I find and Ginny, I'd love to hear what you think, what I find is, do you have the proper organizational skills? Do you have the proper soft skills? Can you engage your team when things are getting off track? Do you have the ability to pull folks together, get folks on track? When folks are being a bit vague, or aren't sure what to do, do you have the skill set yourself to pull out of them what needs to be done? If they can't do it, then find the resources to do that.

ITIL 4 and the other certs, they are great. Don't get me wrong. It's great to have that knowledge. But for me, it doesn't make or break my success as a project management professional. It enhances it, but it's not a deal breaker for becoming a successful project manager. Ginny.

[00:29:07] GM: Echo to what Jackie is saying. ITIL is good. It will benefit you more if you go to IT project management, or help desk service type, field services type work. ITIL will help you, because it talks about information technology in customer service. How do you service them? For cybersecurity and I see a chat from Jordan, too. I think, he's right on for some of the key term I'm seeing, if you want to break into cybersecurity and you don't have the experience, or the network to get yourself in, on top of what Jackie is saying, your organization, your soft skills, or maybe a PMP cert, some agile certs. Just like what Jordan said, the CISSP and CISL. Those will help you.

Those might be a little bit harder, if you’re just introduction to cybersecurity. There is also a CompTIA Security Plus cert you can get into. At least have something. Jackie mentioned that as well on her podcast. Look at her, showing her book.

[00:30:15] CS: Yeah. There you go.

[00:30:17] GM: That you can get into.

[00:30:18] CS: Never really home without it.

[00:30:22] GM: So that you have something you can show for on the resume. It will give you a better chance of getting an interview. Then you can expand on what you know about cybersecurity.

[00:30:33] CS: Okay, that's a great transition. I want to move to the next slide here. Because I think, there is definitely a strata between people who do project management work, who want to move into cybersecurity, but feel intimidated by the technical baseline of knowledge. Let's talk about what you need to know about cybersecurity to be a successful project manager in the space. Equally importantly, what you don't need to know. Let's start with Jackie here. You said, you moved from administrative and legal space into cybersecurity. How comfortable were you with the space when you started?

[00:31:14] JO: It was hard. I will not lie. I did not have a strong technical background. I started with learning and development projects. I started in technical project management, but on the business side with CVS Health. Then we found ourselves in some – we had some issues around vulnerability management. That's how I got thrown into the technical piece. Fortunately for me, I have a strong organizational skill set. That helped me tremendously. Ginny might be a better person. I don't think you need to be technical.

I showed this book. I do believe it helps you be successful. It helps you with the lingo. You understand what your SME, subject matter experts in various resources are talking to, complaining about when you do have some insight. For me, I needed to study. I don't think it's a deal breaker. It certainly makes your life easier. Ginny, you probably know more, because you're definitely more technical than me.

[00:32:28] GM: Thank you, Jackie. You really speak so highly of me. I don't think I'm that technical, but thank you. I can tell you a story with one of my experience. Being in the army for so many years, until I worked for Dell before. I can tell you the first year, I was not technical. I can honestly tell you, I did not understand the difference between a switch and a router. I mean, Cisco, not your home router. I did not understand VLAN.

Many people might start laughing, “How can you not understand that?” I just didn’t, but I was successful. Because of my own personal pride, I want to know more and there was an opportunity in the army to put me through a network engineer school. I became a lot more technical. Does it help? Yes. Somewhat, it does help a little. Mainly, I agree with Jackie. It’s more about your soft skills.

The technical skill helped me to understand and to learn faster. You can ask Jackie. It doesn't matter how untechnical you are. As long as you’re organized, you’re willing to learn. When you jump into a project, you will learn some more on the high-level technical expert to help you learn the project. I ask Jackie, and sometimes she know more perfect, identity access management than I do. She's telling me she's not technical, but she actually knows a lot. It's about how you learn and how you adapt, and how curious you are when you see a problem. Yeah, for example –

[00:34:01] CS: Also, learning by doing.

[00:34:05] GM: Exactly.

[00:34:08] CS: I'm sorry, I didn't want to cut you off, Ginny. But I want to keep us moving, because we're 35 minutes in. This is a good transition, I think, into the more general question of your cybersecurity project management skills. A common question Jackie got was, how do I build my cybersecurity project management skills? There's a lot of ways we can go with this one. Let's start with determining what skills you need to build in cybersecurity? Then maybe, we can talk about how to get better at these tasks, where and how to practice and how to stretch yourself into harder and more complex, but impressive tasks, especially if you aren't being given these types of projects in your daily work?

Like you said, it's one thing to get a certification in these areas, but can you talk about, especially if you're not in a project management space, but you want to move there? What are some skills you should be refining and acquiring now that will put you toward that? Because Jackie, you said that you talked to some people and people said, “Well, I've managed hundreds of projects.” What you realize is what they meant is, I've done hundreds of tasks, but that's not necessarily managing a project. Can you talk about some of those distinctions?

[00:35:16] JO: Sure. The first thing I would do is you got to understand what the marketplace means when the term project and project manager is bounced around. The first thing you need to do is get up to speed on the vernacular. What is a project? You need to know that. For me, at the very basic, at the core of it, it's a deliverable that has a defined scope, a start and end date, and it has a budget attached to it. That's a project.

A project manager is someone who manages that scope, make sure whatever that is, if we're building a house, then that house gets built the way we want it built, and the proper resources needed to build that house are available when they're needed, and to the specified budget. You need to know that. You get that information through pmi.org, YouTube, googling.

Now, I will also say this. I didn't have the technical piece, and I didn't have the cybersecurity piece when I was at CVS Health. I had been managing projects on the business side. What I did do is I had a mentor, and I said, “Hey, I really want to do something more complex.” He sent me over to this gentleman runs the PMO there, and he sent me over to the vulnerability management team, or the project team that was managing the vulnerability program at CVS Health.

Sometimes, you're going to have to get out of your comfort zone, network, find out what's going on at your place of employment around cyber and literally ask to do the work. People are always looking for extra hands.

[00:37:16] GM: No, I agree with what Jackie said. Know your environment, go explore. Have inquiry to know more than you should. Another thing is, when I'm looking at a cybersecurity project management skill, as in, when you're gone, can you still communicate with people when say, I say you're gone on your day off, or you cannot be in a meeting, can you communicate to your stakeholder, even either by a PowerPoint, or a spreadsheet, to let them know the progress of your project? It’s easy to say that, but it is really hard to do if you don't understand the project, or you have a challenge on how to express yourself on paper. That's something to dive into, and that’s a skill you can expert. Like Jackie said, look into PMI, or reach out to the PMs that you know you think they are good, or reach out to us.

[00:38:17] CS: Yeah. All right. These are all great answers. I think, that's a good place to end the beginner area. I want to jump into part two, which is doing the work of project management. Both Jackie and Ginny, and especially Ginny sent in questions that she had received from people who, I think, were looking for advice regarding doing project management better. These are people who are in the space, rather than looking to get into this space.

Before we even begin, Stacy Moran, who's listening in right now just asked, how much time and effort is spent in the initial phase of cybersecurity project? I think, that's a question about the front-end. Can you speak to that a little bit?

[00:39:08] JO: Ginny, you can take that one piece.

[00:39:10] GM: Sure. It depends. It depends on the nature and the complexity of your project. In the general rule, and I'm going to use the army methodology, is the one-third, two-third moves. You plan for one-third of the time, and then two-thirds of the time, you taught, you communicate, you execute. That's the general term. It really depends on how complex the project is. For example, if you're just doing a storage expansion, all you need to know is the current storage. How much you need and where to order it, and how much people you need to coordinate with. You know data center to get all that stuff. That can be a short planning, but a long implementation.

Let's say, you want to do a network upgrade. Let's say, your equipment’s end of life. You have to bring a whole new set of appliances into the environment to migrate older users. All of a sudden, your planning is going to be really huge. You have to make sure that – I'm not going to go into detail, but the planning is going to be thick.

[00:40:15] CS: Jackie, anything to add to that?

[00:40:16] JO: Well, one thing I would say is ask for a charter. Ask for the SOW. That's going to tell you what you need to deliver. When you see what you need to deliver, that's going to help you understand what's required to get from A to B, to Z. That's going to help you with the planning piece. It's critical as for that charter, ask for the SOW, and I think that'll get you some of the answers you're looking for.

[00:40:47] CS: All right. We've got a question here from a project manager that was sent in in advance. They write, “In an agile world, there is no project manager, but Scrum Masters. Instead of leading the team to get the project done, how do you coach them to understand the big picture, their responsibilities and the impact of their tasks, so they can start leading their work stream, instead of you?” Ginny, what are your thoughts on this? This sounds like it's coming from a frustrated project manager, who feels that they need to hold the hands of everyone on their team, and they're wishing the team help themselves? Is that the right way to think about this problem?

[00:41:21] GM: Yes. I can tell you, traditionally, project manager, in a PMP, or waterfall format is really, you try to understand everything. You're leading the team. “Hey, so and so.” Let's say, I'm just going to use Jordan name, because that's the name that pop up, and Scott. “Jordan and Scott, you need to go do this. You need to go do that. You come by and tell me what's going on.” In the agile world, we can't, because that's no assessed scope of what you're doing.

Many of the things is explore. For example, building a software, you only know the end result. That's no structure. You need to talk to your developer. How you coach the developer as a scrum master is really, have them understand that's the documentation called BRD. What is the business want the outcome is? Have them communicate with them, coach them to understand that first. When they understand, so every single process, they have a team, the developer know what to do. Now, you have to every day – I mean, at first, it might be every day you have to coach them, “Hey, we have a meeting, a short meeting to talk to the team. What do you want to talk about? Do you have an agenda?”

When you coach that person enough to ask them for their agenda, eventually, they will get it, “Okay, it is my meeting. It is my piece. I'm responsible for it.” Just closely monitor, until they get up to speed. Then you can slowly back off a little. At first, you might still be a PM just a little. If you really coach them, they will be able to stand up on their own and lead [inaudible 00:43:01].

[00:43:03] CS: Anything to add to that, Jackie?

[00:43:06] JO: Again, I would find out, what is your obligation? Now, some folks call themselves a scrum master, but they're operating as a project manager. Some companies will say, “We're agile,” and they're still operating in a waterfall environment. If you're doing true scrum master agile work, then you've probably created some stories, or you need to. What are you guys trying to accomplish in those sprints? Asking that question, understanding what the end result is. I think, that in and of itself will help your team, I don't want to say coach themselves, but it will help them understand what they need to accomplish, without you taking the bull by the horns, per se.

To me it all goes, I think of agile, frankly, and no one seems to say this out loud. I think of agile, it's just mini projects. You've got a sprint to me, that's a mini project. You got something you need to complete, a scope a story. We got a start and a finish. Maybe it's two weeks, or a month. That's your time. You've got a restricted budget. Pull the team together. Okay, how are we going to accomplish this? They can usually, if they are a good team, if they – Sometimes, some folks aren't talkative, or collaborative. They can usually go off and do what needs to be done. Sometimes, you may have to act project management like and get them started. I'm not sure if that helps.

[00:44:49] CS: I think, it does. Let's move from there to the other. We talked about agile. Let's talk the other big A word here. Ambiguity. Our next question wants to know about kinds of the ambiguity. They write, “How do you deal with ambiguity when your customers are not even sure what they want, other than a more secure network? How do you coach teams to deal with this ambiguity?” You hear, we get to the crux of an issue with people in PM positions, which is that if your personality type is to make everything a procedure, or a definitive task to be completed, then how do you stop that process, when the only directive coming to you is, “I don't know. Just make it safer”? Ginny, you want to start with that?

[00:45:27] GM: Sure. I'm just going to knock on, stomp on the ground three times to let you know that my [inaudible 00:45:33] attention will be interview questions. Pay attention to this. How do you do ambiguity? Sometimes, yes. I can tell you, it's not sometimes. Most of the times, your customer, or your business don't know what they want other than, “Hey, I want to get it better.” You will experience that.

What you do really, pay attention to what they're saying. Ask a lot of questions. Sometimes, you have to go with what you know. You do. You have to go at what you know, and continue to ask question. You might not get it right the first time, but the more question you ask, the more you get into the project. You understand clearly where this is going. Coach is in the same way. However you learn, coach your team the same way to learn this purpose, learn the process. And document. Documentation is really important. Document each event, what’s going on, what did the customer say? What did my business tell me what they want to do? Have reason of all of the justification demand, or ask that your customer, your business is asking. When you do that, the whole ambiguity will become more clear. You will have more direction to follow, to do the work that your customer, your business want you to do.

[00:46:55] CS: All right. Jackie, anything to add in terms of the ever-dreaded ambiguous project?

[00:47:01] JO: Well, I think Ginny hit it on the head. I like what she said about what does the customer want? At the end of the day, what does the secure network mean to you? What does that look like? Get them to elaborate on that. Because sometimes they don't know. But to Ginny's point, if you dig in and you ask questions, it'll help them frame a picture in their mind, and it will help them communicate it to you. Yep.

[00:47:27] CS: Okay. I want to move into part three here. This is pivoting out of project management and into other areas of cybersecurity. We had a couple questions here from various folks. I want to start with something and I got a little quote from Jackie at the bottom of the slide here. One person asked, “How do I change roles in an organization?” Jackie said, “I was contacted by HR analysts and receptionist, librarians, even a ballet dancer, armed forces personnel, and even a Navy SEAL. My answer to this is always start where you are, that's easiest, because you know the environment.”

Can you give some suggestions for ways that you can find new spots in your own company? How do you do your current work, learn new skills and make yourself available to the company at the same time? What might you say, if you're in a company where they say, “I'm glad you want to try something new with us, but we'd really hate to lose you and your current position, so maybe just stay there instead?” Obviously, sometimes it's not just as easy as intentionality. Sometimes your company is reticent to move things around. We're running out of time a little bit, but talk to me a little bit about trying to move into a project manager, or move from a project management space into something else, if you see another opportunity come up? Jackie, you want to start?

[00:48:50] JO: Going from project management to something else. Ginny, you may have gotten that. I got the reverse. I'm a receptionist. How do I move into project management? I had someone tell me, he worked with their company's vulnerability management team, but he liked to manage projects. I said the same thing. If you have a good relationship with your company, start where you are. Do you have a PMO? Find out what projects are being – cybersecurity projects are on your dashboard. If you don't have that, introduce yourself to folks on the cyber team who work in the IT department. Somebody there is managing a certain area that is of interest to you. Take them to lunch. Put time on their calendar. “I love what you do. Can I talk to you about it? What can I take off your plate to build my skill set?”

Again, folks are always looking for extra hands. There's always the dreaded “My status report is due.” Someone was reaching out to me at work. He wanted to do something and I said, “That guy, he always has to give a two, or three-page status report. If you offered it, take that off his hands.” I said, “That's your way in.” My network, network, network. Ginny, that's probably a question you probably got?

[00:50:16] GM: No, you are correct. I can tell you in many big organization just like Apple, Dell, or the organization I'm working for Deloitte, you can be good at what you do, and you can be a PM or something. Eventually, you want to move forward into getting expertise into something, writing a paper into a field that you’re interested in, or you’re good at to help other people. Back to the role, how do you change role? I can tell you, you can never get off project management, but don't be scared. It’s true, but it's not true at the same time. You can always jump into a specialized field in cybersecurity.

One thing I want you to ask yourself as in, what cybersecurity you want to jump into? Do you understand cybersecurity? Do you understand how many domain there is in cybersecurity? Write on paper anyway. When you understand that, pick a few. Just like, I was all over cybersecurity. I was a portfolio manager and I work with Jackie. Now, I'm strictly in identity access management. I'm still doing some project, but I am also specialized in this field. I'm interested. This is a good field to be in, because I know that I stay here. What do you want? Ask yourself at the end of the day, what do you want? What do you want to go for? How are you going to wake up to it in order to go do that thing?

[00:51:45] CS: Well, that transitions nicely into a fairly open-ended question here that you received. What's the next step after being a cybersecurity project manager and gaining a project manager experience and knowledge? Again, this feels like the person asking you to do their work for them a little bit, but there's a lot of directions you can move out of a project management position. For people really just starting to think about this stuff, what are some common pivots from people who start in project management space before moving into other areas of cybersecurity. Ginny, you mentioned identity access management. Can you talk about some other common transitions out of project management?

[00:52:23] GM: Sure. You can always, if you have a network background, you can go to network security. Just like what Jordan asked. Hey, how about AWS? You can go to cloud security. That's another thing that, or another technologies, set of technologies that's coming out, if you haven't heard of IoT. What is IoT? It’s Internet of Things. What are they? Anything, including your coffee, coffee machine, even it does have an IP address. It’s Internet of Things. Those will require security. It is something you want to work on? Or do you want to be front and center, just more action going into, for example, the Pentagon, to know everything that is happening in the world in the cybersecurity space. If you're interested in that, and you don't mind doing the hard work, that will be the security operation center. We also call it the cyber security incident response organization. You can get into that. It depends on which field you’re really interested, and you have to ask yourself, is that what you want?

[00:53:37] CS: All right. Let me jump to our last question here. We're a little out of time, but someone else asked, how do you go from PMing security teams to leading them? It feels like, from my novice position, that feels like there are about 16 steps missing in between. For those who are really looking to make the big jump from project manager to the head of a security team, a CISO, or other top tier security management position, do you have any advice? Have you seen any examples of this happening among people that you've worked with?

[00:54:07] GM: Hopefully, while you’re PMing, you're leading your team. This is one of them. You will know, because you're trying to get them finish the task. You're helping them. What is leader? Leader is actually you serving at the time. At the same time, you are taking them to success. What does leadership really mean is having somebody do something, not because they have to do it, it’s because they want to do it. The reason is because they want to do a good job, or they don't want to disappoint you. That's leading, and that's part of being a PM.

If you understand you have that and you understand you're coaching your team, your team is getting better, because you're there to finish this task, or they continue to improve, or make a progress. You know you're leading. When you do that, then explore yourself step by step to become a project manager, maybe a portfolio manager, or a domain manager, and then come to really, a people manager and go up from there. Eventually, if you work hard for it, you're going to become a CISO one day.

[00:55:17] JO: I would just ask, is that really what you want? Because the CISO gets the 2 a.m. and the 3 a.m. phone calls when you have a cyber-attack. I mean, so ask yourself. I would say, find out what you want, but network. Make sure that’s what you want.

[00:55:36] CS: Your role change comes with a sign that says, “The buck stops here.” Yeah.

[00:55:40] JO: Yes, yes. Absolutely.

[00:55:44] CS: Yeah. Okay. Actually, we have one more question that came in from our audience. I think, it's in a similar space, so I saved it for this point here. Another Jordan. It says, “Jordan undefined.” I don't know if that means his name is actually Undefined, or whether he didn't give a last name. Jordan writes, “Hi, I am an IT internal compliance auditor at a health plan. I have an interest in getting my CISSP and CSM alongside my PMP. What roles should I be looking to apply to, just to get my foot in the door?”

This sounds like someone who already from where they are thinking, towards a leadership position. Can you speak to – I mean, that's very ambitious, going CISSP, CISM, PMP. Here's to you, Jordan, for you're making big money moves here and I dig that. Can you talk a little bit about moving into this leadership space and where you start looking in terms of roles, and so forth?

[00:56:43] JO: What's the question? He is presently managing internal audit?

[00:56:47] CS: He’s an IT internal compliance auditor at a health plan. Yes.

[00:56:52] JO: To me, I'm curious why, Jordan, you aren't pursuing the CISA. The audit portion of that, because you already have the compliance experience, the auditing experience. In my head, that would be an easier segue for you. To me, you're already there. What was the question again? What does he want to do?

[00:57:21] CS: Oh, what role should I be looking to apply to just get my foot in the door?

[00:57:27] JO: You're doing internal audit now, compliance at a health plan. Every health plan has a IA internal audit department. They've got projects, because HIPAA, HIPAA, HIPAA, HIPAA again. I think, that's an easy move for you. I would reach out to whoever your IA head is, and get time on their calendar and share exactly what you want him want to achieve. Ginny?

[00:58:00] CS: I think that, wrap up with that, with Ginny here.

[00:58:03] GM: Yeah. What Jackie's really mean to tell you is network. You're in the industry. You have all the advantage. Network. Trust me. Jackie and I do plenty. Reach out to people. People like to talk, as long as you ask the right question, they love talking to you. I know you want to focus on security and cybersecurity role.

When you're doing HIPAA, HIPAA have many cybersecurity people that is have the hands on them. Getting to know them, get their name and let them know what you're doing. Go from there. Or LinkedIn, just like Chris said, used to be butt of the joke, but it's not anymore. Anybody that you reach out to, you introduce yourself. You send them a message, introduce yourself, what you want to do. They will respond.

I can tell you, Jackie told me to reach out to one of the CISO, and why would I think a CISO will have a time of the day to entertain me. Because I reached out, I stayed on my reason, well, I need help on, she responded right away.

[00:59:05] CS: Absolutely. That's it. All right. Reach out. That's going to be our final call to action for the audience. With that, I just like to say, thank you to everyone at home, or work, for listening and watching today's episode of Cyber Work Live. If you enjoyed today's event, and you enjoyed our guests, I'll point out that new episodes of the Cyber Work Podcast are available every Monday at 1 p.m. central, both on video at our YouTube page and on audio wherever fine podcasts are downloaded.

You can also check out past guests, including an episode each with Jackie and Ginny at infosecinstitute.com/podcast. We've also posted direct links to Jackie and Ginny's episodes in the resources section of this presentation.

I'm excited to announce that our InfoSec Skills Platform will be releasing a new challenge every month, with three hands-on labs to put your cyber skills to the test. Each month, you'll build new skills ranging from secure coding to penetration testing, to advanced persistent threats and everything in between. Plus, if that's not good enough, we're giving away more than a $1,000 worth of prizes every month. Just go to infosecinstitute.com/challenge and get started right now.

Due to the overwhelming success of our first year of Cyber Work Live, we will be continuing the series once per quarter in 2022. Thank you to all of you who have signed up, asked questions and shared the audio and video feeds with your colleagues and teams. The first quarter episode of 2022 has not yet been finalized. If you want to learn more about the event, and many others that are upcoming, just go to infosecinstitute.com/events.

Lastly, I would like to thank again our wonderful panelists, Jackie Olshack and Ginny Morton, for joining us today. Thank you all to all of our guests for attending and submitting more great questions than we ever know what to do with. Thank you, Ginny. Thank you, Jackie.

[01:00:53] JO: Thank you. Thank you.

[01:00:53] GM: Have a great day.

[01:00:55] CS: All right. At the end of this presentation, a very quick survey will appear, if you would like to take just a moment to share your thoughts, appreciated, and will help us to produce more great content in the future. That's it for 2021 Cyber Work Live. Thanks, and have a great day. We'll see you next year.
