Security PMO

What’s Next: Do Companies Need a Security PMO?

I began my exec search career focused on CIO searches. I learned how to dig deep when defining the CIO’s scope and how to position the CIO’s organization. One of the critical components was the build-out and maintenance of an IT PMO that primarily handled IT and technology projects sponsored and funded by the business. The PMO leadership position was a strategic ambassador to the business, one that often lived under IT. Many companies have been able to transform their IT PMO into an Enterprise PMO within the organization.

First, let’s take a step back. For those of you who aren’t as ancient as I am, or don’t know much about PMOs, a project management office (PMO) is a group — internal or external to a company — that sets, maintains and ensures standards for project management across that organization.

The PMO was born in the mid-90s as a reactive governance process around managing projects. At that time, projects were deemed unsuccessful at an alarming pace; this still happens today. On the technology timeline, the PMO arrived on the scene around the same time that we moved from mainframes to client/server. The IT PMO was born out of the need to implement and adopt technology solutions and/or processes in business projects, and those solutions determined the success of the company’s initiative or program. Infrastructure was also important, but the needs in and around enterprise applications (SAP, Oracle, PeopleSoft, Baan) primarily drove the creation, flow, and funding of these projects and the formation of the modern-day PMO. Essentially, you had a technical solution with business needs and drivers, which spawned the need for specialized project managers and business systems analysts skilled in the art of translation from Geek to Business.

PMOs quickly became vital to a company’s success in deploying technology solutions. Today over three-fourths of global enterprises have maintained a PMO for at least five years. PMOs have become the one-stop shop for project principles (Agile, Scrum, etc.), project updates, best practices, policies, and methodology lessons within a company. They are often the primary librarian and gatekeeper of documentation and real-time analytics. And while they are susceptible to economic downturns, the ROI on a well-managed PMO is indisputable.

I was fortunate to have managed several fantastic Head of PMO searches, which sold me on the long-term value to a company’s efficiency and culture. I saw that the PMO represented the true intersection between people, process and technology.

Ten years later, Hitch Partners is focused on the CISO’s transformation from InfoSec and Compliance to a highly visible, sales-enabled DevSecOps leader. The transformation has led to the creation of many intense and complex Security-related business projects. Though IT projects may affect only the portion of a company that uses the new service or tools, security projects affect everyone in a company, its partners, and even its customers. While vendors and service providers are driving implementations within companies, often the company itself is leading many of these projects. Sometimes a company is prepared for this with a treasure trove of talented, disciplined, and subject-matter-focused project managers, but this is quite rare. Meanwhile, the rate of new Security project adoption moves forward at a breakneck pace, with sponsorship often coming down from the top. With all that said, I often wonder if we will see a revitalization or rebranding of the PMO focused on the Security project space: a Security PMO.

The security market is still in a consolidation phase, and within today’s companies we have an unusually high number of security options, with new tools and services being introduced into an ever-changing landscape of expanding technology platforms. The public cloud providers have opened up new channels and ways of protecting data collectively, resulting in dozens of new projects being sponsored by the business. Where before this was an IT project, today the business relies on these projects to manage, grow and differentiate itself. Everyone, from the executive team to sales, needs the super geeky security stuff to work, to protect them, to prevent incidents, to scale, and most importantly, to be communicated in terms that the average executive will understand. We are talking about security solutions and policies that can, have and will make a massive impact on businesses, yet these are often solutions that less than 1% of the world can really understand and/or explain. It is the perfect environment in which to grow the value of a PMO; a virtual petri dish of sorts.

One of the challenges in building today's Security programs in a small to midsize company is that we often have highly technical practitioners explaining the business benefits of a security change, tool, or regulation. Frankly, these technical heroes are doing well and holding their own, but as the company and the complexity of its problems grow, this will not last. The business will need a greater concentration of disciplined project management professionals to match the transformation that Security is undergoing. The business needs faster and more accurate translation of security project value and status. Enter the Security PMO. Another major challenge we face is that PMO organizations require executive-level sponsorship in order to be efficient and effective. Given the highly matrixed nature of technology organizations, it is challenging to get resources allocated to corporate cross-organizational projects without visibility of those projects from the executive ranks.

While the concept of the PMO has been around for over 15 years, we are now seeing signs that a Security PMO may become a reality. With DevSecOps becoming more commonplace, there is a significant need for Security PMOs to exist. So far, only small steps have been taken in this direction. Just like the original idea of an IT PMO, it will take some time to become mainstream. For most companies, the security program is devoid of any PMO structure, let alone a budding PMO focused on Security projects.

In 2015, Security projects were still grouped in with IT projects. In 2016, we heard crickets when we brought up the concept of a separate PMO for Security. In 2017, awareness improved, and now in our daily conversations with CISOs and Security Leaders we are finding that Security-focused Project Managers are being sought after and hired at an increasing pace. Perhaps this will be the year we help a company develop the first version of a comprehensive Security PMO.