
I recently spent time thinking about a software development project I’m managing that had me a bit puzzled. This is the first time in my long experience in project management where there is absolutely no pushback from anyone in the business regarding the project. No one is questioning the reasons to do it, the scope, or the approach. The organization is clearly aligned and committed to getting the project done.

I’ve managed software projects for multiple Fortune 500 companies, with 8-figure budgets and project teams of 100-plus members. In every project there has invariably been an individual or group that was either passively or actively opposed to the project. That is not the case in this project, so what is different?

I reviewed the “Top ten reasons why projects fail” lists to see if there were any clues as to why this project is so different. I had not looked at any of these lists for some time, and found it interesting how many different variations there are. The top two on my personal list are having a clear and well-defined business case, and the importance of executive sponsorship for the project. My most difficult projects have been those where the business case was ill-defined and where executive sponsorship was missing. Most troublesome have been projects where the executive sponsor has changed, or where C-level executives who are major stakeholders have changed. In these situations the business case is often questioned by the new leadership and executive support can disappear. When executive support wavers, passive resistance can turn active quickly.

Below is just one of the top ten lists I came across in my review, and number 1 and number 9 in this list match my personal top two.

The current project, which breaks the mold in that no one opposes it, has a business case and executive support, much like the majority of the other projects I’ve managed. Even with these in place, all the other projects still had a level of resistance.

So why is everyone across this business on board and actively supportive?

The conclusion I’ve reached is that it must be the “pain factor” that has everyone aligned. The system that is currently in place is very old and lacking in functionality. Business processes are very manual, error-prone, and labor-intensive. The pain in using the current system is constant and widespread across the organization. The entire organization is supporting the project that will ultimately make the pain go away.

My personal list of things that impact the likelihood of project success or failure now has a third major consideration: the pain factor. The higher the pain factor and the broader it is across the organization, the more likely the organization is to rally behind the project that will make it all better. Conversely, a project that is not going to impact the organization by relieving a painful situation may not have as high a likelihood of success, even if there is a strong business case. When the pain factor is low, all the factors on the top 10 lists become more important.

Successful projects don’t just happen. They require attention to all the factors that can cause projects to fail or not deliver a quality solution to the business. Archetype SC can work with you to identify your top ten risks and the strengths of your organization that will mitigate these risks and ensure success in your project delivery.

WHY PROJECTS FAIL – TOP 10 REASONS

Excellent Project Management post by Tom Tsongas.  January 13, 2014.

  1. Lack of a Project Charter
     • The Project Charter is essentially the ‘what’ portion of the criteria of the project. It dictates exactly what is being built, created or enacted and explains in high level terms the various justification and initial scope for the project.
  2. Lack of User Involvement
  3. Poorly Defined Requirements (Poor Scope Definition)
  4. Scope Creep
  5. Inadequate (or non-existent) Testing
  6. Lack of Resources
  7. Use of New or Unfamiliar Tools
  8. Political Infighting
     • It exists in companies as well as governments. Functional managers and executives with their own vested interest in specific aspects of the business can often come to blows over new or existing projects.
  1. Poor Project Management

Every security professional will tell you the importance of creating unique, long, and strong credentials for all of the accounts you have, but that can be a daunting task considering how many accounts most of us have today. While all of humanity waits for something better (i.e., biometrics), the username and password are here to stay and we need to embrace their existence. LastPass is a password manager that has some useful features, and while it is not the only password manager on the market, it is the one I use and have used for over 5 years for personal use.

LastPass’s offerings include a free version, which is full-featured with the exception of mobile devices; a premium version, which allows access to your “vault” from your mobile device and adds other mobile features for $12 yearly; and an enterprise option, which adds SSO to web applications and other enterprise password management features at a cost starting at $24 yearly per user. I am a premium user and can honestly say that it is something I use every day and encourage others to use as well.

LastPass for your browser comes packaged as an extension and works with all of the major browsers. Once installed, it will automatically recognize pages with logins and either suggest that it save that site for future logins or fill in credentials you have in your vault. More importantly, though, it can create a unique password for that site and save it for you. The next time you visit that site you need only put in your LastPass master password and it will automatically log you in using the unique password it created, without the need to remember it. When a website is breached and credentials are taken, the first thing criminals will do with that information is try to correlate the stolen credentials with other, more important sites like your bank or email accounts. Using a unique password for every site is the easiest way you can protect yourself from being hacked.

LastPass mobile brings your vault to your phone or tablet and comes with other mobile features as well. One of the things I have been pleased with over the five years I’ve used it is its updates. The developers are always adding new and useful features, making the $12 yearly investment seem worthwhile. Again, it is cross-platform with all major phone operating systems and comes as an app. The app is multi-functional: it gives you access to your vault, allowing for copy and paste into other browsers, but it also comes with its own secure browser. If you need to check your accounts you simply open the app, put in your master password, and you are free to securely move from account to account without having to put in any credentials. It will fill in your unique passwords automatically, making it a huge time saver, especially on a touchscreen.

There are dozens of other features bundled with the product, including secure storage of notes, form fill profiles and many more that make it a great addition to your online life, but one of the coolest is its security check. LastPass will audit your vault and perform several activities. It will check your email addresses against known breaches to make sure your accounts have not been compromised. It also checks for duplicate, old, weak, and compromised passwords and suggests remediation activities. All of this information is compiled and you are given a score to compare your security posture against other LastPass users. Just released is the option of a one-click password change, allowing you to tell LastPass to change passwords for multiple sites and it will do it for you.
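The kind of audit described above can be sketched in a few lines. This is an added example, not LastPass code: the vault entries are constructed, and the thresholds (`MIN_BITS`, `MAX_AGE_DAYS`), the entropy estimate and the score formula are assumptions chosen for illustration. The breach lookup is left out because it needs an external data source.

```python
import math
import string
from collections import defaultdict
from datetime import date

# Constructed sample vault: (site, username, password, last_changed). Not real data.
VAULT = [
    ("bank.example", "alice", "T7#qLm2!vRx9pZw4", date(2015, 3, 1)),
    ("mail.example", "alice", "summer2014", date(2014, 6, 10)),
    ("forum.example", "alice", "summer2014", date(2012, 1, 5)),
    ("shop.example", "alice", "k9$Fw0!eYb3@Nq7u", date(2011, 8, 20)),
]
MIN_BITS = 60        # assumed threshold below which a password counts as weak
MAX_AGE_DAYS = 365   # assumed threshold above which a password counts as old
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def estimate_bits(password):
    """Upper bound on entropy: length * log2(size of the character classes used).
    Real entropy of a human-chosen password is lower than this figure."""
    pool = sum(len(cs) for cs in CLASSES if any(c in cs for c in password))
    return len(password) * math.log2(pool) if pool else 0.0

def audit(vault, today):
    """Return {site: [findings]} covering duplicate, weak and old passwords."""
    sites_by_password = defaultdict(list)
    for site, _user, password, _changed in vault:
        sites_by_password[password].append(site)
    findings = {}
    for site, _user, password, changed in vault:
        issues = []
        if len(sites_by_password[password]) > 1:
            issues.append("duplicate")   # one breach exposes every site sharing it
        if estimate_bits(password) < MIN_BITS:
            issues.append("weak")
        if (today - changed).days > MAX_AGE_DAYS:
            issues.append("old")
        findings[site] = issues
    return findings

def score(findings):
    """Percentage of entries with no findings (constructed metric)."""
    clean = sum(1 for issues in findings.values() if not issues)
    return round(100 * clean / len(findings))

if __name__ == "__main__":
    result = audit(VAULT, today=date(2015, 6, 1))
    for site, issues in result.items():
        print(f"{site:15} {', '.join(issues) or 'ok'}")
    print("score:", score(result))
```
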

In closing, everyone has usernames and passwords that need to be used daily, and keeping them unique and strong is almost impossible without a system. Too often the “system” is a post-it note stuck to a computer monitor or using the same credentials for multiple sites. LastPass uses local-only decryption and the key never leaves the device, meaning that if their systems were breached your information would not be compromised. The vault is stored on their servers using AES 256-bit encryption and it is routinely increased to keep everything secure.

Check out www.lastpass.com for the latest information.

The Cybersecurity Information Sharing Act of 2015 (CISA) is a law currently circulating through Congress in draft form. In a nutshell, it is supposed to allow the sharing of threat indicators both to and from the federal government and private entities and corporations. The bill has been met with opposition, primarily from the ACLU (American Civil Liberties Union) and the EFF (Electronic Frontier Foundation).

The main concern is of course consumer privacy. The bill in its current form provides a blanket authorization for companies to monitor the internet activity of all of their users. That in itself doesn’t seem so bad since companies already have that authority. However, another provision in the bill requires the instantaneous sharing of that information with military and intelligence agencies like the NSA.

Is CISA starting to sound like a “cyber-surveillance” bill yet?

The bill does not require the sanitization of Personally Identifiable Information (PII) prior to transmission to government agencies. CISA also does not limit sharing to cybersecurity information; it extends to a wider range of offenses, including crimes involving any level of physical force without that force causing bodily injury or death. One additional provision permits companies to take action against users (even innocent ones) without regard to the potential harm that could be caused.

The icing on the cake is that the bill also grants corporations immunity from potential lawsuits, further increasing the likelihood that the provisions in the bill will be acted on.

The Center for Democracy & Technology has written a letter to the Senate Select Committee on Intelligence outlining the objections of civil society organizations, security experts and academics and it can be viewed here: https://cdt.org/insight/letter-to-senate-select-cmte-on-cisa/

I am all for information sharing in the modern age that allows for the protection of consumer interests. However, how much of our rights to privacy should we throw away in order to “feel” safe?
