There is no escaping the need for fundamental project management skills in security. Having a project management framework in place ensures that nothing falls through the cracks. As a security integration technical program manager, one of the most crucial aspects for building security programs is that everyone on the team have a fundamental understanding of project management disciplines. Identifying the similarities between a plan of action and milestones (POAM) and a work breakdown structure (WBS) shows how security and project management often merge.
These are outputs of real and tangible efforts to track the overall work effort. They are also crucial points of quantitative derived metrics and some of the most reliable metrics available for guiding the overall security program effort. The U.S. government requires its contractors to use the POAM, but any project management team should still have these essential processes in place.
Plan of Action and Milestones
There are unfortunately a lot of security professionals without experience working in specific formal frameworks, and because of this, the plan of action and milestones (POAM) can be alien term.
The term plan of action and milestones comes from National Institute of Standards and Technology (NIST) SP800-18, which explains the documentation types that are included in the overall information security plan (ISP).
The two most important parts of the ISP are the roles and responsibility policy and the plan of action and milestones. These are crucial to meeting fundamental best practices, and without them, an organization’s security program will remain suboptimal. So, while occasionally unheard of, security professionals must understand their importance.
The POAM documentation piece tracks a security program’s effort with things like the following:
- Control deficiency/control reference
- Weakness name/weakness description
- Weakness detector source/weakness source identifier
- Asset identifier
- Point of contact
- Implementation resources/operational resources
- Original detection date
- Scheduled completion date
- Planned milestones
- Milestone changes
- Status date
- Original risk rating/adjusted risk rating/risk adjustment
Work Breakdown Structure
On the other hand, a work breakdown structure (WBS) in project management and systems engineering is a deliverable-oriented breakdown of a project into smaller components. It is a key project deliverable that organizes the team's work into manageable sections.
The Project Management Body of Knowledge (PMBOK 5) defines the work breakdown structure as “A hierarchical decomposition of the total scope of work to be carried out by the project team to accomplish the project objectives and create the required deliverables.”
While there are some subtle distinctions between a plan of action and milestones and a work breakdown structure, anyone with a fundamental understanding of project management is going to see the similarities.
What’s the Difference and Why You Need Both
While both the POAM and WBS decompose larger parts of the project into smaller, more manageable pieces, the WBS takes it much further. In healthy and mature security programs, the additional layers of decomposition are usually simple tasks for qualified security professionals.
When it gets down to the individual task level, you want professionals who create their own efficient means to accomplish them. Some security professionals choose to decompose the workload even further and gather metrics on tasks to track their personal efforts – for example, a security analyst tracking that they spend an average of 22.5 hours per week on security information and event management (SIEM)-related controls or 10.5 hours per week on data classification functions. When that happens, your POAM and WBS are basically the same thing.
There are other examples I frequently use, but this one is crucial because it is the second-most important piece of documentation when working on coordinated security efforts next to roles and responsibilities. Therefore, when I put together a security team, I prefer that everyone, whether they’re in a technical role or not, has a fundamental understanding of these project management concepts. I don’t need them to be a project manager, but I do need them to know what a work breakdown schedule is and what it is used for. In today’s workforce, including security and IT operations roles, the likelihood of working in a projectized environment is high. If you are in these technical roles, it is crucial to get your project management fundamentals down.