The purpose of this paper is to provide for the application of project risk management theory to the case study concerning Flayton Electronics: Boss, I Think Someone Stole Our Customer Data. This will happen in four parts. In the portion of the paper we will look at some the Critical Success Factors of the business; address various factors concerning the project of recovering from the issue; develop some project risk recommendations and identify some of the initial risk categories that I see as present in the case study. Background: Flayton Electronics, a second generation family business, has just been notified that there may have been a data breech associated with credit cards used at their stores. The initial reports indicates at least 1500 accounts may have been compromised although this number appears to be growing quickly as more banks and clearing houses are notified of the possible breech. Flayton is a small, regional electronics business with 32 stores in six (6) states. The case study is happening within 24 hours of first notification of the possible breech.
1. Analyze how the Critical Success Factors (CSFs) apply to the facts of the case study. Provide examples to support your analysis. In order to respond to this first requirement we need to ensure we understand the definition of CSF and the categories at which we will be looking. Hillson and Simon (2012) define CSFs as “a condition that is required to ensure success and whose absence leads to failure” (p.236) and Heldman (2005) defines them as “those elements that must be completed in order for the project to be considered a success.” Based on these definitions the following CSFs and possible metrics for measuring and determining the results of the company’s efforts have been determined. Hillson and Simon have noted four categories into which Critical Success Factors (CSFs) fall: Supportive Organization; Competent People; Appropriate Methods, Tools and Techniques; and Simple, Scalable Process. Examples of these CSFs and a possible metric follow: CSF Category
Buy in from all departments
All departments agree to and sign off on plan
Customer must come first
All required personnel made available
External contractual arrangements made
External support requirements identified and implemented IAW with plan Competent People
Skilled, trained and competent staff
Information Security Director position defined and staffed within 30 days
HR and IT meet staffing goals within 45 days of notice
Current personnel not meeting requirements within 6 months of notice released
Temporary, external resources used as required
Training requirements and policies established
Competent internal/external training resources identified and contracted with within 3 months
Annual training and certification of IT personnel
Appropriate Methods, Tools and Techniques
Secure technology infrastructure
Identify and seal current breech point within 48 hours
Upgrade equipment and software within 12 weeks
External contract resources employed until internal needs are met
Maintain 100% secure gateways
Develop policies and procedures
Establish and implement policy(ies) and procedures within 3 months; update as required.
Clear and concise customer notification policies developed with customers notified in writing and on website
Implement security verification procedures
Conduct scheduled (3) and unscheduled security checks and tests annually (98% pass)
Conduct forensic audit by external team to identify extent, cause and fixes within next 2 weeks
Conduct bi-annual security audit
Ensure 100% compliance with industry standards
Simple, Scalable Process
Project plan developed and implement
IAW PMI processes
IAW ITIL v3 where appropriate
Appropriate resources available and supportive
Completed in small, measurable steps
Results in a secure and operational infrastructure supported by policy actions
Completed in 6 months
Let us look at a couple of these CSFs as they apply to the case study. A. Supportive organization – everyone appears to understand the seriousness of the possible data breech and wants it resolved but are looking at different aspects. Brett, the CEO, wants the store protected, his customers protected and taken care of as they are family to him as noted by the pictures on the wall outside his office. Darrell, the long-time lawyer for the firm, wants to let the banks break the news as that will make it appear as if they are at fault but this data breech may not be an area in which he has great knowledge. He also would like let the Secret Service handle the whole thing and wait till they have finished their investigation which could be months or longer. Laurie, the Loss Prevention Specialist, wants to protect the store but realizes this is out of her realm of expertise.
Sergei, as the CIO, is the most at fault. He admits that they were only 75% PIC compliant; that they had new firewalls – software and hardware – being set-up but they were having trouble with them and that one of the firewalls had been down for an unknown period of time. Sergei has the most to lose – his job and his reputation. Ben, the HR director, has identified possible suspects from personnel who have recently left the business but blindly turning names over to the police could expose the company to more liability claims. Sally, the PR person, is just looking for some direction in which way to proceed. Each of these people want what is best for the company but for different reason. Brett needs to ensure that each person agrees fully with his final decision and they will support it going forward. B. Competent People – The company has fallen short in this area.
Darrell appears to have little experience in this arena. The company may wish to hire outside counsel with expertise in this area to help develop a quick response with which both Brett and Darrell can work. Laurie is outside of her skill area to resolve the breech but she should be able to help support policy development. Sergei is the biggest issue. It appears that he has no policies in place for such a problems; that he is not in control of his personnel; that he hasn’t been informing the CEO of the status of his department nor does he appear to have plans in place to implement full net security. Ben appears to be doing his job but now must focus on quickly finding both temporary and permanent hire personnel to help resolve the issue. Sally needs to more investigate options available and present a short briefing concerning the options and possible results.
Brett, as the CEO, has been relying too much on people doing their jobs and hasn’t spent enough time checking to see if they are. C. Appropriate Methods, Tools and Techniques – The company needs to move quickly, but smartly, in this area. It needs to bring outside contract help to quickly define and establish a secure network. It needs to define supportable and legal policies to define the work environment, jobs skill and training requirements, etc. Between Brett, Darrell, and Sally, with some input from Sergei and Laurie, they need to develop a communication’s policy that looks at responds to incidents such as this. D. Simple, Scalable Process – The company needs to develop an overall project plan to achieve the CSFs defined above. The plan should be built in sections as related to each department and integrated into one plan.
The company may need to bring in an outside PM to manage the overall plan with a project leader to handle to the smaller section plans. Brett must ensure that each department and department head is fully supportive of the plan. Brett himself must be the Champion of the overall plan with the department heads championing their plans. 2. Determine the project benefits, organizational readiness, and risk culture of the company in the case study. A. Some of the benefits associated with a project aligned with the CSFs as they laid out are: a. The company develops a secure and PIC compliant network and internet portal thereby reducing their legal liability for future breeches. b. With a secure network, the company can regain their customer’s trust. c. The entire company is moving forward in the same direction. d. Company personnel gain an understanding that the company will do what is required to remain a viable business.
Company personnel gain an understanding of their job is and that, through training and policy guidance, the company will work towards what is the best for all of them. B. The organizational readiness of the company to meet the CSFs is lagging and very suspect. The IT department does not have the personnel available to handle the required upgrades. This is evident in the inability to establish a functional firewall, in the inability to determine when the firewall was taken down, etc. They also do not appear to be set up to handle project planning and implementation as defined by the Project Management Institute or ITIL process. Between the IT and HR department they have failed to secure the resources required to support company IT functions.
This is also indicated by the CIO lack of awareness. Their legal counsel and PR department are also unprepared for this type of event. However, they should be able to recover more quickly than the other departments. Given the shock that they have had based on this incident and depending on the final direction that the CEO, Brett, decides on, the department heads and at least a couple of the departments should be raring to go as they should feel the need to prove themselves. But overall, at this point, none of them appear ready to move forward in great leaps and bounds. C. The risk culture of the organization, especially the IT department, appears to be bordering on risk denial. As noted by Hillson and Simon (p.17), “Denial results in important risks being ignored, and decisions being made without cognizance of the associated risks.”
This is most evident in the IT department concerning the firewall being down and the other issues associated with the firewall and IT personnel. It also shows in the Darrell’s response to let the banks, as first reporters, bear the brunt of the fallout and in Brett’s not knowing about and supposedly not questioning the state of the IT upgrade effort. Brett’s attitude where the customers are concerned appears to be risk adverse as he wants nothing to affect the company’s relationship with them. So Sergei could bear all of the fallout if the issue is not properly handled with minimal losses to the customers and the company. 3. Develop at least three (3) project risk recommendations based on the analysis from criteria number 1 and 2 of this assignment. In order to resolve the risk associated with this case study as presented in items 1 and 2 above I recommend that the following items be completed. A. An external forensic IT team be brought in to work with the current IT personnel to identify and resolve current IT fail points.
This would help eliminate or greatly reduce current exposure and help identify where the breech occurred. It would also help the company’s IT personnel grow their skill sets and identify to them what skills they need to further develop. The forensic team should also be contracted to develop recommendations for future upgrades to the IT system to include hardware, software, and system policies. It should also be requested that the audit team identify those skill sets needed to support, manage and grow the system. B. To help resolve future risks associated with upgrades to the IT system and associated company policies it is recommended that the company CIO, Loss Prevention Officer and CEO develop a Statement of Work based on the forensic team’s recommendations with associated milestones, acceptance criteria and funding data as determined by the CIO and finance director.
C. An external Program Manager be brought in to manage the IT upgrade with the CIO and CEO as champions. The PM’s charter should also include the task of working with internal team leaders to develop their project planning skills with the idea of them then seeking external skill development and training under the company’s auspices. D. The company to should bring in an external policy development expert to work with department heads to develop policies that reflect the cultural and legal needs of the company. E. Upon completion of the IT upgrade and policy development projects the company should bring in a different audit team to review the system and policies.
This will eliminate any conflict of interest. Following these recommendations should greatly reduce the risk the associated with the CSFs noted above. It will do so by bringing in knowledgeable, external experts with deal with the majority of the issues while starting the training and upgrading of internal personnel’s skills. It should also go a go distance in reassuring the company’s customers that it has their “welfare” as its driving goal and thereby reduce the possibility of lawsuits. However, this will only happen if the company informs its customers of it plans and actions.
4. Identify the initial categories of risk (RBS Level 1 and 2) that you see as being present in the case study using the Example Risk Checklist (Figure A-2, Hillson & Simon text). Organizations use risk breakdown structures (RBSs) in conjunction with work breakdown structures (WBSs) to help management teams identify and eventually analyze risks. … The focus at the beginning should be on risks that can affect the whole project as opposed to a specific section of the project or network. (Larson & Gray, 2012).
Heldman, Kim (2005). Project Manager’s Spotlight on Risk Management. San Francisco, CA: Jossey-Bass: Wiley Hillson, D. and Simon, P. (2012). Practical Project Risk Management: The ATOM Methodology. 2nd ed, Tysons Corner, VA: Management Concepts Press. Larson, E.W. and Gray, C.F. (2012, p. 214). Project Management: The Managerial Process, 5th Ed. McGraw-Hill Learning Solutions. Boston, MA.