Recently on the DevSecOops podcast, hosts Tom Walker, James Vincent, and Scott Fletcher brought on a special guest, Natalie Haslam, an industry veteran with 25 years of project management experience within traditional IT, application development, and more recently, cybersecurity.
Natalie reflected on the challenges of delivering cyber projects in the high-speed project delivery world. Despite investment in tech, human behaviour often poses a more significant risk. Culture, communication, and buy-in from people on the ground can make or break a cyber initiative.
As Natalie put it, “Without communication, all the technology in the world is not going to save us.”
Involving operational teams from the very start of any project is key to driving the right outcomes. Natalie, Tom, and Scott all advocated for integrating BAU (business as usual) teams into project delivery, citing that disjointed handovers or sidelining ops can derail outcomes. Managing resources who juggle BAU and projects is complex, requiring relationship management, transparent priorities, and contingency planning.
Interestingly, the discussion turned to what happens when a cyber incident surfaces mid-implementation, a surprisingly common scenario. Such incidents are marked by uncertainty and shifting priorities, and Natalie detailed the need for built-in contingency, fast impact assessments, and agile governance. Unlike traditional projects, cyber demands quick decision cycles and a heightened focus on risk tolerance.
While agile methodologies have become the industry standard, Natalie noted that many companies, especially those with mature financial models (like utilities or OT), still prefer a waterfall approach for budget certainty. But most agree the reality is hybrid, combining the predictability of waterfall with the iterative benefits of agile. The key is to adapt the approach to the organisation’s culture and project needs, not the other way around.
Managing stakeholders is another hard task, whether they are cybersecurity’s ‘opinionated’ voices or conservative OT stakeholders. Natalie’s advice? Lean into empathy. Take the time to truly understand concerns, open an honest dialogue, and where possible engage skeptics as active participants. Turning a critic into an advocate can yield healthier results for both project and organisational culture.
James raised the perennial question: how do we measure value in cyber projects when, even with massive investment, breaches keep occurring? Scott reflected on the asymmetry between attackers and defenders, and the need to test both positive and negative use cases. It’s not enough to deliver to the requirements; organisations must anticipate what happens when controls fail, too. And they do fail.
Natalie provided practical indicators of project health, the red and green flags that PMs face day to day.
Red flags:
Ceremonies or documents for their own sake, overly long business cases, or ‘promise the world’ leadership.

Green flags:
Clearly articulated outcomes, a team that backs each other, and a culture of psychological safety.

The evolution of project management from command and control to servant leadership and collaboration was also noted. Today’s project managers serve as facilitators, helping technical experts do their best work. The consensus was that no matter how advanced the tech, or even if AI eventually takes over, the core of delivery will always be about people, empathy, and communication.
Key Takeaways:
– Involve operational teams early and often
– Prioritise communication and empathy to manage change and stakeholder concerns
– Build realistic timeframes and contingency for the ‘unknown unknowns’
– Test both successful and failure scenarios
– Appreciate and leverage the strengths of each delivery role