A Proven Cybersecurity Plan: Lessons, Insights, and Best Practices
Managing cybersecurity projects requires more than technical expertise. It requires clear goals, team collaboration, and processes that align with the organization's needs.
Over the years, I’ve learned a lot from leading projects, making mistakes, and adapting my approach. Today, I want to share how I manage cybersecurity plans and the framework I’ve developed to help other professionals refine their own processes.
Starting with Clear Objectives and Goals
Every project begins with well-defined objectives and a clear timeline. Without these, the team can lose focus, and stakeholders may struggle to understand what success looks like. As the manager, I make it a point to review the objectives, offer guidance, and brainstorm solutions with my team. These sessions encourage critical thinking and help us identify potential roadblocks early on, which is invaluable for the project’s success.
Empowering Team Members with Ownership
One of the best decisions I’ve made is assigning a project owner for each major task. This isn’t just about delegation; it’s about giving someone the responsibility and independence to lead.
It helps team members grow their leadership skills and ensures a clear point of accountability. I also hold regular one-on-one meetings with team members. These conversations go beyond the project—they’re an opportunity to align on goals, address challenges, and build stronger connections.
Learning from Challenges: A Security System Incident
There’s no better teacher than experience, and one of the biggest lessons I learned came from a security system configuration change. The adjustment was technically sound, but it caused 50 IT support tickets because we didn’t communicate the change to the IT team beforehand. This incident taught me the importance of coordination and transparency when implementing changes that impact other departments.
To address this, I introduced an approval table for all major projects. This table ensures every stakeholder reviews and approves critical steps before moving forward.
I also added a special mark, like a fire symbol 🔥, to flag particularly risky steps. This simple addition highlights areas that require deeper discussions with management or stakeholders, helping us avoid surprises and reduce risk.
Why I Added a Section for Architecture Diagrams
One thing I’ve noticed is how easily confusion can spread when people don’t have a clear visual of the project. That’s why I created a dedicated section for architecture diagrams in all our plans. These diagrams give everyone — whether they’re technical or not — a straightforward overview of how everything fits together. Since making this change, communication has been much smoother, and it’s easier to get everyone aligned.
The CTO’s Insight: A Dedicated Testing Phase
Another major improvement came from a suggestion by my CTO. Initially, we included testing as part of each phase, but he recommended creating a separate dedicated testing phase instead. This required more work, including setting up a second testing tenant with an additional cost, but the results were worth it.
With a standalone testing phase, we could validate the entire project in a controlled environment, catch potential issues early, and share results with stakeholders before full implementation. This not only improved project reliability but also increased stakeholder confidence.
I now consider this step non-negotiable for complex projects, even if it costs a little more.
Staying Organized with Documentation
A solid project needs solid documentation. I use Confluence to centralize all our plans, approvals, and updates. It keeps everything organized and accessible to the team. While Confluence works well for us, any tool that fits your workflow can do the job. The key is having one place where all critical information lives.
My Cybersecurity Plan Framework
After refining my approach over the years, I’ve developed a framework that works well for my team. I want to share it with you in case it helps you improve your own process:
🔥 Special Mark: Use a fire symbol or another visual indicator to highlight risky steps that require detailed discussions.
1. Approval Table
• Include all relevant stakeholders for review and approval.
2. Contractors and External Parties
• Clearly define roles, responsibilities, and access levels.
3. Architecture Diagram
• Add a dedicated section for visualizing the project’s structure and flow.
4. Plan for Securing Access to Corporate Resources
• Detail how corporate resources will be protected throughout the project.
5. Objectives
• Clearly state the project’s goals and intended outcomes.
6. Implementation Time Plan
• Include a timeline with milestones and deadlines.
7. Testing Phase
• Create a separate testing phase with its own tenant and resources.
• Validate all components in a controlled environment before deployment.
8. Phase 1: Conditional Access for Windows Devices
9. Phase 2: Conditional Access for Mac Devices
10. Phase 3: Conditional Access for Non-Managed Devices (Mobile)
11. Phase 4: Future Improvements
• Outline updates or enhancements to be made after the project is live.
12. Notes and Considerations
• Document lessons learned, key decisions, and any recommendations for improvement.
Final Thoughts
Managing cybersecurity projects is about more than getting the technical side right. It’s about fostering communication, building accountability, and creating a framework that supports the team and the organization.
The lessons I’ve learned — from introducing architecture diagrams to implementing a dedicated testing phase — have significantly improved our processes.
This framework can inspire ideas for your own projects. If you choose to use or adapt it, I would love to hear about your experiences.