TY  - JOUR
T1  - Secure by Design: Cybersecurity Extensions to Project Management Maturity Models for Critical Infrastructure Projects
JF  - Technology Innovation Management Review
Y1  - 2015
A1  - Jay Payette
A1  - Esther Anegbe
A1  - Erika Caceres
A1  - Steven Muegge
KW  - C2M2
KW  - capability maturity models
KW  - CERT RMM
KW  - critical infrastructures
KW  - cybersecurity
KW  - NIST
KW  - P3M3
KW  - PjM3
KW  - project management
AB  - Many systems that comprise our critical infrastructures – including electricity, transportation, healthcare, and financial systems – are designed and deployed as information technology (IT) projects using project management practices. IT projects provide a one-time opportunity to securely "design in" cybersecurity to the IT components of critical infrastructures. The project management maturity models used by organizations today to assess the quality and rigour of IT project management practices do not explicitly consider cybersecurity. This article makes three contributions to address this gap. First, it develops the argument that cybersecurity can and should be a concern of IT project managers and assessed in the same way as other project management capabilities. Second, it examines three widely used cybersecurity maturity models – i) the National Institute of Science and Technology (NIST) framework for improving critical infrastructure cybersecurity, ii) the United States Department of Energy’s Cybersecurity Capability Maturity Model (C2M2), and iii) the CERT Resilience Management Model (CERT RMM) from the Carnegie Mellon Software Engineering Institute – to identify six cybersecurity themes that are salient to IT project management. Third, it proposes a set of cybersecurity extensions to PjM3, a widely-deployed project management maturity model. The extensions take the form of a five-level cybersecurity capability perspective that augments the seven standard perspectives of the PjM3 by explicitly assessing project management capabilities that impact the six themes where IT project management and cybersecurity intersect. This article will be relevant to IT project managers, the top management teams of organizations that design and deploy IT systems for critical infrastructures, and managers at organizations that provide and maintain critical infrastructures.
PB  - Talent First Network
CY  - Ottawa
VL  - 5
UR  - http://timreview.ca/article/904
IS  - 6
U1  - Carleton University Jay Payette is a graduate student in the Masters of Design program at Carleton University in Ottawa, Canada, and is the Managing Principal of Payette Consulting. Jay founded Payette Consulting in 2011 to help clients balance the consistent results of repeatable business processes and analytic decision making, with the fuzzy world of creativity. His research has focused on applying design-thinking principles to business model generation, strategy, and project delivery. Prior to founding Payette Consulting, Jay worked for the Canadian consulting practice of Accenture and as an independent IT Project Manager.
U2  - Carleton University Esther Anegbe is a graduate student in the Technology Innovation Management (TIM) program at Carleton University in Ottawa, Canada. She also holds a Bachelor's degree in Computer Engineering from Ladoke Akintola University of Technology in Nigeria. She worked as a Technology Analyst with a leading Investment Management Firm in Lagos, Nigeria (Sankore Global Investments), where she formed part of the technology team that developed, deployed, and provided support for the financial software projects that expanded the market reach of the firm’s stock brokerage and wealth management subsidiaries. She is currently working on a startup (Tech Wits) to provide enterprise solutions and services to startups in their accelerators and incubators.
U3  - Carleton University Erika Caceres is a graduate student in the Technology Innovation Management (TIM) program at Carleton University in Ottawa, Canada. She holds a Bachelor's degree in Technology Information Management from The University of Yucatan, Mexico. She previously worked as an innovation consultant at I+D+i Hub, a leading technology transfer office in Merida, Mexico, where she formed part of the management team to produce innovation projects that were submitted for funding to the government to help accelerate the economy in the south of Mexico. She is currently working on Volunteer Safe, an online startup that pre-screens and licenses volunteers and connects them to volunteer opportunities aligned to their profile.
U4  - Carleton University Steven Muegge is an Assistant Professor at the Sprott School of Business at Carleton University in Ottawa, Canada, where he teaches and leads a research program within Carleton’s Technology Innovation Management (TIM) program. His research, teaching, and community service interests include technology entrepreneurship and commercialization, non-traditional settings for innovation and entrepreneurship (business ecosystems, communities, platforms, and interconnected systems that combine these elements), and business models of technology entrepreneurs (especially in non-traditional settings).
ER  -