Are Project Managers to Blame for Software Security Threats?

Categories: Management Tips, Resource Planning

Software developers and project managers seem to have turned out to be natural enemies. Who hasn’t heard at least one anecdote about project managers’ job description being drawing up charts and asking the programmers how far along they are with their task? And of course wondering if the task that usually takes two weeks to complete could be completed in 2 hours. Software security isn’t an exception. r/Programmerhumor is filled with stories dripping in sarcasm about managers that would ditch security in a second if the project could be finished any sooner by doing so.

My personal favorite is this one where a Reddit user is debating over why developers use https.

[Image: Reddit post about how the S in HTTPS stands for "slow"]

Or maybe this one, where the user is worried about the health of developers and is thus promoting a low sodium diet. Another one is urging them to steer clear of hash browns. I mean, we all know how terrible snacks can be for your health.

[Image: Reddit post about project managers following a low sodium diet]

Unfortunately, being a project manager is the kind of job that always makes you look like the bad guy. Or, if you are really good at your job, no one notices that you are doing anything at all. If you do your job well, you are useless. If you, or the team members in general, make a mistake, you are useless. You simply can’t win.

Many of the situations in which project managers seem to hit the wall sadly stem from a much deeper place than the project manager being bad at their job. It’s the company culture.

Making security a priority

While blaming the project manager for pressuring programmers to take shortcuts when it comes to security might be the easy way of dealing with the problem, it’s far from being the solution. That’s simply because project managers’ actions in the project management environment are rarely a reflection of their own values. While one can argue that’s BS when it comes to management or leadership in general, it holds ground when it comes to security.

Yes, the project manager is the one telling the programmer to go live as soon as possible, but it’s likely they aren’t doing it for personal glory. What’s so glorious about taking the fall when it all goes south anyway?

It’s more likely that the company culture is to blame and the project manager is simply a reflection of what is lacking in the culture.

The project manager is a buffer between the stakeholders and the team. The project manager’s duty is to make sure that everyone gets to do their job with the highest possible efficiency. They have to make sure that the programmer can write code in a way whose outcome satisfies the (internal or external) stakeholders.

While completing the project fast and within the budget might bring the project manager personal gains, overlooking security doesn’t. That’s on the stakeholders.

When software security isn’t a priority for the stakeholders, the project manager has very little wiggle room to make them understand that the task is going to take much longer to complete if all the necessary security procedures are to be implemented.

Again, yes, it can be argued that the stakeholders do not have to be experts who know what developing a secure software application involves. However, it isn’t really the project manager’s job to sell the stakeholders on security. It should be a company-wide policy that cannot be overridden.

To be fair, I do think that change should start somewhere, and when software security isn’t a priority in the organization, maybe a project manager could be the intermediary that connects the concerns of the programmers to the goals of the stakeholders. Nevertheless, implementing such change is a choice, and no single project manager should feel that it’s their sole responsibility.

However, what should be the responsibility of a project manager is making sure that, once the priority is established, the way the resources are planned reflects it.

Planning for security

If the company has made software security a priority but the project manager isn’t planning time for it, there is no excuse for the project manager to barge into the developers’ room to talk about milestones and deadlines when they are the ones who set unrealistic goals.

Chris Eng, the Vice President of Research at Veracode, wrote for TechBeacon:

“For companies to better secure software, however, they need to take two parallel paths: Empower developers to write less buggy code, and incorporate testing and feedback into the software development lifecycle (SDLC).”

The latter is screaming for project managers to step in. Developing secure software takes more time than developing software. Since developing secure software sits in the people-process-technology triangle, there first have to be resources capable of implementing security procedures, and then those resources have to be planned in a way that makes it possible to perform security activities and leaves enough time to fix the bugs.

Security should be a part of every software development phase, and enough time should be planned for it. Quality code doesn’t equal secure code. While the project manager doesn’t have to have the competencies to evaluate whether the code is secure or not, they should make it possible for the experts to do their job.

Security issues should have separate milestones. For testing. For fixing. And for testing again. Those kinds of milestones should be set whenever a new project is taken on. If security isn’t planned, it will become an afterthought because of the time constraints. Not only for the project manager but also for the programmers.

As a mediator, the project manager can prevent such things from happening. If the organization has decided that they won’t go live with code that has not been tested, the project manager has a responsibility to make the client understand why the development should take more time.

As Liisa Past, the Chief Research Officer of the cybersecurity branch of the Estonian Information System Authority, stated in her policy review of Estonian i-elections: no technology is 100% secure 100% of the time. However, without secure development lifecycles planned out by project managers, it isn’t anywhere near 100%.

So. Are project managers to blame for software security threats? No. Software security should never be one person’s responsibility. Thus, project managers should not be blamed for security threats. However, they do seem to play a pretty important role as a gatekeeper.