
Hello, hi everybody. This is Adele Farhadian, and I'm here to talk to you about project sanity, especially in the security world, and how I've learned to do this, and maybe, hopefully, it becomes something that you would like to do as well. We don't have so much time today together, so I'm just going to jump right into it. So yeah, project sanity check, that's the name of this talk. I just wanted to start by telling you a little bit about myself. Obviously my name is Adele Farhadian, and you probably have seen my bio already in the registration and everything else on the schedules of BSides Vancouver.
But in any case, I'll give you just a little short background. I've been in security for almost 16 years now, in cyber security slash compliance slash governance slash vulnerability assessments, penetration testing, all kinds of stuff. I've had my own company, my own incorporated company, since 2015. It's called Infosec Assured, and I've served many, many clients, mostly public companies and government, and sometimes also smaller private companies. I've also worked with some very unique startups that were just getting their SaaS products out and stuff like that. I have my own MBA, so this talk is also geared towards some business discussions in security. I have a whole bunch of certifications, like CISSP and CCSP and GWEB and CEH, a whole bunch of stuff. And I've got two cats. They're crazy, they're all over the place right now, so they may jump on my lap at any time. I also do some acting. I don't know if you care about it at all or not, but I thought, you know, it makes it a bit personal.

Okay, so this is a silent problem, I think, that a lot of times happens, where the goal or the objective of the actual initiative gets lost in translation, or throughout the time or the lifetime of the project, or it just gets miscommunicated. Sometimes there are a lot of different things in the project that get defined in the very beginning, and then it just loses its meaning sometimes, and it leads to failure of the project. So there are a lot of times that I just find that we need to do some sanity check, and in different phases of the project too. Sometimes I come on board or I get involved in the project very early on, and sometimes I get involved in the implementation phases or even the post-implementation phase, which is about operationalizing the project.

So for me, every time that I just get started in a project, I question everything. I do want to question everything. I just want to understand everything that we have already decided on in this project. I just want to make sure that first of all I understand that, so I can do a proper job in the project, or whatever my role is. Usually my role is the security architect, but sometimes I just cannot even understand why we're doing this. Why are we doing this? Why aren't we doing it some other way, something maybe more efficient, something different? Because a lot of times we don't really talk about the problems we have. We have projects that fail, and miserably.

So based on some statistics I was able to gather from PMI, for example, 31% of projects don't even meet their objectives, 43% exceed their budget, and 49% were just late. So there are different things that would lead into a death, right? But at any time, I think questioning it and being able to still bring some new ideas would be very helpful to these projects, and maybe they will just not fail, or if they fail, it's a good thing that they failed, and then I don't really call it a failure, I call it ceasing while it's still worth it. Failure of IT projects in the US alone usually costs about 50 to 150 billion dollars annually, and that's also by Harvard, so you can tell that this actually does happen.

So the discussion today is about, first of all, identifying what the problem is, and then I will tell you how I deal with it, so hopefully you can use them too, and then how to communicate it, how to bypass all the political issues, right, because of course there is a lot.

So what is the problem? Again, there is a better way to do it. If, for example, it's a PCI project, if we eliminate or make this scope even smaller, it's better, it's a lot less cost, and it's more efficient. But the project already may be in the implementation phase, so I think that, oh yeah, there is another thing that I could do, or we could do about this, and we could make it better, but I don't really want to say anything because it's already in the implementation phase. The requirements have already been gathered, all the stakeholders have signed off on it, we know exactly how we're going to do this, and now we're in implementation, so it's just ridiculous for me to talk about any fresh ideas or something else you could do. So I'm not going to talk about it.

Or I sometimes think, oh no, it's not really my job. Like, I thought the stakeholders and the project manager and budget experts, finance, I don't know, all of those people can actually make this decision, the go/no-go decision, or make the decision of how much budget we need for this. At the very initial phases of the project they've already gathered all that information, and based on some solid information they made some decisions. So that's not really my job now, as a security architect, to go in the project and say, hey, there are other ways, and maybe in the very beginning, if you had made something else a requirement as well, we wouldn't be making this solution our solution. You would have a smarter solution, a more efficient solution. So again, because of that, I'm not speaking up.

Or, a lot of times, and this is what I'm going to talk about in my example here, we already actually bought the gear. So this example is about a company that I worked at. It was a government company, and we wanted to design and implement an unmanned, unsupervised credit card processing solution. There were a lot of other reasons why, and the team and the security architect before me had already come up with solution A, and solution A had a whole lot of PCI costs, obviously. So when I came in, I started asking a lot of questions, because again, I just wanted to do the proper job, right? So I asked a lot of questions, and I realized that we don't have enough reason to actually start credit card processing, and also we don't have enough reason to make all this cost for the company. So why are we doing this, right? Why are we doing this?

So I went back all the way to the actual requirements we had gathered and tried to understand, okay, where is a good requirement for this? Show me, I need evidence to see that there is an actual requirement for credit card processing, and an unmanned credit card processing. But I couldn't find anything. So that was the problem for me. It was a huge problem, because of course I couldn't be true to the solution I was implementing, although it was designed by other architects before me. I didn't feel that I was doing my due diligence for the company. I didn't feel that I was being truthful to the company, to the benefit I can bring to the company. So I decided I wanted to dig in a little bit more.

To that end, I thought, okay, you know what, I have to go and really gather some information, some real, concrete facts, to make sure I'm actually right and this is not just a hunch. So I went back to the history of the project, and mind you, this project was a two-and-a-half-year-old project. It had a lot of problems in the course of the lifetime of the project, and because of that there were many different security architects that came and went during the lifetime of this project. So I went all the way back to the original requirements, and then I figured out how these requirements changed over time. Then I figured out how the design changed over time, and how even PCI requirements, PCI rules, changed on us a little bit over time. As I put all of this together, I realized that yes, this isn't a hunch, this is for real. There is no real reason behind this.
So then I started thinking business. I started thinking, okay, give me some numbers, give me some concrete numbers. What were we doing before this? Okay, we were processing cash, and because of that we were losing some money, because a lot of times you would just let the customer get the product they needed, and then, because of the credit they had with us, we would charge them later. Sometimes this was just not happening. A lot of times the charge later on wouldn't go through, so we were losing some money. But nowhere in our requirement gathering did we ever say how much money we were losing.

So I decided, okay, I'm going to dig even deeper. This was just a swag shop, let's call it that. So I said, okay, this is not our real business, this is our swag shop. We are making good money elsewhere with our real business model, but this is just a tiny bit of revenue. So I asked, how much revenue are we making? Well, it's only about 80 grand a year. Okay, and this is a billion-dollar company. 80 grand a year. I said, okay, and what is the cost of what we were doing originally, the cash payments and later charges or checks and whatever? I said, okay, what is the cost of processing this today? And what I realized was mind-boggling. There was this lady who worked at a particular site. That lady was an employee of the company, a 60-grand-a-year employee; that was her salary, 60 grand a year. Out of her five days a week, 40 hours a week, she had to spend 10 hours a week to be able to process cash, and that was it.

And let's say, I was just going to say that, okay, our revenue is eighty thousand dollars. I'm going to say, and that's just an overestimated guess, I'm going to say 20,000 is what we are losing in revenue because the cash gets lost, or whatever, or you can't charge them later on, the charges later on don't go through. So okay, let's say we are losing 20 grand, meaning that our company could make 100 grand out of this a year, but now we're making 80 instead. And the real benefit we're getting from this swag shop is not the money. The real benefit we're getting from this swag shop is making a fun fan club, or, you know, we are making a community, and we want to get more contributions from our fans and from our customers.

Okay, so I'm thinking money, business, and that's when I did my sanity check, and I thought this really doesn't make any sense. And I do see a whole bunch of people have signed off on this, and they're all very, very senior. It actually went all the way to a few of the chiefs of the company, but still it didn't make any sense, and that, in my mind, was because some of these numbers that I dug up by myself were not originally discussed.

So when I started communicating it, I started socializing it with some of my really good peers that understand business. They have a business mindset, they know when to pull the plug and say, no, this doesn't make sense, and we should just stop and absorb all the costs we had so far and just not move forward with this anymore, right? So I started socializing it, I got their ideas, and then I kept telling a whole bunch of people. I made some really good connections for this. I went from my connection to their connection to their connection within the corporate environment. For example, I didn't know a lot of people in finance; they put me in touch with some finance people. We talked through this, we talked through the budget, and I explained to them the whole situation, and they could understand. They backed it up. They even told me what other details I may need to look at before I start actually communicating it to my own chief that I was reporting to, and make it a report, a real report.

So what I did at the end was I made a PowerPoint two-pager, kept it very, very short, and just explained what this project is, because a lot of times the senior management may just not know. I said what the project is all about, what's the current state, and what are the problems I see today. No name calling, no nothing, you're not judging anything. What are the problems I see today, why do I think that's a problem, right, and now how do I think we can fix this? And I gave them a few options. Option one was cease and go back to cash; I mean, that was the best. Option two was to have a hybrid situation instead of a completely unmanned solution without supervision. I told them that even if you hire supervisors to supervise this shop on an ongoing basis, it's still going to cost you this much, and so this would still make sense, but the cost, the compliance cost, of that unmanned solution was so high that it didn't make any sense. It would be much better to have somebody supervising this solution and then at least have a simpler solution because of that. So I gave some options, pros and cons of the options, and again, the right content for the right audience: numbers, numbers, numbers, money, money, money. The higher up you go, the higher up you talk to, the more money you have to talk, and it has to be a money discussion.

So what they decided to do at the end was to cease the project and go back to cash, cash processing. And I have to tell you that although it was tough, I got really good feedback, even from people who originally gathered all the requirements and originally made some comments and made the design. I'm talking about people who didn't pick this up before me, right? But everybody was happy at the end that there's a better solution for this now.
And so the conclusion is: stay business focused at all times, regardless of what your role is, and always think business, because we are here to enable the business and make sure business moves forward and makes money in a secure manner. That's all we're doing. Trust the decision makers. If they say yes to your presentation at the end, be happy, but if they say no, still, it is their decision. So try to be a team player, trust them, and move forward. Don't get stuck and say, no, no, this is wrong, I can't even do this, I can't even do this, blah blah, wow, this doesn't make sense, because at the end of the day you have to do your due diligence, but it's their decision to make. It's their risk to take. But what you can do in that case is keep an eye out for any opportunities in the future where you can bring this up again and say, hey, I still think this is the case, and things may have changed by then.

So that was the presentation of the day. We're going to do some live Q&A right now, and you have my contact information on the screen as well. I'll see you in a little bit, and I'm very happy to be here, very, very happy. Thanks so much, I appreciate that.