Securing project management organisations in giga-projects
Executive Summary
Mega- and giga-projects typically require the creation of integrated project management organisations combining project owners, tier one suppliers, and other stakeholders.
These organisations are temporary, unique to each project, and have highly specific security requirements that must be addressed to ensure the security of the project.
Securing project management organisations requires a flexible and adaptive approach that can rapidly scale as project management organisations are formed and grow.
Large-scale projects present unique management and security challenges. Typical mega-projects include transport infrastructure, urban developments, and major sporting events. These projects are challenging to deliver successfully, face elevated security threats, and have inherent vulnerabilities emerging from their scale and complexity.
Project delivery involves capabilities and processes that are distinct from those required for the ongoing management and operation of the project deliverable. Until the 1990s, mega-projects (projects valued at over USD1Bn) were consistently delivered over budget, late, and under expectations. It took the development of new project management and delivery techniques to successfully deliver projects on that scale.
These best practices and lessons learned are now being applied to a set of unprecedented ‘giga’-scale projects (valued over USD100Bn). Learning how to secure projects at this scale will require collaboration, information exchange, and continuous improvement. In that spirit, this brief provides high-level guidance on the management of security for large-scale projects.
Best practices for large-scale project delivery
Best practices for the management of mega-projects were developed in the 1990s and 2000s, drawing on the experience of successful projects such as Heathrow Terminal 5 and Crossrail in the UK. These best practices are now being applied to giga-projects, where they will very likely require further adaptation and refinement. These best practices dictate the shape and activities of project management organisations, with implications for their security requirements.
Risk held by project owner:
Best practice is for the project owner to hold risk, while working collaboratively with suppliers in an integrated project management organisation.
Creation of an integrated project management organisation:
Best practice is to form an integrated project management organisation, bringing together the project owner(s) with tier one suppliers and other stakeholders.
Use of a project gateway process:
Best practice is to manage projects through a series of gateways (checkpoints, milestones) where the project requires approval to move forward.
Project management organisation security
Project management organisations for large-scale projects face significant threats and carry risk for project owners, stakeholders and suppliers, and national authorities. These teams are necessarily temporary; internal structures and governance processes have to be developed ‘on the fly’ as the project is progressing.
While temporary, project management organisations may nonetheless exist for years, with large, complex supply chains to meet their own delivery requirements. On very large-scale projects, the project management organisation itself will be larger and more complex than many companies.
Securing these organisations requires the development of a flexible security wrapper for large teams bringing together people from multiple organisations.
Project security strategy:
The project management organisation should develop a project security strategy.
The project security strategy will be distinct from the security strategy for the project deliverable when it is operational.
This strategy should set out:
How the critical project information and assets will be identified.
How the project management organisation itself will be secured.
How the project will be secured while in development.
How the security handoff from the project management organisation to the operator is envisaged.
Project teams should use provisional security policies and processes in the interim before a complete project security strategy is developed.
The project management organisation security strategy should be aligned with the project gateway process.
The project security requirements will differ by project stage, reflecting changes in the project status and risk assessment.
Project security should be among the requirements for gate approval.
Security challenges
Project management organisations should adopt a protective security approach to project security, encompassing the full range of threat vectors (including physical, information, cyber, personnel) in a holistic manner. Managing different threat vectors in isolation risks the creation of duplication and silos within the project management organisation.
Generic guidance and frameworks must be tailored to the specific requirements of the project and the project management organisation. These requirements emerge from the idiosyncratic security challenges that project management organisations face. These include:
Physical security:
Project management organisations will often lack permanent working facilities of their own at the beginning of a project, creating dependence on borrowed or newly acquired working spaces.
The project management organisation will similarly need to develop secure working facilities, as well as appropriate security zoning to ensure the protection of critical information and assets.
Due to their scale, prominence, and physical dispersion, large-scale projects can present attractive targets for political violence and kinetic threats.
Access control and perimeter security can be technically challenging and resource-intensive endeavours for large-scale projects involving large numbers of workers and just-in-time supply chains.
Information security:
Project owners will attach a high level of sensitivity to information related to the development of projects that are likely to be prominent endeavours.
Projects will immediately begin producing sensitive information, underlining the importance of adopting provisional information security policies and processes.
Information classification and handling policies and processes must balance multiple, potentially conflicting requirements from external partners and stakeholders.
This complexity needs to be managed without inappropriately limiting information sharing to the detriment of project delivery.
Cyber security:
The creation of a project management organisation will involve establishing, potentially from scratch, digital estate on a scale equivalent to large companies.
By the nature of its work, the project management organisation will necessarily need to interface with the systems of multiple stakeholders, suppliers, consultants, etc.
The number of interconnected technology systems and devices in large-scale projects creates numerous cyber security vulnerabilities, offering threat actors multiple opportunities for exploitation.
The scale and visibility of mega- and giga-projects make them attractive targets for cyber threat actors.
The dependence of modern construction projects on the use of building information modelling and digital twins creates a critical dependency on these digital models.
Personnel security:
Integration of personnel from different organisations with different security policies and processes presents challenges.
Personnel vetting can be difficult in integrated teams, particularly where team members are from different countries and cultures.
Personnel often require temporary access to sensitive information, posing challenges for project management organisations in regulating and securing this access while maintaining operational efficiency.
Project management organisation personnel will have high levels of access to sensitive information, making them attractive targets for multiple threat actors.
The intent of the project management organisation is to change employee incentives and interests (‘leaving your companies at the door’) but this brings risks.
Projects will often involve large numbers of temporary workers and consultants, which can test insider threat mitigation processes.
Project security best practices
Project management organisations face a diverse range of risks across multiple threat vectors throughout the lifecycles of large-scale projects. Traditional, siloed security approaches have proved ineffective, as threats increasingly intersect, compounding risks and amplifying their impacts on projects.
Adopting a holistic set of best practices for protective security for large-scale projects can more effectively mitigate threats. Some best practices include:
Integrate protective security assessment into project gateways:
Protective security reassessments should be embedded into project gateways, evaluating the security of the project holistically across the full threat spectrum.
As threat and risk landscapes continuously evolve, regularly reassessing the likelihood and impact of project risks is critical.
This approach integrates a cohesive and proactive security posture into the core decision-making process, enhancing the project’s overall resilience and adaptability at the strategic level.
Ensure strategic alignment on security strategy:
There should be regular meetings between protective security stakeholders and project directors to ensure strategic alignment.
This promotes a continuous alignment of security efforts with the evolving needs of the project on the strategic level.
This drives increased collaboration across security teams, timely risk identification and response, and a holistic security overview throughout the project lifecycle.
Conclusion
Sourcing and retaining the select few individuals globally with the skills and experience for successful delivery of mega- and giga-projects is a challenge. Security is one of these critical specialisations.
Analysis of successful projects has emphasised the importance of balancing expertise, collaboration, and a positive working culture, where protective security is effectively interwoven at every level.
There is a clear need for continuous improvement. Instead of treating protective security for large-scale projects as a ‘blank sheet of paper’ for each venture, best practices must be developed through practical experience and real-world application. Lessons learned from each project should be integrated into a standardised and comprehensive approach.
However, this does not mean that one project’s security approach can simply be transplanted to another. Effective protective security approaches must be agile and flexible to the unique context of each project, while simultaneously capturing and deploying successful innovations.
SECURED is an NPSA-approved research body specialising in providing security assessments for research institutions, businesses, and investors. We have consulted on the development of mega- and giga-scale projects, providing expert guidance and advice on the development of holistic protective security programmes.
SECURED is part of Tyburn St Raphael, a boutique security consultancy.
If you have any questions or would like to get in touch, please contact hello@secured-research.com.