“Can you tell me the difference among the cybersecurity strategy, cybersecurity program, and cybersecurity project?” This is a popular question asked when you are interviewed for a cybersecurity management position.

Many people, including some executives, are not very clear about the dividing lines between strategy, program, and project. They often mix up these terms in their communication, which inevitably sends confusing messages to other team members.

I find the best way to explain complex concepts is to use an analogy, so that people can quickly relate them to concrete things in daily life and grasp the core ideas. Now, let me try to explain strategy, program, and project as follows:

  • The project is like a container ship. The captain (project manager) needs to work closely with the crew (project members) to deliver the goods (project objectives) on time (project schedule), with no or acceptable damage (project quality). The ship is equipped with limited fuel, food, and water (project resources and cost), so the team has to use them wisely.
  • The program is like a port control tower. It directs hundreds of ships (projects) in and out of the port. The tower controller (program manager) clearly understands the design and capacity of the dock and carefully coordinates with multiple ship captains (project managers) so they work together seamlessly. In case of emergency, the control tower makes the necessary adjustments and escalates the situation to the authority.
  • The strategy is like a shipping company. It wants to make money as a business. Meanwhile, it cares about fleet safety, customer service, company reputation, etc. The company may use multiple ports (programs) and have hundreds of ships (projects) running at a given time.

In a nutshell, the company executives set an overall strategy, then build multiple programs to implement that strategy. A program can be further divided into many projects, each with a specific time, cost, and scope.

Now let’s add the word “Cybersecurity” in front of strategy, program, and project, and we get:

  • Cybersecurity Strategy – part of the cyber risk strategy for a company to run the business securely. It often starts with an understanding of the company’s risk tolerance and current risk posture. The executives then make informed decisions on the overall cybersecurity goals, budgets, and approaches for the next 1 to 5 years.
  • Cybersecurity Program – the way to fulfill the cybersecurity strategy. It often refers to industry frameworks, standards, or best practices, for example the ISO/IEC 27000 family, the NIST Cybersecurity Framework, COBIT, or PCI DSS. Depending on the specific business context, the cybersecurity program can include multiple workstreams such as Security and Risk Management, Security Governance, Security Policy, Asset Management, Identity and Access Management, Security Operations, Application Security, Incident Response, Disaster Recovery, Security Awareness Training, etc.
  • Cybersecurity Project – the work to achieve a specific cybersecurity objective, for example adopting a new IDS/IPS solution, conducting a penetration test of critical systems, or providing awareness training to all corporate employees. The project usually has a defined time, scope, and cost.

Now you should know the difference among cybersecurity strategy, cybersecurity program, and cybersecurity project. A thorough understanding of these concepts will help you not only communicate with others accurately but also build a solid foundation for your whole cybersecurity structure.