Accounting for Security in Website Projects

Many know very little about me or my past and what I used to do; most just know me for my time in security. There was a time, though, that I spent as Project / Program Manager for a couple of different organizations. I even dabbled in a WordPress-centric design / development shop called CubicTwo in early 2010.

The scale of the projects and programs I was involved in ranged from $50,000 to over $6,000,000 (multiple at any given time) and varied in complexity (these weren’t simple websites, they were enterprise-level systems). While different in size and scale, they did hold similarities to what most website projects today look like, just at a very different level. I fortunately had the luxury that my stakeholders didn’t require any education on the importance of security; because they were municipalities or government entities, the security discussion was a lot easier.

This, however, is not the case for everyday website projects, and it is worth taking some time to discuss.

The Importance of Maintenance/Sustainability

The biggest difference between the projects I used to work on and the type of projects most work on today comes down to audience. Frankly put, I don’t envy many of you.

You likely work with very challenging clients (stakeholders). They don’t know what they want and have no appreciation for value, but they know they want everything they see on another website. They all have a cousin, sibling or friend who could do it cheaper and faster. There are also unrealistic expectations they set, both in their minds and in their understanding of technology. This, coupled with the inefficiencies that plague the domain, is a recipe for disaster.

In my time working with development/design shops, I have noticed a few chronic issues:

  1. Lack of understanding of project management.
  2. Lack of awareness of your own value.
  3. Improper management of expectations.
  4. Poor project communication.
  5. Failing to establish project requirements and a cycle for change.
  6. Not planning for what comes after project completion.

I place special emphasis on what happens after project completion, because what makes a project a project is that it has a start and an end. So what happens after the end? The answer should be the next phase, the next project.

I often categorize this phase as the maintenance and sustainment phase. Many don’t realize it, but it’s a critical phase of your project and a project in itself. Some of the biggest deals I was able to negotiate in the past came from this phase of the project. Some of the advantages of this phase include:

  1. Continued engagement with the client.
  2. Showing value to the client.
  3. Opportunity to identify new requirements.
  4. Cementing yourself as a needed asset to the business.
  5. Creating residual, recurring, income.

The Maintenance and Sustainment Strategy

The biggest mistake I have seen, and made myself, when engaging clients is poorly setting expectations and improper communication. What I learned early on was the value of clearly delineating between what will happen now and what will happen later, with special attention to what will happen later. Attention should not be confused with emphasis or priority.

Too often we find ourselves eager to account for everything immediately: “The more we do now, the more they will value our work.” But this mindset is incorrect. It begins to degrade your effectiveness and, more importantly, your value to the client.

1. Introduce the idea of Maintenance / Sustainment Early

By the time I got to the end of my project management days I found myself starting most of my engagements with something along the lines of…

Ok, Phase I of this project will have us building out X solution, which will satisfy any number of Y requirements and from there we’ll move into Phase II which will account for A, B and C.

What I learned was that the earlier I set the tone, the easier it was for the team (by team I mean my team and the client’s). The completion of the project was actually the wrong time to introduce the idea of a Phase II; by then it was too late.

2. Emphasize the Importance of Security

This is one of those things that helps emphasize the importance of a next phase. Unlike the clients I used to have, the clients most of you have are those shops that have no appreciation for the complexities of technology, outside of its immediate value in getting their content out and / or generating income.

It’s the age we live in.

Most clients will understand and appreciate that security should be a concern, but they are unlikely to act on it. Be sure to ask the following questions:

  1. What happens if you get hacked?
  2. What controls are you putting in place to avoid getting hacked?
  3. What happens in the event of a catastrophic failure?
  4. What happens if you get blacklisted and clients can no longer access your website?
  5. Who do you go to in the event of a security event?

These questions are designed to encourage your clients to think beyond the immediate state of things. This is where it’s important to educate the clients.

Some of the obvious responses will include:

  1. Well you built it, it’s secure, right?
  2. Can’t I just come to you as the developer of the site?
  3. You’re responsible, you built the site!
  4. My host will take care of it.
  5. I will take care of it myself.

In these situations, I recommend clearly stipulating in your contract what will and will not be covered if you offer any kind of warranty with your work. Clearly state that in the event of a compromise or similar incident, you are not liable and will not provide additional support without a sustainment contract.

Your client has every right to take matters into their own hands, but you have a responsibility to 1) define your role and responsibilities and 2) clearly set your client’s expectations on what happens next.

You will find though that with a little discussion, you can often lead your client down the right path.

3. Clearly Outline What This Phase Means

I recently gave a talk on website security and was asked, “What if the client has the right to install their own plugins / themes?”

My response was very clear and concise, “Then you’re failing your client as you are not really doing them any justice.” This likely came off a bit curt, but it was the reality of the situation. Sometimes there is no real easy way to say things.

If you are responsible for administering and sustaining their website, then do just that. One of the biggest challenges we face in website security is poor administration; if we did a better job of that, we would make a much bigger impact on online threats. This is especially true if your sustainment / maintenance contract includes a security component.

You can’t provide security if you are not really administering the website.

With every website, someone has a role; define what those roles are and stick to them. Your client wants an online presence: they want to be able to put content out, gain followers, or run an ecommerce site. Great, remind them of that.

If they don’t want to follow the rules, wish them luck and move on. Don’t be afraid to fire a client if it doesn’t fit.
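One way to make that role split enforceable on a WordPress site, as an added example that is not part of the original post: a must-use plugin that denies plugin and theme installation, update, deletion and editing through the dashboard to everyone except an assumed maintainer account (the login `site_maintainer` is a placeholder), so the client keeps publishing content while code changes stay with whoever holds the sustainment contract.

```php
<?php
/**
 * Plugin Name: Maintainer-only plugin/theme changes
 * Description: Added example, not from the original post. Drop this file into
 * wp-content/mu-plugins/ so it loads automatically and cannot be deactivated
 * from the dashboard. The login "site_maintainer" is an assumed placeholder.
 */

// Account(s) allowed to install, update, delete or edit plugins and themes.
const MAINTAINER_LOGINS = ['site_maintainer'];

// Capabilities that change code on disk. Content capabilities are untouched,
// so the client can still write posts, upload media and manage their pages.
const MAINTAINER_ONLY_CAPS = [
    'install_plugins', 'upload_plugins', 'update_plugins', 'delete_plugins', 'edit_plugins',
    'install_themes',  'upload_themes',  'update_themes',  'delete_themes',  'edit_themes',
    'update_core',
];

/**
 * Deny a restricted capability to anyone who is not a named maintainer.
 * Returning ['do_not_allow'] from the map_meta_cap filter makes
 * current_user_can() fail for that capability, which in turn hides the
 * matching dashboard menus and blocks the underlying admin actions.
 */
add_filter('map_meta_cap', function ($caps, $cap, $user_id) {
    if (!in_array($cap, MAINTAINER_ONLY_CAPS, true)) {
        return $caps;
    }
    // A user id of 0 (not logged in) yields false here and is denied.
    $user = get_userdata((int) $user_id);
    if ($user && in_array($user->user_login, MAINTAINER_LOGINS, true)) {
        return $caps;
    }
    return ['do_not_allow'];
}, 10, 3);
```

If nobody, maintainer included, should change files through the dashboard, the simpler alternative is `define('DISALLOW_FILE_MODS', true);` in wp-config.php and deploying plugins and themes through a controlled process instead.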

4. Establish the right Value

Whether or not you leverage a third-party vendor to support the various administrative aspects of the site, figure out if you want to offer a monthly or recurring setup. Don’t make the mistake of thinking that cheapest is always the right approach or that you have to do it yourself.

Regardless of the platform you’re on, there are various resources and products at your disposal designed to help you with your various tasks: things to help you stay current, perform backups, administer users and apply good security protocols.

Don’t forget your time as well; just because you leverage tools to help you in the process doesn’t mean your time isn’t worth something. Calculate a rough estimate based on the tools and time frame of the engagement and try to forecast your efforts. I guarantee the estimates will be wrong, so build in an appropriate margin.

When it’s done, make sure you leave qualifiers in the agreement that address circumstances that will require additional support.

Examples might include:

  1. New feature requests – the biggest mistake we make is thinking that sustainment means ongoing development support.
  2. Development required to account for conflicts between technologies – in other words, assume you use a platform like WordPress and the latest release requires certain things to be refactored. This is not part of the fixed fees you’ve negotiated; make that clear.
  3. Events outside of your control – say a catastrophic event of some sort, whether environmental or not. Say the client deletes all the backups and the site for some unforeseen reason; they just right-clicked and deleted. These are circumstances that no one could account for and would likely require a lot more time and energy than ever anticipated, so be clear about that.

The sustainment / maintenance phase is not designed to be a phase in which all your value is undercut; instead, it’s meant to maintain continued operations.

It all comes down to clear expectations and communication, so start the discussion today.
