Security Compliance PMO

Alf Raju

March 5, 2023

Introduction to Security Compliance PMO

Although IT projects generally affect a portion of an organization using a new service or tools, security projects affect everyone, including partners. The shift in the C-Suite to include a Chief Information Security Officer (CISO) has become a meaningful change, and the emergence and even commonplace of DevSecOps are leading a further change.

As a result, Security Compliance PMOs are becoming a reality and will be a fundamental part of achieving successful outcomes.

PMOs have been around since the 90s. In general, they do not focus on security projects in most companies. While companies may have security talent and resources, it is pretty rare that they also have all the management skills necessary. Thus the security program is left void of the necessary PMO structure.

Today’s Cybersecurity State

Organizations face increasing cyber risk today by working from home, using potentially unsecured devices, or using out-of-date virus protection. The onset of public cloud capabilities has led to vendors creating new channels and ways of protecting data, followed swiftly by businesses sponsoring many new projects. There are also many security options between new tools and services adoption in an ever-changing landscape of expanding technology platforms.

These new security solutions and policies can and will make a massive impact on businesses, yet these are often solutions that very few people understand and can explain. Quite often, highly technical practitioners fail to explain the business benefits of a security change, tool, or regulation.

Like any other business transformation, security transformation requires a disciplined project management approach to realize the expected benefits across an organization. Today’s business needs to visualize the value delivered by these security projects and or programs.

6 Aspects of a Cyber-Resilient Organization

How to address Security and Compliance

Security and compliance are linked because assets, infrastructure, and data are not located in a single on-premise data center. The organization model relies on different technical teams to work together. It is relevant in the business setting because collaboration between technical teams allows for the following:

  • Accurate visibility and coverage to understand the risk landscape of digital communications
  • Toolsets rationalized and consolidated
  • Cost efficiencies
  • Business growth through transformational change

With the ongoing remote and hybrid work, a unified approach is essential to manage vulnerabilities such as cloud usage, network infrastructure, personal device use, real risks with unvetted apps/platforms, and new vulnerabilities in existing apps or platforms.

These risks are present and very real, and the threats at hand endanger an organization’s security and compliance. An adequate security and compliance PMO can empower enterprises to implement the following principles:

  • Toolsets are the same across the enterprise
  • Communication on expected roles and responsibilities

One of the challenges to manage is the high matrix nature of technology organizations; allocating resources to corporate cross-organizational projects is difficult. Therefore, establishing the Security and Compliance PMO is necessary, and organizations also require executive-level sponsorship to be efficient and effective. Here, the Security and Compliance PMO can provide the conduit between the IT PMO organization and the business.

We are seeing an increase in the need for security-focused Project Managers looking for a dedicated PMO function to support the ever-challenging IT environment to deliver Cyber Security projects successfully.

Security and Compliance PMO Setup

The definition of a PMO does not change – a PMO is an organizational structure used to standardize the portfolio, program, or project-related governance processes and facilitate sharing of resources, methodologies, tools, and techniques.

A Security & Compliance PMO has many key benefits, such as:

  • Structured governance with improved transparency and communication.
  • Well-organized data to keep projects on track and report on the status.
  • Relevant tools for reporting and managing shared resources.
  • Strategy with a customer focus.
  • People and cultural sensitivity.
  • Clear processes.
  • Will improve the overall project success rate through alignment with the business strategy.

It will also need to work with an understanding of Cyber Security Frameworks (CSF) such as NISTISO27001, and ITIL.

A Cybersecurity PMO comprises six major components: Risk Management, Compliance, Policy and Procedure Management, Vulnerability Management, Security Project Management, and Knowledge Management.

6 Elements of a Cybersecurity PMO

In addition to these components, setting up a Security and Compliance PMO must follow a well-established approach. To get started, take stock of assets essential to the business and understand the risk to those assets. If the security team is overwhelmed with day-to-day issues, and the only board reporting is on how the month’s problems will be resolved, set up a cybersecurity PMO to help restructure and manage the program.

Most importantly, the cybersecurity PMO can address the core pillars of Responsibility, Accountability, Transparency, Integrity, Awareness, Availability, Confidentiality, Performance, and Authenticity.

Contact us for more information about how to set up your Security & Compliance PMO, where we will provide more details on our suggested approach:

  • Cyber Security PMO Maturity Assessment (current state assessment)
  • Cyber Security PMO Strategy (Offensive vs. Defensive)
  • Cyber-Risk Analytics (for dashboards on KPIs)
  • Cyber Security Operations Management (Acquisition, Recovery, Retention, SLA-Service Level Agreements, User/Access Management)

The Security and Compliance Operating Model

The CSF (Cyber Security Framework) focuses on cybersecurity decision-making as a function of business risk and defines the primary functions of a cybersecurity program as Identify, Protect, Detect, Respond and Recover.

Once business assets and risks are understood, measures can be implemented to mitigate business risks inherent to the operational environment. Protective measures include activities such as:

  • Limiting access to authorized users, processes, or devices and to authorized activities and transactions.
  • Establishing security policies, processes, and procedures/guidelines.
  • Cybersecurity procedures and policies training.
  • Ensuring information is managed consistently with the company’s risk strategy.

An example of projects that would be managed through the Security and Compliance PMO are as follows:

  • Security Governance Program
  • Vulnerability Management Program
  • Incident Response and Lessons Learned
  • High-Value Assets
  • Product Security
  • Cloud Security Strategy
  • Mergers & Acquisitions Due Diligence and Transition Plan

The Security and Compliance Operating Model will connect to the IT Operating Model to support Business growth.


Regardless of size, every organization needs a cybersecurity program focused on business success. Structuring around the NIST CSF and using the cybersecurity PMO organizational construct, every business can move cybersecurity from an unknown business risk to a business asset.

Don’t wait until after a significant breach to begin thinking about the structure of your program. For large businesses, doing nothing could be very costly, resulting in lost profits, productivity, and reputation.


CORTAC Group is a wholly owned subsidiary of MI-GSO|PCUBED. MI-GSO|PCUBED Group, with 3000 employees in over 15 countries, pursues its development and strategy as the leader and pioneer in PMO and PPM consulting. Since the early 90s, MI-GSO|PCUBED has provided best-in-class services to R&D, IT and transformation projects.