Unit 3. Part 3. Project Planning and Lessons Learned

Horizon image [Quarterly Bolg. Gov.UK]. https://quarterly.blog.gov.uk/2016/01/25/horizon-scanning-helping-policy-makers-in-an-uncertain-world/
It was two years ago when cybersecurity awareness and education program became one of the top priorities in my organization. As the security infrastructure and architecture were being rebuilt, so does the beginning of a 14-month journey to develop the cybersecurity awareness program.  A core team was established to lead the project, which comprised of staff from security, project management, communication, and education – all bringing their expertise on the table.  The organization identified the need to develop staff’s cybersecurity resiliency through awareness and education due to the increase of cybersecurity threats in healthcare organizations (UHN internal report, personal communication, 2018). Hence, the organization developed a sense of urgency – the first step in Kotter’s change model (Biech, 2007), and this was the beginning of a journey filled with challenges, building relationships, and reflection. We followed Kotter’s eight-step change model, and we had a project plan. The project plan, managed by the project manager, consists of activities, such as procurement, budget, costs, timelines, and resources.

Our subject matter experts were the security officers in our team, orienting us to the world of security and cyber threats and attacks. Although this was a new subject for the education team, I was confident that we could develop the eLearning program internally and save the cost of purchasing from a vendor. The education team developed a business case, and in the end, the decision was to buy from a vendor.  You might ask what happened.

The project was complex with lots of moving targets and different ideas of how to reach the goal of becoming a “cyber-savvy organization” (UHN Cyber Security, personal communication, 2018). Tasks and responsibilities span across multiple departments and hence decisions were made in various areas and sometimes with different agendas in mind. According to Cormier (2017), this is what you call “matrix decision making” (para.7).

Cormier’s blog post on his lessons learned from developing the digital strategy at the PEI department (Cormier, 2017, para. 3) inspired me to create my version of lessons I learned being part of the cybersecurity core team.

  1. Ask the right questions. I was focused on creating an in-house program because I was confident this is the right solution and failed to empathize with the business of why there was hesitancy in this proposal. Rather than going with my intuition, I could have provided robust data that presented a stronger case. Zettelmeyer (2015) underscored the importance of integrating data analytics in the business processes and one of the critical skills she identified for managers is knowing their data and not just thinking about it. Lesson learned – back my proposal with lots of useful data.
  2. Decision-making. Although we all share the same vision and goals, the decision was not an easy process. Our core team had to report to a committee comprised of leaders from different departments and disciplines, and with different perspectives and understanding of the issues. Cormier (2017) described this as “matrix decision-making.” Lesson learned – do my homework and study the group dynamics and their motivation.
  3. Continuous improvement. We rolled-out the eLearning program to all staff, and the training compliance rate, in the beginning, was average and not meeting our target for training compliance. We had to be flexible with our training approach and provided face-to-face sessions. Along the way was feedback- some were great, and some were not. We knew that our product is not perfect and by the way- no product is ever perfect! Lesson learned – change my mindset about perfection. Iteration is part of the strategy. The feedback that we received from staff allowed us to improve the cybersecurity awareness and education training program. We monitored and evaluated the feedback continuously and applied the necessary changes.

A year after implementing the training program, we are revamping the course, and my team is developing the enhanced version. What changed? We gathered the data from our evaluation survey, including anecdotal feedback, presented my team’s proposal using data and a project plan, and applied the lessons I learned from the previous implementation.  And here we are almost at the finish line with implementing an integrated approach to educating staff on privacy and cybersecurity awareness.


Biech, E. (2007). Models of Change. Thriving through change: a leader’s practical guide to change mastery [E-book version]. Alexandria, VA: Association for Talent Development. Retrieved from Royal Roads Skillport Database

Cormier, D. (2017, December 8). Our schools aren’t broken, they’re hard [Blog post]. Retrieved from http://davecormier.com/edblog/2017/12/08/our-schools-arent-broken-theyre-hard/

Zettelmeyer, F. (2015, May 1).  A Leader’s Guide to Data Analytics: A working knowledge of data science can help you lead with confidence. KelloggInsight. Retrieved from https://insight.kellogg.northwestern.edu/article/a-leaders-guide-to-data-analytics/

Leave a Reply

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

This site uses Akismet to reduce spam. Learn how your comment data is processed.