There’s a humorous sign frequently seen in various kinds of offices and workshops around North America. It says simply, “Fast, Good, or Cheap: Choose Two!” It’s a simple but useful model demonstrating the tradeoff between the constraints of quality, time, and cost. In project management, it’s known as the Iron Triangle (Ogunlana, 2010, p. 229). The idea is that the three are linked in an inverse relationship: an increase in one requires a decrease in another of the constraints. To increase quality, the tradeoff will be either an increase in time or an increase in cost (Kim, Kang, & Hwang, 2012, p. 264).

  • Cost: The cost of a security control implementation is the total required resources allocated to accomplish the entire project. There are five types of costs.
  1. Direct: the cost of doing the required work that comes out of the project budget.
  2. Indirect: related costs not in the project budget such as shared facility costs.
  3. Fixed: costs that don’t change as variations occur.
  4. Variable: non-fixed costs that may fluctuate.
  5. Sunk: costs that are already incurred.
  • Quality: In relation to cybersecurity efforts, quality can have varied performance measures. It could mean fewer security incidents, less data compromised, or less loss of availability. It could also mean less financial loss, fewer assessed penalties, or fewer executive jail sentences (Ogunlana, 2010, p. 232).
  • Time: Cybersecurity projects can have a very long timetable due to their complex nature coupled with the required input from many stakeholders. However, the hackers won’t wait for the new IPS implementation before compromising your classified server. Obviously, shorter is better.

 

The most important of the three constraints to cybersecurity is quality, if quality is defined as a correct implementation of required security controls. This is due to three reasons.

  1. Security controls are required by law, and the business may not operate without safeguarding personally identifiable data. They must be in place or severe civil liability and legal penalties can be levied, including prison sentences for executives.
  2. To be effective, network security must be a complete solution. It only takes a single exploitable vulnerability to allow an attacker to gain a foothold in the system, and then leverage that into deeper network access (Moore, Dynes, & Chang, 2015). An incomplete security architecture would be analogous to constructing a bank vault with a state-of-the-art vault door while leaving a six-foot gap in the rear vault wall. An incomplete solution is a poor-quality solution, and that is no solution.
  3. Business ethics requires that personally identifiable information be protected from disclosure. This requires a quality solution of security controls.

 

Project management is a business process that organizes and coordinates the complex steps needed to guide a project to completion (Kerzner & Kerzner, 2017, p. 3). It improves quality and reduces the time and cost of projects by increasing efficiency and reducing waste (Sanchez, Terlizzi, & de Moraes, 2017). This is vital to cybersecurity projects because of the complex nature inherent in the infrastructure and the need to be vulnerability-free. Project management assists in finding the correct balance between the three constraints of quality, cost, and time.

 

 

References

 

Kerzner, H., & Kerzner, H. R. (2017). Project management: a systems approach to planning, scheduling, and controlling. John Wiley & Sons.

Kim, J., Kang, C., & Hwang, I. (2012). A practical approach to project scheduling: considering the potential quality loss cost in the time–cost tradeoff problem. International journal of project management, 30(2), 264-272. doi: https://doi.org/10.1016/j.ijproman.2011.05.004

Moore, T., Dynes, S., & Chang, F. R. (2015). Identifying how firms manage cybersecurity investment. Southern Methodist University. Available at: http://blog.smu.edu/research/files/2015/10/SMU-IBM.pdf (Accessed 2015-12-14), 32.

Ogunlana, S. O. (2010). Beyond the ‘iron triangle’: Stakeholder perception of key performance indicators (KPIs) for large-scale public sector development projects. International journal of project management, 28(3), 228-236.

Sanchez, O. P., Terlizzi, M. A., & de Moraes, H. R. d. O. C. (2017). Cost and time project management success factors for information systems development projects. International journal of project management, 35(8), 1608-1626. doi: https://doi.org/10.1016/j.ijproman.2017.09.007