Why outsource the management of a cybersecurity project?
A threat that is intensifying and becoming more professional
The ANSSI’s 2024 Cyber Threat Panorama describes three dominant categories of attackers: organized cybercriminals, state actors and hacktivists. Supply chains, local authorities, industrial mid-caps and healthcare players now receive as much attention as the major accounts. According to the 2023 Hiscox Report, cited by data.gouv.fr, 53% of companies suffered an attack, compared to 48% the previous year, an increase of 5 points in one year.
A chronic shortage of cyber skills
Recruiting an in-house security project manager with a high level of experience takes several months. According to an estimate by Wavestone, more than 15,000 cyber positions remain unfilled in France, i.e. 25% of jobs in the field. The transitional PMO bridges this gap: it arrives operational, without a long learning curve, and leaves once the set-up has been handed over.
The Distinctive Role of the Transitional PMO
The cybersecurity PMO (Project Management Office) is not a substitute for the CISO or the CIO. He orchestrates. He keeps the workload plan, leads the committees, secures budgetary arbitrations, documents decisions, manages service providers, and guarantees that the project delivers what it has promised within the deadlines announced to the Executive Committee. On a subject as cross-cutting as security — which affects the IT department, compliance, business, purchasing, legal — this function is often the missing link.
Generic business case: a cybersecurity project led by an experienced PMO limits schedule and budget drift, makes the deliverables required by regulators more reliable and accelerates decision-making in the Executive Committee. It makes the difference between a program that sits dormant in a roadmap and a system that is actually deployed.
1. NIS2 compliance
Why it has become a priority
The European NIS2 directive has profoundly broadened the scope of cyber obligations. Nearly 15,000 French entities are covered, compared to a few hundred under NIS1. The deadline for transposition by Member States was set for 17 October 2024, with the first obligations coming into force in 2025 and an enhanced level of maturity expected in 2027. In France, the transposition law was adopted by the Senate on 12 March 2025 and still needs to be examined by the National Assembly.
The scope of an NIS2 PMO
- Mapping of the group’s entities and their qualification as “essential” or “important”
- Gap analysis against ANSSI requirements
- Quantified, prioritized and sequenced remediation plan
- Implementation of the incident notification system
- Governance: executive involvement, board training, traceability of decisions
Business case
A multi-site industrial mid-sized group, classified as a major entity, mobilizes a transitional PMO over twelve months to manage its compliance. The PMO structures the workshops with the IT department, the legal department and plant management, delivers the risk analysis file and coordinates the audit providers. At the end, the Executive Committee has a readable NIS2 dashboard and a validated investment plan.
To learn more about the regulatory dimension and the associated internal control, see our article SOX compliance: checklist and internal control law.
2. Deploying a SOC and SIEM
Why a SIEM project often fails without a PMO
A SIEM (Security Information and Event Management) collects, correlates, and alerts on security events. Poorly managed, the project quickly turns into a never-ending construction site: sources that are never connected, detection rules that are too noisy, SOC teams overwhelmed with false positives. The PMO imposes the discipline of a plan for connecting log sources in batches, a catalog of prioritized detection use cases, and regular reviews of detection effectiveness.
To understand how a SIEM works, consult our SIEM guide: roles, challenges and deployment in companies.
Business case
A retail mid-sized company deploys a cloud SIEM coupled with a managed SOC. The interim PMO sequences the project in waves (Active Directory, critical workstations, ERP, e-commerce applications), builds the investigation runbooks, organizes the table-top exercises and negotiates the SLAs with the SOC provider. In the monthly steering committee, the CEO monitors detection coverage and the average time taken to qualify an alert.
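The two indicators tracked in this steering committee, together with the per-rule false-positive review described above, can be computed from a triage export. The following is an added example, not code from the article or from Wayden; the alert records, rule names, wave plan and thresholds are constructed sample data.

```python
"""Detection-effectiveness review metrics for a SIEM/SOC steering committee.

Added example (not part of the original article): per-rule false-positive
rate and mean time to qualify, plus detection coverage against the wave plan.
Every record and source name below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed triage export: (rule, fired_at, qualified_at, analyst verdict).
ALERTS = [
    ("AD-BruteForce", "2025-03-03T08:00:00", "2025-03-03T08:25:00", "false_positive"),
    ("AD-BruteForce", "2025-03-03T09:10:00", "2025-03-03T09:40:00", "false_positive"),
    ("AD-BruteForce", "2025-03-04T02:05:00", "2025-03-04T02:50:00", "true_positive"),
    ("ERP-PrivilegeChange", "2025-03-05T11:00:00", "2025-03-05T11:15:00", "true_positive"),
    ("Web-SQLiPattern", "2025-03-06T14:00:00", "2025-03-06T16:00:00", "false_positive"),
    ("Web-SQLiPattern", "2025-03-06T14:30:00", "2025-03-06T17:30:00", "false_positive"),
    ("Web-SQLiPattern", "2025-03-07T09:00:00", "2025-03-07T09:45:00", "false_positive"),
]

# Constructed wave plan: sources the project committed to, and those live today.
PLANNED_SOURCES = {"active_directory", "workstations", "erp", "ecommerce"}
CONNECTED_SOURCES = {"active_directory", "workstations", "erp"}


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def rule_review(alerts):
    """Per rule: alert volume, false-positive rate (%) and mean minutes to qualify."""
    by_rule = defaultdict(list)
    for rule, fired, qualified, verdict in alerts:
        by_rule[rule].append((_minutes(fired, qualified), verdict == "false_positive"))
    return {
        rule: {
            "alerts": len(rows),
            "fp_rate": round(100 * sum(fp for _, fp in rows) / len(rows), 1),
            "mean_minutes_to_qualify": round(mean(m for m, _ in rows), 1),
        }
        for rule, rows in by_rule.items()
    }


def noisy_rules(review, fp_threshold=80.0, min_alerts=3):
    """Rules to tune or retire: high FP rate over a minimum alert volume."""
    return sorted(r for r, m in review.items()
                  if m["alerts"] >= min_alerts and m["fp_rate"] >= fp_threshold)


def detection_coverage(planned, connected):
    """Share (%) of planned log sources actually feeding the SIEM."""
    return round(100 * len(planned & connected) / len(planned), 1)


def mean_time_to_qualify(alerts):
    """Average minutes from alert firing to analyst verdict, all rules combined."""
    return round(mean(_minutes(f, q) for _, f, q, _ in alerts), 1)
```

On this sample, `noisy_rules` flags only `Web-SQLiPattern` (100% false positives over three alerts), while coverage reads 75% because the e-commerce wave is not yet connected.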
3. The redesign of identity and access management (IAM)
The most political project in cybersecurity
IAM affects all employees, all providers, all systems. It is a subject that is both technical (directory, SSO, MFA, PAM) and organizational (account life cycle, accreditation reviews, separation of duties). A poorly framed IAM project slips on scope, pits the IT department against the business lines and ends up half delivered.
What the transitional PMO puts in place
- Mapping of directories, applications and user populations
- Definition of the role model (RBAC) together with the HR department and the business lines
- Application-by-application migration plan, with a pilot phase
- Deploying strong authentication (MFA) on sensitive access
- Implementation of periodic accreditation reviews
Business case: A financial services group overhauls its IAM after an audit reveals dormant privileged accounts. The transition PMO drives convergence to a single directory, MFA deployment, and the creation of an administration bastion. The internal audit department has an authorisation repository that can be used for its reviews.
4. The security audit and remediation plan
From the audit to the action plan executed
Many organizations commission audits — pentests, ISO 27001 organizational audits, architecture audits — without the ability to turn recommendations into actual projects. Reports pile up, vulnerabilities persist, and the next audit finds the same points.
The interim PMO takes over the audit report, qualifies each recommendation (criticality, effort, dependency), builds a quantified and quarterly remediation plan, and then manages its execution. On the audit methodology, see our article 5 Types of Industrial Audits and Their Objectives.
Business case
A multi-site industrial group discovers, after an audit, several dozen critical assets not listed in the CMDB and several critical vulnerabilities exposed on the Internet. The transitional PMO coordinates urgent fixes, updating the CMDB, shutting down uncontrolled external access and formalizing a plan to gradually harden industrial systems over a six-month period.
5. Cyber crisis management and the continuity plan
Anticipating the inevitable
No matter how mature the defense, the scenario of a successful attack must be prepared. The “crisis management + BCP/DRP” project covers response doctrine, scenario playbooks (ransomware, exfiltration, denial of service), simulation exercises and recovery of critical systems. Wayden develops this topic in detail in how to manage a cyber crisis.
The role of the PMO
- Facilitation of scoping workshops with CEO, CIO, CISO, communication, legal
- Production of playbooks and the standard crisis unit
- Organization of simulation exercises (table-top, technical)
- Management of the IT disaster recovery plan and its regular tests
- Post-exercise debrief and continuous improvement plan
TO DO: Actually test the restoration of backups to an isolated environment. Document the time actually needed to get back up and running.
TO AVOID: Being satisfied with a BCP that sits on the shelf and is never exercised. An untested plan is a plan that doesn’t exist.
Framing the mission of a cybersecurity PMO with Wayden
A cybersecurity transition PMO is not a generic project manager. He is a senior profile, who speaks both the language of the Executive Committee and that of the SOC, who knows how to arbitrate between an urgent fix and a strategic project, who knows the regulators and the market service providers. Wayden selects these profiles from a narrow pool, with a strong requirement on references and ethics. On the distinct role of the CIO and the CISO in these transformations, see the challenges of the interim CIO and outsourced CIO: for which transition missions.
A critical cybersecurity project to structure or unlock?
Wayden mobilizes an experienced interim PMO within two weeks, capable of taking control of your NIS2, SOC, IAM, audit or crisis management program.
FAQs — Cybersecurity Project and Transition PMO
What is the difference between a transition PMO and an interim CISO?
The CISO is responsible for the security strategy and operational responsibility on a daily basis. The interim PMO manages one or more cyber projects over a fixed period of time: he or she delivers projects, he or she does not hold the CISO function over the long term. The two can coexist, with the PMO working for the incumbent CISO.
How long does a cybersecurity PMO mission last?
The usual range is between six and eighteen months depending on the size of the program: NIS2 compliance, SOC/SIEM deployment or IAM redesign are rarely measured in weeks.
What are the first deliverables expected from a cyber PMO?
Detailed project plan, stakeholder mapping, project risk register, committee structure, progress dashboard and consolidated budget. All this in the first four to six weeks.
Does NIS2 really affect my company?
The Directive now covers a very wide spectrum of organisations in essential and important sectors. The eligibility test combines industry, size and turnover. A scoping of a few days led by a PMO makes it possible to decide.
How to measure the ROI of a cybersecurity project?
Reduction in the number of qualified incidents, reduction in average detection and response time, coverage rate of critical assets, compliance with legal obligations, optimized cyber insurance premium. The PMO formalises these indicators from the framework stage.