Locking down data security with a PMO

To be a ‘data-driven organisation’ is no longer optional. Along with automation and AI, data is setting the tone for the future of our industry. This is a reflection of the role big data plays in supporting informed and insightful decision making, driving efficiency and aligning teams towards common and clear goals which, in turn, is the cause of an overwhelmingly positive narrative associated with data and its many benefits.

Yet, while it is vital that organisations embrace data, there are risks associated with its storage and use, and the necessary checks and balances must not be cast aside as inconveniences. Access to data must be considered a responsibility; something for which a person or organisation must feel accountable for safekeeping. There are few environments where this is more important than in highly secure sectors, such as defence, writes Graham Seage, Head of Defence and National Security, UK & Europe.

Trust your tools

Handling large quantities of sensitive data across big teams presents obvious security challenges. Whether it’s the personal information of your people or the detailed plans for a new piece of Critical National Infrastructure, data breaches can result in harm to organisations and their stakeholders, and this risk needs to be mitigated early on. One way of doing this is by implementing effective and robust data management tools that consider all requirements in a holistic way. At Mace, we do this through our PMO (Programme Management Office).

Within the PMO, data management is considered through a POPIT lens, factoring in the need to be diligent across People, Organisation, Process, Information and Technology – a weakness in any one of these will result in a risk to the data environment.

A PMO provides many things, but at its core is the provision of management tools and the processes and procedures that wrap around them. Crucially, while our PMO tools have been built off the back of decades of learning, drawing on programmes from different sectors around the world, they are also under constant review in order to incorporate new developments and ensure they remain adaptable. Being able to tailor tools to suit a specific need ensures that appropriate security measures can be built into the system.

Processes, procedures and people

Having tools you can trust is an essential starting point, but how they’re used is just as important. For all aspects of a programme, the PMO sets out processes, procedures and frameworks for governance. These are underpinned by a maturity assessment of existing capabilities – considering all elements of POPIT – early on in the programme, with enhancements made and knowledge transferred to client teams so that sustainable improvements can be made for both the delivery of the programme and long-term benefit of the organisation.

In the context of handling sensitive data, people must be upskilled and processes reviewed and updated as required, with changes communicated and compliance monitored, to give a team clarity on critical requirements such as classification levels, control of access, encryption standards, data retention, and compliance. Having colleagues who have a history working in secure environments is also important. For instance, we’ve got a healthy and growing community of ex-military colleagues at Mace who are able to bring their implicit understanding of handling sensitive information onto high-security programmes.

A huge amount of the data we handle comes in the form of documents and drawings. A process to manage version control along with clearly defined, and secure, configuration and storage systems is essential. Performance information must be securely stored, assured for accuracy and analysed to inform timely decision making. Storing it once for intelligent use many times through automated reporting systems helps to maintain the integrity, currency and security of the data.

Underpinning these processes should be a commitment to train and refresh the colleagues that are using the systems. Regular updates to training, drawing on lessons learned from the programme and beyond, as well as responding to general data policy, helps to keep this important requirement front of mind. 

Placing PMO at the heart

By setting up a PMO early on in a programme lifecycle and emphasising its role at the heart of the organisation, you’ll set the foundations for long-term, robust data management. Crucially, to achieve this, you have to go beyond the literal data-secure environment and embed a culture that drives the right behaviours.

Maintaining data security, in addition to protecting the client and your own organisation, provides operational confidence among the team. It ensures clarity and facilitates ease of access to the right data at the right time across the client and supply chain, which not only empowers decision makers but holds them accountable for performance against security, risk, schedule, cost, quality, opportunities, benefits, innovation, automation, culture and wellbeing – everything that feeds into successful project and programme delivery.


data centres