Project management for lean security teams

How small security teams can deliver improvement work without drowning in project management overhead

Post feature image

Project management is critical for cybersecurity improvement work. This is especially true for small security teams that need to keep daily operations running while also improving processes, tooling and controls.

The challenge is that most project management frameworks are not designed for this environment.

A lean security team may only have four or five people. The team may operate mainly through ChatOps, move quickly between operational tasks, support incidents, answer compliance questions and still be expected to deliver meaningful improvements. In this context, adopting a heavyweight delivery framework can easily create more friction than value.

This does not mean lean security teams should avoid project management. It means they need a version that fits how they actually work.

For many teams, the natural first step is to look at software delivery methods such as Scrum, Agile Cybersecurity and Shape Up. This makes sense. Small security teams are cross-functional, face changing priorities, have limited capacity and need clear ways to prioritise work and show progress. Their improvement work can often be broken into smaller increments, improved through feedback and managed through backlogs, time boxes and retrospectives.

At first glance, these methods seem like a good fit. Cybersecurity work is full of interrupts, incidents, compliance pressure and risk-reduction tasks that do not fit neatly into a waterfall delivery model. Incremental delivery feels right for a profession where operations can easily take over everything.

However, the fit is not always as clean as it looks.

Why standard frameworks often fail

Scrum, Agile and Shape Up can all provide useful ideas. The problem begins when a lean security team adopts one of these frameworks too literally.

Scrum is a common example. It is meant to be lightweight, but in many organisations it quickly becomes meeting-heavy and process-heavy. Sprint planning, backlog refinement, daily stand-ups and retrospectives can all be useful. However, when a company already has a poor meeting culture, adding a framework that depends on recurring ceremonies can make the problem worse.

This is not necessarily a flaw in Scrum itself. The issue is the interaction between the framework and the operating environment. A small security team with constant interrupts may not benefit from a strict two-week rhythm if half the sprint is consumed by incidents, urgent reviews or compliance escalations.

There is also a bureaucracy risk. Backlogs must be created, refined and prioritised. Work must be estimated. Tasks must be broken down so they fit neatly into the sprint. Stand-ups must be attended. Tickets must be updated. If the team becomes too canonical about Scrum, the framework can start consuming the capacity it was supposed to protect.

Shape Up has a different appeal. Its focus on shaping work before building is valuable. Instead of sending vague ideas directly into delivery, the team first develops a clearer understanding of the problem, the appetite for solving it and the rough shape of the solution. This is especially useful for security improvement work, where the initial request is often ambiguous.

The fixed six-week cycle can also be helpful. It gives teams enough time to make meaningful progress without allowing projects to drift endlessly. The emphasis on autonomous small teams is also attractive because it tries to intentionally eliminate any risk of over-managing.

However, Shape Up can also be difficult to adopt directly. It was developed in a specific product environment and assumes a certain level of maturity in shaping, pitching and selecting work. Inexperienced teams may find the method too vague at first. Without practice, shape-up documents can become either too thin to guide delivery or too detailed to stay lightweight.

The takeaway is simple: lean security teams should not adopt a framework as a belief system. They should borrow what works and discard what creates unnecessary drag.

Start by defining the team's delivery focus

The first step is to define what the team will use project management for.

This sounds obvious, but it is often skipped. Small security teams are usually drowning in operational work, which makes it hard to distinguish between operations and improvement projects. Without an explicit distinction, everything risks being treated as a project, making it harder to allocate team attention precisely.

The team should sit down and agree what counts as operational work and what counts as improvement work.

Operational work is the work required to keep the function running. This includes alerts, incidents, access reviews, support requests, compliance responses, vulnerability triage and the normal flow of security questions from the business.

Improvement work is different. It changes the way the team operates. It removes recurring pain, improves tooling, reduces waste, closes operational gaps and makes future work easier.

Once this distinction is clear, the team should commit to managing only two types of improvement projects.

The first type is a shaping project. The goal of a shaping project is to investigate a recurring bottleneck, define the problem and describe a practical solution. The output is not code, a new process or a deployed tool. The output is a shaped proposal that gives the team enough clarity to decide whether the work is worth delivering.

The second type is a delivery project. This is where the team takes a shaped proposal and builds the solution. The work may involve scripting, process design, tooling configuration, documentation, training or control implementation. The important point is that delivery begins from a shaped problem, not from a vague idea.

This separation is useful because it prevents teams from pretending that they understand the work before they actually do. It also creates a natural path from operational pain to improvement delivery:

  1. The team notices a recurring problem
  2. Someone shapes the problem and a possible solution
  3. The team decides whether to invest delivery time
  4. A small group delivers the improvement within a fixed window

The team should also define its delivery window. For lean security teams, this should usually be no shorter than six weeks and no longer than one quarter. The window must be long enough to produce meaningful change, but short enough to force scope decisions.

The rule should be clear: whatever is working one week before the deadline is prepared for release, and the rest is dropped or moved into a future shape-up. This prevents improvement projects from becoming permanent background noise.

Define basic project management needs

The second step is to define what the team actually needs from their own project management framework.

Most lean teams do not need a complex delivery system. They need a small number of practices that help them stay aligned while protecting time for execution. At a basic level, the team has three needs.

First, the team needs clarity on goals. It needs to know what it is trying to improve this year and what matters this quarter. Without this, project selection becomes reactive. The loudest request wins, or the team defaults to whichever problem is most painful that week.

Second, the team needs clarity on tasks. Once a project is selected, the team needs to know what must be done, who owns each part and what decisions are still open. This does not require an elaborate ticket hierarchy. It does require a shared understanding of the work.

Third, the team needs progress tracking. The goal is not management theatre. The goal is to maintain momentum, identify blockers and decide when to cut scope. Small teams do not have the luxury of discovering late that a project has drifted.

Explicitly defining these needs matters because otherwise each team member carries a different project management model in their head. One person expects detailed reporting. Another expects autonomy. Another expects weekly updates. Another assumes work will be coordinated through Slack messages. This creates interpretation drift and potential frustration.

When the team agrees what project management is supposed to provide, it becomes easier to choose the minimum practices and tools required.

Tailor artifacts, meetings and tools to needs

The third step is to design the smallest operating model that satisfies the team's needs.

Tooling minimalism should be the default. Lean teams should use the fewest tools needed to create clarity, because every additional tool creates maintenance, context switching and process overhead.

For goal clarity, Objectives and Key Results (OKRs), as a definitional tool, are usually sufficient. The team can define annual security improvement objectives and then select quarterly key results that move those objectives forward. The exact OKR format matters less than the discipline of using it as a compass for project selection.

The meeting structure can also stay simple. At a minimum, the team needs one annual planning session to set improvement objectives and one quarterly planning session to define key results. A short retrospective should be attached to each quarterly planning cycle so the team can improve the way it manages work.

The tool can be a single shared document. At the top, it lists the annual objectives. Below that, it breaks the year into quarterly key results. The document becomes the reference point for deciding which shaping and delivery projects deserve attention.

For task clarity, the team should avoid creating more structure than it can maintain. A lightweight task list inside Slack, embedded in a team channel, or another ChatOps platform may be enough. This keeps the work visible where the team already operates and avoids the friction of maintaining a separate project management system for a small number of people.

Another benefit of keeping task lists inside Slack is that manager can interrogate progress and receive status updates via connected Large Language Model chatbots such as ChatGPT.

The team can then use shaping practices from Shape Up to manage ambiguity. Instead of breaking everything into detailed tasks too early, the team gives a small group ownership of the shaped project. That group maps the scope, identifies unknowns and decides how to move from ambiguity to delivery.

Scope mapping is useful here because it gives the team a way to expose the real shape of the work without turning everything into premature micro-tasks. The goal is to understand the main parts of the solution, the difficult areas, the nice-to-haves and the parts that can be cut if time becomes tight.

For progress tracking, a weekly progress meeting is usually better than a daily stand-up. Daily stand-ups can make sense in some delivery environments, but they are often too expensive for small security teams with high operational load.

The weekly meeting should not be a status theatre session. Task owners should update the shared task list before the meeting with what has been completed, what is next and where they are blocked. The meeting should then focus on three questions:

  1. What changed since last week?
  2. What must happen before next week?
  3. What scope should we cut or stop pursuing?

Progress hills from Shape Up can be useful for this discussion. They help the team distinguish between work that is still being figured out and work that is already understood and being executed. This matters because not all "in progress" work is equal. A task that is still uncertain carries different risk from a task that is simply being completed.

The meeting should be time-boxed and focused on decisions. The team should leave knowing what needs to happen next, who owns it and whether the project is still likely to ship inside the delivery window.

A lightweight model for lean teams

Putting this together, a lean security team can run a practical project management system with only a few moving parts:

  • Annual objectives and quarterly key results
  • Shaping projects to investigate and define improvement opportunities
  • Delivery projects to build selected improvements
  • A shared task list in the team's ChatOps environment
  • Weekly progress reviews focused on blockers, scope and next steps
  • Quarterly retrospectives to improve the system

This gives the team enough structure to deliver without forcing it into a full Scrum operating model or a strict Shape Up implementation. It also keeps project management close to the way the team already works.

While the system is simple, the benefit is lean execution.

Lean security teams need project management because improvement work does not happen by accident. However, they also need to avoid the trap of spending more time managing work than doing it. The right approach is to define the team's needs, borrow the useful parts of existing frameworks and keep tooling as minimal and as focused as possible on existing practices that demonstrably work.

The best project management system for a lean security team is the one the team can actually sustain during a normal operational week. If it gives clear goals, visible tasks and honest progress tracking without creating bureaucracy, it is good enough to start. From there, the team can improve it quarter by quarter.