PPM Security: Protecting Your Project Portfolio Management Data in an Era of Rising Cyber Threats

December 12, 2025


Project portfolio management software stores some of your organization's most sensitive data, from project financial information to strategic plans and resource allocations. As cybersecurity threats continue to escalate, protecting this data has become a top priority for PMO leaders and executives alike. 

At Cora Connect 2025, Alan Jue Liu, CTO of Cora Systems, presented eye-opening statistics that underscore the need for serious attention to PPM security. The numbers tell a compelling story about the state of cybersecurity and what organizations need from their PPM tools to stay protected. 

Key Takeaways on Project Portfolio Management Security 

  1. Human error causes 67% of security breaches. Two-thirds of all cybersecurity incidents in 2024 resulted from human touchpoints, not software flaws. Training and awareness programs are as critical as technical controls. 

  2. Breaches unfold in under a minute. It takes just 27 seconds for someone to click a malicious link, and another 28 seconds for sensitive data to be transmitted to unauthorized locations. 

  3. Cybercrime costs $11 trillion annually. If global cybercrime were an economy, it would rank as the third largest in the world. The average cost per affected organization is $4.8 million. 

  4. PPM software should carry independent security attestations. SOC 1, SOC 2 Type 2, Cyber Essentials Plus, and FedRAMP readiness demonstrate that a vendor takes security seriously. 

  5. Supply chain security is the second most significant risk factor. Your PPM solution is only as secure as its weakest vendor. Third-party risk assessment and continuous monitoring are non-negotiable. 

Why Portfolio Management Security Has Never Been More Critical 

The statistics presented at Cora Connect 2025 paint a stark picture of the current threat landscape. During his presentation, Alan Jue Liu shared a startling fact: the global cost of cybersecurity breaches in 2024 reached $11 trillion, larger than the economies of Japan and Germany combined. 

"If you represent it as an economy, it would be the third largest and would be bigger than the fourth and fifth combined," Liu explained to attendees. 

For organizations relying on portfolio management solutions to track strategic initiatives, this data underscores a simple truth: security cannot be an afterthought. Project portfolio management systems contain information about budget allocations, resource assignments, strategic priorities, and vendor relationships, all prime targets for cybercriminals. 

Understanding the Human Element in Data Security 

One of the most striking revelations from Liu's presentation focused on the role of human error in security incidents. According to his analysis, 67% of all cybersecurity breaches in 2024 were caused by people failing to follow processes, not by sophisticated software exploits. 

"Human touchpoint is really the weakest link in the whole security lifecycle," Liu noted. "We constantly invest in our people to make sure they understand what they do and the implications if they don't." 

This finding has significant implications for teams managing risk across their portfolios. Even the most sophisticated PPM tools with advanced risk registers and analysis capabilities cannot compensate for users who click on phishing links or share credentials inappropriately. 

The speed at which breaches occur makes the problem even more acute. Liu revealed that the average time to a breach after a user makes a poor decision is just 27 seconds. Within 28 more seconds, sensitive data can be transmitted to unauthorized locations. That's less than a minute from decision to data loss. 

How Cora Approaches PPM Software Security Operations 

For organizations evaluating project management solutions, understanding a vendor's security posture is paramount. Liu outlined Cora's multi-layered approach to security operations, which addresses both internal processes and customer-facing systems. 

Industry-Leading Compliance Certifications 

Cora Systems holds SOC 1 and SOC 2 Type 2 reports, independent auditor attestations that its security controls are designed appropriately and operated effectively over the audit period. Liu explained what this means in practice: 

"How we build software, the traceability of how we build it, from requirements all the way to code, how it's tested, is auditable. For every feature that you use, we have a record of who designed it, who coded it, and which testers tested it." 

FedRAMP Ready Architecture for Government and Defense 

For aerospace and defense organizations and US federal government contractors, Cora's FedRAMP Ready status represents a significant differentiator. Liu emphasized that Cora is one of the only PPM solutions operating at this level. 

"The software went through a full 12 months of evaluation by the office of PMO to make sure that when it goes into the right environment, it will be FedRAMP ready," Liu explained. 

This designation indicates that Cora meets the stringent SDLC and secure architecture standards demanded by the US Government, a consideration for any program working with sensitive government information. One caveat practitioners should keep in mind: FedRAMP Ready is a readiness designation, not an Authorization to Operate; the authorization itself is granted per deployment by the sponsoring agency. 

Managing Risk Through Continuous Security Monitoring 

Effective security isn't a one-time implementation; it requires ongoing vigilance. Cora's approach includes SIEM (Security Information and Event Management) and MDR (Managed Detection and Response) solutions that monitor systems around the clock. 

"These are frameworks that monitor our systems, not just automatic processes, but human processes 24/7. When it detects a breach, it gets flagged and our security officer will take action," Liu explained. 

What makes this approach particularly valuable is that the SIEM monitoring extends beyond Cora's internal systems to customer instances as well. The system monitors for: 

  • Connections from unfamiliar IP addresses 

  • Large exports or data transmissions to unknown destinations 

  • Unusual user behavior patterns that might indicate compromised accounts 

  • Potential intrusion attempts across customer instances 

This proactive stance helps organizations stay ahead of risks before they escalate into full-scale security incidents. 
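The four signals listed above map directly onto detection rules. What follows is an added illustrative example, not Cora's SIEM, Rapid7's MDR rules, or any vendor's code: it runs simple rule logic over a constructed JSON-lines audit log for a hypothetical PPM tenant. The log entries, the per-user IP baselines, the approved export destinations and every threshold are assumptions made up for the example.

```python
"""Toy SIEM-style detections over a constructed PPM audit log (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One JSON object per line.
SAMPLE_LOG = """\
{"ts":"2025-11-03T09:02:11Z","user":"alice","ip":"203.0.113.10","event":"login","ok":true}
{"ts":"2025-11-03T09:05:40Z","user":"alice","ip":"203.0.113.10","event":"export","bytes":120000,"dest":"bi.example.com"}
{"ts":"2025-11-03T22:41:02Z","user":"alice","ip":"198.51.100.77","event":"login","ok":true}
{"ts":"2025-11-03T22:42:15Z","user":"alice","ip":"198.51.100.77","event":"export","bytes":52000000,"dest":"drop.example.net"}
{"ts":"2025-11-03T22:43:00Z","user":"alice","ip":"198.51.100.77","event":"export","bytes":48000000,"dest":"drop.example.net"}
{"ts":"2025-11-03T10:00:01Z","user":"bob","ip":"192.0.2.5","event":"login","ok":false}
{"ts":"2025-11-03T10:00:09Z","user":"bob","ip":"192.0.2.5","event":"login","ok":false}
{"ts":"2025-11-03T10:00:17Z","user":"bob","ip":"192.0.2.5","event":"login","ok":false}
{"ts":"2025-11-03T10:00:24Z","user":"bob","ip":"192.0.2.5","event":"login","ok":false}
{"ts":"2025-11-03T10:00:31Z","user":"bob","ip":"192.0.2.5","event":"login","ok":false}
{"ts":"2025-11-03T11:15:00Z","user":"carol","ip":"203.0.113.22","event":"login","ok":true}
"""

# Hypothetical per-tenant baseline: the IPs each user normally connects from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}, "carol": {"203.0.113.22"}}
# Hypothetical list of sanctioned export targets.
APPROVED_DESTS = {"bi.example.com"}

# Thresholds are assumptions chosen for the example, not vendor defaults.
EXPORT_WINDOW = timedelta(minutes=10)
EXPORT_LIMIT_BYTES = 50 * 1024 * 1024
FAIL_WINDOW = timedelta(minutes=5)
FAIL_LIMIT = 5
WORK_HOURS_UTC = range(7, 19)  # 07:00-18:59 UTC counts as the user's usual hours


def parse_log(text):
    """Parse JSON lines into event dicts with timezone-aware timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, known_ips=KNOWN_IPS, approved=APPROVED_DESTS):
    """Return (rule, user, detail) alerts for unfamiliar IPs, off-hours logins,
    failed-login bursts, exports to unapproved hosts and large export volumes."""
    alerts = []
    exports = defaultdict(list)   # (user, dest) -> [(ts, bytes)] inside EXPORT_WINDOW
    failures = defaultdict(list)  # ip -> [ts] of failed logins inside FAIL_WINDOW
    flagged_dests = set()         # (user, dest) pairs already reported as unapproved
    for e in events:
        ts, user, ip = e["ts"], e["user"], e["ip"]
        if e["event"] == "login":
            if e["ok"]:
                if ip not in known_ips.get(user, set()):
                    alerts.append(("new_ip", user, ip))
                if ts.hour not in WORK_HOURS_UTC:
                    alerts.append(("off_hours_login", user, ip))
            else:
                win = [t for t in failures[ip] if ts - t <= FAIL_WINDOW] + [ts]
                failures[ip] = win
                if len(win) == FAIL_LIMIT:  # fire once, when the threshold is crossed
                    alerts.append(("auth_brute_force", user, ip))
        elif e["event"] == "export":
            key = (user, e["dest"])
            win = [(t, b) for t, b in exports[key] if ts - t <= EXPORT_WINDOW] + [(ts, e["bytes"])]
            exports[key] = win
            if e["dest"] not in approved and key not in flagged_dests:
                flagged_dests.add(key)
                alerts.append(("export_unapproved_dest", user, e["dest"]))
            if sum(b for _, b in win) > EXPORT_LIMIT_BYTES:
                alerts.append(("large_export", user, e["dest"]))
    return alerts


def run_sample():
    """Run the rules over the constructed log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in run_sample():
        print(f"{rule:24} user={user:6} {detail}")
```

Two design points worth noting. The brute-force rule fires exactly once when the count crosses the threshold rather than on every subsequent failure, which keeps alert volume manageable for an analyst. The export rule sums bytes over a sliding window per user and destination, so an attacker splitting a bulk export into several smaller pulls (as the second pair of alice's exports does) is still caught.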

Supply Chain Security and Third-Party Risk Assessment 

Liu's presentation highlighted supply chain vulnerabilities as the second biggest cybersecurity risk factor, a point that resonates strongly with organizations managing complex vendor ecosystems through their PPM tools. 

"We're only really as good as the weakest link when it comes to security," Liu stated. "Not only do we follow SOC 1 and 2 and best industry standards, all the vendors that come into us have to do the same." 

For vendors that supply code libraries, Cora runs the same code scans over the supplied code. For managed service providers, the focus shifts to availability guarantees, business continuity capabilities, and documentation of their own penetration testing. Liu summarized the approach: 

"We would expect them to have the same standard we apply to ourselves basically." 

Secure Software Development and Hosting for Project Financial Data 

Beyond operational security, the way PPM software is built and hosted plays a critical role in protecting sensitive information management. Cora's approach incorporates multiple layers of technical safeguards. 

Regular Code Scanning with Veracode 

Cora PPM undergoes regular Veracode scans, a widely used application security testing platform. The scans combine static analysis of Cora's own code with software composition analysis of its dependencies, identifying out-of-date libraries, dependency versions with known vulnerabilities, and code patterns that could serve as attack vectors. 

"We get a report at the end, and we have to address the criticals and highs within 24 hours. The mediums and lows we address within 31 days," Liu explained. "Every quarterly release has to go through this process." 
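The two mechanisms described above, scanning supplied libraries for known-vulnerable versions and working the findings to a severity-based deadline, can be sketched in a few dozen lines. The block below is an added example, not Veracode's logic and not Cora's tooling: it matches a constructed lockfile-style manifest against a constructed advisory list (the package names, version ranges and advisory IDs are invented, not real CVEs) and assigns due dates using the SLA the page states, 24 hours for criticals and highs, 31 days for mediums and lows.

```python
"""Added example: software composition check plus SLA triage. Not vendor code."""
from datetime import datetime, timedelta, timezone

# Constructed advisory feed. IDs, packages and ranges are hypothetical.
ADVISORIES = [
    {"id": "ADV-0001", "package": "report-engine", "affected": "<2.4.1", "severity": "critical"},
    {"id": "ADV-0002", "package": "chart-lib", "affected": ">=1.0.0,<1.8.3", "severity": "medium"},
    {"id": "ADV-0003", "package": "xml-parse", "affected": "<3.0.0", "severity": "high"},
    {"id": "ADV-0004", "package": "chart-lib", "affected": "<1.2.0", "severity": "low"},
]
# Constructed lockfile-style manifest: package -> pinned version.
MANIFEST = {"report-engine": "2.3.9", "chart-lib": "1.5.0", "xml-parse": "3.1.2", "date-utils": "0.9.1"}

# Remediation deadlines as stated on the page.
SLA = {"critical": timedelta(hours=24), "high": timedelta(hours=24),
       "medium": timedelta(days=31), "low": timedelta(days=31)}

_OPS = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b, "==": lambda a, b: a == b,
        "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def parse_version(v):
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise, so 2.10.0 > 2.9.9."""
    return tuple(int(p) for p in v.split("."))


def matches(version, spec):
    """True when version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for constraint in spec.split(","):
        constraint = constraint.strip()
        # Two-character operators must be tested before their one-character prefixes.
        for op in ("<=", ">=", "==", "<", ">"):
            if constraint.startswith(op):
                if not _OPS[op](v, parse_version(constraint[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported constraint: {constraint!r}")
    return True


def scan(manifest, advisories, found_at):
    """Return findings for every pinned package inside an advisory's affected range,
    each with a remediation due date derived from its severity, soonest first."""
    findings = []
    for adv in advisories:
        pinned = manifest.get(adv["package"])
        if pinned and matches(pinned, adv["affected"]):
            findings.append({"id": adv["id"], "package": adv["package"], "version": pinned,
                             "severity": adv["severity"], "due": found_at + SLA[adv["severity"]]})
    return sorted(findings, key=lambda f: f["due"])


def overdue(findings, now):
    """IDs of findings whose SLA deadline has passed."""
    return [f["id"] for f in findings if now > f["due"]]


def run_sample():
    """Scan the constructed manifest at a fixed time and check it two days later."""
    found = datetime(2025, 12, 1, tzinfo=timezone.utc)
    findings = scan(MANIFEST, ADVISORIES, found)
    late = overdue(findings, found + timedelta(days=2))
    return findings, late


if __name__ == "__main__":
    findings, late = run_sample()
    for f in findings:
        print(f"{f['id']} {f['package']}=={f['version']} {f['severity']:8} due {f['due'].isoformat()}")
    print("overdue:", late)
```

Version matching is done on integer tuples rather than strings so that 2.10.0 sorts after 2.9.9; string comparison is a common source of false negatives in home-grown dependency checks. Note that xml-parse 3.1.2 is outside ADV-0003's range and date-utils has no advisory at all, so neither produces a finding.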

External Penetration Testing 

Working with external partners like Integrity360, Cora PPM undergoes regular penetration testing. These are black-box tests that simulate real-world attack scenarios from an external perspective, targeting APIs and user interfaces without access to source code. 

Several customers, including Honeywell, also conduct their own independent penetration testing and share results, adding another layer of security validation for the solutions teams rely on. 

Isolated Cloud Infrastructure on Microsoft Azure 

Unlike multi-tenant solutions where customers share infrastructure, Cora provides each customer with their own isolated instance. Liu explained the significance: 

"Your infrastructure is completely decoupled with each other. It's isolated at the database level and the application level. Nobody can see or access each other's data." 

This architecture, hosted on Microsoft Azure with E5-level security configurations, provides multiple advantages. Data can be provisioned in Azure data centers around the world to meet geographic and regulatory requirements. Customers benefit from Rapid7 MDR monitoring and Azure Defender (now branded Microsoft Defender for Cloud) protection on their instances. 

Business Continuity: Protecting Security Projects and Strategic Data 

Business continuity forms a critical component of any cybersecurity strategy for teams managing organization-wide portfolios. Liu outlined Cora's approach: 

  • Daily backups with multi-week retention (so the worst-case recovery point is up to 24 hours of data) 

  • Data replicated and stored in two geographic locations 

  • 4-hour recovery time objective for catastrophic local disasters 

  • 24-hour recovery time objective for complete destruction of a single Azure site (triple-site replicated) 

"In the event of a data center blowing up physically in a place, your site will be restored within 24 hours from the secondary sites," Liu assured attendees. 

Choosing PPM Software That Takes Security Seriously 

The $11 trillion annual cost of cybercrime isn't just a statistic; it represents real organizations suffering real consequences from inadequate security measures. For PMO leaders and transformation executives selecting management software for their portfolios, security should rank among the top evaluation criteria. 

As Liu emphasized throughout his presentation, adequate security requires a multi-layered approach. It starts with industry certifications and extends through secure development practices, continuous monitoring, supply chain risk assessment, and robust business continuity planning. No single measure provides complete protection, but a strategic combination of controls significantly reduces risks. 

For organizations in aerospace, defense, or working with US federal government contracts, the stakes are even higher. FedRAMP readiness isn't just a checkbox; it represents 12 months of rigorous evaluation against some of the most demanding security standards in the industry. 

Cora Systems' approach demonstrates what enterprise-grade PPM security looks like: independent certifications, 24/7 monitoring, isolated customer instances, regular penetration testing, and business continuity measures designed to keep operations running even in worst-case scenarios. For teams responsible for protecting sensitive project and portfolio data, these capabilities aren't optional; they're the foundation of trustworthy project portfolio management. 

Ready to see how Cora's security-first approach can protect your portfolio data? Contact our team to discuss your organization's specific security requirements and learn more about our FedRAMP-ready architecture. 
