SERVICE: HARD + HUMAN SKILLS TRAINING
Empowered a Technology Consulting Firm to Work With Project Managers to Prioritize Crucial Security Controls
Case Study Summary
When a global technology enterprise was hit by a security breach in mid-2019, the firm decided to implement a strategic initiative to reinforce its systems internally and bring their learnings to clients. The company created a cross-disciplinary team tasked with identifying and solving the core security problem. Leaders discovered that eight different security controls needed to be integrated into products to fortify them against hacks. But project managers (PMs) who were responsible for building security into products didn’t fully understand all of the controls, and as a consequence, failed to prioritize them in product development roadmaps. The firm engaged Turquoise to help PMs understand all aspects of the security controls and develop a user-centric method and process to help propagate a “security mindset” among the PMs, encourage compliance and reduce risk. As a result of the engagement, the organization experienced significant growth in full integration of security controls in its products.
The Challenge
Client: A Global Technology Consultancy
When a global technology enterprise was hit by a security breach in mid-2019, the firm decided to implement a strategic initiative to reinforce its systems internally and bring their learnings to clients. The company created a cross-disciplinary team tasked with identifying and solving the core security problem. The team discovered that eight different security controls needed to be integrated into products to fortify them against hacks. But project managers (PMs) who were responsible for building security into products didn’t fully understand all of the controls, and as a consequence, failed to prioritize them in product development roadmaps. The cross-disciplinary leaders were tasked with helping PMs understand all aspects of the security controls. They needed a user-centric method and process to help propagate a “security mindset” among the PMs, encourage compliance and reduce risk.
Analysis & Diagnosis
The technology organization engaged Turquoise Consulting to find and implement a solution. Turquoise launched the project with a series of user interviews to identify specific barriers that PMs faced in implementing security. The firm initially asked Turquoise to help organize an educational expo on security, to be attended by PMs from the firm’s international markets. But during the discovery and research phase, Turquoise quickly identified a less costly, more efficient strategy that combined workshops for technology and PM leaders, an online program for a wider PM audience and one-on-one coaching for executives. In addition, Turquoise would provide a “train the trainer” model so the organization could continue to advance the initiative after the engagement ended. When the project sponsors reviewed the plan, they agreed it was a better, more targeted approach.
The Solution
In Phase 1 of the project, Turquoise focused on the roll out of two of the eight controls as “proof-points,” to provide learning and the ability to pivot to ensure success for the other six controls. Turquoise framed the initial workshop as an experiment, so leaders would be more open and willing to take risks. There were numerous questions around how to ensure effective adoption and change behaviors around workflow and prioritization. Turquoise helped technology leaders craft compelling messages so that PMs could understand the tools, resources and processes needed to embed security controls into their products and reprioritize the work, positioning it at the top of roadmaps. Rather than creating messaging to mandate or coerce compliance, Turquoise designed an engaging online working session with the PMs and tech leads to develop “storyselling” skills -- storytelling with a call to action that people would more willingly adopt.
Rather than creating messaging to mandate or coerce compliance, Turquoise designed an engaging online working session with the PMs and tech leads to develop “storyselling” skills – storytelling with a call to action that people would more willingly adopt.
The Impact
The combination of leadership workshops, online training sessions and one-on-one coaching designed by Turquoise made a significant impact and delivered tangible value to the department and firm as whole:
Teams gained the space to unlock their creativity and expand their thinking, stretching everyone’s idea of what was possible.
Leaders came away from the sessions immersed in their audiences’ perspectives, with a deep understanding of the security blockers and enablers for the PMs and tech leads.
Leaders enhanced their skills in co-creative problem solving and developed a strategy and method to prioritize problems with clear action plans for implementation.
PMs refreshed their team dynamic, embracing the idea that individual success was deeply tied to the collective efforts of the group, and no one could succeed in isolation.
Leaders learned that guidance and education would be more powerful and effective than command-and-control tactics and used their training to create compelling storyselling around security.
Communication improved as cross-disciplinary leaders developed a shared operating language that enabled PMs to comprehend the urgency around security and prioritize it accordingly.
Leadership modified goals to be more realistic and feasible and came away with a clear plan to achieve them by the end of the year -- well ahead of the schedule they had presumed was possible.
Finally, Turquoise worked with PMs to create wireframes for a website so everyone could access a central platform that explained the security controls. The website was intuitively designed with multiple entry points so that people further along in the training could quickly access the information they needed to move forward without having to sift through material they already knew. The engagement gave the organization a robust process and set of tools for ideation, enabling leaders to approach challenges from a user-centric point of view in the future. As a result of the engagement, the organization experienced significant growth in full integration of security controls in its products.
Illustrations by Chris Nowak