Roadmap meetings: Turn three conversations into one

Karl Palachuk

Most clients have at least three distinct personality types working in their business. As a service provider, you end up working with all three – sometimes toward different goals. I always advise managed service providers to hold “roadmap” meetings with clients to plan out their technology future and make sure everyone’s in agreement on where you’re going.

Roadmaps are also a way to make sure that the various personalities at your client are all agreed on some rules around technology. Here’s an example from a very real client of mine. The names have been changed . . . blah blah blah.

The challenge

Alice is in charge of finances, personnel records, payroll, and pretty much all of the sensitive data in the company. She’s also our primary contact and the de facto decision maker. Her boss will make her justify a decision, but he’s going to do whatever she says.

Alice isn’t sure about the security of moving to a cloud-based backup solution. “How do we know our data’s secure? How come I’ve never heard of this company? How is our data separated from everyone else’s? Is it encrypted at rest? Is it encrypted while moving from here to there? Who controls those encryption keys? Why is it more secure than our current backup?”

And so forth. You get the idea here: Security; security; security.

Bill is in charge of sales for the big annual show. He’s constantly sending and receiving large files, manipulating them from home and work, and making changes. All he cares about is speed and access to his files.

Bill gets a new machine and wants Dropbox installed on it. “Why,” I ask. Because he puts all of his working files on Dropbox and wants easy access from home or work. I try to explain that he’s already got a drive on the server, accessible through a VPN from home or work. And he has access to the company’s SharePoint site if he wants it. Both are backed up. Both are secure. Both are company-approved, and a free Dropbox account is not.

Bill says just do it anyway.

Chelsea has to access her desktop computer remotely in order to use a company line of business application that doesn’t work well over terminal server or VPN. So we set her up with a Team Viewer access that allows her to get to her desktop anytime.

But she doesn’t like the long, complicated passwords. Her favorite password is five letters. She’s fine with the “hassles” of passwords, just not long ones.

This is not an unusual scenario in the 21st century. It’s a little like Goldie Locks and the Three Bears. One person wants lots of security, one wants some security, and one wants very little security. They just want to do their jobs.

But you’re stuck with the job of making all three of them happy, if that’s possible. And here’s the hard truth: It may not be possible. At some point there needs to be a company understanding about the minimum level of acceptable security and the optimal level of security.

If Alice has her way, Bill will put everything on the server (no matter how slow), with very complex passwords. And you can be sure that Chelsea will have a password of 12 random characters just to teach her a lesson. Bill will simply do what he wants without permission, if he thinks it’s justified. Chelsea will change her password to something easy to remember and guess.

Enter the Roadmap Meeting

Roadmap meetings are quarterly meetings to look at how things are going and talk about where they’re going in the future. Is the company growing or shrinking? Are there major events coming up? Are there new technologies they should be aware of?

And… what are the company policies around technology? Where are employees allowed to store data? How will this be enforced? What are minimum password policies? How are passwords stored? Which outside software and services are allowed? How do these fit with the company’s policies around security? If an employee leaves (or takes an extended leave of absence), how do you document where data is stored and which services are in use?

I’m not going to spell out a “solution” to the scenario above. That’s not the point. There are many solutions. For one company, the solution is to put everything on the server and send all connections through the server. Period. For another company, a wide variety of options will be used, but each will be monitored and documented. For some companies, the IT consultant will say nothing about what they find. For others, the consultant will move all data to the server without asking and has total enforcement authority. Most companies are in the middle somewhere.

The Roadmap Meeting is an ideal place to talk about these things. Ideally, the conversation will take place in the abstract, before any specific individuals request exceptions to the rules. Some of these policies, like password complexity, are easy to implement. You simply ask a client how long passwords need to be, how often they expire, whether they need to be complex, and how many passwords will be remembered by the system.

Establishing policies

Other policies are a little more difficult to anticipate. There are dozens of remote storage and remote access options. How do you determine which are allowed? Just like the BYOD (bring your own device) question, you have to figure this out before people start uploading company data all over the Internet. Is there an approved list of vendors? How does it change? How will it be monitored?

As you can see, this isn’t really a “technology” discussion. It’s a discussion of company policies that involve some element of technology. Your role as the outsourced CIO is to guide these discussions, help the client make good choices, execute the decisions, and document all of it.

There are many advantages to holding regular Roadmap meetings with clients. Perhaps the greatest is to help create good policies before they’re needed. That way, when a client asks how to handle something, you can say, “Well, your company policy says . . ..”