Strategic Planning

From Human Firewall to Security Partnership

How Strategic Assessment and Collaborative Roadmapping Resolved a Fundamental Program Contradiction

Global Manufacturing
~10,000 employees
3-hour session
December 2024

The Challenge

A global manufacturing organization had recently developed a comprehensive cybersecurity strategy with four strategic initiatives, one focused on driving a culture where "cybersecurity is everybody's responsibility." This represented forward-thinking leadership commitment to security transformation.

However, a careful review of their foundational documents revealed a significant tension. Their security awareness policy, approved just six months earlier, positioned employees as the "human firewall" with strong emphasis on individual accountability, consequences for failures, and defensive responsibilities. The strategy document called for building a "security partnership culture" through collaboration, empowerment, and shared ownership.

Both documents were well-intentioned and addressed legitimate organizational concerns, but they were fundamentally pulling in different directions. The policy reflected compliance requirements and audit findings. The strategy reflected research on sustainable behavior change and cultural transformation. Nobody had explicitly asked whether these approaches were compatible or how they would coexist in practice.

The Discovery

During the initial engagement, a systematic review of the organization's documentation surfaced this contradiction. When brought to the attention of the VP of Cybersecurity, her response was telling:

"I've been feeling uncomfortable about something in how we're approaching this, but I couldn't quite articulate what it was. I think you just named it for me."

This represents the classic value of an external diagnostic perspective. Internal teams are often too close to their own situation to see contradictions clearly. They wrote both documents to solve real problems at different times, but nobody had the designated responsibility to step back and ask how all the pieces fit together.

Key Insight

Apparent strategic contradictions often aren't contradictions at all—they're incomplete frameworks that need to be developed more fully and integrated more thoughtfully.

The Collaborative Roadmapping Session

Once the tension was identified, the question became: could accountability and partnership coexist, or did the organization need to choose one direction over the other?

Strategic tensions often look like binary choices when discussed abstractly. But when you start mapping out what a program actually looks like in practice—with specific initiatives sequenced over time—the apparent contradiction often dissolves. A three-hour collaborative working session with the core security awareness team used visual roadmapping to work through the integration systematically.

Building the Program Architecture

The session began by identifying major program components: strategy and vision, policies and standards, training delivery, awareness campaigns, accountability framework, metrics and measurement, stakeholder engagement, and communication strategy. Each became a swimlane in the roadmap.

The team then organized work using a "Crawl-Walk-Run" maturity model they were already familiar with, defining what each program component would look like at different maturity stages over a two-to-three-year horizon.

The Floor and Ceiling Breakthrough

As deliverables were added to the crawl phase, an important insight emerged. The team initially wanted to load the first phase entirely with accountability mechanisms—phishing tests, failure tracking, consequences documentation. These felt urgent because they related to risk and compliance.

A pause and reflection question surfaced the cultural implication: if the entire first phase delivered only accountability and consequences, what message would that send? The team realized they would be building exactly the "human firewall" program, undermining the partnership strategy before it even started.

Partnership elements were added to the same phase—positive awareness campaigns, security tip programs, recognition mechanisms for people who report suspicious activity. Not instead of accountability mechanisms, but alongside them.

Team Realization

"The accountability framework sets the floor—it addresses egregious failures and creates baseline expectations. The awareness and recognition programs raise the ceiling—they focus on capability-building and engagement. They're not contradictory. They're complementary."

Surfacing Hidden Dependencies

The visual roadmap revealed dependencies that weren't apparent from discussion alone. When someone suggested implementing role-based training for IT staff in the crawl phase, a clarifying question emerged: what specific security standards would this training cover?

The standards weren't documented yet—they existed as scattered guidance documents and tribal knowledge, but not in a comprehensive form that training could be built from. The roadmap showed the dependency chain visually: role-based training required documented standards, which required finalized policies.

This forced a strategic decision: accelerate documentation work to enable earlier training, or accept that role-based training belonged in the walk phase after foundational documentation was solid. The team chose realistic sequencing over rushed activity.

VP's Observation

"We've been confusing urgency with priority. Role-based training feels urgent because IT is high-risk. But the roadmap shows us the actual priority is getting foundational documentation right first."

Executive Alignment

When presented to executive leadership, the visual roadmap became a powerful alignment tool. The CFO, concerned about accountability, could see specific mechanisms in each phase—automated tracking in crawl, graduated response framework in walk, integration with HR processes in run.

Because these elements were clearly visible and sequenced, he could evaluate their robustness without requiring trust in narrative explanations. His conclusion: "You're not getting soft on accountability—you're making it more sophisticated. And I can see how the recognition programs work alongside this rather than contradicting it."

The Results

3 Hours

From confusion to clarity in a single working session

8 Components

Integrated program architecture spanning all key areas

3 Phases

Crawl-Walk-Run progression with clear deliverables

Full Buy-In

Executive alignment on integrated approach

Tangible Deliverables

Key Takeaways

1. Diagnosis Precedes Resolution

The most valuable initial contribution wasn't facilitation—it was identifying a strategic contradiction that internal teams couldn't see because they were too close to their own documents. An external diagnostic perspective surfaced a tension that had been creating ambient confusion without being explicitly recognized.

2. Visual Roadmapping Enables Different Conversations

Abstract strategic discussion couldn't resolve the accountability-partnership tension. Making it concrete—specific deliverables, realistic timelines, visible dependencies—enabled insights that wouldn't have emerged otherwise. The roadmap didn't provide answers; it made the right questions visible.

3. Apparent Contradictions Often Reflect Incomplete Frameworks

The tension between human firewall and security partnership dissolved once the team could see how accountability mechanisms could be redesigned to support partnership rather than undermine it. Both approaches contained important truths that needed thoughtful integration, not binary choice.

4. Dependencies Drive Realistic Sequencing

Distinguishing between what feels urgent and what's strategically prior requires seeing how work actually sequences. Visual dependencies forced more realistic planning—training couldn't happen before standards were documented, regardless of how urgent it felt.

5. Collaborative Planning Creates Ownership

Building the roadmap together rather than presenting a pre-determined plan created shared understanding and ownership. The team experienced the thinking process, not just the conclusion, which meant they could explain and defend the approach when challenged.

The Broader Lesson

Strategy becomes actionable when you can visualize dependencies, model scenarios, and collaborate on sequencing decisions. The gap between "here's where we want to go" and "here's what we do on Monday" is much larger than it appears because strategy lives at a level of abstraction that obscures the messy reality of coordinated execution.

Visual roadmapping doesn't just document plans—it enables a different quality of strategic conversation because it makes abstract concepts concrete, surfaces hidden assumptions, and creates shared understanding of what's being built together.

In this case, three hours of collaborative roadmapping resolved a fundamental strategic tension that could have undermined years of implementation effort. That's the power of making strategy visible.
