Capstone: Remediation Roadmap ============================= Slide 1: Capstone: Remediation Roadmap Narration Anna: Welcome to the remediation roadmap workshop—the moment where all that red-team adrenaline turns into a plan people will actually follow. Greg: Exactly, and we’re keeping it grounded in Sarah’s startup so you can see how each idea plays out in a real company, not a textbook fantasy. Anna: By the end you’ll have a reusable template, plus a few jokes to disarm tense stakeholders when the topic turns to breaches before breakfast. On-screen text Capstone: Remediation Roadmap Take-home planning and reflection prompts Note: - 30 seconds. Welcome learners and flag that this session produces a tangible plan they can reuse. Slide 2: Why a remediation roadmap? Narration Anna: Let’s kick off with the “why.” Without a roadmap, all those red sticky notes become that gym membership you bought in January—great intentions, zero follow-through. Greg: And Sarah’s investors don’t care about sticky notes; they want to know who’s fixing the unlogged database access and when it’ll be safe to brag about it in board meetings. Anna: Stick with us and we’ll turn the chaos into sequenced, funded work everyone can champion. On-screen text Why a remediation roadmap? Without a roadmap, your security findings become that gym membership you bought in January—great intentions, zero follow-through. We translate red-team evidence into funded, sequenced improvements that Sarah can show to investors, auditors and her customer success team without scrambling. The document also gives engineering, ops, GTM and finance a common script so nobody wonders who is fixing the production database exposure or how much headcount is needed. Finally, the roadmap anchors reflection: we capture what surprised us, which assumptions fell over, and where we must keep experimenting so the capstone evolves into an ongoing learning habit rather than a once-a-year panic drill. Note: - 2 minutes. Emphasise the “why” and share the gym membership line with a smile to break the ice. Slide 3: Inputs to capture before planning Narration Anna: Before we rush into solutions, consolidate every artifact from the drill—risk rankings, quotes from the red team, that horrifying clip where customer support browsed production. Greg: Right, the richer the inputs, the easier it is to answer executives later without scrambling for context. Anna: Take a minute now to flag unanswered questions for the MSP, SOC or legal folks so nothing slips between cracks once we leave the room. On-screen text Inputs to capture before planning Start by consolidating everything we already surfaced: top risks across people, process, technology and vendors; severity, likelihood and blast-radius notes from each tabletop; and the pod’s maturity scores. Add the qualitative color too—quotes from the red team, customer anecdotes, or the moment we realised customer support can reach production data with no logging. Log open questions for MSPs, SOC analysts, legal counsel and finance so that diligence follow-ups have named owners. The more complete this input pack, the less time we spend reinventing context when an executive, auditor or potential acquirer asks for proof that we understand our own gaps. Note: - 2 minutes. Encourage teams to screenshot findings and paste links rather than retype everything. Slide 4: Structuring the backlog Narration Anna: Let’s carve the backlog into Stabilise, Reinforce and Scale so the urgent fixes don’t drown out the long-term bets. Greg: For Sarah that means Stabilise covers MFA and database access, Reinforce adds automated backup testing, and Scale explores a SIEM pilot. Anna: Capture owners, collaborators and success metrics while you go—it saves so many “who’s on this?” messages later. On-screen text Structuring the backlog We organise the backlog into three swimlanes. Stabilise handles the immediate fires—enable MFA for all admin accounts, patch the critical vulnerabilities from the last 30 days, refresh the on-call contact tree. Reinforce locks in better habits: implement automated backup testing, stand up a vendor security review checklist, publish post-mortem templates. Scale funds the longer-term bets such as deploying a SIEM, negotiating enterprise support with key SaaS vendors, or rolling out company-wide security awareness training. Each item lists an owner, collaborators, budget cues and a success metric (e.g., “Security Lead, partner with Support Manager, target zero unlogged prod access within 45 days”). Sarah can now see how actions align to product delivery, customer support and compliance obligations. Note: - 3 minutes. Ask teams to label each backlog item before moving on. Slide 5: Prioritisation & due diligence prompts Narration Anna: Scoring time. Rank impact, regulatory exposure, customer promises and effort—don’t just default to “critical” for everything. Greg: Yeah, when everything is critical, nothing gets done. Ask what your most skeptical investor would grill you on and let that sharpen the order. Anna: Capture the due diligence questions right beside the work so the finance or legal follow-ups have a clear home. On-screen text Prioritisation & due diligence prompts Prioritisation blends rigor and pragmatism. Score each backlog item for business impact, regulatory exposure, customer promise, effort and sequencing constraints. When in doubt, ask, “What would our most risk-averse board member or biggest customer interrogate?” That lens often bumps data-handling controls higher than a cool automation experiment. Capture due diligence prompts alongside the work: “How do we verify MSP patch compliance?” “Where do we store customer PII backups?” “What’s the cost of SOC coverage after hours?” If everything is “critical,” nothing is—your startup can’t fix all the things in week one, no matter how caffeinated engineering feels. We name dependencies early so finance, legal and platform teams have time to respond. Note: - 3 minutes. Invite pods to draft one diligence question per backlog item. Slide 6: 30-60-90 action horizon Narration Anna: Let’s layer in time horizons—what lands in the first 30 days versus 60 or 90 so the plan feels achievable. Greg: In Sarah’s case the “30” bucket is the production database fix and MFA clean-up, while the “60” bucket covers runbook refreshes and due diligence trackers. Anna: Exactly, and anything needing contracts or new tools probably lives in the 90-day lane so leaders see budget bumps coming. On-screen text 30-60-90 action horizon Time-boxing keeps the plan believable. In the first 30 days we chase the “keep Sarah out of the headlines” tasks—close MFA gaps, restrict prod database access, document emergency contacts, and send investor-ready summaries. Days 31-60 focus on process: refresh runbooks, formalise tabletop cadences, stand up a due diligence tracker in ServiceNow or Airtable. Days 61-90 fund the strategic moves like piloting a SIEM, renegotiating SOC contracts or aligning resilience OKRs. Each action notes prerequisites—purchase orders, legal reviews, headcount approvals—so delays are transparent. This horizon also feeds the budget conversation: executives see when cash leaves the bank and what risk drops as a result. Note: - 3 minutes. Highlight that teams can reframe to 15-30-45 if that cadence matches their sprint rhythm. Slide 7: Ownership, accountability & communication Narration Anna: Ownership time—every item needs an executive sponsor, a delivery lead and supporting squad, plus a ritual where status gets checked. Greg: Otherwise we’ve just made someone captain of a ship without handing them the steering wheel, and Sarah’s team doesn’t have time for that. Anna: Build the communication plan now—think quick Loom updates, investor-ready bullets and which customer advocates should preview changes. On-screen text Ownership, accountability & communication Assign every item an executive sponsor, a delivery lead and a supporting squad. We document where progress will be reviewed—Monday ops stand-up, monthly security council, quarterly board pack—and which artefacts count as “done” (tickets, policy diffs, evidence screenshots). Customer-facing voices stay in the loop so rollout comms land well. And yes, assigning ownership without accountability is like making someone captain of a ship but not giving them the steering wheel. We also script how Sarah will brief investors or clients: short Loom updates, dashboard snapshots, and proactive notes about trade-offs to keep trust high. Note: - 3 minutes. Encourage teams to rehearse their investor one-liner about progress. Slide 8: Risk communication playbook Narration Anna: Now let’s talk risk communication—executives need a one-page story that connects technical jargon to customer impact, cost and compliance. Greg: So for Sarah we highlight that the database exposure risks GDPR fines and investor confidence, then pair it with the mitigation plan and price tag. Anna: Practice saying “We eliminated X risk this month; Y is next in line” so you can answer “Are we safe?” without bluffing. On-screen text Risk communication playbook Security storytelling matters. Start with an executive summary that translates tech jargon into customer impact, cost exposure and compliance obligations. Use a simple heat-map or RAG dashboard to highlight where Sarah’s team is burning risk down. Pair every finding with a proposed mitigation, owner and estimated cost so leaders are choosing between options, not drowning in problems. Have a one-page leave-behind for investors with the three biggest risks, financial implications, and the date they will hear the next update. Rehearse how you will answer, “Are we safe today?”—the honest response anchors on trend lines (“We eliminated unlogged prod access this month; phishing resilience is now our top risk”). Note: - 3 minutes. Suggest teams screenshot dashboards or draft them in FigJam/Canva quickly. Slide 9: Change management tactics Narration Anna: Change management is where good plans go to live or die, so map the stakeholders and what they secretly worry about. Greg: For example, engineering fears surprise workloads, support wants proof customer comms won’t break, and finance wants to see cost avoidance. Anna: Meet them where they are with Loom explainers, office hours and training so adoption beats compliance theater. On-screen text Change management tactics Even the best roadmap fails without hearts and minds. Start by mapping stakeholders—engineering, support, sales, finance, MSP partners—and their likely worries. Prepare tailored messaging: support hears how tighter access protects customers, finance sees the cost avoidance, engineers get clarity on workload. Anticipate resistance (“Do we really need another approval step?”) and decide where to flex. Use lightweight enablement like five-minute Loom walkthroughs, office hours and quickstart guides. Pair policy changes with training commitments so people feel set up to succeed. Celebrate early adopters publicly, and give laggards a path to catch up without shame. The goal is adoption, not compliance theater. Note: - 3 minutes. Prompt pods to script one message per stakeholder group. Slide 10: Measurement, reporting & celebration Narration Anna: Measurement keeps momentum, so set up a dashboard—even if it’s Google Sheets—that tracks risk burn down, spend and blockers. Greg: Celebrate the green lights too; ring a Slack bell when Sarah’s team locks down the prod database or crushes a diligence interview. Anna: And when something slips, log the lesson learned and next experiment so you don’t lose trust with leadership. On-screen text Measurement, reporting & celebration What gets measured gets maintained. Stand up a lightweight dashboard—Airtable, Notion, ServiceNow or even Google Sheets—that tracks status, burndown of risk scores, spend versus budget, and outstanding dependencies. Define leading indicators (MFA enrolment rate, time-to-close vendor tickets) and lagging ones (reduction in unlogged prod access, MTTR). Schedule cadences: weekly squad syncs, monthly executive readouts, quarterly retros. Close the loop by documenting lessons learned and celebrating wins—ring a Slack bell when Sarah’s team retires a high-risk finding or nails a due diligence interview. When setbacks happen, log what we learned and the next experiment so momentum is never lost. Note: - 3 minutes. Show example dashboards if available; otherwise describe metrics in detail. Slide 11: Reflection prompts to close the capstone Narration Anna: Reflection isn’t fluff—capturing surprises and broken assumptions shows investors you’re learning, not just reacting. Greg: Let’s pose it to the room: what did Sarah’s team get wrong about vendor coverage, and what support do they need to keep momentum? Anna: Encourage them to log those answers with the backlog so leadership sees the human side of resilience work. On-screen text Reflection prompts to close the capstone End with curiosity. What surprised us about our resilience posture compared with expectations? Which assumptions about vendors, tooling or people broke under pressure, and what did that teach us about the startup’s culture? How will we maintain psychological safety while still holding people accountable? Where do we need leadership support—budget, headcount, MSP upgrades—to keep the roadmap alive? Encourage pods to capture these reflections alongside their backlog; investors and auditors love to see that learning loop, and it keeps the team honest about progress. Note: - 2 minutes. Invite a quick round-robin share from each pod. Slide 12: Workshop & take-home assignment Narration Anna: Time to build—open the template and draft Sarah’s roadmap with five concrete actions, metrics and a review date. Greg: Don’t forget a mini risk register entry and an executive summary paragraph; those pieces make the homework instantly useful. Anna: We’ll circle the room, answer questions, and line up five-minute readouts for next session—one risk retired, one still nagging, one follow-up call booked. On-screen text Workshop & take-home assignment Before leaving the room, each pod drafts a sample roadmap for Sarah’s startup using the provided template. Document the context, top five actions, success measures and next review date. Add a mini risk register entry for at least one item, plus an executive brief paragraph that could drop into a board deck tomorrow. Schedule 5-minute readouts for the next session—one risk retired, one still open, one open question for an MSP or legal partner. Homework: line up follow-up interviews, update the due diligence tracker, and bring the lessons to your next investor update or client renewal call. Note: - 3 minutes setup + 15-minute working time. Circulate to coach teams while they build their draft. Slide 13: Templates & companion resources Narration Anna: Quick reminder on resources—you’ve got the backlog spreadsheet, executive summary template and the risk register from earlier sessions. Greg: Plus links to ServiceNow, Jira or Linear examples, and the Part 5 communication plan so cadence rituals stay aligned. Anna: Bookmark them now; nothing kills momentum like hunting for a template five minutes before an investor call. On-screen text Templates & companion resources You have access to a remediation backlog spreadsheet, a one-page executive summary template, and a risk register pulled from earlier capstone materials. Reuse the tabletop maturity rubric to baseline progress after 30 and 90 days. For tooling inspiration, check ServiceNow for incident tracking, Jira or Linear for task execution, and Okta for MFA rollout tracking. Link your roadmap to the earlier vendor diligence checklist so Sarah can answer investor questions with confidence. Bookmark the communication plan template from Part 5 to keep cadence rituals aligned. Note: - 2 minutes. Show where templates live in the shared drive or LMS. Slide 14: Key takeaway Narration Anna: Let’s land the plane—a good roadmap keeps the capstone energy alive and proves progress with evidence. Greg: Publish your draft within 48 hours, celebrate the first win loudly, and be honest about the next big risk on deck. Anna: Do that and Sarah’s team—and yours—will keep improving long after the exercise ends. On-screen text Key takeaway A remediation roadmap turns the capstone from a one-off adrenaline rush into a continuous improvement flywheel. By sequencing actions, naming owners, capturing diligence questions and communicating clearly, teams leave ready to advocate for investment and prove progress with evidence. The roadmap also sparks better habits—celebrating wins, learning from setbacks, and keeping stakeholders looped in—so Sarah’s company (and yours) keeps resilience front of mind long after the workshop ends. Note: - 1 minute. Close with a call-to-action: publish the roadmap draft within 48 hours.