Defining Cyber PMM Tactics, Techniques and Procedures (TTPs)
The Setting a Vision for Cyber PMMs post introduced the background behind why we should be thinking about vision at the outset. In short, it’s the best place to start any effort because we have to have a destination in mind, or we’d get lost quickly.
First things first – we need to define our standard tactics, techniques and procedures (TTPs), or as I like to call them – our Tetris shapes. Why? All indicators suggest we are heading into a future (or it’s already arrived) where AI assistants will be our trusty companions in executing routine PMM tasks. Cyber PMMs that embrace GenAI will become more productive; those ignoring GenAI will be left in the dust. Imagine having an always-on assistant that never gets tired, fully at your disposal to carry out any PMM task for you.
Need an example? Think along these lines: “Create a 500-word Product Brief using this template, and pull from this Messaging Brief for guidance.” But let’s not sugar-coat it—this won’t happen overnight. We have to start with process definition first. Notice how this prompt required an existing template for guidance. We have to train the assistants first.
We Need a Mr. Miyagi for Cyber PMMs
I’ll provide more information on the new GPTs feature from OpenAI in my next post since I’m training a Cyber PMM GPTs but it’s nowhere near ready yet. In order for me to train it I will first need to have standard processes to train on. It’s like being a Karate master and having a school with new students that need training. But if you don’t know how to throw a punch or do a roundhouse kick, it’s pretty useless to try and train them. Remember how the Karate Kid had Mr. Miyagi? We need a “Mr. Miyagi” for Cyber PMMs by first defining our processes.
The other reason building a ‘Miyagi’ is important is that PMM leaders have become more subjective in their definition of success. Very few managerial discussions use science to define quality Cyber PMM work. For example, if a Cyber PMM on your team sends a Slack message at 3am, or is working on the weekend, his manager might say, “wow, he’s really working hard.” But what if he just has terrible time management skills, is spending 70% of his time on a side hustle like building an AirBnB, and is actually a terrible manager? Way too often, appearing productive has been the definition of success. We need a Miyagi to put an end to this – crane kick style.
Yes, Cyber is “Special”
Now, you might wonder, “Can’t we just apply PMM processes from other industries?” Well, yes and no. I see well-intentioned PMMs from other industries sharing tips on LinkedIn that just don’t quite fit in the cyber world. It’s similar to the training courses I’ve done – while well-meaning, it seems to be unrealistic in terms of actual implementation on the job. It’s very rare to take a training course, and then actually apply it in Cyber. I wish it were that easy. Getting trained in Karate is great, but it probably won’t help you win a Kung Fu tournament.
Here’s the thing: cybersecurity is a unique industry beast with its quirks and idiosyncrasies. Sure, you might have templates that work like a charm in manufacturing, healthcare, or finance, but will they fly in cyber? Most likely, they won’t. I might be proven wrong on this after building more templates. Maybe IT has some more usable templates to draw insight from. But anyway, that’s not the point so please don’t think I’m saying any industry is better or worse here. We can borrow some ingredients from all standards to spice up our unique recipe. But lazily copying and pasting processes from elsewhere won’t cut it.
So, the first part of our vision is to set up standard Cyber PMM tactics, techniques and procedures that cover a wide range of tasks we handle. I call these our “Tetris shapes”, because as anyone that’s been in the game long enough knows, being a PMM is unpredictable and we never do things in an exact sequence. The shapes fall at random in an unpredictable way in many cases, and we have to be ready to fit them into a dynamic puzzle rapidly. On Monday we’re working on messaging; Tuesday we’re building an event keynote; Wednesday we’re briefing analysts; and on and on. No two days are alike. But in the end, the shapes should not change which should drive some predictability in terms of execution. There are ways to put definitions around our deliverables that define what good looks like. They all have a defined shape.
Defining Our Shapes
So what are these shapes? I am putting forward a list of places to start with these definitions, to be more fully fleshed out in the future:
- Market Understanding: Understanding the markets our products compete in is foundational to successful messaging. We need to define some processes required to perform research on market dynamics, customer challenges, and the latest trends. Much of this data is published so that we don’t need to contract this out and wait for the information from a third party. Let’s create a process that trains a GPT to generate a cyber market understanding in seconds, not weeks or months.
- Persona Definitions: This is about creating standard persona definitions instead of carrying out the same drawn out PPT refresh exercise every year. Is it really necessary to contract this out to an agency and spend loads of cash? “Here’s a Security Analyst persona document, we’ll take your $15,000 now.” Those days are (or should be) over. All persona definitions are widely available these days and the actual personas are publicly sharing a ton of information on social platforms, so we don’t need primary research on them. I wonder how we can create and leverage a scalable method for persona definitions instead of waiting 3-4 months for a PowerPoint to be polished off year after year.
- Persona Prioritization: Next, we should include a process for mapping a product to a persona priority score across various predefined personas, from CISOs to Compliance Managers to SOC Directors to Security Engineers to Security Analysts. Which persona are you specifically talking to? This will impact the rest of what you do. I must give a shout to the training team at Forrester, Inc. (or perhaps the originators were from SiriusDecisions, not sure) for training me on a useful Persona Prioritization Matrix exercise that I have found useful in a practical way at work. We need something like this, just not in a static document – we need to think about training a GPT to produce persona prioritization based on a simple prompt.
- Messaging Templates: This will define a library of templates that can tackle any messaging situation, whether it’s about messaging a product, a feature, or an entire portfolio. These should be complete with target personas, word counts, layouts, and value pillars to steer content production in the right direction. Also, these should be based on a 3×3 messaging template – the top 3 customer challenges, the 3 solutions we offer to solve each challenge, and 3 value statements that summarize our proposed value. The output should be 3 value pillars that become a message source for your product. I have found the “law of 3’s” to be the most effective messaging technique out there, and I’m happy to be proven wrong if there are better methods.
- Message Testing: It’s one thing to think you have a great message when it’s just you and the document, and you get to pat yourself on the back while alone. But wait until you start sharing it – that’s when the “fun” starts. Aside from the mounds of edits you’ll get internally, we all know the fun process of meeting industry analysts and having them tear you apart in front of your peers. Instead, a GPT could be trained to do message testing at a fraction of the time, and a fraction of the heartburn! Do we really need to schedule calls with analyst firms if we can just train a GPT to provide messaging feedback by taking the stance of, “you’re a sales executive with very little time to spare, tear apart my messaging.” And, “you’re an expert industry analyst from Gartner, do your best to criticize my messaging and be as brutal as Gordon Ramsay. And yes, I want you to use a British sense of humor while doing this.” See where this is heading? Let’s get creative here.
- Buyer’s Journey Maps: Before jumping into content production, we have to understand what buyer’s need. What do they need to read, listen to, watch or attend? What data do you have to support this mapping? We all know that this is best defined within a a Buyer’s Journey Map (again, credit to the experts that invented this process) but what is the easiest way to create this? Many times, I’ve seen these maps treated as a luxury on the job. Situations look like this, “hey team, I created a buyer’s journey map for my product and defined a plan that maps to actual buyer needs.” Responses after scanning the doc for 3 seconds: “oooh, nice map – but you really didn’t need to do that. Get back to work!” When aligned to persona prioritization you will have a model that aligns your target persona with content that they will use to move farther along the journey. I don’t see how this isn’t worth the time and effort as a PMM. It’s amazing to me how often we neglect this process – is it because it’s too impractical? Or maybe we just need to figure out how to simplify it.
- Content Templates: Once market understanding, messaging, testing, persona prioritization and buyer’s journey mapping are completed, then what? We can define a content mix with each content item having a template that lays out word counts, layout, and design guidance. Imagine generating an entire mix of content in a single prompt? “Generate a content mix for Product XYZ based on all the updated information in Source XYZ.” Let’s aim for this, but I’m not holding my breath until I can actually see this in action.
- Production Workflows: I don’t see a clear path yet to transforming GPT outputs into creative outputs, but I haven’t spent enough time researching this yet. Today, this is where content actually gets generated, whether directly using an agency, directly in Adobe’s suite, or via tools like Canva. The end goal is to define a workflow that moves a Cyber PMM away from wasting time and money, and burns as little calories as possible in the actual production process. We can do better here. I’m pretty intent on figuring this one out in particular because I have personally gone through so many production cycles and been astounded at the time and costs associated with content production, that I think this will be a game-changer if we can figure out the TTPs around this and invent a new production process.
This really is like a complex game of Tetris – just with a larger screen, more shapes, and more obstacles. Defining our processes is like defining the shapes that move down the screen. There are only a limited number of shapes we can play with, but we should define those shapes. For you Lego fans, it’s like playing with Legos. For musicians, it’s your set of notes. For carpenters, it’s the set of materials and tools you have. For chemists it’s the periodic table. And on and on. Each profession has some set of limited variables to work with. Why should it be different for Cyber PMMs? Let’s start defining the variables we work with.