Tech News Blog

Connect with TECH NEWS to discover emerging trends, the latest IT news and events, and enjoy concrete examples of why Technology First is the best connected IT community in the region.

  • 10/16/2025 2:08 PM | Marla Halley (Administrator)


    As cybersecurity threats grow more sophisticated, the U.S. Department of Defense (DoD) has taken decisive action to protect sensitive data across its supply chain. The Cybersecurity Maturity Model Certification (CMMC) is now embedded. For organizations in the Defense Industrial Base (DIB), this is not just a regulatory shift—it’s a strategic imperative.

    Why CMMC Matters

    CMMC is a tiered certification framework designed to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Whether you're a prime contractor or a subcontractor, if you handle either type of data, you must comply.

    The program includes three assessment levels:

    Level 1: Annual self-assessment for FCI.
    Level 2: Self or third-party assessment for CUI.
    Level 3: Government-led assessment for highly sensitive CUI.

    Why Compliance Is Urgent

    The final CMMC rule (32 CFR Part 170) took effect December 16, 2024, and the acquisition rule (48 CFR Part 204) becomes enforceable November 10, 2025. Non-compliance can result in:

    • Disqualification from DoD contracts.
    • Legal risks under the False Claims Act.
    • Reputational damage.

    Contractors must affirm continuous compliance in the Supplier Performance Risk System (SPRS), and all requirements flow down to subcontractors.

    Building Your Compliance Roadmap

    Achieving CMMC compliance is a journey and is not a point-in-time process. Breaking this workload down into actionable steps is critical to maintaining focus. Here’s a phased approach:

    1. Understand the Framework:

    • Familiarize yourself with CMMC’s structure, domains, and practices. Map requirements to NIST SP 800-171 controls, and clarify whether your organization handles FCI, CUI, or both.
    • Another critical element is to review cloud providers and other connected systems and begin identifying shared responsibilities through a Shared Responsibility / Customer Responsibility Matrix.

    2. Readiness Assessment:

    • Determine your required CMMC level. This can be done through a review of your current contracts or through a conversation with your contract officer.
    • Review your current policies, procedures, and technical configurations. Documentation is key in achieving and maintaining CMMC compliance.
    • Conduct a gap analysis to identify areas needing improvement. Engaging with professionals who can provide guidance and expertise is crucial to help identify true gaps and to align business processes

    3. Planning & Resourcing:

    • Develop a Plan of Action & Milestones (POA&M) to address gaps. This should be done at the objective level. This should also include prioritizing and budgeting for remediation.
    • Assign clear roles, define workflows, and identify necessary technology. Having a project manager or subject matter expert assigned to your compliance journey is essential.
    • Engage with certified experts and ensure internal ownership of compliance. The implementation of controls and objectives can be confusing. Having an expert who can give you advice and solutions will ensure that your interpretation of how you are meeting the controls does not cause you issues when it comes to an official assessment.

    4. Implementation:

    • Update policies and procedures. Documentation is key in achieving compliance. Having clearly documented policies and procedures that address specific controls is necessary. Engaging with policy experts to ensure solid documentation is highly recommended.
    • “Document what you do, do what you document”
    • Enforce access controls. A key component of CMMC compliance is ensuring that only authorized users have access to the system and, furthermore, have access to CUI.
    • Deploy technical safeguards like encryption, a SIEM, MFA and endpoint protection.
    • Establish incident response and change control processes. Make sure that these processes are followed and that there is an audit trail so that the assessor can be provided with evidence.

    5. Continuous Monitoring:

    • Treat compliance as an ongoing effort. This includes documenting reviews, auditing processes, defining audit logs and audit review processes, and constantly ensuring that documentation is in line with implementation.
    • Use tools like SIEM and other alerting mechanisms to assist with audits of controls and objectives.  
    • Keep your POA&M updated as risks to your environment and compliance posture evolve.
    • Avoid superficial compliance and conduct mock assessments to uncover gaps.

    Preparing for the Assessment

    • Don’t just check boxes—tell a defensible story. Your System Security Plan (SSP), POA&M, and supporting documentation should clearly demonstrate how controls and objectives are implemented and enforced.
    • Use real-world examples to show how controls are implemented. Be prepared to guide the assessor through your implementation and compliance.
    • Conduct mock assessments to uncover gaps before the official evaluation. It is always good to check with designated experts to be sure you are in alignment. Contracting with a C3PAO (Certified 3rd Party Assessment Organization) to conduct a mock assessment before your official assessment will allow you to correct any known deficiencies before they are officially recorded.
    • Embed compliance into daily operations through automation and regular staff training. CMMC compliance is a culture shift for the entire organization.

    Real-World Lessons

    A case study from ProStratus highlights the value of a structured approach:

    • Conducting a thorough gap analysis and building a tailored POA&M.
    • Embedding compliance into daily operations and culture.
    • Ensuring that documented policies and procedures are clear, outline “actual” implementations, and are used throughout the organization.
    • Going into the assessment able to prove all 110 controls and 320 objectives. You should not go into the assessment with a POA&M.

    Common Pitfalls

    • Over-reliance on generic templates
    • Neglecting documentation
    • Lack of internal ownership
    • Treating compliance as a one-time project
    • Trying to complete this journey alone.

    Success Factors

    • Leadership buy-in. A C-Level champion is absolutely necessary for success.
    • Clear documentation that identifies addressed controls and objectives.
    • Proactive security culture that addresses ALL employees and avoids siloing security and compliance to a “team.”
    • Treating compliance as a strategic advantage. The amount of time and energy that is necessary for achieving CMMC Level 2 is enormous, but this is also an opportunity to set your organization apart from competitors and assure primes and officiating bodies that you are serious about protecting sensitive data.

    Bottom Line:
    CMMC compliance is not just a regulatory hurdle—it’s an opportunity to strengthen your organization’s security posture and stand out in the defense contracting space. Start early, build a culture of compliance, and leverage expert guidance to ensure success.

    ###

    About the Author

    ProStratus is a CMMC Level 2 certified managed security service provider, delivering secure IT solutions across the Defense Industrial Base. Thomas Saul is the Director of Security and Compliance for ProStratus and is a Certified CMMC Assessor (CCA) who specializes in helping organizations operationalize compliance and building cybersecurity into daily operations.

  • 10/16/2025 2:03 PM | Marla Halley (Administrator)

    Navigating the Shift to Smarter, Self-Running Experiences

    Customer experience, or CX, is the sum of every interaction a customer has with your brand, from the first app notification to the final thank-you email. It's not confined to call centers; it's the seamless thread weaving through every touchpoint in a business, shaping loyalty in an era where expectations soar. Imagine a world where these experiences don't just react to needs. They anticipate them, resolve hiccups before they arise, and evolve effortlessly without endless human intervention. That is the autonomous CX landscape on the horizon, where AI doesn't replace people but amplifies them, touching every corner of operations in retail, finance, healthcare, education, and beyond. As industries race toward this future, four foundational pillars—strategic vision, quality assurance, training rigor, and mechanical integration—stand out as the blueprint for success. This is not just theory. It is an unfolding story of transformation, from today's reactive support to tomorrow's predictive powerhouses across all customer-facing channels. Let's dive in, exploring how these pillars build resilient, engaging journeys that keep your audience hooked and your operations ahead.

    Pillar 1: Strategic Vision, Charting the Course Beyond the Budget

    Every great shift starts with a map. In the rush to AI, too many leaders fixate on tools and costs, missing the bigger picture: Where is your CX headed in an autonomous era? Strategic vision demands asking bold questions. How will AI evolve your client interactions across apps, in-store visits, and virtual consultations? What seamless experiences will set you apart by 2030?

    Picture customer hubs evolving from fragmented silos into dynamic ecosystems, where normalized, profiled information fuels multi-agent systems. Front-line AI handles routine queries in chatbots or kiosks, escalating to specialized "supervisors" that tap deeper insights, handing off to humans only when nuance calls for it. This is not about slashing expenses. It is about directional transformation, prioritizing long-term client loyalty over short-term wins in every business domain. Without this north star, deployments falter into chaos. Engage your teams by co-creating these roadmaps. Start with workshops that paint vivid "day-in-the-life" scenarios, turning abstract strategy into tangible excitement for non-technical staff and data-driven insights for technical experts.

    Pillar 2: Quality Assurance, The Glue Holding It All Together

    In an autonomous world, consistency is not optional. It is the heartbeat of trust. Quality assurance ensures every AI interaction feels polished, reliable, and human-touched, even when it is not, whether in a drive-thru order or a personalized email campaign. Think real-time coaching: Scripts, prompts, and oversight that mirror elite outsourcing teams, grading interactions on sentiment, flow, and resolution.

    Envision transcribing 100 percent of interactions to forge knowledge repositories, not just for compliance, but to train behaviors that delight across channels. In high-stakes sectors like finance or education, this pillar prevents drift. Tools for consistent reporting flag anomalies early, like a customer's frustration spiking mid-conversation on a mobile app. The payoff? Frictionless experiences that boost retention business-wide. To keep readers riveted, frame quality as a narrative hero. Share anonymized "before-and-after" stories in your internal comms, showing how one overlooked metric turned a complaint cascade into rave reviews, resonating with CXOs eyeing ROI and frontline teams craving simplicity.

    Pillar 3: Training Rigor, Building AI That Learns Like Humans

    Autonomy thrives on adaptability, and that is where training rigor shines. Gone are static models. Enter AI that ingests personas—style guides and prompts tailored for customer-facing finesse—while undergoing relentless coaching cycles. It is like raising a digital apprentice: Start with zero knowledge base, feed it transcribed dialogues, regional dialects (hello, Southern US inflections), and iterative feedback to refine accuracy in emails, chats, or voice assistants.

    This pillar powers the story's turning point: From clunky bots to intuitive agents that personalize on the fly, like suggesting "your usual sausage biscuit" based on geolocation and past orders during an in-app upsell. For resource-strapped teams, like nonprofits dodging DIY pitfalls, lean on accessible platforms for workflow training and agent licenses, bypassing unguided tools that promise quick fixes but deliver frustration. Make training engaging by gamifying it. Leaderboards for "best anomaly hunts" (spotting order errors via license plates) turn compliance into collaboration, preparing workforces for a job market craving self-motivated learners over rote specialists—appealing to technical builders and visionary leaders alike.

    Pillar 4: Mechanical Integration, The Engines of Seamless Automation

    No autonomous tale is complete without the machinery that makes it hum. Mechanical integration weaves robotics and edge tech into the fabric of CX, handling the grunt work so humans focus on magic, from warehouse fulfillment to personalized retail recommendations. Dual cameras spotting menu items with yes/no precision? Edge-localized machine learning slashing voice latency to milliseconds? Headset analytics canceling noise while monitoring volume trends? These are not gadgets. They are the plot devices propelling us forward.

    From burger-flipping arms streamlining prep to shelf-scanning bots enforcing planograms with image-code smarts, this pillar scales repetition into reliability across supply chains and service desks. Autonomous prototypes in quick-service spots run end-to-end robotic ops, while manufacturing cameras enforce glove checks for safety. Early costs are low, but watch for upticks as efficiencies compound, like cloud trends on steroids. Hook your audience with demos. Virtual tours of edge-powered point-of-sale systems surviving outages prove how mechanical muscle delivers outage-proof speed and sparks innovation across retail, healthcare tele-health, or beyond, bridging the gap for non-technical users with visuals and CXOs with scalability metrics.

    Weaving the Pillars into Your Autonomous Story

    These four pillars are not silos. They interlock to narrate a compelling arc: From data chaos to predictive bliss, reactive fixes to proactive delight in every customer touchpoint. High-level steps to get started? First, audit your data for strategic alignment. Second, pilot quality-focused transcriptions in one channel. Third, roll out persona training with regional tweaks. Fourth, integrate mechanical pilots for latency-sensitive tasks. Fifth, cycle through refinements, benchmarking against 5-year adoption curves.

    The risks? Deepfakes from mere minutes of media, fraud via unchecked access, or cost swings from unchecked scaling. Counter with multi-factor authentication, anomaly detection, and vigilant oversight. The reward? Unified channels yielding hyper-personalized, resilient CX that captivates customers and empowers teams, positioning every forward-thinking business for enduring success.

    As we edge toward this autonomous horizon, the question is not if, but how boldly you will lead the change. Dive deeper into these pillars to craft your organization's next chapter, one where CX isn't a department, but the defining edge of your entire enterprise.

    ####

    About The Author

    Bill Magnuson is a seasoned leader in technology transformation, with a strong background in driving innovation, strategic growth, and operational excellence. He combines business acumen with tech expertise to help organizations modernize, scale sustainably, and deliver greater value to customers.

  • 09/23/2025 2:16 PM | Marla Halley (Administrator)

      Organizations tend to think that if they deploy EDR (Endpoint Detection and Response) solutions on their workstations, they are “safe” from malware. While EDR is a powerful tool in detecting and responding to threats, it’s only one piece of a much larger cybersecurity puzzle.

      True Cybersecurity isn’t just about technology—it’s about governance, process, and accountability. Compliance frameworks like NIST, HIPAA, PCI and GDPR aren’t just bureaucratic checkboxes; they provide structured approaches to managing risk, protecting data, and ensuring resilience. Even your basic Cyber Insurance policy requires your thoughtful responses to Self-Assessment Applications and proof of compliance. Risk management, meanwhile, helps organizations identify vulnerabilities beyond the technical layer—such as third-party risks, insider threats, and operational weaknesses.

      Without a strong compliance and risk management foundation, even the best technical defenses can fall short. Cybersecurity must be holistic, integrating people, processes, and technology. Organizations that treat compliance and risk management as core components of their security strategy are better positioned to prevent breaches, respond effectively, and maintain trust. 

      Why are we so concerned about Cybersecurity?

      We all hear the headlines about data breaches and the pain they cause in terms of lost privacy, lost revenue while systems are recovered, and expensive recovery costs.  Look at these recent statistics, and just think of the recent major breach in our own backyard with Kettering Health Network:

      • “It takes organizations an average of 204 days to IDENTIFY a data breach and 73 days to CONTAIN it” (Bonnie). In the case of Kettering Health Network, the breach may have gone undetected for up to six weeks (Bruce), and the network was back to full operation in 3 weeks (Alder).
      • “74% of all breaches include the human element” (Bonnie).
      • “12% of employees took sensitive IP with them when they left an organization, including customer data, employee data, health records, and sales contracts” (Bonnie).

      The reality in today’s environment is that email-based “Business Email Compromise” (BEC), or “Phishing,” now causes 36% of Cybersecurity breaches (Spys). These types of compromises are aimed at getting a user to divulge the username and password for a critical resource like their email. In many environments that depend on a cloud-based infrastructure like Microsoft 365 (or Google Workspace, among others), gaining access to your email also gives access to the OneDrive and SharePoint data the user has access to. Premises-based systems with on-site servers are not immune to compromise either. Attackers target these systems with downloaded documents or programs designed to deceive users into opening or executing them.

      Note above that “74% of data breaches involve the human element.” Thus, we need to protect the resources that users have access to and train them how to detect and respond to these compromise attempts.

      So what’s the right path?

      As an MSP, we recommend a layered approach to security and compliance for overall risk management. Even the way cloud resources such as Microsoft 365 are implemented is important to the overall security of an organization.

      Before moving into advanced Compliance and Risk-Management solutions, it’s important to first review the workstation and server basics that serve as the foundation for enhanced security, compliance, and risk management.

      Workstation (Endpoint) Basics:

      Microsoft 365 Premium or equivalent accounts for advanced security and compliance features such as Microsoft Defender, Purview, Azure Active Directory and Intune.

      Patch Management – MSP Management provides additional oversight into Patch Management to better control the patch process and allow oversight and additional approval for those occasional times when Microsoft releases patches with unexpected side-effects.

      Endpoint Detection and Response (EDR) -- continuously monitors endpoints for evidence of threats and performs automatic actions to help mitigate them. Do note that EDR is only monitoring the endpoints themselves.

      Backup for Microsoft 365 Email, OneDrive and SharePoint. By default, Microsoft provides no “backup” of your Microsoft 365 data (email, SharePoint and OneDrive) -- only a guaranteed level of service. Thus, a backup solution is needed to protect your data.

      Server Basics

      For clients still using servers, those resources need to be protected as well – to at least the same degree of protection as the workstations. Servers need to be deployed with similar Patch Management, EDR and backup solutions. Servers should have complete immutable and secure backups to enable granular file restores as well as “bare-metal” restores for disaster recovery.

      Better Security

      Protecting the “network”

      Building on the basic protections at the workstation and server level, additional protections need to be deployed to further protect your resources. While EDR-based solutions will detect and respond to a great majority of “downloaded” compromises, EDR won’t detect those cases where an attacker gains access to your cloud-based data, or other important external websites.

      MDR/XDR solutions add to the “endpoint” EDR. MDR is “Managed Detection and Recovery” and adds real-time analysis of cloud-based environments as well as integration with EDR and other devices such as firewalls and other network devices. MDR digests data from all these platforms in real-time, analyzes and provides automated and human response as necessary. Thus, MDR solutions provide a much more proactive, real-time solution for a much broader view of the entire network.

      Web Filtering

      Web Filtering solutions provide the ability to “categorize” web activities and allow or deny access to categories of websites based on an organization's needs. Most solutions also have the built-in capability to automatically deny access to known “command and control” or known infected systems that are a primary source of actual malware. The web filtering solutions thus provide an additional level of protection by preventing access to a malicious website that a user may inadvertently access through an email link or document that references an external site to download malware.

      Protecting the Human Resources

      Since the Human Element is still a primary weak point in Cybersecurity defense, we suggest training and testing the users to provide them the knowledge and tools they need to combat breach attempts. Regular Cybersecurity awareness training generally leads to a 70% reduction in security-related risks (Keepnet). A regular regime of monthly targeted short training videos, slide decks or other web-based materials on pertinent topics such as how to spot phishing attempts, social engineering, safe surfing and password management helps keep people more aware and less apt to fall for a phishing or other breach attempt. Furthermore, regular simulated phish messages, configured to bypass filtering, can test the users to see how they actually perform against phishing attempts.

      So where does Compliance and Risk Management come into play?

      All the above topics relate primarily to prevention. All this is fine and good until the prevention measures fall short. At some point, no matter how many blocks are put in place against malware, something will slip by. A breach to almost any organization can prove catastrophic.

      Cyber Insurance is becoming almost mandatory for any business to protect their assets in the event of any sort of breach. The challenge is that many organizations complete the Cyber Insurance questionnaire by checking boxes—without confirming that proper procedures or evidence are actually in place. For example, a common question is: “Have you implemented strong password policies?” Simply telling employees to use strong passwords isn’t enough to qualify as a valid “yes.”

      If a breach occurs, your insurance provider will expect proof that all conditions were met. Without it, your claim will likely be denied.

      Recent studies show that more than 40% of Cyber Insurance claims go unpaid—most often because of incomplete, inaccurate, or misleading information provided on the application (Asaff).

      The Cyber Insurance questionnaires are treated as factual statements. If discrepancies are discovered during a claim review, they can become grounds for denial of coverage.

      Going further than Cyber Insurance, many organizations are subject to federal, state, and industry regulations that put further compliance requirements on organizations. For instance, any organization dealing with medical data is subject to stringent HIPAA regulations. Any financial-related organization is subject to FTC Safeguard regulations. Any organization that handles credit cards is subject to PCI requirements. Many of these regulations carry very stiff penalties for non-compliance and in the event of a breach, can be disastrous to the organizations if they aren’t diligent in their policies, procedures, controls and evidence.

      So how do you ensure compliance?

      To fully protect your organization, any Cyber Insurance policy requirements as well as further federal, state and industry regulations must be strictly met. The various protections mentioned earlier for endpoints, servers and network are only a starting point. Compliance is more than just completing a checklist saying you are doing everything needed. Organizations must have clear policies in place, acknowledged by all relevant employees, along with procedures and controls that put those policies into action. Equally important is maintaining ongoing evidence to demonstrate that these measures are effective.

      Compliance isn’t a one-time task—it’s an ongoing process that requires continuous testing, monitoring, and review to ensure lasting protection and effectiveness.

      Regular network scans (quarterly is best, or at minimum annually) that automatically analyze the environment for Patch Management, stored personal information (PII), weak passwords or poor password management, and out-of-date software can provide excellent data on a regular basis. Automated analysis of a cloud-based environment provides valuable information for further review or action.

      Additionally, maintaining a regular cadence of policy creation, review, and employee acknowledgment ensures that the entire organization has clear documentation and procedures in place. Recommended or required policies may include:

      • Acceptable Use Policy
      • Access Control Policy
      • Remote Access (work from home) Policy
      • Backup and Recovery Policy
      • Vendor Risk Management Policy
      • Security Awareness Policy

    One of the most important policies then becomes an Incident Response Policy and Procedure (IRPP) that defines how your organization will respond to a variety of incidents as well as a Written Information Security Plan (WISP) that provides the full suite of documentation that can be used to prove compliance to any regulations that apply to the organization.

    These policies need to be backed up with procedures and acceptance/acknowledgement by all pertinent staff members.

    A platform that combines appropriate regulation selection, their required policies and controls, automated third-party scanning (internal and external vulnerability analysis including endpoints, cloud environment and internet interfaces), accepted policy templates, automatic policy acceptances, automated and manual evidence collection and WISP creation makes compliance and risk management easier, faster, and far less stressful for your organization.

    Conclusion

    There are not many companies or organizations that can truly say they don’t need Cyber Insurance at a minimum. Many organizations are subject to further regulatory requirements (HIPAA, PCI DSS, CMMC, FTC Safeguards and others) that require not only the very basic Cybersecurity protections but also compliance with very specific controls to ensure the IT environment is always as secure as possible. Compliance can be very difficult, but the risk of non-compliance is huge: non-compliance can put many companies out of business.

    About the Author

    Barry Hassler is the founder and President of Hassler Communication Systems Technology, Inc (HCST), a business IT Managed Services Provider based in Beavercreek OH. HCST serves the greater Dayton and Springfield Ohio area (and beyond), specializing in managed IT services, Cybersecurity and risk management, Microsoft 365 cloud services, backup solutions and disaster recovery, and Voice-over-IP (VoIP) telecommunications. Barry is a certified compliance consultant.

    References and Supplementary Materials 

    Hoffman, Zack. “Cyber Insurance Challenges: Why Premiums Are Rising, and Coverage Is Harder to Obtain | CyberMaxx.” CyberMaxx, 23 Oct. 2024, www.cybermaxx.com/resources/cyber-insurance-challenges-why-premiums-are-rising-and-coverage-is-harder-to-obtain.

    Scroxton, Alex. “Data Breach Class Action Costs Mount Up.” ComputerWeekly.com, 24 Apr. 2025, www.computerweekly.com/news/366622911/Data-breach-class-action-costs-mount-up.

    Palatty, Nivedita James. “64 Cyber Insurance Claims Statistics 2025.” Astra, 27 June 2025, https://www.getastra.com/blog/security-audit/cyber-insurance-claims-statistics/.

    Palatty, Nivedita James. “81 Phishing Attack Statistics 2025: The Ultimate Insight.” Astra, 19 August 2025, https://www.getastra.com/blog/security-audit/phishing-attack-statistics/.

    Bonnie, Emily. “110+ of the Latest Data Breach Statistics [Updated 2025].” Secureframe, 3 January 2025, https://secureframe.com/blog/data-breach-statistics.

    Spys, Denys. “Phishing Statistics in 2025: The Ultimate Insight | TechMagic.” Blog | TechMagic, 4 Aug. 2025, www.techmagic.co/blog/blog-phishing-attack-statistics.

    Alder, Steve. “Kettering Health Resumes Normal Operations for Key Services Following Ransomware Attack.” HIPAA Journal, 13 June 2025, www.hipaajournal.com/kettering-health-ransomware-attack.

    Bruce, Giles. “Kettering Health Says Data Breached in Ransomware Attack.” Becker’s Hospital Review | Healthcare News & Analysis, 28 July 2025, www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/kettering-health-says-data-breached-in-ransomware-attack.

    Keepnet Labs. “2025 Security Awareness Training Statistics.” Keepnet Labs, 23 July 2025, keepnetlabs.com/blog/security-awareness-training-statistics.

    Khalil, Mohammed. “Cyber Insurance Claims Statistics: Inside the Stats on Denials, Costs, and Coverage Gaps.” DeepStrike, 29 June 2025, deepstrike.io/blog/cyber-insurance-claims-statistics.

    Asaff, Kate. “Think You’Re Covered? 40% of Cyber Insurance Claims Say Otherwise.” Portnox, 23 May 2025, www.portnox.com/blog/compliance-regulations/think-youre-covered-40-of-cyber-insurance-claims-say-otherwise.

  • 08/20/2025 10:33 AM | Marla Halley (Administrator)

    Software leaders face immense pressure. You’re expected to deliver high-quality products under tight deadlines, all while managing costs and keeping your team from burning out. Bugs, missed deadlines, scope creep, and unrealistic demands are often seen as part of the job.

    If this sounds familiar, you’re not alone. In a recent Lighthouse Technologies survey of 110 software leaders, 27% reported experiencing burnout—a direct result of constant rework, late nights, and endless firefighting.


    Many leaders accept this as the status quo, but it doesn’t have to be your reality. There is a better way! You can transform your team’s productivity and restore their work-life balance, allowing them to focus on what truly matters most—both at work and at home. Sound too good to be true? Here are three steps to get started.

    1. Stop Managing Symptoms. Start Uncovering Root Causes.

    Quality issues, missed schedules, and productivity challenges aren’t solved by throwing more people or hours at them; they’re solved by uncovering and addressing the root causes.

    Consider a 250-person development team we worked with. They were five years into a two-year project—stuck in beta, drowning in open defects, and unable to release. Frustration was high for everyone, from customers to developers to executives.

    Our initial Root Cause Analysis uncovered a shocking number of findings — 475 to be exact. One of the most critical? A high volume of overly complex code. Cyclomatic complexity, a measure of the number of unique paths through a piece of code, is a leading indicator of risk. Fragile code with high complexity is difficult to test, hard to maintain, and a breeding ground for bugs. This complexity is a core reason that a developer who goes in to fix a bug or make an enhancement is likely to break something that previously worked.

    • A code module with 10+ branches is considered fragile.
    • Modules with 51+ branches are considered untestable.

    This client had 1,655 complex modules, representing 9.5% of their entire system. This wasn’t just a technical problem; it was a business problem.

    ACTIONABLE INSIGHT: Complex code = Fragile code.

    Use tools like SonarQube to regularly monitor cyclomatic complexity. A good goal is for fewer than 1.5% of your software modules to have complexity greater than 10.
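
    An added example, not from the original article or from Lighthouse Technologies: a small Python script that approximates cyclomatic complexity per function with the standard `ast` module and applies the thresholds quoted above (10+ fragile, 51+ untestable, goal of under 1.5% of modules above 10). Treating each function as a "module", the counting rules, and the sample source are assumptions made here; SonarQube's own rules may differ.

```python
import ast
from typing import NamedTuple

# Thresholds quoted in the article.
FRAGILE_AT = 10      # "10+ branches is considered fragile"
UNTESTABLE_AT = 51   # "51+ branches are considered untestable"
GOAL_PERCENT = 1.5   # goal: under 1.5% of modules with complexity > 10

FUNCTIONS = (ast.FunctionDef, ast.AsyncFunctionDef)
BRANCHES = (ast.If, ast.For, ast.AsyncFor, ast.While,
            ast.ExceptHandler, ast.IfExp)


class Score(NamedTuple):
    name: str
    line: int
    score: int


def complexity(func):
    """Approximate McCabe complexity: 1 + decision points in the function."""
    total = 1
    stack = list(ast.iter_child_nodes(func))
    while stack:
        node = stack.pop()
        if isinstance(node, FUNCTIONS):
            continue  # nested functions are scored on their own
        if isinstance(node, BRANCHES):
            total += 1
        elif isinstance(node, ast.BoolOp):
            total += len(node.values) - 1   # each and/or adds a path
        elif isinstance(node, ast.comprehension):
            total += 1 + len(node.ifs)      # the loop plus each filter
        stack.extend(ast.iter_child_nodes(node))
    return total


def scan(source):
    """Score every function (assumption: one function == one 'module')."""
    tree = ast.parse(source)
    return [Score(n.name, n.lineno, complexity(n))
            for n in ast.walk(tree) if isinstance(n, FUNCTIONS)]


def report(scores):
    """Classify scores against the article's thresholds and goal."""
    over_10 = [s for s in scores if s.score > 10]
    percent = 100.0 * len(over_10) / len(scores) if scores else 0.0
    return {
        "total": len(scores),
        "fragile": [s.name for s in scores
                    if FRAGILE_AT <= s.score < UNTESTABLE_AT],
        "untestable": [s.name for s in scores if s.score >= UNTESTABLE_AT],
        "percent_over_10": percent,
        "meets_goal": percent < GOAL_PERCENT,
    }


# Constructed sample source (not from any real code base).
SAMPLE = '''
def parse_port(text):
    return int(text)

def check_login(user, password, ip, attempts):
    if not user or not password:
        return "missing"
    if attempts > 5 and ip not in ("10.0.0.1",):
        return "locked"
    for ch in password:
        if ch.isspace():
            return "bad-char"
    try:
        allowed = [u for u in ("alice", "bob") if u == user]
    except ValueError:
        allowed = []
    while attempts < 0:
        attempts += 1
    return "ok" if allowed else "denied"
'''
# A constructed 50-way dispatcher to exercise the "untestable" band.
SAMPLE += "def dispatch(code):\n" + "".join(
    f"    if code == {i}:\n        return {i}\n" for i in range(50)
) + "    return -1\n"


if __name__ == "__main__":
    results = scan(SAMPLE)
    for item in results:
        print(f"{item.name} (line {item.line}): {item.score}")
    print(report(results))
```

    To run it over a code base, pass each file's text to scan() and combine the resulting lists before calling report().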

    2. Close the Defect Loop & Restore Confidence

    The same team was discovering 22.1 new defects per day—but fixing only 20.3 per day. To make matters worse, their bad-fix rate was 25%, meaning every fourth “fix” broke something else.

    The result? An ever-growing backlog of bugs and sinking delivery confidence. This isn’t just about an overloaded team; it’s about a broken system that erodes customer trust, developer morale, and leadership’s confidence in their team.

    ACTIONABLE INSIGHT: Track your defect backlog and bad-fix rate over time. A high bad-fix percentage signals broken processes that need urgent attention—not just more testing.

    3. Establish Clear Release Exit Criteria

    Why does release readiness matter? We all want to know how well the software will work once it is released and how many issues our customers are likely to discover. Most companies simply plan 30 days of testing for major releases regardless of the number of defects being discovered. If you imagine that your team found 10 defects/day for the last 5 days, it’s bloody likely they will find 10 more defects on the 31st day (if they are allowed to continue). To improve release readiness, we need to track and report on defect data so management can make informed release decisions.

    As an example, the graph below shows the team's predicted defects—worst case (blue), best case (green), and actual (black). By their scheduled release date (Feb 19 – the vertical, black dotted line), the team had discovered far fewer defects than expected. In fact, they had been discovering 5 defects/day for the past two weeks and the rate was steady. Additionally, they were approximately 100 defects short of the plan. Fewer bugs might sound good, but it’s often a red flag for insufficient testing.


    Without this data, the client would have released a bug-ridden product, leading to customer frustration and more firefighting. Instead, they used the data to justify pushing the release and empowering their team to get creative with testing (see the blue oval).

    The result? They released a system their customers loved, and the team not only got to celebrate their first win in what felt like forever, but also reclaimed their nights and weekends.

    ACTIONABLE INSIGHT: Whether doing manual or automated testing, a tester’s job is not to execute test cases; it's to find unique defects. Encourage your team to think creatively and critically. This will empower your team, improve company culture, and lead to better software!

    You Can’t Manage What You Don’t Measure

    This transformation didn’t happen by chance. It happened because the team stopped guessing and started measuring. By shining a light on the root causes—not just the symptoms—they were able to:

    • Resolve production issues
    • Improve customer satisfaction
    • Restore delivery confidence
    • Finally breathe again

    You don’t have to choose between delivering great software and protecting your team’s work-life balance. With the right data and processes, you can achieve both. That’s why at Lighthouse Technologies we live by the principle: you can’t manage what you don’t measure. If you’d like to improve your quality, schedule, productivity and work-life balance, let’s have a conversation and explore this together. 

    Special Opportunity for Technology First Members

    Project managers know the triple constraints of quality, schedule, and cost are inextricably tied together. As we have helped software teams improve for the past twenty years, we realized that culture also plays a crucial role – the team must have psychological safety to raise issues and bring ideas forward. Our Software Performance Benchmark is designed to baseline your team’s current quality, schedule, cost, effort, and culture Key Performance Indicators (KPIs). From there, we baseline these KPIs against industry data to help you identify opportunities for improvement and chart a data-driven path forward to success. Remember – You can’t manage what you don’t measure.

    The Software Performance Benchmark is normally only $10,000, but for Technology First members, we are offering it at a 50% discount. Not only that, if we don’t find at least a 20% improvement, it’s a full money-back guarantee. If you're ready to stop managing symptoms and start solving problems, reach out to us at team@lighthousetechnologies.com!

    About the author:  After nearly two decades as a software developer and test engineer for the U.S. Air Force, where he built automated testing platforms and helped his team achieve CMM-3 certification, Jeff Van Fleet discovered his passion for transforming how software teams work. He founded Lighthouse Technologies to help organizations boost productivity, rescue struggling projects, and manage complex implementations through streamlined processes and agile practices. Outside of work, he enjoys hiking, baking bread, telling Dad jokes, and cheering for Penn State and the Pittsburgh Steelers—all while prioritizing balance as a husband and father.

  • 08/14/2025 10:12 AM | Marla Halley (Administrator)

    I am experienced in delivering value to companies via projects and programs. This profession has led me to be extremely involved in the Project Management Institute (PMI) organization. As the Co-Chairman of developing the PMI Business Analysis Practice Guide 2.0, I led a team charged with defining and refining how skills and competencies shape professional excellence. I worked with an international team and led a lot of interesting discussions about roles and how the skills needed to perform were ever-changing. We ended up with a document that complements other PMI standards by providing detailed techniques that can be used in conjunction with broader project management frameworks. This has led to several thoughtful discussions with like-minded professionals on “how do we develop the workforce?” to meet ever-changing environments to deliver value.

    But in applying those Business Analysis practices in real-world technology and business environments, I realized there was a missing piece. Skills and competencies — while critical — don’t fully explain why some professionals excel and others plateau. The difference often lies in personal attributes: the enduring qualities like adaptability, resilience, and integrity that influence how a person learns, applies, and sustains their capabilities.

    The strength of an organization’s workforce is not built on skills alone. It’s the synergy between personal attributes, competencies, and technical and soft skills, all working within the framework of a strong corporate culture, which drives lasting success.  If you want to develop a workforce, you must foster an environment that thrives on personal growth. 

    Understanding the Three Building Blocks

    Figure 1 (Building Blocks) illustrates the relationship between individual skills, competencies, and personal attributes.  The center of this relationship is the corporate culture.  If you do not live daily value of personal growth and workforce development.  We can break down these building blocks into 3 categories.

    Figure 1 Building Blocks

     
    1. Skills – The Practical Abilities

    Skills are the specific, teachable abilities that can be measured and improved. They can be technical (e.g., cloud architecture, data analytics) or soft (e.g., negotiation, presentation skills). While essential, skills alone don’t ensure role success — they need to be applied within the right context.

    This is the basis for a change management skills gap analysis exercise.  It can include technical skills, people skills, and business acumen.  Acquiring literacy of an external domain (such as AI) may also represent an opportunity for workforce development.

    2. Competencies – The Integrated Capabilities

    Competencies are broader than skills, combining knowledge, technical ability, and behaviors. For example, the competency of cybersecurity leadership includes threat analysis, incident response, communication under pressure, and ethical judgment. Competencies reflect not just what someone can do, but how they consistently perform.

    This is an area where roles don’t matter, but the functions do.  For example, a person may be assigned a role as a project manager but performs a lot of business analysis in defining the project “definition of done”.  Sending the person to training on business analysis will help their overall competencies as a change agent for the organization.

    3. Personal Attributes – Human Foundation

    Attributes such as resilience, curiosity, empathy, and integrity influence how individuals approach challenges, adapt to change, and engage with others. These traits are often more difficult to teach, but they determine how effectively a person develops and applies both skills and competencies.

    This is an individual trait, and you cannot teach it or force it on an individual.  What you can do is encourage it.  Critical attributes in workforce development might include individual commitment to personal and professional growth, curiosity, and relating something that seems extraneous to their personal sphere of influence.


    The Corporate Culture Connection

    Corporate culture shapes — and is shaped by — the way these three elements interact.

    • A culture of continuous learning encourages employees to develop new skills regularly.
    • A collaborative culture fosters competencies like teamwork and cross-functional problem-solving.
    • A values-driven culture reinforces personal attributes such as trustworthiness and accountability.

    When culture and development are aligned, organizations create a self-reinforcing cycle: employees gain the capabilities they need, apply them effectively, and model behaviors that strengthen the culture for the next generation of talent.

    Why It Matters for Workforce Development

    Workforce development is important for evolving your team to meet challenges in the workplace.  Investing in the team, both formally and informally, is an intangible benefit.  While pursuing a production issue, a team that feels free to relate previous similar experiences can generate a story that illustrates the problem better than volumes of technical documentation and YouTube videos.  Some of these intangible benefits include:

    • Higher retention due to stronger employee engagement.
    • Better adaptability to new technologies and market shifts.
    • More effective leadership pipelines with candidates ready to step into critical roles.

    This holistic approach turns workforce development into a strategic advantage rather than a reactive necessity.

    Practical Steps for Leaders

    Steps for your workforce development really need to be a conscious sustainable activity.  It’s not just putting together bullet points in January to sit on a shelf gathering dust until the next January when you dust them off and change a few words and you’re good to go.  And it doesn’t have to involve an elaborate HR campaign.  I recommend you work with each member of the team and fill out a simple 4-quadrant card.

    Review this quarterly, or maybe even monthly.  This is not a career pathing exercise, it is a personal growth exercise.

    Many corporations punt on growth by telling individuals, “you are in charge of your career and we won’t give you a career path.”  This approach to workforce development is how to grow yourself.  And to you naysayers who argue “if we develop them, they might quit and go to another company”: that is a risk, but they may also leave for another company because they don’t feel valued due to lack of development.

    The End Goal

    My journey from writing about skills and competencies in the PMI Business Analysis Practice Guide 2.0 to exploring their interplay with personal attributes reinforced a vital truth: technical excellence alone isn’t enough.

    You can be taught technical tools and various business processes, but to develop the workforce, you need to develop a corporate culture that considers skills, competencies, and personal attributes.  Consider workforce development as an investment.  AI can’t replace the personal attributes of curiosity and telling a story of an experience to clarify a situation.

    The real magic happens when an organization intentionally aligns skills, competencies, and personal attributes within a culture that values and develops all three. That’s where capability meets commitment — and where organizations create lasting impact.  To quote the Ohio State Football Legend Woody Hayes, “You Win with People”.  Your organization needs that perspective when it comes to Workforce development.

    About the author:  David Davis is a recognized thought leader and seasoned Program/Project Manager with over 20 years’ experience leading large-scale business transformation, process improvement, and change management initiatives. He is skilled at bridging strategy and execution, fostering stakeholder trust, and driving measurable benefits through disciplined agile practices, benefits realization, and cross-functional collaboration.


  • 08/01/2025 3:05 PM | Marla Halley (Administrator)

    There’s lots of “noise” about this newest and latest change to the program… the 2nd in 18 months… so lots to unpack…

      1. Potential Service Disruption

      Many smaller VMware Cloud Services Providers (VCSPs) are being removed from the program unless directly invited by Broadcom.

      Only 14 providers in the U.S. remain in the program.

      If your current provider wasn’t invited, they can’t renew or extend contracts after October 31, 2025. If you are still in contract, then you are fine until the contract expiration… then the statement above takes effect.

      Depending on your renewal date, this could result in an urgent need to migrate or risk service termination if you're with an unapproved provider.

      2. Increased Costs

      Broadcom has already made major pricing changes this year.

      • Minimum core purchases jumped from 16 to 96
      • Late renewals now face a 20% penalty

      Customers may now be forced to switch to larger, authorized partners, who may charge higher prices or minimum commitments that smaller users can't justify.

      3. Forced Migrations or Consolidation

      If your provider is no longer supported, you may need to:

      • Migrate to an authorized VCSP,
      • Rebuild parts of your environment if white-labeled services were used (these end Oct. 31),
      • Switch platforms, such as:
        1. Hyperscalers: Azure, AWS, GCP
        2. Alternatives: Nutanix, OpenStack, KVM

      Each of these paths carries operational risk, potential downtime, and cost.

      4. Loss of Trusted Relationships

      Many customers built long-term relationships with regional or boutique partners who offered:

      • Custom support
      • Flexible pricing
      • Tailored cloud environments

      Now, many of those partners are excluded from the VMware ecosystem—leaving clients scrambling for alternatives.

      5. Confusion & Uncertainty

      Broadcom has made several changes in rapid succession (product packaging, licensing, now partners).

      Customers are struggling to keep up and are unsure:
      • Who their provider reports to now
      • What future pricing or support looks like
      • Whether staying on VMware is sustainable

      In Summary:

      If you're a VMware user, especially through a small or regional partner, you may be impacted by:

      • Contract expiration with no renewal option
      • Rising licensing and support costs
      • Migration headaches
      • The need to quickly find a new, approved provider

    Next Steps:

    Work with a trusted partner to understand ALL your options to start planning a transition or evaluating alternatives before October 31, 2025.

                                               

    About the author: Seth Marsh brings over 30 years of hands-on IT industry experience, having lived through transformative eras—from the rise of mobile and cloud to the evolution of the OPEX model. His well-rounded background spans the full spectrum of tech sales, including leadership roles at a global security provider, VAR and manufacturer representation, and direct sales—giving him rare insight into every side of the channel.


  • 07/11/2025 11:49 AM | Anonymous


    In Ohio’s evolving tech landscape, organizations face a common and growing challenge: finding and retaining skilled STEM talent. STEM represents fields in Science, Technology, Engineering and Mathematics. Disciplines within these fields are varied and may include jobs in management information systems (MIS), artificial intelligence (AI), cybersecurity, analytics, supply chain management (SCM), economics, computer science, and engineering.

    Ohio employers can overcome this talent-gap hurdle by critically considering a rich and readily available talent pool among international students from local universities with STEM degrees. Employers’ hesitation usually emanates from concerns about visa limitations or perceived short-term employment windows. However, as someone who works closely with these students, I’ll dispel these myths and explain their long-term value.

    The Facts: Nearly Four Years of Work Eligibility Without H-1B Sponsorship

    At Wright State University, for instance, we graduate several international students each year from our STEM-designated programs and currently have over 1,000 graduates on Optional Practical Training (OPT). These students are not just academically strong; they are fluent in global business practices, technologically skilled, and eager to contribute to the state’s economy.

    More importantly, they are legally eligible to work in the U.S. for nearly four years after enrollment without needing an H-1B visa initially. Here’s how:

    • Curricular Practical Training (CPT) allows students to intern with local businesses in the Miami Valley region prior to graduation for up to 12 months.
    • Optional Practical Training (OPT) provides 12 months of full-time work authorization post-graduation.
    • STEM OPT Extension grants an additional 24 months to graduates of STEM-designated programs like MIS.

    That adds up to three years of full-time post-graduation work, plus internship time during their degree. All of this can be managed without H-1B sponsorship, a key point many employers overlook.

    Local Talent, Global Perspective

    These students are already here in Ohio and live in our communities. They study and work under the guidance of faculty and staff committed to equipping them with cutting-edge, career-ready skills. I’ve watched these students excel in hands-on analytics projects, design complex systems, and solve real-world problems through internships and capstones with local companies.

    Also, they bring onboard a global mindset, linguistic diversity, and cross-cultural competency. These are qualities that are increasingly vital as Ohio’s businesses expand into new markets and serve increasingly diverse customer bases.

    Myth-Busting 1: “Are There Jobs in Southwest Ohio for International Students?”

    A common misconception in southwest Ohio is that job opportunities, especially for international students, are limited to government-related work at the Wright-Patterson Air Force Base, which is typically open only to U.S. citizens. However, this region is home to a growing number of private sector employers in IT, biotech, manufacturing, logistics, and healthcare, many of whom actively seek skilled talent regardless of nationality. Startups, mid-sized companies, and global firms across the Miami Valley region could benefit from international graduates’ talents. International students on STEM OPT are eligible to work for most private sector employers, provided the role is related to their field of study.

    Myth-Busting 2: "But They’ll Leave Soon, Right?"

    This is perhaps the most common misconception I encounter in conversations with Ohio business leaders: the belief that international students are only a temporary solution because of visa expiration or immigration hurdles.

    Here’s the reality: most young professionals, regardless of nationality, change jobs every 2 to 4 years. According to the U.S. Bureau of Labor Statistics, the median tenure for employees aged 25 to 34 is under three years. Hence, even if an international graduate works for your organization during their full OPT period and then moves on, you are still receiving a better-than-average return on investment. Furthermore, international students often demonstrate greater loyalty to companies that give them their first professional opportunity, especially in regions like Ohio, where the tech community is tight-knit and supportive.

    Myth-Busting 3: “Should I Sponsor a Visa Immediately After Hiring?”

    Many small and medium-sized organizations worry that hiring international graduates means immediately navigating the complexities of visa sponsorship. This is not the case. With up to three years of STEM OPT, you have ample time to assess an employee’s fit and performance. During that period, if you decide that the individual is indispensable, you can choose to sponsor them for an H-1B visa or green card. The most important insight is that this decision does not need to be made on day one or soon after hiring.

    This “hire first, sponsor later if needed” approach gives Ohio companies flexibility and minimizes risk.

    Why This Matters for Ohio’s Economic Growth

    As Ohio continues to attract major investments in manufacturing, semiconductors, IT services, and logistics, the demand for specialized talent will only intensify. Companies like Intel are already transforming the employment landscape, and that ripple effect will be felt across the state.

    Hiring international graduates from local institutions offers a homegrown solution to national workforce shortages. These students are trained here, adapted to Ohio work and social culture, and eager to stay and contribute. They represent a ready-to-deploy workforce that understands both global dynamics and local needs.

    Practical Steps for Employers

    • Contact University Career Centers: Ohio universities have dedicated units, such as Wright State’s Career Hub, that assist employers with hiring students and understanding CPT/OPT processes.
    • Launch Internships via CPT: Hosting a student during their academic program gives you a no-pressure trial run and introduces your organization to emerging talent.
    • Educate Your HR Teams: Ensure recruiters and hiring managers are familiar with the work authorization options available to STEM students through CPT and OPT.

    Final Thoughts: It’s a win-win for Ohio

    Your company’s next data scientist, AI expert, or cybersecurity specialist may already be in a classroom at your local university, learning, contributing, and ready to prove themselves.

    Ohio educates thousands of brilliant international students each year, yet many leave the state after graduation for opportunities in tech hubs like California, North Carolina, and Texas. If we want to grow Ohio’s economy and compete nationally, we must work to retain this talent.

    Hiring international graduates isn’t about replacing domestic workers. It’s about complementing the workforce and filling urgent skill gaps. These students bring innovation, drive, and a global mindset to local companies. Let’s give them a chance to help build Ohio!

    About the author: Dr. Daniel Asamoah is the Chair and Professor of the School of Finance, Accountancy, MIS, and Economics at Wright State University. An expert in business analytics, big data applications, decision support systems in healthcare, and operations management, Dr. Asamoah has spoken at numerous conferences, including the annual meetings of the Decision Sciences Institute. His research has been featured in various prestigious journals, such as Decision Support Systems and Simulation.

  • 06/01/2025 8:42 AM | Anonymous


    As we step into summer, I’ve been reflecting on a simple, yet powerful truth: community is everything. Especially in technology—an industry that moves fast and transforms faster—being part of something bigger than ourselves is what keeps us not just informed but inspired.

    Who are we?
    We’re Technology First. A collective of professionals, innovators, educators, and leaders who believe that tech is not just about tools—it’s about people. We are the minds behind the solutions, the hands that build systems, and the hearts that understand how deeply technology shapes lives.

    What do we do?
    We connect. We share. We learn. Whether it's through our events, professional development programs, peer groups, or just the everyday conversations that happen between members, we create a space where ideas thrive, and careers grow. We support each other, we celebrate each other, and yes—we challenge each other to lead with courage and curiosity.

    We're proud to play a part in moving the Dayton region’s technology community forward—helping organizations and individuals alike navigate change, spark innovation, and build a more connected future.

    Why does it matter?
    Because in this digital age, no one should have to navigate the complexities of technology alone. Whether you're a seasoned leader or just starting out, there is a place for you here. A place to ask bold questions. A place to find answers. A place to belong.

    So, if you've ever found yourself wondering—How do I get more involved? How do I find my people in tech? —you're in the right place. Come to an event. Join a peer group. Volunteer. Reach out. There’s room at the table, and your voice matters.

    Together, we’re not just advancing technology—we’re shaping the future of our region, one connection at a time.
  • 05/01/2025 9:32 AM | Anonymous


    In the energetic and ever-evolving world of technology, the importance of community cannot be overstated. As a professional in the tech industry, I have always believed in the power of collaboration and support. This belief has driven my commitment to volunteer with Technology First, an organization dedicated to connecting, strengthening, and championing the tech community in the Dayton region.

    Over the past few years, I have had the honor of participating and volunteering at several conferences hosted by Technology First, including:

    Ohio Information Security Conference (OISC) – A gathering where security professionals, analysts, and IT leaders discuss emerging threats, risk mitigation, and compliance. A community that addresses security urgency head-on.

    Taste of IT – An energetic conference highlighting tech trends, innovations, and strategic insights. With multiple sessions that span everything from cloud computing to leadership development, it’s a place where innovation meets opportunity.

    Dayton AI Day – Launched in 2025, Dayton AI Day looks into the future: artificial intelligence, machine learning, and data-driven transformation.

    Volunteering at these events gave me the opportunity to explore sessions I might never attend otherwise. It’s been an experience that strengthens my technical insight and interpersonal communication.

    The sense of belonging I’ve found through Technology First has provided me with a profound sense of empowerment. As tech professionals, we often find ourselves focused on our specific roles and departments. But through this organization, I’ve connected with a diverse network of individuals who share a common goal: to advance technology. This commitment to education and access aligns with my belief that knowledge is power.

    Networking and Collaboration

    Networking is a vital aspect of professional development, and Technology First excels in building these connections. It is a platform for attendees to engage in meaningful conversations, share their experiences, and explore potential partnerships. As a volunteer, I had the chance to facilitate introductions and witness the latest ideas and collaborations, connections that often lead to mentorship and career opportunities.

    Continuous Learning and Growth

    Volunteering is not just about giving back; it’s also about personal and professional growth. Each event offers me a chance to learn about the latest innovations and challenges shaping the tech industry today. I continue to broaden my perspective and deepen my commitment to staying informed and adaptable.

    Diversity and Inclusion are more than buzzwords; they are essential for innovation and resilience in technology. Technology First actively promotes these values, and my participation in events hosted by Technology First’s Women 4 Technology Peer Group has deepened my understanding of their importance. By volunteering, I help foster a more inclusive environment where everyone, regardless of gender, background, or identity, has the opportunity to thrive in technology.

    My journey as a volunteer with Technology First has been deeply fulfilling. It has reinforced my belief in the power of community, education, and collaboration. By investing my time in this organization, I am not only supporting the growth of technology in Dayton, but also helping others recognize their potential. I encourage my fellow tech professionals to consider volunteering. Together, we can create a vibrant and inclusive technology community that champions innovation and success.

    Zhali Mejia is a GRC Analyst at CareSource with extensive experience in cyber risk management. Passionate about technology and community engagement, Zhali blends technical insight with a people-first approach to strengthen the organization's security posture. With a commitment to fostering collaboration and understanding among stakeholders, Zhali ensures that security measures are effectively communicated and implemented across all levels of the organization.


  • 05/01/2025 9:26 AM | Anonymous


    Over the past two decades in the IT world, holding various positions from programmer to IT leader, one constant has been the unrelenting pace of change. According to McKinsey, over 50% of organizations have now adopted AI in at least one business unit, and that number continues to climb each year. The recent resurgence of AI in the past few years has only accelerated this trend, bringing both promise and confusion.  Amid the noise it can be difficult to know where to start and easy to get distracted by the latest “shiny object”.   This is why taking an outcomes-based approach to AI and technology adoption is more important than ever. Aligning your investments with clear business objectives not only drives meaningful value but also ensures you’re working with the right partners and tools to protect your long-term technology investment.

    Ramifications of Poorly Planned Tech Investments

    Most organizations fixate on upfront costs such as licensing and implementation, and also try to force solutions using tools they’ve already invested in, even when those tools are likely not the right fit. This mindset often leads to misalignment with business strategy, low user adoption, and growing technical debt. According to a Boston Consulting Group study, 70% of digital transformation efforts fail to meet their stated objectives, often due to poor planning, lack of alignment, or underestimating the complexity of integrating new capabilities into outdated environments. We’ve seen platforms deployed without clear ownership, analytics tools that go unused because no one trusts the data, and entire initiatives stalled due to poor change management. These hidden costs don’t show up on day one, but they compound quickly. Protecting your investment means thinking beyond delivery day, building with the end in mind, and ensuring your teams are equipped to evolve with the tools that they use.

    Data Analytics – Harnessing the Power

    Data Analytics, along with subsequent AI enablement, is both a foundational capability and a force multiplier for any technology investment. Yet too often, it’s treated as an afterthought, something to “get to later” once systems are live. That approach leaves organizations with fragmented insights and missed opportunities. In my experience, companies that insist data be intentionally designed around business outcomes from the start are always the most successful. This includes things like building scalable pipelines, establishing clear ownership, creating a culture of data literacy and fluency, and ensuring that the data is usable by those who need it. A mature analytics approach doesn’t just support reporting; it fuels agility, drives innovation, and turns platforms like AI or cloud infrastructure into truly strategic assets. Protecting your investment means ensuring that your data strategy is built to deliver value now and evolve over time.

    Case Studies – Current Client Examples

    We are currently working with several companies in various capacities to help them navigate these rapidly increasing technology changes. In one example, a new CFO quickly surfaced deep frustrations with a lack of reporting flexibility that was causing inaccurate financial reporting. This was mainly triggered by inaccurate data, with internal teams struggling to deliver timely and trusted insights. As a result, they are consolidating and modernizing their data architecture and ingestion standards to accommodate better internal and external reporting, as well as to centralize on a platform for future AI usage. This protected investment will also enable them to reduce technical debt, saving crucial dollars as they pivot to an outcomes-based model. We partnered with the office of the CFO to implement a new “Ways of Working” framework to improve time to market and reporting cycle times, with more accuracy and in alignment with the needs of executive leadership. More importantly, the organization is building a foundation for ongoing agility, one where data and delivery practices move in lockstep to support informed decision-making.

    Myths that Commonly Undermine Technology ROI

    Even with the best intentions, many organizations fall victim to myths that tend to erode the anticipated value of their technology investments.  Three of these common myths are outlined below:

    • If we build it, they will come…

    Launching a new platform or dashboard does not always guarantee adoption. Without clear communications, planning, user training and ongoing engagement, even the most well-designed solutions can sit unused. Adoption must be a part of the delivery plan from Day One!

    • Our data is so messy, we have no choice but to manipulate it…

    This mindset stops progress before it even begins. The reality is that messy data is normal, and waiting for it to be perfect is a losing game. The real opportunity lies in embracing the mess by putting the right strategy, standards, and tools in place to transform raw data into trusted, business-ready insights. Progress starts with what you have, and engaging with your current data, however imperfect, is what drives maturity, trust, and value. Every successful data journey begins with taking inventory, finding out what is actually useful, and committing to iterative improvement.

    • We’ll add analytics in later, this project is too large

    Deferring analytics to the end of a large initiative is one of the fastest ways to lose momentum and miss early wins. Embedding analytics from the beginning helps guide decisions, demonstrate progress, and ensure the final product delivers actionable insights, not just functionality.

    Conclusion – Build with Purpose, Protect with Discipline

    Technology is evolving faster than ever, and with that speed comes both opportunity and risk. Protecting your investment isn’t just about choosing the right tools; it’s about aligning those tools to real and measurable business outcomes, designing for usability and adoption, and ensuring data becomes a driver of insight rather than a source of confusion. As a delivery consultant, I’ve seen firsthand how purposeful strategy, pragmatic execution, and the willingness to challenge long-held myths can transform initiatives from costly experiments into long-term value engines. No matter where you are on your journey, it’s important to start with intentionality, because protecting your investment starts with making sure it was built to matter in the first place.

    By: Brian Henn – Sr. VP of Solutions Delivery and Data Practice Director at Vaco by Highspring 

