Chris Allsop Asks, Then Asks, Then Asks Again

You already know how Bredemarket launches a content project with a client.

Bredemarket asks seven questions.

But Bredemarket may not be the source of all knowledge.

Let’s look at Chris Allsop’s process to launch a writing project.

Step 1: “Talk with your client, whether by email, on the phone, or in person. This will give you a clear understanding of the project, the audience and your client’s goals.”

Allsop asks multiple questions, including why, what, and who.

“[A]nswers to these questions will help you write copy that resonates with your audience….”

Great. Bredemarket and Allsop are pretty much in alignment.

But Chris is only on Step 1.

Step 2: “Take your conversation with your client a step further with thorough research.”

I gloss over this but it’s important. If you don’t know an industry it’s important to understand it. And if you do know an industry it’s important to understand it better. Even if a biometric product marketing expert is writing biometric content, it always helps to conduct research.

(Yeah, I’ll share the video. Later.)

Oh, and Chris isn’t done yet.

Step 3: “Study successful promotions, websites, and content in the topic or industry you’re working in. Ask yourself how each promotion got your attention.”

Good idea…to a point. Don’t slavishly imitate other promotions. The content from your client still needs to differentiate from the content from the competitors. And aping some popular brand to call yourself the “Uber of lawn care” just sounds bad when you spend two seconds thinking about it.

But whether you ask my seven questions or perform some other type of preparation, the act of preparation is important.

And for those who were waiting for me to share the “landscape” video…

Landscape.

And I might as well share the third of the three.

Bredemarket’s Biggest Accomplishments in 2025 (So Far)

I’m jumping ahead in the year-end post ridiculousness to cite Bredemarket’s two most notable accomplishments this year. Not to detract from my other accomplishments this year, but these two were biggies.

The first was my Biometric Update guest post in May, “Opinion: Vendors must disclose responsible uses of biometric data.” I discussed elsewhere my reasons for writing this, and created a Bredemarket-hosted video summarizing my main points.

Biometric vendors…

The second was my go-to-market effort for a Bredemarket client in September, which I discussed (without mentioning my participation) here. And there’s a video for that effort also.

Recent go-to-market.

I’ve accomplished many other things this year: client analyses, blog posts (both individually and in series), consultations, presentations, press releases, proposals, requirements documents, sales playbooks, and many more.

And I still have three more weeks to accomplish things.

Today’s Acronyms are CMMI, ISACA, and NSS

I’m going to discuss the acronyms CMMI and NSS, which I’ve kinda sorta discussed before but never in combination. (And as an added bonus I’ll discuss one more acronym.)

Capability Maturity Model Integration (CMMI)

Back in February and in April I made passing references to CMMI, which stands for the Capability Maturity Model Integration. But I only mentioned it in passing because my experience is with the older Capability Maturity Model (CMM).

Imagen 4.

Who manages the CMMI?

Information Systems Audit and Control Association (ISACA)

Back in March and in April I either explicitly referenced or implicitly quoted from ISACA, which is the Information Systems Audit and Control Association.

Back in 2016 ISACA acquired the CMMI Institute, which managed CMMI. But the process suites originated earlier.

“CMMI was originally developed at the Software Engineering Institute, a federally funded research and development center within Carnegie Mellon University.”

Imagen 4.

Thus ISACA governs all CMMI-related activity, including assessments and certifications.

Which brings us to…

National Security Systems (NSS) and National Security Solutions (NSS)

‘Cause you know sometimes acronyms have two meanings.

It makes me wonder. And if you’re wondering, this is NOT Imagen 4. By Dina Regine – https://www.flickr.com/photos/divadivadina/465006384/, CC BY-SA 2.0, https://commons.wikimedia.org/w/index.php?curid=8022602.

Although in this case the two are related.

When a foreign-owned company wants to do business with the sensitive parts of the U.S. federal government, it has to set up an entity that is free from foreign ownership, control, or influence. This is FOCI, a bonus acronym for you today.

Imagen 4.

In the biometric world, there are two notable FOCI-mitigated subsidiaries of foreign companies:

Bringing all the acronyms together

Focusing on IDEMIA National Security Solutions, the company recently made a CMMI-related announcement:

“IDEMIA National Security Solutions (NSS), a subsidiary of IDEMIA, the leading provider of secure and trusted biometric-based solutions, is proud to announce that it has successfully earned re-certification at level 3 of ISACA’s Capability Maturity Model Integration (CMMI®).”

Imagen 4.

You’ll recall that the CMMI levels go up to Level 5. So IDEMIA NSS is not at the maximum CMMI level, but Level 3 is impressive enough to issue a press release.

IDEMIA NSS’ extensive federal government work dictates that it maintain a number of certifications and conformances. CMMI gives the government agencies assurance that IDEMIA NSS provides its products according to specific quality and process improvement standards.

Is Your Organization (Not) Managing Your Identity Proofing Vendors?

Today I’m doing something different.

  • Normally these blog posts are addressed to Bredemarket’s PROSPECTS, the vendors who provide solutions that use biometrics or other technology. Such as identity proofing solutions.
  • But I’ve targeted this post for another audience, the organizations that BUY biometrics and technology solutions such as identity proofing solutions. Who knows? Perhaps they can use Bredemarket’s content-proposal-analysis services also. Later I will explain why you should use Bredemarket, and how you can use Bredemarket.

So if you are with an organization that SELLS identity proofing solutions, you can stop reading now. You don’t want to know what I am about to tell your prospects…or do you?

But if you BUY identity proofing, read on for some helpful expert advice from the biometric product marketing expert.

Managing an identity proofing solution

When you buy an identity proofing solution, you take on many responsibilities. While your vendor may be able to help, the ultimate responsibility remains with you.

Here are some questions you must answer:

  • What are your business goals for the project? Do you want to confirm 99.9% of all identities? Do you want to reduce fraudulent charges below $10 million? How will you measure this?
  • What are your technology goals for the project? What is your desired balance between false positives and false negatives? How will you measure this?
  • How will the project achieve legal compliance? What privacy requirements apply to your end users—even if they live outside your legal jurisdiction? Are you obtaining the required consents? Can you delete end user data upon request? Are you prepared if an Illinois lawyer sues you? Do you like prison food?
  • What about artificial intelligence? Your vendor probably uses some form of artificial intelligence. What form? What does this mean for you? Again, do you like prison food?

Again…are you ready?

GAO, IRS, and DOA

So how do other organizations manage identity proofing solutions? According to Biometric Update, not well.

A new Government Accountability Office (GAO) audit found the Internal Revenue Service (IRS) has not exercised sufficient oversight of its digital identity-proofing program…

As many of you know, the IRS’ identity proofing vendor is ID.me. The GAO didn’t find any fault with ID.me. And frankly, it couldn’t…because according to the GAO, the IRS’ management of ID.me was found to be deficient.

“IRS was unable to show it had measurable goals and objectives for the program. IRS receives performance data from the vendor but did not show it independently identified outcomes it is seeking. IRS also has not shown documented procedures to routinely evaluate credential service providers’ performance. Without stronger performance reviews, IRS is hindered in its ability to take corrective actions as needed.

“ID.me acknowledges that its identity-proofing process involves the use of artificial intelligence (AI) technologies. However, IRS has not documented these uses in its AI inventory or taken steps to comply with its own AI oversight policies. Doing so would provide greater assurance that taxpayers’ rights are protected and that the technologies are accurate, reliable, effective, and transparent.”

So while ID.me meets the IRS’ key requirement of Identity Assurance Level 2 (IAL 2) compliance, is it performing well? The IRS needs to define what “performing well” means.

You would think the IRS had a process for this…but apparently it doesn’t.

Dead on arrival (DOA).

But I’m not the IRS!

I’ll grant that you’re not the IRS. But is your identity proofing program management better…or worse?

Do you know what questions to ask?

Let Bredemarket ask you some questions. Perhaps these can help you create relevant external and internal content (I’ve created over 22 types of content), manage an RFP proposal process, or analyze your industry, company, or competitors.

Let’s set up a free 30-minute consultation to assess your needs.

CPA

Wanna Know a “Why” Secret About Bredemarket’s TPRM Content?

(The picture is only from Imagen 3. I’ve been using it since January, as you will see.)

Here’s a “why” question: why does Bredemarket write the things it writes about?

Several reasons:

  • To promote Bredemarket’s services so that you meet with me and buy them.
  • To educate about Bredemarket’s target industries of identity/biometrics, technology, and Inland Empire business.
  • To dive into specific topics that interest me, such as deepfakes, HiveLLM, identity assurance levels, IMEI uniqueness, and Leonardo Garcia Venegas (the guy with the REAL ID that was real).
  • Because I feel like it.

And then there are really specific reasons such as this one.

In late January I first wrote about third-party risk management (TPRM) and have continued to do so since.

Why?

TPRM firm 1

Because at that time, a TPRM firm had a need for content marketing and product marketing services, and Bredemarket started consulting for the firm.

I was very busy for 2 1/2 months, and the firm was happy with my work. And I got to dive into TPRM issues in great detail:

  • The incredibly large number of third parties that a vendor deals with…possibly numbering into the hundreds. If hundreds of third parties have YOUR data, and just ONE of those third parties is breached, bad things can happen.
  • The delicate balance between automated and manual work. News flash: if you look at my prior employers, you will see that I’ve dealt with this issue for over 30 years.
  • Organizational process maturity. News flash: I used to work for Motorola.
  • All the NIST standards related to TPRM, including NIST’s discussion of FARM (Frame, Assess, Respond, and Monitor). News flash: I’ve known NIST standards for many years.
  • Other relevant standards such as SOC 2. News flash: identity verification firms deal with SOC 2 also.
  • Fourth-party, fifth-party, and other risks. News flash: anyone that was around when AIDS emerged already knows about nth-party risk.

But for internal reasons that I can’t disclose (NDA, you know), the firm had to end my contract.

Never mind, I thought. I had amassed an incredible 75 days of TPRM experience—or about the same time that it takes for a BAD TPRM vendor to complete an assessment.

But how could I use this?

TPRM firm 2

Why not put my vast experience to use with another TPRM firm? (Honoring the first firm’s NDA, of course.)

So I applied for a product marketing position with another TPRM firm, highlighting my TPRM consulting experience.

The company decided to move forward with other candidates.

The firm had another product marketing opening, so I applied again.

The company decided to move forward with other candidates.

Even if this company had a third position, I couldn’t apply for it because of its “maximum 2 applications in 60 days” rule.

TPRM firm 3

Luckily for me, another TPRM firm had a product marketing opening. TPRM is active; the identity/biometrics industry isn’t hiring this many product marketers.

  • So I applied on Monday, June 2 and received an email confirmation:
  • And received a detailed email on Tuesday, June 3 outlining the firm’s hiring process.
  • And received a third email on Wednesday, June 4:

“Thank you for your application for the Senior Product Marketing Manager position at REDACTED. We really appreciate your interest in joining our company and we want to thank you for the time and energy you invested in your application to us.

“We received a large number of applications, and after carefully reviewing all of them, unfortunately, we have to inform you that this time we won’t be able to invite you to the next round of our hiring process.

“Due to the high number of applications, we are unfortunately not able to provide individual feedback to your application at this early stage of the process.

“Again, we really appreciated your application and we would welcome you to apply to REDACTED in the future. Be sure to keep up to date with future roles at REDACTED by following us on LinkedIn and our other social channels.

“We wish you all the best in your job search.”

Unfortunately, I apparently did not have “impressive credentials.” Oh well.

TPRM firm 4?

What now?

If nothing else, I will continue to write about TPRM and the issues I listed above.

Well, if any TPRM firm wants to contract with Bredemarket, schedule a meeting: https://bredemarket.com/cpa/

And if any TPRM firm wants to use my technology experience and hire me as a full-time product marketer, contact my personal LinkedIn account: https://www.linkedin.com/in/jbredehoft

I’m motivated to help your firm succeed, and make your competitors regret passing on me.

Sadly, despite my delusions of grandeur and expositor syndrome (to be addressed in a future Bredemarket blog post), I don’t think any TPRM CMOs are quaking in their boots and fearfully crying, “We missed out on Bredehoft, and now he’s going to work for the enemy and crush us!”

But I could be wrong.

Writers Must Disclose Responsible Contributions of Biometric Governance Opinions

You knew that I was going to link to THIS Biometric Update post, because…well, I wrote it.

You can read “Opinion: Vendors must disclose responsible uses of biometric data” here: https://www.biometricupdate.com/202505/opinion-vendors-must-disclose-responsible-uses-of-biometric-data

Excerpt:

“Usually, the government agency or private organization acts as the “controller” or owner of the biometric data, while the biometric vendor is just the “processor” of the data.

“But there are exceptions. In late April, Joel R. McConvey described a proposal in which the Milwaukee, Wisconsin Police Department would provide Biometrica with 2.5 million facial images from its jail records.

“Why would any biometric vendor want to be the controller of biometric data? One plausible reason is for internal testing to improve the vendor’s algorithms by continuously testing them against live data. There may be other reasons, such as offering new services.”

But this is actually the SECOND time I have been featured by Biometric Update. If you check its YouTube channel, you can find the 2015 gem “MorphoTrak (Safran) – MorphoWay demo”: https://youtube.com/shorts/mqfHAc227As

Stay tuned for my next Biometric Update appearance in 2035.

Too Many Trees in the Forrester?

As far as Forrester is concerned:

“[O]nly a quarter of firms employ a launch process even vaguely approaching best-in-class…”

But I take this with a grain of salt, because Forrester has a product it is marketing.

“We began by introducing attendees to our proprietary Product Marketing And Management (PMM) Model (client login required).”

I’m not a client, so I don’t have a login. But Forrester’s PMM Model appears to cover some important topics.

  • Proposals.
  • Market requirements.
  • Dashboards.
  • Defining your hungry people, although Forrester uses the legacy term target audience. (Hey, I try.)
  • Sales targets.
  • Competitive differentiation.

And that was just the beginning, because Forrester is certainly comprehensive.

Although it sounds like the full Forrester PMM Model process may be completely mystifying and overwhelming if you have no model at all. I know.

Better to start off moving from Level 1 to Level 2 in a maturity model rather than trying to jump to Level 5.

(Imagen 3)

Why Does TPRM Fail? Not Because of the TPRM Software Providers.

For years I have maintained that the difficulties in technology are not because of the technology itself.

Technology can do wonderful things.

The difficulties lie with the need for people to agree to use the technology.

And not beg ignorance by saying “I know nothing.”

(Image of actor John Banner as Sgt. Schultz on Hogan’s Heroes is public domain.)

Case in point

I just saw an article with the title “TPRM weaknesses emerge as relationship owners fail to report red flags.”

Unlike some clickbait-like article titles, this one from Communications Today succinctly encapsulates the problem up front.

It’s not that the TPRM software is failing to find the red flags. Oh, it finds them!

But the folks at Gartner discovered something:

“A Gartner survey of approximately 900 third-party relationship owners…revealed that while 95% saw a third-party red flag in the past 12 months, only around half of them escalate it to compliance teams.”

Among other things, the relationship owners worry about “the perceived return on investment (ROI) of sharing information.”

And that’s not a software issue. It’s a process issue.

Wildebeest maturity model via Imagen 3.

No amount of coding or AI can fix that.

And this is not unique to the cybersecurity world. Let’s look at facial recognition.

Another case in point

I’ve said this over and over, but for U.S. criminal purposes, facial recognition results should ONLY be used as investigative leads.

It doesn’t matter whether they’re automated results, or if they have been reviewed by a trained forensic face examiner.

Facial recognition results should only be used as investigative leads.

Sorry for the repetition, but some people aren’t listening.

But it’s not the facial recognition vendors. Bredemarket has worked with numerous facial recognition vendors over the years, and of those who work with law enforcement, ALL of them have emphatically insisted that their software results should only be used as investigative leads.

All of them. Including…that one.

But the vendors have no way to control the actions of customers who feed poor-quality data into their systems, get a result…and immediately run out and get an arrest warrant without collecting corroborating evidence.

And that’s not a software issue. It’s a process issue.

No amount of coding or AI can fix that.

I hope the TPRM folks don’t mind my detour into biometrics, but there’s a good reason for it.

Product marketing for TPRM and facial recognition

Some product marketers, including myself, believe that it’s not enough to educate prospects and customers about your product. You also need to educate them about proper use of the product, including legal and ethical concerns.

If you don’t, your customers will do dumb things in Europe, Illinois, or elsewhere—and blame you when they are caught.

Illinois, land of BIPA. I mean Lincoln.

Be a leader in your industry by doing or saying the right thing.

And now here’s a word from our sponsor.

Not the “CPA” guy again…

Bredemarket has openings

There’s a reason why this post specifically focused on cybersecurity and facial recognition.

If you need product marketing assistance with your product, Bredemarket has two openings. One for a cybersecurity client, and one for a facial recognition client.

I can offer:

  • compelling content creation
  • winning proposal development
  • actionable analysis

If Bredemarket can help your stretched staff, book a free meeting with me: https://bredemarket.com/cpa/

Bredemarket has openings. Imagen 3 again.

Startups Entering the Wonderful World of Process

I’ve talked about governance and maturity models before in regards to cybersecurity. The complicating factor is that companies with little process maturity are flung into the world of standards and auditors.

For example, I was not initially part of the process team when the former seat-of-the-pants Printrak had to play CMM catch up with our new corporate overlord Motorola. But it was a bruising experience.

These days you have a lot of startups, not owned by multinationals, that are required by large customers and governments to comply with some standard or another. Winging it is not an option; winging it is failure. Or, in process-speak, winging it can result in a high statistical probability of a large number of adverse findings.

Vanta wants to help.

Its early April “Guide to working with auditors: Best practices for startups” contains several suggestions.

  • One is to engage with auditors early so that you become familiar with each other.
  • However, you should NOT give auditors access to your data early. Wait until you are ready. Assuming your data is in a Vanta instance:

“If you’re still finalizing controls in Vanta, granting early access could cause confusion. However, some firms prefer early access for familiarization—as long as they don’t start testing prematurely.”

Vanta’s guide is at https://www.vanta.com/resources/guide-to-working-with-auditors-for-startups

(Wombat image via Imagen 3)

PS to cybersecurity product marketers

Are you getting YOUR product’s message out? Or is a stretched team holding you back from creating stellar marketing materials?

Bredemarket has an opening for a cybersecurity client and can help with compelling content creation, winning proposal development, and actionable analysis. Book a call: https://bredemarket.com/cpa/

RACI WOMBAT Talk

Earlier this month I posted a revelation:

I don’t want to reveal Bredemarket’s secret process, so I’m just going to call it WOMBAT. Not that WOMBAT is unique to Bredemarket; far from it. Many companies use WOMBAT.

And many companies don’t use WOMBAT. In fact, they abhor WOMBAT and call it stifling. (Emotion words. Geddit?)

But I’ve found over the years that if you don’t use WOMBAT, there’s a very good chance that you’ll break things.

And who catches hell? The consultant. “Why did you do what we asked you to do? Now look at the mess you made!”

So out of a sense of fear and self-preservation (geddit?), there are times that I’ve secretly used WOMBAT and not told my clients I’m doing it.

Well, I’m going to reveal one component of WOMBAT in this post because I’m surprised that I haven’t already discussed it.

But there’s a risk involved, because once I discuss this component, there are about five people in the world who will immediately know what my WOMBAT is. But luckily for me, none of them read the Bredemarket blog, so my secret is safe.

(Speaking of risk, the racy—not RACI—wombat image was created by Imagen 3.)

RACI

As some of you undoubtedly figured out, I’m going to discuss RACI: Responsible, Accountable, Consulted, and Informed.

Assume for the moment that Bredemarket grows beyond its sole proprietorship origins and becomes a multinational employing thousands of people. At some point I’ll be sitting in my luxurious executive suite, nibbling on caviar, and I’ll bark out an order:

“Write a blog post about a wildebeest amusement park!”

Now the blog post won’t just magically happen. And because the fictional Bredemarket is a huge enterprise, it will take more than one person to make it so. Perhaps four, perhaps more, perhaps fewer. Here’s how Bob Kantor at CIO defines Responsible, Accountable, Consulted, and Informed:

Responsible: People or stakeholders who do the work. They must complete the task or objective or make the decision. Several people can be jointly Responsible.

Accountable: Person or stakeholder who is the “owner” of the work. He or she must sign off or approve when the task, objective or decision is complete. This person must make sure that responsibilities are assigned in the matrix for all related activities. Success requires that there is only one person Accountable, which means that “the buck stops there.”

Consulted: People or stakeholders who need to give input before the work can be done and signed-off on. These people are “in the loop” and active participants.

Informed: People or stakeholders who need to be kept “in the picture.” They need updates on progress or decisions, but they do not need to be formally consulted, nor do they contribute directly to the task or decision.

Personally, I think there may be cases when you only want a single person to be responsible for the work. But I agree that only one person should be accountable.

Applying RACI

Using my ludicrous example, one (or more) people will be responsible for writing the wildebeest amusement park blog post, a single person (presumably one of my junior vice presidents) will be accountable for approving it, and various entities will be consulted for feedback (and, in the ideal world, may actually provide feedback). Then there are a few people who will be informed about the project, merely to roll their eyes at the whole thing.

Regardless of the process you institute, whether it is my super-secret WOMBAT process or something else, RACI responsibilities will help tremendously. Here’s another quote from Bob Kantor at CIO:

Having managed and rescued dozens of projects, and helped others do so, I’ve noted that there is always one critical success factor (CSF) that has either been effectively addressed or missed/messed up: clarity around the roles and responsibilities for each project participant and key stakeholder. No matter how detailed and complete a project plan may be for any project, confusion or omission of participant roles and responsibilities will cause major problems.

And some Accountable person approved what Kantor said.

Reapplying RACI

And this also affects Bredemarket’s content, proposal, and analysis work. For example, let’s look at the proposal that I recently helped a Bredemarket client win.

  • Two of us were jointly responsible for completing and submitting the proposal: myself, and a person at the client company. Yes, I know what I just said about preferring that only one person be responsible, but the federal agency in question would not let me submit the proposal; someone from the client had to do it.
  • This second person was the one who was accountable for the submission of the proposal.
  • There were several people who were consulted regarding this proposal. I cannot reveal their roles, but let’s just say that all of them were…um…critically important.
  • Then there were a few people here and there who were informed of the proposal progress.

Perhaps Bredemarket can work on a project with you. Let me know. https://bredemarket.com/cpa/