IBM Z: Mapping Z Security Confidence

A UX research study exploring how alignment to the NIST Cybersecurity Framework drives client confidence, sales enablement, and technical clarity.

Client

IBM

Date

May 2025 - August 2025 (Ongoing)

Team

1 user research intern, 2 design SMEs, 2 incubator sponsors, 1 cybersecurity architect

Role and Contribution

Research planning, stakeholder interviews, thematic analysis, insight synthesis, recommendations

Problem

Security Messaging Was Complex and Hard to Navigate 

IBM Z’s security portfolio includes dozens of tools across governance, protection, detection, and recovery.

While the NIST Cybersecurity Framework (CSF) was adopted to bring clarity, sellers and clients still struggled.

Global Messaging Gaps

It was unclear how well this messaging resonated across different industries and global regions


Seller Complexity

Sellers face challenges using the messaging effectively due to product complexity and varying client maturity

Customers Need Clarity

There is limited insight into how customers perceive the NIST-aligned strategy in terms of trust, compliance, and strategic fit

Core challenge

To evaluate the effectiveness of IBM Z’s security strategy built around the NIST Cybersecurity Framework (CSF) among current and prospective customers

Context

What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework (CSF) is a widely adopted set of best practices, standards, and guidelines developed by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risks.

Govern

Establish and monitor the cybersecurity risk management strategy, policies, and roles to align security with business goals.

Identify

Develop an understanding of the business context, assets, and risks to manage cybersecurity threats effectively.

Protect

Implement safeguards to ensure the delivery of critical services and limit the impact of potential cybersecurity events.

Detect

Enable timely discovery of cybersecurity incidents through continuous monitoring and threat identification processes.

Respond

Take action to contain, mitigate, and communicate during and after a cybersecurity incident.

Recover

Restore capabilities and services impacted by a cybersecurity incident to ensure business resilience and continuity.

Goals

We Set Out to Understand What Resonates, and What Doesn’t 

The research aimed to evaluate how IBM Z’s NIST CSF-aligned messaging was perceived by internal stakeholders and, in future phases, by clients. 

Clarity of Messaging

Assess the clarity and credibility of NIST CSF messaging

Seller Enablement Gaps

Identify barriers to seller enablement

Client Perception Check

Explore client perceptions of IBM Z’s security strategy

Methods

A Research-Driven Approach to Messaging Evaluation

7

Internal Interviews

  • Technical Sales Leads

  • Compliance Specialists

  • Security Architects

45 min

Semi-Structured Interviews

  • Conducted via video calls

  • Notes coded for thematic analysis

  • Interview guide adapted for each persona

5

Geographical Regions

  • North America

  • Latin America

  • Asia Pacific

  • European Union

  • United Kingdom

4

Focus Areas

  • Effectiveness of NIST CSF aligned messaging

  • Regional and industry-specific relevance 

  • Seller challenges in communication

  • Suggestions for improvement 

Insights

Insights That Shaped Our Recommendations

NIST CSF Is Trusted, but Needs Context

  • 6 out of 7 interviewees explicitly stated that they use or value NIST CSF in client conversations

  • Sellers use NIST as a credibility anchor 

  • Regional frameworks like DORA, ISO 27000, and CPS 234 are often more actionable 

  • Localization is essential for resonance 

“It helps me say, hey, it’s not me saying this... it’s a whole study, a whole company, big people that work on that” 

“In Europe, DORA has been a major focus... I customize presentations with NIST and local regulations” 

“You want to detect that someone is circling around your house every 5 minutes... then you describe: here’s the camera that allows you to do that.” 

Messaging Must Match Audience Maturity 

  • Technical jargon alienates non-technical stakeholders 

  • Analogies and storytelling improve engagement 

Sellers Lack Quick-Reference Materials 

  • Product complexity and unclear naming slow down conversations 

  • One-pagers, blueprints, and demo decks are needed 

“They tell me about 40-50 different product names... please let me know what they are good for” 

“Give me a straight, short description... not just a name” 

“They act when they are forced to... not the intent to improve the security of the platform” 

“Clients ask how IBM can help them demonstrate compliance with frameworks like NIST, DORA, or PCI” 

Compliance Is the Real Driver

  • 5 out of 7 interviewees emphasized that clients are more motivated by compliance mandates than by general security messaging

  • Clients act when compliance mandates require it 

  • Security messaging alone rarely motivates decisions

Messaging Is Disconnected From Product Launches

  • New tools often lack supporting materials 

  • Sellers want early access to roadmaps and demos 

“For me, the biggest thing I struggle with is not knowing futures on the products” 

Recommendations

Insights Into Actionable Recommendations 

Based on our findings, we proposed a series of concrete recommendations:

Tailor Messaging to Audience Maturity 

  • Create playbooks for technical sellers, executives, and compliance officers 

  • Use plain language, analogies, and real-world examples

Localize Messaging With Regional Frameworks

  • Map IBM Z capabilities to both NIST and regional frameworks

  • Regional frameworks like DORA, PCI-DSS, CPS 234

Build a Centralized Messaging Toolkit

  • Include one-pagers, demo decks, and product descriptions 

  • Frame each product around “what problem does this solve?” 

Segment the “Protect” Category

  • Group tools into meaningful categories

  • Some grouping suggestions are OS-native, add-on, and compliance-focused categories

Lead With Compliance Outcomes


  • Highlight how IBM Z supports audit readiness and regulatory mandates 

Make Messaging Readiness a Launch Requirement

  • Ensure demos, training, and messaging briefs are available at product launch 

Next Steps

Continuing the Research

Client interviews

  • Conduct interviews with current and prospective IBM Z clients across industries and regions 

  • Validate whether NIST CSF-aligned messaging resonates with their security and compliance priorities 

  • Synthesize data from client interviews for recommendations

Competitive Benchmarking

  • Analyze how mainframe security competitors use NIST CSF or other frameworks in their messaging 

  • Compare clarity, structure, and regional adaptability

  • Identify best practices and opportunities for IBM Z to differentiate

Thank you for reading!

Scrolled till here?

Don’t be a stranger,

let’s talk!

natashg@umich.edu
