Microsoft IT has been developing an engineering based application security lifecycle for about 5 years now. The ACE team is responsible for helping develop and maintain this lifecycle called the Security Development Lifecycle for IT (SDL for IT) which is currently used to secure line of business applications developed by Microsoft IT. This lifecycle has been adapted to work with other business units within Microsoft. Microsoft IT has taken this experience building an adaptable and scalable application security development lifecycle and exposed it to our customers.

A large part of my job profile is to help large enterprise customers adapt the SDL for IT to work with their business. This is particularly challenging as the core-competency, organizational structure and technical depth of each company and each industry vertical is very different.

Customer: The First American Corporation (NYSE: FAF) is a large financial services organization based in Santa Ana, CA. The case study video features FAF executives Jeff Klopfer and Scott Campbell talking about First American's experience with the SDL for IT process.   

Making the video: In response to customer requests to hear success stories around SDL for IT, I started a quest to find a customer based within my region with whom we could conduct a case study. There were several challenges while making this video and I want to discuss my experience leading the creation of this case study.

The unique challenge here was to get funding and well, finding a producer who could do it in time (3 weeks from first contact to deliverable). Microsoft unlike a lot of companies has its own studios and several vendors who are well versed with making case study videos.

Things to do while making a video case study:

  1. Clarify objectives: You will find that a case study has a lot of moving parts and stakeholders. A set of written objectives and metrics on how to evaluate the achievement of those objectives is very critical. All the stakeholders need to approve this. Remember the customer will only endorse a study that they have analyzed to be accurately reflecting their views.
  2. Target Audience: The target audience should be identified and the messaging needs to address areas of interest to the target audience. Audiences one could consider while building an IT case study are technical: architects, developers, testers; sales and marketing; operational managers; or business decision makers
  3. Find Producer: Identifying a producer early during the project can have several advantages including an easier scheduling process and innovative story boards. Story boarding is very vital to highlight the points you want to leave the audience with. Remember that you have around 2-3 minutes to tell a story.
  4. Shooting: While at the customers location keep scouting for a cool location to shoot the video. Personally, I prefer locations that do not have too much going on in the background. Don't wear clothing which will blur in low quality videos. This includes stripped or checked clothes. Check with the video team and communicate this to the individuals involved ahead of time.
  5. Identify Executives: The case study needs to communicate some tangible message. My experience is that the message is best received from an organizational counterpart of your target audience. A CIO to a CIO or Architect to Architect.
  6. Editing: Editing a video requires a huge time commitment from the person commissioning the study. They have to work with the producer and editor to ensure that the messaging is accurate and more importantly they provide the domain expertise that the video team does not possess.
  7. Format: The case study should be available in both high and low quality. Also get the raw footage from the producer for subsequent alterations or expansions.

In any case, watch the case study and let me know what you think. In the meantime, I will begin lobbying for an Oscar category for case study videos.