Many companies still face big challenges to tackle a large number of security challenges in their organization. Whether it be technical challenges or cultural aspects to overcome, things take long to implement and to last in the future. Every challenge requires communication and practical actions of employees on all levels. Liberating Structures help to streamline those actions. Boost security in your organization with the help of Liberating Structures.
Key concepts
Before diving deeper in the topic, let’s explore what Liberating Structures in essence are. These are a set of facilitation techniques designed to encourage engagement, collaboration, and innovation within groups of any size. Henri Lipmanowicz and Keith McCandless developed them. Many organizations worldwide use them and the information on how to do so is freely available on the internet. Liberating Structures provide a set of simple and powerful interaction patterns that can replace or complement traditional approaches like presentations, brainstorming, or open discussions. This nature make them so powerful and versatile.
Why use it?
Companies that embrace Liberating Structures do so because of the benefits they see. Once they acknowledge failed projects of the past, they seek a new approach.
There are many benefits of using Liberating Structures over conventional approaches. Common characteristics to overcome conventional approaches include the following:
-
Scalable: they work well with small and large teams.
-
Inclusive: it supports many participants, not just a dominant small group .
-
Simple rules: the rules are easy to understand and follow.
These facilitation techniques are designed to address common pitfalls of traditional meetings, brainstorming sessions, and group discussions. All of the above mentioned aspects enable the encouragement of deeper conversations and better problem-solving. They unleash creativity and innovation in teams and help overcome communication barriers. Besides these, they also improve the feeling of shared responsibilities & ownership.
Popular examples
Organizations that start the adoption of Liberating Structures tend to seek popular and ready to use examples to get started. Examples that have a low barrier to start:
-
Open Space Technology: self-organizing group discussions around a central theme.
-
Troika Consulting: peer-to-peer coaching to address challenges.
-
World Café: rotating small group discussions to explore complex questions
-
Impromptu Networking: rapid conversations to quickly build connections between people from different departments or teams.
All of them empower groups to co-create solutions, harness collective intelligence, and improve group dynamics.
Combination with Agile/Scrum
Liberating Structures align very well with well understood Agile/Scrum practices. It focuses on Individuals and “Interactions Over Processes and Tools”. An example is the “Heard, Seen, Respected” one. This creates a safe space for individuals to share concerns or ideas. Perfect for scrum teams in which trust is a key aspect of succesful collaboration.
One of the core principles in the Agile Manifesto is “Working Software Over Comprehensive Documentation”. Liberating Structures helps to clarify priorities, ensuring the team delivers valuable software incrementally. This also helps organizations to build MVPs instead of just PoCs which value is of limited use in case no follow up is executed. The “15% Solutions” Liberating Structure is very useful here. It focus on small, immediate actions that drive progress.
Among these two examples, there are many more such as 1-2-4-All to gather and refine ideas from customers and stakeholders as well as Ecocycle Planning: Visualize workflows to identify areas of stagnation and renewal.
Common security related meeting scenarios
Once this common understanding is in place, it’s time to combine it with practical security related topics.
Liberating Structures can be used to addressing security vulnerabilities, conducting threat modeling, or running a post-incident review. It can transform traditional security meetings from rigid and hierarchical into engaging, innovative, and solution-oriented discussions.
Thread modeling
Suppose you want to conduct a Threat Modeling / Risk Assessment session, you could very well use 1-2-4-All Liberating Structure. For Vulnerability Prioritization the “What, So What, Now What?” Liberating Structure can be used. This facilitates group analysis and determines the next steps and leads to practical results in a timely manner.
Security awareness
If you allow participants to share real-life scenarios, relevant to an actual Security Awareness Training, Impromptu Networking is your choice here.
Security Incident Post-Mortem / retrospectives
Security incidents are in every company. From a business perspective, avoid the same incidents from happening again. Liberating Structures help to identify counterproductive behaviors and create strategies to prevent future incidents. For example by utilizing TRIZ.
Six steps
The following list depicts the proposed steps to follow during a Post-Mortem meeting which lasts a maximum of 50min. Using these steps and be keen in the time, helps to come to better results compared to an unstructured, energy-draining meeting with a lot of participants.
-
Step 1: Introduce the session (5 min)
-
Explain the purpose: Identify actions (or the lack of) that contributed to the security breach.
-
-
Step 2: Ask the TRIZ question (10 min)
-
"If we wanted to ensure a catastrophic security failure happens again, what would we do?"
-
-
Step 3: Brainstorm malicious actions (10 min)
-
Teams write down the worst possible behaviors (e.g., ignore patch updates, weak password policies).
-
-
Step 4: Reflect on reality (10 min)
-
"Are we doing anything like this right now?"
-
Identify overlaps between malicious actions and current behaviors.
-
-
Step 5: Identify improvements (15 min)
-
Create a concrete list of actions to address identified overlaps.
-
-
Step 6: Share & wrap-Up (10 min)
-
Teams share their top recommendations. Actions are listed and assigned to action-holders.
-
Using these steps, it helps everyone to actively participate without feeling unsafe or unheard. It leads to a set of actionable improvements to prevent future incidents of this kind.
A powerful combination
Some more tips and tricks to get most out of your investment:
-
Be transparent about goals: clearly communicate the meeting's objective to maintain focus.
-
Create a safe space: make it clear that every voice matters, even in technical or hierarchical discussions.
-
Rotate facilitators: allow team members to experience to leading sessions.
Conclusion
Liberating Structures are a great way to improve communication, collaboration and decision making in groups of various sizes. It aligns with the Agile Manifesto and it can be used for security related challenges. When practiced and applied in the right way, Liberating Structures such as 1-2-4-all, TRIZ and Impromptu Networking help to solve Incident Post-Mortem / Retrospective, Security Awareness Training programs and Threat Modeling / Risk Assessments.
