What is and Why Care?

The Genesis of “Making It Easy to Care”

Seven years ago, when I started Craftelli Design, my marketing materials were filled with words like "craft," "care," and "design." Industry colleagues were quick to offer advice: "Those words will not resonate well in executive boardrooms. You need to speak their language - optimization, efficiency, transformation." I was told to replace these "soft" terms with proper consulting vocabulary if I wanted to be taken seriously.

But I couldn't shake the feeling that care was exactly what we needed to talk about - especially now with generative AI technologies increasingly being used in decision-making.

This conviction came from deep conversations with my wife, a nurse of over two decades. As we shared stories about our days - hers in patient care, mine in technology systems - a striking pattern emerged. In nursing, she described how professionals enter the field with deep commitment to patient care, yet increasingly struggle to maintain that care amid administrative burdens, misaligned incentives, and efficiency metrics. The systems meant to ensure quality care were, ironically, making it harder to provide it.

As a designer in tech, I found this resonated powerfully. Technical professionals join organizations at their peak of caring about their craft - excited to build great systems, ensure security, and create lasting value for the organization. Yet somehow, that natural care gets eroded by rigid processes, unclear value chains, and misaligned incentives. The very systems we put in place to ensure quality often end up diminishing the human care that drives real excellence.

This parallel revealed something fundamental: organizations are unintentionally suppressing their most valuable resource - human care and attention. Whether in a hospital or a tech company, systems designed for control and efficiency were making it harder for people to maintain their natural desire to care deeply about their work.

The implications became even more critical as I observed the rise of AI and automation. As machines increasingly handle routine tasks, our uniquely human capacity for thoughtful care becomes more precious than ever. Our ability to notice subtle details, to exercise judgment, to care deeply about outcomes - these aren't limitations to be automated away, but core strengths to be preserved and amplified.

This realization led to our guiding principle: "Make it easy to care." Instead of building more control systems or stricter processes, what if we focused on understanding and supporting the natural patterns of human care? What if we designed systems that worked with, rather than against, people's inherent desire to do meaningful work?

In an AI-empowered world, where time and effort are no longer our primary constraints, our capacity for thoughtful care becomes the true limiting factor in creating value. The organizations that thrive will be those that successfully preserve and amplify this precious human resource.

So despite the well-meaning advice, we kept words like craft, care, and design. Because in the age of AI, our ability to care deeply and thoughtfully isn't a soft skill - it's our most crucial advantage. Making it easy to care isn't just a slogan - it's a fundamental principle for designing organizations that thrive by amplifying what makes us uniquely human.

Introducing the MESA Framework: Effective Governance by Making it Easy to Care

The MESA Framework

Developed by Craftelli Design Inc., the MESA (Managed Effectiveness through Systematic Alignment) framework represents an evolution in governance thinking. Built on the principle of "making it easy to care", this simple framework modernizes how organizations approach governance, risk, and compliance.

The challenge of running an effective governance program often stems from a fundamental problem: the lack of clear distinction between controls, mechanisms, and safeguards.

Organizations (and their consultants) frequently conflate these elements, leading to confusion, redundancy, and ineffective risk management. A security tool becomes a control, a policy becomes a safeguard, and a process becomes all three – creating a tangled web of overlapping definitions that obscures rather than clarifies.

Regardless of your IT or cybersecurity role, you’ve seen this issue manifest as:

  • Tools are purchased without clear alignment to risk objectives

  • Controls are implemented without the mechanisms to make them effective

  • Safeguards exist on policies but fail to protect in practice

  • Teams struggle to demonstrate the value of their IT and Cybersecurity investments

  • Audit findings reveal head-scratching gaps despite significant spending

The MESA Layer: Creating Intuitive Connections

The MESA (Managed Effectiveness through Systematic Alignment) framework introduces a crucial layer that connects tools and capabilities with clearly defined safeguards. This layer serves as an intuitive core that maps to risk outcomes, critical assets, and compliance requirements.

MESA achieves this by establishing clear distinctions:

  • Mechanisms are the tools, processes, and systems that do the actual work

  • Safeguards are orchestrated packages of mechanisms that protect and enable value

  • Controls are verification structures that ensure effectiveness and compliance

This clarity transforms governance from a checkbox exercise into a strategic enabler. When a new compliance requirement emerges, MESA helps organizations quickly identify which safeguards are needed, what mechanisms support them, and how to verify their effectiveness. The framework eliminates the common trap of treating every requirement as a new control, instead focusing on how existing capabilities can be orchestrated to achieve the desired outcomes.

Beyond Silos: Creating Shared Understanding

Perhaps the most powerful aspect of MESA is how it moves organizations beyond arbitrary assessment questions, vendor sales pitches, and department heads competing for resources. By providing a clear framework for understanding what we care about and how we protect it, MESA creates a common language and shared understanding that naturally drives alignment.

This transformation occurs because:

  1. Assessment questions become grounded in real safeguards and mechanisms rather than arbitrary checklists

  2. Technology decisions focus on how tools support specific safeguards rather than feature comparisons

  3. Executive discussions center on risk outcomes and value creation rather than compliance checkboxes

  4. Teams naturally align around common objectives because they understand how their work contributes to protection

The result is a governance program that people rally behind not because they're forced to, but because it makes sense. When everyone understands what they're protecting and how their actions contribute to that protection, compliance becomes a natural outcome rather than a forced exercise.

Making it Easy to Care

At its core, MESA succeeds because it makes it easy to care about governance. It achieves this by:

  • Clarifying the relationship between actions and outcomes

  • Aligning controls with natural work patterns

  • Making protection strategies intuitive and meaningful

  • Creating clear connections between tools and value

This clarity eliminates the common frustration of governance activities feeling disconnected from real work. Instead, MESA creates a framework where doing the right thing becomes the easy thing, where protection becomes intuitive, and where compliance emerges naturally from effective operations.

Organizations implementing MESA find that their governance conversations change fundamentally. Instead of arguing about control requirements or tool selections, teams engage in meaningful discussions about how to better protect what matters. The framework's clarity eliminates the noise of competing priorities and political agendas, replacing them with a shared understanding of what needs to be protected and how best to protect it.

Moving Forward

As a design practice first and foremost, Craftelli Design Inc. approaches challenges through the lens of human-centered design. The MESA framework emerged from this perspective – not as another compliance framework, but as a natural expression of how people and organizations actually work to protect what they care about.

MESA represents just the beginning of Craftelli's approach to transforming governance, risk, and compliance. It provides the foundational thinking and core principles that enable truly human-centered GRC solutions. But it's only one piece of a larger vision. As a design practice, Craftelli continues to explore, innovate, and develop new ways to make governance more intuitive, effective, and aligned with how people naturally work.

The path forward isn't about adding more controls or compliance requirements. It's about understanding how people and organizations actually create and protect value, then designing solutions that enhance these natural patterns. This design-first approach, with MESA at its core, transforms governance from a burden into an enabler of organizational success.

By leading with design thinking and human understanding, Craftelli is reimagining what governance can be. The MESA framework is just the first step in this journey – a foundation for more innovations to come. In a world of increasing complexity and risk, this human-centered approach to governance isn't just beneficial – it's essential for sustainable success.

What’s next?

  • What and Why “Care”?

  • A pragmatic approach to identifying critical business functions

  • How to conduct a MESA Workshop?

Three Design Concepts You Should Apply In Information Security

Look, you’re probably thinking: designed things look great, but I don’t need my security program to look pretty, I just need it to work. You designers can take your service blueprints, UX/UI, information architecture, graphics, and typography to our marketing team. Security Ops, on the other hand, is for serious people like us who deal with risk management, governance, controls, and audits.

To that I say: I get it. Your IT and Security budgets are tighter, getting competent security people is a chore, and the tools these days… each of them promises to do all things security but fails to deliver the basic feature you pay for.

Audit, Remediate, Repeat

I’ve been there. I ran a sizable IT and Security operation for a 24/7 service provider for almost two decades. What bothers me the most is that even with the best tools, knowledge, and talent available, companies today still run IT and Security operations the same old compliance way— Audit, Remediate, Repeat. No judgement; I did it the same way for most of it.

Now some companies implement Governance, Risk, and Compliance (GRC) systems as an attempt to get out of the vicious audit-remediate cycle to no avail. Implementing even the best GRC platform is an expensive, daunting and time-consuming affair. These projects end up being abandoned after a year, and the IT/SEC team is back to tracking spreadsheets with audit findings while spawning a bunch of security initiatives that seem to come from every direction.

Now, I’m not saying that GRC systems are worthless; companies just invest in them too early. GRCs provide a centralized repository and inter-disciplinary workflows to ensure that stakeholders have access to the right information when performing the right processes. If only they had these figured out before implementation.

Security Design Disciplines

Information architecture (IA) - focuses on organizing, structuring, and labeling content in an effective and sustainable way. 

What do secure coding principles, physical security, Data Loss Prevention, and data backup systems all have in common? They are all security-related terms you will encounter in a conversation with an auditor, followed by questions on what you do with them and what artifacts you can produce as evidence.

Without an architecture that defines the taxonomy and relationship between security concepts, providing security assurance is close to impossible.

Here is how our Unified Control Framework will define those terms:


Service Blueprints - A service blueprint is a diagram that displays the entire process of service delivery, by listing all the activities that happen at each stage, performed by the different roles involved.

If you’re wondering why your patching numbers don’t add up (or you don’t get them at all), chances are your asset management and patch management processes are not in sync, and your governance function hasn’t performed the necessary second-line process to manage this issue to resolution.

Your security functions are supported by interwoven services with ownership requirements, data dependencies, and timing considerations. If you haven’t mapped out their value delivery streams, you cannot have assurance that they will produce the value you expect.
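The out-of-sync asset and patch processes described above, as an added example that is not part of the original article: a small reconciliation over a constructed asset inventory and constructed patch-tool records shows how the patch tool's own coverage figure overstates real coverage, and which hosts the second-line governance process needs to chase. Hostnames and statuses are invented for the example.

```python
"""Reconcile an asset inventory against patch-management records.

Added example (not Craftelli's code). Shows why "patching numbers don't
add up" when the two processes are out of sync: the patch tool can only
report on hosts it knows about, so its coverage figure is not the
organization's coverage figure.
"""
from dataclasses import dataclass

# Constructed sample: what the asset inventory (first line) believes exists.
ASSET_INVENTORY = {"web-01", "web-02", "db-01", "vpn-01", "laptop-117"}

# Constructed sample: what the patch tool reports. "db-01" was never
# enrolled, and "web-03" is a host the inventory does not know about.
PATCH_RECORDS = {
    "web-01": "patched",
    "web-02": "pending",
    "vpn-01": "patched",
    "laptop-117": "patched",
    "web-03": "patched",
}


@dataclass(frozen=True)
class Reconciliation:
    naive_pct: float        # patched / hosts the patch tool reports on
    true_pct: float         # patched known assets / inventory size
    unenrolled: frozenset   # in inventory, absent from the patch tool
    unknown: frozenset      # in patch tool, absent from the inventory


def reconcile(inventory, patch_records) -> Reconciliation:
    """Compare both views and compute the two coverage figures side by side."""
    inv, reported = set(inventory), set(patch_records)
    patched_reported = sum(1 for s in patch_records.values() if s == "patched")
    patched_known = sum(1 for h in inv & reported if patch_records[h] == "patched")
    naive = 100.0 * patched_reported / len(reported) if reported else 0.0
    true = 100.0 * patched_known / len(inv) if inv else 0.0
    return Reconciliation(round(naive, 1), round(true, 1),
                          frozenset(inv - reported), frozenset(reported - inv))


def findings(r: Reconciliation) -> list[str]:
    """Items the second-line process must drive to resolution."""
    out = [f"{h}: in inventory but not enrolled in patch management"
           for h in sorted(r.unenrolled)]
    out += [f"{h}: patched but absent from asset inventory (untracked asset)"
            for h in sorted(r.unknown)]
    return out


if __name__ == "__main__":
    result = reconcile(ASSET_INVENTORY, PATCH_RECORDS)
    print(f"patch tool says {result.naive_pct}% patched; "
          f"against the inventory it is {result.true_pct}%")
    for line in findings(result):
        print(" -", line)
```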


User Experience and User Interface (UX/UI) - encompasses all aspects of the end-user's interaction with the company, its services, and its products.

In IT and security, combining a clearly defined information architecture with a mapped-out service blueprint ensures that your processes exist to deliver value, whether through efficient operations or risk mitigation activities.

UX/UI defines how stakeholders such as customers, users, executives, and your board of directors interact with your operational services and what value they can expect from each.


Design in Security

There you have it, three design disciplines you can apply in your IT and Security operations. Depending on the size of your organization, it can take 6 to 12 months to get all your Control Framework domains sorted out but at the end of it you can be assured of the following:

  1. Easier and organized InfoSec Audits

  2. Clear path to maturity on all security capabilities

  3. Measurable risk mitigation capabilities and performance of control activities

We’re here to help

We implement control frameworks to get companies like yours out of the audit-remediate cycle. If you’d like more information or assistance on getting yours set up, feel free to contact us here.

Security Inspired Design

Trend Towards Personal Products

We have all been told that the way to acquire and retain customers in a competitive market is to tailor our products to the personal needs of the few. By doing so, the data we capture about our customers will naturally become more individualized and in most cases, more sensitive.

In responsible hands, this data set can drive the development of profitable products that turn interested consumers into loyal customers. On the flip side, the same data can be used for nefarious activities, from common fraud to sophisticated behavioral manipulation through targeted messaging based on preference data.

Some will claim that the collection and inevitable misuse of these data sets are unintended consequences of business operations. This was justifiable years ago when security research and tools were exclusive to large companies.

Today, consumers, partners and regulators demand more transparency and accountability regarding data collection and use from businesses of any size.

Baby in a Rollercoaster

How do you secure a baby in a rollercoaster?

  1. Design a car seat intended to be attached to rollercoasters.

  2. Or, you don’t let them ride in the first place.

It sounds obvious and yet we have a market full of products intended to protect data in transit and at rest. These are your Firewalls, Data Loss Prevention (DLP), Encryption, Anti-Malware and File Integrity Protection to name a few. These tools are designed to protect your systems and data from unauthorized access and change.

When judged on their merits, the best of these tools perform exactly as they are sold and more. With their benefits, though, comes the need for upkeep items such as license subscriptions, professional administration, and maintenance.

In addition, alongside their costly implementation periods and configuration tuning phases comes the inevitable disruption of your regular business flow from glitches and outages. All this while you or your employees figure out a way around the protections, because you need to perform your tasks the way you are accustomed to.

Even with such complexities, we simply tolerate them because the security guidelines, compliance standards and regulators require us to comply.

That is— if we want to continue allowing babies into our rollercoasters.

Alternative: Inspire Design with Security Intentions

You’re probably wondering that if we start with security and privacy intentions, wouldn’t that hinder the creative process?

First Look: Security and creativity are two opposing forces, one restricting and the latter maximizing.

Closer Look: Design is powered by creativity; productive creativity is driven by constraints; security and privacy intentions fit the constraint mold just fine.

Just as we constrain our ideas with factors such as business viability, technical feasibility, and user desirability during the design process, we argue that adding security and privacy as core product values is a natural evolution of the design process in today’s market.

Putting It All Together

At Craftelli Design, we value security, simplicity and storytelling.

  • Secure products are simpler to make and easier to market.

  • Simple products are easier to secure and come across as memorable in the market.

  • Story driven products are ones that have a simple and secure command of their values.