Anatomy of a Crisis: Managing a $350K Client Through Compliance Hell
Note: This is a skeleton draft for navigation testing.
Opening Hook
5am Mountain Time. Another daily standup meeting. Seven of them, one of me.
The stakes: A $350k ARR deal I closed. Crown jewel client for new ownership. An accessibility compliance crisis that could knock the dev team off roadmap for months.
My role: Sole company representative, months of daily meetings ahead.
This isn’t a hero story. This is about high-pressure crisis management and what it costs.
1. Context: How We Got Here
The Deal and the Acquisition
October: Closed a top-10 financial institution at $350k ARR, 5-year deal. Senior Solutions Engineer who closed it.
January: Company acquired, leadership transition. New leadership had no relationship with this “crown jewel” client.
Platform detail: Debian-based fork, not internet-facing, unique deployment.
The Vendor Review Problem
During the sales cycle, I filled out vendor compliance grids. Multiple categories: privacy, security, labor practices, accessibility.
Accessibility: Flagged as non-compliant in grid. Communicated to Head of NA sales. Company was being shopped for acquisition during the deal.
January crisis: Full surprise to new leadership (they didn’t have it or know about it). Original sales rep fired, institutional memory gone.
2. The Crisis Emerges
The Compliance Demand
Compliance department discovered non-compliance. Senior Vice President level. Their incentive: Portfolio compliance percentage, not security outcomes.
The demand: Platform must meet WCAG accessibility standards immediately.
Technical scope: ~50 accessibility issues identified across screen readers, keyboard navigation, colour contrast, forms, buttons.
The problem: Fixes needed on legacy Debian fork used only by this client.
Why This Was a Crisis
Security awareness business line was happy with the platform. But they had zero power to protect us from the compliance department.
Hierarchy: Compliance SVP > Security awareness VP/program managers.
The threat: Non-compliance allowed contract termination or penalty clauses.
Business impact: Would knock dev team off product roadmap for months.
Technical challenge: Maintaining dead Debian distro fork (all other clients on Ubuntu).
Meeting cadence demanded: Daily standups required. Email updates declined. Multiple stakeholders on every call.
3. The Cast of Characters
Their Side (The 7)
- Compliance PM: Ran meetings with aggressive style, set adversarial tone
- Junior compliance rep: Attended with PM
- Senior Vice President (compliance): 2x/week attendance
- Program Manager (VP level, security awareness): Silent attendee, ally but powerless
- Program admin (security awareness): Operational stakeholder
- Tech lead (security awareness): Technical stakeholder
- Accessibility reps (1-2): Presented content when needed
Dynamic: 7v1 most meetings. Hostile baseline: “Do you have any fixes for us today?”
Your Side (The Team I Protected)
Dev team: Eastern European, wildly different timezone. Head of dev team was my primary partner. 2-3 dedicated devs on sprint/cycle.
Needed shielding from: client pressure, unrealistic timelines, scope creep, direct client contact.
Support lead: Also Eastern European. Attended early meetings, became emotionally exhausted. I pulled him from meetings ~2 weeks in.
C-suite: CTO and CSO. Israeli-based, different timezone. Israeli cybersecurity leadership style - trusted with agency, never imposed controls.
4. Multi-Audience Stakeholder Management
What I had to balance:
To the bank: Show progress without overpromising. Create space around hard problems. Let them feel like they were managing us.
To dev team: “What do you need?” not “Here’s what you have to do.” Shield from unrealistic timelines, direct client pressure, scope creep.
To C-suite: Daily updates on progress, pressure, temperature. Risk assessment. Clarity on what I needed.
5. Technical and Tactical Execution
50+ WCAG accessibility issues on legacy Debian fork. Multiple rounds - some issues needed iteration after initial fix.
Provided dev instance (Docker on Hetzner) for their accessibility testing. This prevented batch-ship-and-discover-more-issues problem.
The delicate dance of saying “no” gracefully to a top-10 bank: Frame as “We can’t have that then” or “can’t have it exactly that way.”
6. Turning Points
The Worst Moment
Two weeks in. Ski trip. Hadn’t delivered anything yet. Support lead broken. I was sick, fevery, in bed all night. Crisis clearly not going away. Alone on this, months ahead.
When the Dynamic Shifted
Started delivering. Technical acceptance meetings began. Progress visible, not just promised.
“Do you have any fixes for us today?” doesn’t land when the answer is yes.
Meeting cadence reduced from daily to biweekly once all severe issues resolved. “We trust you now” inflection point.
7. Resolution and Aftermath
All 50+ issues resolved. Formal acceptance from bank. No formal thanks - compliance requirement met. “Ended with a whimper.”
Subsequent “smaller crises” with different business units within the bank. More in my domain (data modelling, UUID, country of origin). More able to push back.
When I was laid off (4th round): Relationship with bank was fantastic.
8. What I Learned
What I’d do differently:
- Never go alone - get assigned co-SE for all meetings
- Earlier escalation of support
- Flag compliance concerns clearly, ensure they reach decision-makers with authority
What I learned about myself:
- Can handle extreme pressure for extended periods
- Multi-audience stakeholder management is my strength
- Almost to burnout threshold (learned where the line is)
About organisations:
- Large institutions are not monoliths (compliance vs. business line)
- Incentive structures matter (compliance % vs. security outcomes)
- Aggressive meeting styles become inappropriate when you’re producing
What This Demonstrates
Multi-audience stakeholder management across bank (7 different roles), dev team (different timezone, culture), and C-suite (different timezone, need for agency + visibility).
Crisis management under pressure. Daily high-stakes meetings for months. Solo company representative.
Technical diplomacy. Saying “no” gracefully. Creating space for hard problems.
Risk assessment and communication. “What’s next risk? What risks are we choosing?”
Content status: Skeleton draft for navigation testing. Full case study in development.