Communication Plan for compliance pipeline removal and security policy migration

Background

Please read this as background for this issue

Problem

We want to ensure that the upcoming deprecation of compliance pipelines and subsequent migration to security policies is effectively communicated with impacted GitLab customers. We hope to not only minimise any impact of the said migration for those customers, but also increase the adoption of compliance pipelines in security policy, as that would be the default method to setting compliance pipelines in the future.

Solution

We want to come up with an effective communication plan at every step of the way, before the removal of compliance pipelines in 18.0, to ensure that all users understand that they are not able to use compliance pipelines in compliance frameworks and start to use them in security policies, establishing that as the default practice by the 18.0 release.

The proposed communication strategy may consist of the following, with the associated milestones

Milestone	Communication Pieces	Impact
17.2	1 x YouTube video, explaining the initiative, why this work is undertaken and the expected timelines for the migration to be completed. Highlight that deprecation is happening from 17.3 (internal only - for CSMs consumption). Communicate with CSMs of affected accounts about the rollout schedule (share in #customer-success channel, then cross post to #cs-pm-sec channel). Create a public feedback issue with the timelines for the deprecation clearly spelled out for customers	CSMs can learn about the upcoming deprecation and prepare their customers to move their pipelines over to security policies once policy execution types is out for either 17.2 or 17.3 release (aiming for 17.2 atm)
17.3	1 x YouTube video, explaining the new warning banners that come up now to warn folks about the migration, and show them a workflow of how they can set compliance pipelines in security policies instead. Highlight that deprecation is starting from now. 1 x blog post, explaining the initiative, why this work is undertaken and the expected timelines for the migration to be completed. Include multiple warnings at the start and end of the associated docs pages for compliance pipelines, so that anyone reading the pages is aware of the migration. (There are 2 mentions on this page) Update public feedback issue with the next stage of the deprecation (issue) Communicate with CSMs of affected accounts about the rollout schedule. Create a support readiness issue (here) (example from token incident) [created here] Create the deprecation notice https://docs.gitlab.com/ee/update/deprecations.html#compliance-pipelines (MR)	CSMs can share the video with impacted accounts to start getting them to use compliance pipelines in security policies instead. Existing users that rely on the docs to understand how compliance pipelines work can now see the warnings and start to move off to using compliance pipelines in security policies instead.
17.5	1 x blog post, explaining the initiative, why this work is undertaken and the expected timelines for the migration to be completed. 1 x YouTube video that details the migration flow from compliance pipelines to security policies. Use marketing operations to send out emails to inform impacted customers (Use the operational email template in their issue tracker https://gitlab.com/gitlab-com/marketing/marketing-operations/-/issues/new. Here's an example of tracking dedicated comms: https://gitlab.com/gitlab-com/gl-infra/gitlab-dedicated/team/-/issues/4958.) At this point, we want to 'over-communicate' the fact that the migration and subsequent deprecation of the feature is imminent and to repeat this point again and again.	Be able to communicate with customers after the migration workflow has been released
17.6	1 x YouTube video that details the migration flow from compliance pipelines to security policies. Communicate with CSMs of affected accounts about the rollout schedule. Use the PDI data (that has been requested here) to see which accounts still have compliance pipelines, and do personal outreach via their CSMs.	CSMs can share the video with impacted accounts to start getting them to use compliance pipelines in security policies instead. Existing users that rely on the docs to understand how compliance pipelines work can now see the warnings and start to move off to using compliance pipelines in security policies instead.
17.7	Use the PDI data (that has been requested here) to see which accounts still have compliance pipelines, and do personal outreach via their CSMs.	Target accounts that specifically still use compliance pipelines or have trouble moving over.
17.9	Inform CSMs that removal date for compliance pipelines has changed from 18.0 - 19.0 Change the dates mentioned in the blog post. Change the dates mentioned in the depreciation notice. Send out a Slack message in the SME channel to ensure that they understand that they can't suggest compliance pipelines for pre-sales Send out a message via the field email ticker like last time.	We want to communicate the decision that was made to assist customers with moving over to PEP. Make it clear that it is still going to be removed and to not delay.
18.0	1 x YouTube video talking about why we decided to move the date to 19.0 + what to expect (e.g. no improvements to compliance pipelines, everyone will still be asked to move to PEP). 1 x blog post talking about why we decided to move the date to 19.0	Communicates the decision more clearly to customers with reasons for moving the date to 19.0.
18.3 -> 18.4	1 x YouTube video detailing out the fixes that we are working on for PEP, what has been completed vs what is yet to be completed. @g.hickman 1 x Blog Post outlining differences in behavior between compliance pipelines and PEP to aide in migration. @g.hickman Send emails to all customers still using compliance pipelines urging them to move to PEP (similar to the marketing operation email that we had sent previously).	Shows that we are making progress on migration blockers and users can be assured that we are supporting PEP as a first class feature in place of compliance pipelines.
18.5 -> 18.6	Use telemetry to ask CSMs of those accounts to communicate with customers about the removal of compliance pipelines by 19.0 Send emails to all customers still using compliance pipelines urging them to move to PEP (similar to the marketing operation email that we had sent previously).	Target exact customers that might be affected by PEP migration
18.7	1 x YouTube video on all the fixes that we've brought to PEP. @g.hickman	Give customers confidence that PEP is a first class feature and encourage them to migrate
18.8	Evaluate based on decision matrix on whether to continue communication plan to keep compliance pipelines or start removal of compliance pipelines from the product.	N/A

Summary of work phases

1. Compliance pipelines deprecation (&12324 - closed)
   • Adding banners and migration workflow, and docs
   • Working on this now
   • Scheduled to be released 17.3
2. Communication Plan for compliance pipeline remo... (#467295)
   • issues, blogs, tutorials, docs etc
   • Scheduled to start work on this 17.2
   • Scheduled to be released 17.3
3. Deter new compliance pipelines (&14150 - closed)
   • Adding warning banners for new pipelines
   • encourage users to try the pipeline execution policy instead
   • Scheduled to start work on this 17.4
   • Scheduled to be released 17.6
4. Compliance pipelines removal (&12325 - closed) (Remove compliance pipelines)
   • Scheduled to start work on this 18.8
   • Scheduled to be released 19.0