Knowledge transfer refers to the process of transferring knowledge and best practices from one part of an organization to another, or from person to person. For InfoSec companies, keeping team members up to date and knowledgeable is indispensable.
And yet, knowledge transfer is often not made a true priority at InfoSec companies. In the rush of constantly tackling projects, the knowledge transfer process often falls by the wayside and is ignored.
In this article (part of a series on making your InfoSec company stand out), we’ll look at some reasons why knowledge transfer is so important. And we’ll give you action steps you can take today to help improve knowledge transfer at your company.
Before discussing ways to improve knowledge transfer, let’s go through some of the main reasons why knowledge transfer is so important.
State-of-the-art status in the information security field changes daily. New technologies, applications, and upgrades come out constantly, and new vulnerabilities are continually being discovered. You have to stay on top of new technologies and information, or you run the risk of missing vulnerabilities and looking bad to clients and colleagues.
If knowledge transfer doesn’t happen and your team isn’t up to date, it leads to all kinds of problems in your company’s workflow and efficiency.
Is the following scenario familiar?
An employee, John, does a security assessment on an Android app. He finishes the job, makes a few notes in a company wiki, and moves on to other jobs. A few months later, another employee, David, works on another Android app, his first one in several months. David takes a look at John’s notes, but the notes are far from complete and aren’t in an easy-to-follow format. So David just ends up doing the research on his own to get up to speed on new Android vulnerabilities and attack vectors.
This is a common occurrence at many InfoSec companies. If knowledge transfer were optimal, there would be a system in place that ensured that John communicated his learnings in a complete format to his colleagues. It’s not enough that John occasionally writes up his findings; there needs to be a system in place that ensures it is always done. And if the way John writes up his findings is not standardized and organized, it’s going to be difficult for other team members to get much use out of it. Without a process in place that makes it easy for the rest of the team to absorb the information and put it to good use in the next test, team members will likely ignore it.
Most importantly, an optimal system will ensure that the new knowledge is used. Often, there’s no mechanism in place that makes it mandatory for the knowledge transfer to take place. Your team might be doing their best to keep your methodologies and procedures up to date, but it doesn’t mean much if there is no process in place to ensure that that documentation is being used.
When your team transfers information efficiently, lots of good things happen:
Also, apart from making your clients happy, efficient knowledge transfer makes your team happy. They are trained up on more technologies and, as a result, their resumés are improved. Your company also becomes a more sought-after place to work, which is great for attracting talent.
To be fair, knowledge transfer is difficult at any company; it’s just a lot more difficult in InfoSec because there’s so much new information coming out all the time.
Also, most people in InfoSec know that knowledge transfer is important. The main challenge is in the implementation of knowledge transfer. It’s not a question of “Why would we do that?” but a question of “How do we make it happen?”
One of the main obstacles in changing any business process at an InfoSec company is workload: there are often so many projects coming so fast that it’s difficult to set aside time to brainstorm and administratively set up a process. (This is what leads to most problems in implementing process improvement.)
Sometimes there is a knowledge transfer process in place, but it is mostly ignored. As was the case in the previous example (with John and David), the “official” process may say: “Testers have to write down their findings on new vulnerabilities for this application in the content management system.” But there is nothing that actually verifies this is being done, nor is there a template for this report, so it falls by the wayside.
Or a company might put specific team members in charge of updating specific methodologies. For example, one person might be in charge of keeping the WordPress testing methodology up to date. And he does this, and does it well, and the company thinks it is doing its part in enabling knowledge transfer. But what the company doesn’t know is that nobody is actually using the information.
Some InfoSec companies try to address knowledge transfer by holding regular team meetings, in which new work and vulnerabilities are discussed. These meetings may be great for team building, and a breath of fresh air coming off of working on back-to-back projects, but often these meetings are just paying lip service to knowledge transfer. Often the meetings are informal and not everyone is present. Also, if the meetings are not yielding concrete changes to the process (which they usually won’t), they are not valuable in terms of long-term knowledge transfer. The team members present may learn a few odds and ends and connect socially, but there is no real transfer of knowledge to the entire team or to a dedicated database.
Knowledge transfer is about more than making information available. It is about putting in place processes that push the information where it needs to go.
Now let’s take a look at the steps of knowledge transfer. Again, this is pretty rudimentary and may seem like common sense. But breaking this process down into discrete steps can help you understand what your company needs to do to optimize their process.
Here are a few suggestions for processes you can put in place to start improving knowledge transfer. What’s best for you will depend largely on what systems you already have in place, but we’ve tried to give some good general tips.
The first step on the path to improvement is not to set up a knowledge-sharing meeting or to put people in charge of being methodology “owners.” These may seem to be tempting and easy first steps. The problem, though, is that they don’t help the process. And, as we’ve been saying often in this series, it’s all about the process.
If you don’t yet have a knowledge transfer process in place, the first step is to set one up, no matter how simple. If you already have a process, the first step is to improve it in some way, no matter how small.
For example, maybe you currently have a basic knowledge transfer process that involves testers leaving a few basic notes on your internal wiki. Some steps toward improvement might be:
These are just examples, and much will depend on what you currently have in place. But the point is that your first thoughts should focus on improving the process and making the process not only required, but verifiable and auditable.
Dedicated InfoSec software platforms can also be a part of the overall solution, as these applications are focused on process standardization.
In our previous article, about scoping, we discussed how surveys of clients can be important. You should also have surveys and questionnaires in place for your workers.
For example, a post-project survey of the tester can ask questions for each technology, such as:
The longer the tester waits to complete the survey, the more information will be lost. So, ideally, it will be part of the process to complete it right after the test is done. Perhaps an automated form could be emailed to the tester, scheduled on the same day as the scheduled test completion date. And the form could expire after a certain amount of time, which would notify a manager that the survey wasn’t completed in a timely manner.
And, most importantly, there must a process in place to do something with this information. It must be required to be shared and used.
It’s important and valuable to ask for employee input on problems. Testers are the ones closest to the problem; they are often the ones with the best ideas on how to solve problems with the process. Sometimes, though, their input is never tapped.
One specific question you can ask is: What processes have you seen in place at other companies you’ve worked for that you thought were very effective? This will often give you many suggestions and opinions on processes that have worked and not worked.
Aside from pure information, asking for input lets employees know their opinion is valuable, which is great for morale. It will get them thinking about other ways they can help improve the process.
Improving a business process of any kind can seem like a daunting challenge. It can feel like the problem is too large and amorphous to tackle effectively.
Alan Weiss, the business consultant, is famous for making the following point: If you improve just 1% a day, you’ll double in ability roughly every 70 days. In other words: small, incremental changes can quickly add up and become large over time. So don’t be discouraged by the apparent difficulty in tackling process change. Remember that every little thing you do to improve a process will have a large cumulative effect as time goes on. Focus on improving just 1%, but for every project your team delivers.
Hopefully we’ve given you some new ideas on ways you might improve knowledge transfer at your company. Let us know if you found the information helpful or if you have some unique things you’ve done to improve knowledge transfer at your company.
In the next few articles in this series, we’ll be discussing some other areas of project management, including ways to improve report standardization, and ways to stabilize and/or increase revenue.