Author Archives: Daniel

Security Assessment Process: The Problem With “Good Enough”

The Current Process

As a freelance security consultant, researcher, and software developer, you could say Robin Wood is someone who knows their way around the security assessment process. On his site DigiNinja, you can find more than 50 security-related projects he’s released to the community.

Several years ago, Robin’s workflow involved using a basic text editor to log his clients’ vulnerability issues. He would then use those notes to produce his final reports. He did not use a structured or dedicated system or software platform.

Robin tested primarily web applications. This meant that the issues he discovered were pretty diverse from project to project. This project diversity was the major reason Robin felt that standardization of his project management would be difficult to implement.

He did recognize that his process had shortcomings. For one thing, he was often “reinventing the wheel” – writing about vulnerabilities that were similar to ones he’d written about before. He didn’t have an organized way to compare issues and easily re-use that content.

But, by and large, Robin’s process was “good enough” – it worked for him and he was doing fine. Mainly he felt that it would be too difficult and time consuming for him to switch to a new way of doing things.

Security assessment process quote about Dradis Pro

Enter Dradis Pro

A few years ago, Robin found himself working with an InfoSec company that was using Dradis Pro for logging issues and creating reports. At first he didn’t believe that learning the new software was worth the trouble. At any rate, he did it because it was part of the company’s process.

After getting used to using Dradis, though, Robin realized that his speed and efficiency had increased substantially. He continued to use Dradis from that point onward, even when he left that company and went to work for himself.

As Robin put it, “The problem is that you think, ‘My process works as it is, so I don’t have the time to put more effort into it. I’ll just use what I have.’ Then you’ll improve something and find a better way of doing it, and think, ‘Why didn’t I do this six months ago? Why didn’t I do this a year ago?’”

We’ll look at some of the ways in which Dradis Pro has helped improve Robin’s workflow and his clients’ experiences with the security assessment process.

Greater Project Structure and Organization

Even though Robin’s clients and projects are diverse, Dradis Pro has allowed him to standardize his project management. Dradis gives him a consistent way to do everything associated with a project: use and update methodologies, organize an assessment, take notes, and include screenshots and other evidence.

“All my stuff is in a nice place where I know where it is, and it’s all recorded in a constant fashion. The organization is the same every time.”

Easier Report Creation

Dradis can be connected to a library of vulnerability descriptions. Robin connects Dradis to MediaWiki (free, open-source software) to create his own library of preferred descriptions that can be easily edited and reused as he sees fit.

“It makes such a big difference. In every test you do, you think, ‘I know I’ve written that one up before.’ And before, I’d have to dig through all the reports, going, ‘How did I write that up before? I know I did a good description of this at some point.’ With the issue library, I write a good description and I put it in the library and it’s always there for me. I don’t have to reinvent the wheel. It saves so much time and effort.”

The library is always growing and always improving.

“You don’t put in an issue and forget about it. It’s always getting better over time. Whenever I find something I don’t understand or think I can improve, I go back in and improve it and that goes back in the library. It might even be minor improvements, like the odd typo or spelling mistake. So even in small ways, the client is getting a win out of it.”

Dradis customized report

Easier Report Customization

Dradis helps Robin even for his clients whose findings and reports require customization. In fact, with Dradis you can have multiple types of templates for different types of jobs. Once you have all of your project data in one place, you can export it in a variety of formats, such as Word, Excel, and HTML.

“I don’t use the same template for everyone because everyone is not the same. But I don’t want to be rewriting the same thing over again, either. So I just go in, take what I’ve got, and edit it to be bespoke for that customer, and that goes in the report. Even for the more rare or obscure issues, I still have a template that I can start with, instead of redoing it.”

Long-Term Storage and Retrieval

Dradis allows encrypted storage of projects, which makes it easy to keep projects secure and to revisit past projects.

“I had a client get in touch yesterday. Their test took place six months ago and they had questions about it. I can easily pull the archive, decrypt it, and I have all the data for them. It’s just there, ready to go.”

Improved Client Perception

Additionally, Dradis Pro has been key in helping Robin organize his projects as well as his clients’ perceptions of his work when he does on-site assessments.

“A client can come and sit down beside me while I’m on a site, and I can walk through each issue with them. There’s a nice display on screen with a full list of issues. I can click on them, show them the descriptions, and there’s a graph that shows how many high, medium, and low risks. If you tried to do that with a basic text file, obviously that doesn’t look as good.”

Improved Client Results

Improved project organization doesn’t just help Robin; most importantly, it improves his clients’ results.

“My clients really do get value out of it. They are getting more detailed and more time-tested descriptions. This makes it easier for them to understand what’s going on and makes it easier for them to remediate issues.”

New Features and Updates

Regularly, Dradis Pro adds and updates features in response to customer feedback and ideas.

“There are new versions and new features coming out frequently. It’s nice to be able to offload a technical issue to someone else. Unsurprisingly, [the Dradis team is] responsive to requests for features.”

Check out our newest edition release

A Necessary Tool

Dradis Pro has proven to be an indispensable part of Robin’s workflow.
We asked Robin, considering the many strengths of Dradis Pro, why isn’t everyone in InfoSec using something like it?

“It can seem like a lot of effort to learn a new security assessment process. I think that might put some people off. But like I did, you start small and just slowly build up into it. And at each step, you realize that you’ve made a big jump up and improved your efficiency and quality. It’s definitely worth the effort.”

Try Dradis for 30 Days

We are confident that Dradis Pro will improve your InfoSec workflow as it did for Robin’s. Conversely, if you try Dradis Pro for 30 days and don’t believe you’ve gotten your money’s worth, just let us know and we’ll give you your money back. Check out our straightforward plans here.

Want to ask us a question about how Dradis Pro can help your project management and report creation? Reach out to us on our Contact Page.

Creating Sustainable Cultural Change

In previous articles in this series on differentiating your InfoSec consulting company, we’ve talked about the importance of two core areas:

  • Process improvement and
  • Improving the customer experience

Most everyone would agree these are worthwhile aims. We all want our processes to get better and more efficient, and we all want clients to be satisfied with our work. Truly improving in these areas requires a culture aligned with these values.

But the nature of many InfoSec companies can make it difficult to change the culture. For one thing, there is often a rather frantic focus on just getting projects finished, and this doesn’t leave time to discuss bigger picture philosophies or allow time to get everyone onboard for a larger process change.

Also, the high value of technical talent often means that managers are hesitant to tackle process changes. They don’t want to take the risk of aggravating talent; they want to keep them happy. Keeping talent happy is a great goal, of course–it only becomes a negative when it interferes with other, important areas of improvement.

In this article, we’ll go over some strategies for enacting sustainable process change at your InfoSec company whilst keeping your team members happy. This article will assume you have either already read the other articles in our series or that you have some specific cultural changes you want to implement but are having some problems.

Explain How Changes Impact The Customer

Any meaningful improvement to a product or service will stem from a focus on the client experience. And most team members do want their clients to have a good experience.

But you must explain to your team members why your proposed changes are important to your clients. For example. it’s not enough to simply command: “Starting today, you must create testing methodologies after every project and share them with the team.” Your team must fully understand the full chain of events that make a new procedure important, which would go something like this:

  1. Improving methodologies means less time spent on easily repeatable tasks.
  2. Less time spent on easily repeatable tasks means more time spent on unique project challenges.
  3. More time spent on unique challenges means better service for the client.

And they should understand the downside to continuing to do things the old way.

For example, when all team members use their own methodologies and there is no consistency from project to project, this hurts the client’s experience (especially for repeat clients).

Major takeaway: Talk to your team about the greater philosophical reasons for your changes. Make them see that you are doing this for the customer.

Explain How Changes Impact The Team

In a similar way, team members need to see how changes help them do their job more easily and help them hone their craft. The logic here is basically:

  1. Making procedures more efficient means team members spend less project time on easily repeatable tasks.
  2. This leaves team members more project time for doing the fun and creative hacking–the stuff they love to do.
  3. More time spent on interesting and challenging hacking makes a hacker smarter and better at his job, which improves his standing in the industry, increases his reputation, payrate, etc.

To create real cultural change, it’s necessary to get true buy-in from everyone. And this means that your team needs to see what’s in it for them. The more you can make them see what’s in it for them, the more buy-in you get and the easier it is to shift the culture.

If you haven’t already, check out one of our past articles on how more process standardization can, perhaps counterintuitively to some people, actually increase creativity.

Get Management and Influential People Onboard

If a large company change does not have the buy-in of senior and influential members of your team, it probably won’t succeed. For example, if you have a senior tester or manager denigrate a new process openly, that has a huge impact on whether the people working with him will be more or less likely to use it.

To mitigate this conflict, try to help these team members understand the importance of the changes you’ve put in place, both for your clients and for them personally. Also explain that their buy-in is especially important in creating a trickle-down effect in the company.

An important point: You may have employees who are not technically in powerful positions but who nonetheless may be very socially influential. It’s important to discover who those team members are so you can do your best to persuade them, too.

A potential stumbling block. One possible obstacle is that some of your more senior team members may have had negative past experiences with failed process overhauls. They may be thinking, “Yeah, I’ve seen people try to do this kind of thing before. It’s pointless and won’t work.” This is actually a great opportunity to ask those members about those past attempts at change. What worked and why did it work? What didn’t work and why not? If you give them a chance to be a part of the discussion, they will feel more involved and positive about the effort.

Use Real Stories

When you try to sell the changes to your team, use real stories and anecdotes. Real stories are powerful and convincing and help people see the value of the new way of doing things. This is why companies use testimonials from customers to show the value of their products. Thought of in another way, what you are doing can be thought of as selling ideas to your team, so be willing to use any promotional tactics at your disposal.

For example, at a team meeting, you can talk about how a new procedure resulted in measurable positive results for a specific client, and read a testimonial from the satisfied client. Go on to explain how that got you thinking about extrapolating similar results across the board, and how that translated into the changes that you are going to be implementing over the next few weeks. They key message to convey is that new ideas are not coming out of thin air; they are grounded in solid value added to your clients, the company or the team. You just need to find the right way to let team members know how you got to the conclusions you did, and what needs to happen next.

Or you can get a team member to describe how a new procedure saved them time on a project and how they had more time to devote to tests that were actually intellectually engaging.

Consider Remote Workers

These days, most InfoSec companies rely on remote workers. If you have remote workers, don’t forget about them. Process changes need to be done company-wide or it’s unlikely they’ll be successful.

Plan ways to communicate the new processes to your remote workers. When was the last time you had a one-to-one with each of your remote workers? How can you expect for them to be invested and onboard new processes if you haven’t checked in with them for several months? Schedule video conferences and make sure your team knows that these are important events. If anyone can’t attend them (e.g. they need to be off-site for a client visit), go out of your way to bring them in the loop. You need to reach out to anyone and take the time to explain the importance of what you are doing, if you want them to embrace your ideas.

If at all possible, consider having all your workers travel to a single location to roll out and talk about the new changes.

Set Goals That Are Measurable (and Failable)

When the goals of a change initiative are too vague, the initiative will rarely succeed. You need to have goals that are measurable, so that you know if the cultural changes are sticking. You need to have goals that can fail, so that you know when you are not succeeding.

For example, if one of your goals is something ambiguous like: “Improve internal understanding of tech methodologies,” there is no real way to measure that. You will never know if you’ve actually succeeded.

So make your goals concrete and measurable, like “Review 1–2 methodologies each month.”

Go For Small Wins (and Small Failures)

It can be daunting to create large cultural and procedural changes at a company, we know. Especially because the people responsible for those changes can sometimes be blamed for things that go wrong.

So it’s worth pointing out that some of the best and most long-lasting process improvements start small and grow from there. You should focus on making small but lasting and widely-used improvements. You don’t have to roll out a hugely complex series of changes all at once. Instead, you can make small changes that create noticeable benefits, then track and measure them. This will create a snowball effect that leads to bigger and more widespread changes.

For some of our best ideas on making this happen in your company, read “Getting Quick Wins”.


Hopefully this article has shown you a few ideas for creating long-lasting, sustainable cultural change at your InfoSec consulting company. If you liked this article, check back on our site for future related articles.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.

Stabilizing (and Increasing) Revenue

Many information security companies these days are struggling to maintain revenue. Many are finding it difficult to maintain their rates and their client list. The InfoSec market has been increasingly commoditized, with many standalone pentesting tools and many new competitors.

With these new market pressures, InfoSec consultancies are trying to provide as much value to their clients as possible, and are looking for ways to provide new and ongoing services.

In this article, we’ll look at some ideas for stabilizing and increasing revenue at your InfoSec company. Some of these ideas are currently being used by some InfoSec companies, but at Security Roots, we believe these ideas are deserving of wider implementation and experimentation.

You can think of this article as a brainstorming tool. As you read these insights, apply them to your company and your specific clients.

Pre-Booking Work

The first idea we’ll look at is the pre-booking of work, which is the point when you sell your services to a client for a specific time in the future. For example, a client has an app scheduled for release six months away, so you pre-sell them 60 man-hours that they can use any time during that month.

Often, this is used in conjunction with a discount on the usual rate. Maybe you offer your services at 80% of your normal rate when booked six months ahead or during a typically quiet block of time on your calendar.

This is a technique used in a lot of industries to exert some control on the ebb and flow of demand. For example, the airline industry lowers its rates during slow seasons in order to maintain smoothness in its bookings. Offering a pre-booking discount could also be a way for your consultancy to maintain some smoothness in your schedule and even out the times of the year you know are historically slow or unpredictable.

Another way to implement this would be to have clients pay for x number of man-hours, which they could use at any time, as needed. Tweak this approach even further by charging higher rates to ensure immediate access and a rapid response from your team.

Retainer Service Agreements

With retainers, clients pay in advance for work to be specified later.

Some types of retainer-type agreements include:

  • Paying for emergency response work in the event something goes wrong. This retainer usage is kind of like insurance.For a fee, you’re ensuring that someone is available for an immediate response.
  • Clients pay upfront for a certain amount of pentesting and vulnerability-seeking per month (this is basically what we talked about above, with pre-booking of hours).
  • Clients pay upfront for guaranteed access to your team consulting and discussion.

With regards to this last idea, there are many ways you might provide clients access to your team’s expertise. Your team has deep insights into vulnerabilities and testing, of course, but they probably also have a lot of thoughts on secure development practices. So, for example, let’s say a software company client is adding an LDAP authentication layer to their software. This client might find it valuable to get input from one of your team members on the process to help them minimize risks of a future compromise.

Subscription Services

With subscription services, you are trying to achieve more passive income and move away from time-intensive tasks to more automatic ones. The main difference that separates subscription-based services from retainer-type services is that your subscription offerings are not tied to the specifics of a single project. Your subscription offerings are ways to bundle your expertise and knowledge into more packageable, automatic chunks. (Subscriptions can overlap with retainer agreements a bit, depending on the services offered.)

The traditional subscription service in the industry has been the Vulnerability Assessment service, which is often mandated by different policies and regulatory bodies (e.g. monthly PCI scans). But that is not the only service you can offer.

Examples of subscription services:

Automated (or semi-automated) newsletters/emails. With a content management system, you can create a database of which clients have specific technologies, and then automatically send security-related news about those individual techs every month (or more frequently) to your clients (e.g., security releases by vendors, new vulnerability classes, latest research / white papers / conference presentations / etc.). Basically, it’s kind of an automated, personalized newsletter. You can also add in items related to specific industries (for example, sending banking-related security news to your bank clients).

Product-specific recurring vulnerability scanning. (This could also be thought of as a retainer-based deal.) The idea is that you’re running automatic scans of specific products and technologies without much need for human oversight of the tests. We’ve seen this service with WordPress site scanning, but it also works for any other widely available product category: CMS, e-commerce shop, blogging platform, enterprise portal, etc.

Threat intelligence. No matter what your opinion is on the merits of “threat intelligence”, the truth is that vendors providing these types of service have found a profitable recurring subscription model.

Compliance and legal issues. In the same way, you could automatically gather news/updates on legal and compliance issues that affect clients in certain industries, certain regions, or certain technologies, and send that as an automatic email. This ongoing communication lets your clients know that you’re watching trends and watching out for them on multiple levels as you’re saving their mental bandwidth.

Recurring Testing Services

You could charge a retainer/subscription-type service for recurring vulnerability testing of various kinds. Examples of recurring tests are:

  • Recurring scans of critical assets
  • Perimeter monitoring
  • Social engineering and phishing attempts of company’s employees
  • Random DDoS fire drills

For all testing and scanning you do, you should be tracking your activities and the related improvements in the client’s system. This will let you easily prove the worth of the work your team is doing. Keep in mind that it’s not the raw data that is important to your clients; your main value is in providing them actionable information, which will come in the form of trends, delta reporting, and comparisons with other companies.

Recurring Training and Education

You could also provide recurring training and education for your clients. This could take many forms, depending on your area of expertise or the client’s needs. Ideas include:

Employee Awareness Campaigns

These could be occasional in-person or online training sessions, dedicated to improving the client workforce’s understanding of security threats. The more specific to a client’s needs and workplace you can make this, obviously the more value the client gets. But even a fully-automatic online training could improve things for many clients.

Awareness and training doesn’t have to be limited to lessons, video, or audio. It can also mean monitoring the news and forwarding to your clients specific instances where lack of awareness resulted in a breach or some other negative outcome. The idea is to make your client’s employees have an “aha” moment and think, “Well, I didn’t know about that vulnerability, and we could be the next headline.” This targeted information can prove to them the value of your regular input on security issues.

Training on Specific Products/Tech

You could do customized or automated online training on specific products and their vulnerabilities (e.g., WordPress, Sharepoint, etc.). This goes hand in hand with your product-specific scanning service. The knowledge you gain through the scanning service can be repackaged and offered as training material, hardening guides, etc.

Monthly Calls

Similar to the retainer-style agreement, you could have clients pay upfront for a certain number of hours to talk to your staff about practical issues they are facing or potential threats they want to discuss.

Better Opportunity Tracking

We might be saving the strongest idea for last here. One of the major ways InfoSec companies drop the ball is that they don’t optimally track the many ways they might continue to provide value for their existing clients. Here are some ideas on how to improve discovery of new opportunities:

  • Follow-up. Do you check back with existing clients regularly to see what they are doing and what they may need? It should be a part of your standard protocol to check in with clients.
  • Post-project surveys. When projects are done, a survey should be given to your clients. Not only does this help discover their opinions and thoughts on the completed project, it helps illuminate the value you just provided them, which might otherwise be a bit unclear. (For example, ask, “What potential future issues might have arisen if our team had not uncovered this vulnerability?”) The survey can also bring to light other areas in which you might offer them value.
  • Tracking products and technology used. By keeping files on what products and tech your clients are using, this will allow you to proactively look for opportunities to win work from them. For example, if there is a major vulnerability discovered in Android, it can be part of your process to send an email about this to your Android app clients.

Start Small and Improve

As we’ve talked about in past articles, you shouldn’t be afraid to start small. Some people put off making changes to their product/service offerings because they think there has to be some huge, overarching plan in place before they make changes. But if there are obvious quick and easy wins you can get by making the change, go ahead and do it.

For example, you could start offering retainer-type services tomorrow if you wanted. You could toss up some copy about these services immediately and that might have an immediate impact on attracting a new client.

The thing to remember about making these changes: you will be continuously improving them. As your clients give you feedback and as your team understands the product better, you will get better at doing it. You’ll figure out how to optimize the process, how to reach more clients, and how to make more money.

So, in short, don’t be afraid to start small and improve from there.


Hopefully this article has helped you brainstorm some ideas on how to stabilize and increase revenue at your InfoSec consultancy.

If this article strikes a chord with you, please reach out and let us know the financial challenges at your company and maybe some unique changes you’ve instituted to improve your situation.

In our next article in this series, we’ll be discussing ways to enact long-term and meaningful cultural change at your InfoSec company.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.

Praise for Dradis Pro from a Customer

We recently talked to one of our Dradis Pro users. You may be familiar with him: security consultant, researcher, and software developer Robin Wood. He goes by @digininja on Twitter, and has a pretty large following on there. His site is at

We asked Robin some questions about how he uses Dradis Pro, what he finds most useful, and his tips for new users to the software. Here are the edited results of our talk.

Can you walk us through a typical workflow for you and how Dradis Pro plays a role in that?

RW: Projects usually start when a client confirms the job and sends over an initial brief with things like IP addresses, URLs, and other information. At that point, I create a new project in Dradis. I put all the info in to get it started–basically just an initial capture. This might be a week or two weeks before the job itself.

Once the project has begun, it’s fairly typical. I collect all the data into Dradis.just like most people would collect data, no matter where they’re collecting it. I don’t tend to use any bulk import features because a lot of the work I do is web apps, so the findings are more bespoke.

As I’m working, I put findings directly into Dradis Pro and I pulli prewritten findings from MediaWiki, which I use as a findings repository because Dradis communicates easily with MediaWiki. So even for the more sort of rarer or obscure issues, I will still have some kind of template I can start with, instead of redoing it.

Obviously not every client is the same. So I don’t want to give out the same templates or findings to everyone. But I also don’t want to be rewriting the same thing over again. So I just go in, slightly manipulate it around to be bespoke for that customer, and then that goes into the report.

So during the test, I’m going through, doing all the testing, building up all the findings. I always try to take more notes than are necessary, and note everything I find, particularly when it’s an onsite test because I know I can’t go back and check things. In Dradis, I take screenshots, I write up notes on everything, I record everything down to individual IP addresses and one-liners that may be useful. They may not be useful, but then I’ve got them just in case.

At the end of the test, the report creation depends on who I’m working for. Some companies or agencies like to use their own reporting template. If there’s a Word doc template, for example, I’ll do a bit of copying and pasting from Dradis into the document.

It’s much easier when I’m doing work for my own clients, because Dradis has automated reporting features. I just hit a button to generate the reports in whatever format I want, and out pops the report at my end, mostly done for me. Then it’s just a case of a little tweaking and putting a few last bits of customization on it.

How has Dradis proven useful for you?

RW: As soon as you start using a structured format for projects, you realize it’s so much easier to go through and see what everything is.

It’s like: ‘Why haven’t I been doing this the whole time?’ The problem is that you think, ‘My process works as it is, so I don’t have the time to put more effort into it. I’ll just use what I have.’ Then you’ll improve something and find a better way of doing it, and think, ‘Why didn’t I do this six months ago? Why didn’t I do this a year ago?’

What would you say is your favorite feature in Dradis?

RW: Probably having the issue library. It makes a big difference. In every test you do, you think, ‘I know I’ve written that one up before.’ And before, I’d have to dig through all the reports, going, ‘How did I write that up before? I know I did a good description of this at some point.’ With the issue library, I write a good description and I put it in the library and it’s always there for me. I don’t have to reinvent the wheel.

What sequence would you recommend for new Dradis users?

RW: I would go with the issue library first, because on most projects you’ll be repeating many issues. So start getting the library built up fairly quickly. From there, you’d go to the reporting side of it, and try to get yourself a report template made up. You’ll want to start small and slowly build into it.

How does Dradis Pro help your clients?

RW: They get more detailed and more time-tested descriptions. This makes it easier for them to understand what’s going on and makes it easier for them to remediate issues.

It also helps with on-site tests as I can sit down with the client and walk through each issue with them. There’s a nice onscreen display with a full list of issues. I can click on them, show them the descriptions, and there’s a graph that shows how many high, medium, and low risks. You can’t do that with a basic text file.

Also, it’s easy to find past project data. I had a client get in touch yesterday. Their test took place six months ago and they had questions about it. I can easily pull the archive, decrypt it, and I have all the data for them. It’s there, ready to go.

Thanks a lot to Robin for taking the time to talk to us and sharing his experiences. We very much appreciate it.

Standardization Makes Your InfoSec Company Smarter and More Responsive

So far in our series of articles on InfoSec business improvement, we’ve talked a lot about the benefits of setting up processes. Established processes, like having defined and regularly updated methodologies, improve the consistency and accuracy of your tests; this benefits your clients and, as a result, your company.

And we know we’re probably preaching to the choir a bit on this one. Most owners and managers would agree that having set methodologies in place is ideal. The problem comes in implementation: getting people to follow the established procedures all the time, every time.

Process improvement can be especially difficult at InfoSec companies. This is often for cultural reasons. One major obstacle is the hacker ethos, which places a high valuation on creativity and spontaneity. For many pentest professionals, the mere idea of processes and procedures can be a killjoy. Standardization is not, on the surface, fun or exciting.

But what is often not understood is that process standardization actually leads to more opportunities to be creative, not fewer. In this article, we’ll talk about:

  • The reasons why standardization fosters creativity
  • Other cultural obstacles you may be facing that impede standardization
  • Some steps you can take to start shifting your company culture towards acceptance of standardization

Why Standardization Increases Creative Opportunities

Why does putting standards in place lead to more creativity?

To make a long story short:

  1. Standardization reduces time spent on oft-repeated tasks that you already consider correct (e.g.; your up-to-date methodologies and procedures that don’t need to be reinvented).
  2. By saving time on those oft-repeated tasks, there’s more time left to work creatively on the problem at hand.

Let’s imagine a craftsman who makes wooden chairs by hand. The craftsman has a process he follows. He selects the wood a certain way, he cuts the wood a certain way, he assembles the pieces using established, proven techniques. It’s only towards the end of his process that he adds the details that are most outwardly creative and that have the most in common with art: ornamental carvings and designs, maybe some painting.

The main bulk of his work, though, is a set process that he follows. The more efficient he makes his fundamental process, the more time he has to dedicate to the more creative elements.

This is a bit similar to pentesting. Pentesting is also more a craft than it is an art, but it does offer the opportunity for creative and artistic problem-solving. The bulk of the time on a pentest (maybe 75%) should be established procedures: i.e., your testers are using a given methodology for the technologies involved. The remainder of the project time (maybe 25%) can then be spent on creative approaches to breaking the system.

Without Standardization, Pentesters Are Wasting Time

Without set, standardized, and organized methodologies in place, your testers are often winging it on a job. They are spending a lot of time “re-inventing the wheel.”

For example, a tester may be doing the same vulnerability test on a Citrix environment as another tester did the week before, but because there’s no set repository for your company’s knowledge and no set methodology, the tester spends time researching the most current attack vectors and techniques worth pursuing. And that’s time he could have spent creatively hacking, after performing the minimum, required tests.

So instead of spending 25% of the project time trying some unique approaches to breaking the system, he winds up running out of time, having only enough time to complete the bare minimum required tests. He may get some small satisfaction out of feeling he “did everything on his own”, but at what price? He has lost an opportunity to really focus his creative talents on the system at hand. Most importantly, the client has not been served optimally, either.

Obstacles to Standardization

Let’s look at the major cultural obstacles to instituting established methodologies at InfoSec companies.

Hacker Ethos

People who are interested in hacking and pentesting often have a lot of traits in common, such as:

  • A high value on creativity.
  • A high value on being able to do things spontaneously and off the cuff (because that shows true understanding).
  • Disdain for following rules.
  • Disdain for authority.

Understanding that these traits may be true for some of your team members will help you communicate with them. This may also help you convince them why standardization should be something they support and not something to fight or run from. Standardization will leave them more time to have fun (i.e., break stuff and learn new things).


In our last article we talked about knowledge transfer and how important it is for your team members to share information. But tech workers can have a lot of ego and pride associated with the knowledge and experience they’ve accumulated. This can manifest as an unwillingness to share knowledge, and possibly even a desire to hide knowledge.

This is not just a problem in InfoSec. This happens in many companies, across all industries.

Hiding knowledge can also be seen as a strategy to make oneself more irreplaceable. The thinking goes: “If I tell my coworkers everything I know, what use am I? They’ll easily replace me.”

But this is a false conclusion. It is based on the idea that an employee’s worth is based on mere facts, checklists, and procedures when, in fact, an employee’s worth is based on much broader factors, including:

  • The ability to learn new things and understand how things work together.
  • A willingness to contribute to a team.

One way to combat this obstacle is to show the many benefits of sharing knowledge, including:

  • Other people more easily recognize your expertise, which leads to respect from peers.
  • Other people recognize your willingness to share and teach others, which also leads to respect.
  • Others are more willing to share with you the things that they know, which increases your knowledge.

Again, these can be ingrained cultural obstacles that are hard to overcome. But the more you can make your team members see these benefits, the more you can start to make progress in shifting the culture.

Past Process Failures

Another obstacle may be that your workers have negative associations with past company attempts at standardization. This may be attempts made at your company or at companies they’ve previously worked for.

For example, one of your testers may hear that you’re trying to set up repositories for methodologies and think something like: “They tried this at my last company. They had me go through weeks of establishing methodologies and putting them in certain places. And what happened? Nobody cared and nobody ended up using them. These attempts at standardization are a waste of time.”

Unfortunately, due to the sub-par way most process improvement is implemented, this can be an understandable reaction. Understanding this resistance on the part of your team members can help you combat that resistance in terms they will understand.

Start Small

For all the obstacles mentioned above, it’s important to start with small steps.

One of the first small steps is simply communicating with your team. Talk to your team members and try to educate them on the ideas in this article.

Have team meetings where you emphasize that standard protocols won’t constrict them; they’re a ticket to more creative freedom.Tell them you want to save their prime brainpower for solving the big problems, not reinventing the wheel on the usual ones, and standardization allows them to do that.

As we talked about in our last article on Knowledge Transfer, it’s important to first ensure that a process is being used by everyone. In other words, don’t spend massive amounts of hours on trying to set up a process and getting people to contribute to methodology repositories if you’re not sure or can even verify if the process is being used.

Start small. Create a simple process that your team members must follow (even if that means they are still doing a lot of other things on their own). Make sure the process is being followed by all team members and establish a simple means of verifying that it is a living, useful tool.

Once you have a system in place that is being used, then you can incrementally improve it. As we’ve been talking about in this series, this is the basis for long-term, lasting improvement in a company.

This Applies To Everything

This improvement process can play out in all other aspects of your company.

For example, once you standardize your scoping and scheduling, and get them down to an exact, efficient science, that leaves more time for your team to work on more important things, like brainstorming new, creative ways to do those tasks, or working on getting new business. Or if your salespeople have a streamlined system for handling and nurturing leads, this will result in them spending more time on brainstorming better selling strategies.

In short: every system you standardize opens up more room for creativity and improvement.


Hopefully with this article we’ve given you increased clarity on some ways to combat some cultural obstacles you may be facing at your company. Specifically, we hope this article has helped you see the reasons why process standardization leads to your testers being more creative and productive, not less.

If this article strikes a chord with you, please reach out and let us know the challenges at your company and maybe some unique things you’ve done to enact change.

In the next few articles in this series, we’ll discuss some other areas of InfoSec project management, including ways to stabilize and/or increase revenue, and more strategies for creating sustainable cultural change.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.

Dradis Pro and a reluctant convert…

My small consultancy company has used Dradis since before the Pro version existed, back when it was a community project only. At that time, I was a pure Dradis consumer. My partner was the Ruby pro, both for coding and creating our own internal systems.

When my partner left for higher things last year, I have to say that I seriously considered switching from Dradis to another program. I am pretty much a dyed-in-the-wool Windows person with no Ruby knowledge and limited experience of having to support an application running on an open source stack. I also doubted that I would get a lot of benefit from the application, as a lot of its strength is in enabling collaboration between multiple testers working on the same project rather than servicing a single user like me.

Nearly a year on and I am still with Dradis, so I thought I would share some of the reasons why.

First, I’ve not had a lot of support issues. It comes as a VM appliance and just runs–there is no necessity to start compiling it yourself or be constantly fiddling about with it. I appreciate this as I essentially start a new test every week, and the last thing I need on a Monday morning is to be trying to get the test platform to work. Because it is browser based, I can run it on any device and I tend to run it in IE in one window while I use Firefox for my testing browser in the other.

Second, it helps me to keep organized well–and this is surprisingly difficult even when you are working on your own. Like most testers, I like the actual testing part much more that the data crunching and report writing parts, because (like most testers) I have a tendency to go off on tangents that look interesting. Having each host listed (for infrastructure) and using a methodology template (for web) enables me to enter up each finding as I discover it. This means I don’t come back at the end of the test unable to remember which one of the ten VPNs I reviewed had the aggressive mode enabled, or whether I had checked a particular site for session fixation. Being able to attach screenshots is useful too, as it makes the whole test portable rather than reliant on being attached to a specific file store.

Third, reporting is easy. This is the major advantage of Dradis to me. A lot of the work I do requires a very elaborate report template involving multiple tables, headings, narrative section, etc. A lot of testing companies seem to like repeating themselves in their report several times, and Dradis not only generates the complicated tables straight from the application, but also ensures that I have the correct list of hosts with the correct vulnerability in all the sections where they occur. (Anyone who has ever tried to correlate four different sections of a hundred-page Word document will be right with me here.) In fact, with a little judicious use of VBA to import some graphics, I can write a table with thirty findings straight into the report and be finished with it in the time it would have taken to make the headers manually.

Fourth, I haven’t found an acceptable alternative. I’ve had a pretty extensive look around, and couldn’t find anything that came close in price or simplicity. For a small consultancy I don’t want something that costs £1000s and takes a team of analysts to set up. The other obvious alternative would be to write something myself, but I am not sure the payoff from having something entirely customized for me is worth the billable hours lost when I am coding and not testing (assuming, of course, that my coding skills are up to it, which they probably aren’t).

I can’t say that Dradis is a perfect tool, as there are definitely changes I would like to see implemented. I’m also not the perfect fit as a customer as I work alone and one of Dradis’ huge strengths is in coordinating multiple people on one test.

But for value for money and something which makes every test easier, Dradis Pro works for me.

Marion McCune is a security consultant and the principal of Scotsts.

Making The Most of Your Team’s Knowledge and Experience

Knowledge transfer refers to the process of transferring knowledge and best practices from one part of an organization to another, or from person to person. For InfoSec companies, keeping team members up to date and knowledgeable is indispensable.

And yet, knowledge transfer is often not made a true priority at InfoSec companies. In the rush of constantly tackling projects, the knowledge transfer process often falls by the wayside and is ignored.

In this article (part of a series on making your InfoSec company stand out), we’ll look at some reasons why knowledge transfer is so important. And we’ll give you action steps you can take today to help improve knowledge transfer at your company.

Why Is Knowledge Transfer Important?

Before discussing ways to improve knowledge transfer, let’s go through some of the main reasons why knowledge transfer is so important.

Information Changes Quickly

State-of-the-art status in the information security field changes daily. New technologies, applications, and upgrades come out constantly, and new vulnerabilities are continually being discovered. You have to stay on top of new technologies and information, or you run the risk of missing vulnerabilities and looking bad to clients and colleagues.

More Knowledgeable Team = More Efficiency and Profitability

If knowledge transfer doesn’t happen and your team isn’t up to date, it leads to all kinds of problems in your company’s workflow and efficiency.

Is the following scenario familiar?

An employee, John, does a security assessment on an Android app. He finishes the job, makes a few notes in a company wiki, and moves on to other jobs. A few months later, another employee, David, works on another Android app, his first one in several months. David takes a look at John’s notes, but the notes are far from complete and aren’t in an easy-to-follow format. So David just ends up doing the research on his own to get up to speed on new Android vulnerabilities and attack vectors.

This is a common occurrence at many InfoSec companies. If knowledge transfer were optimal, there would be a system in place that ensured that John communicated his learnings in a complete format to his colleagues. It’s not enough that John occasionally writes up his findings; there needs to be a system in place that ensures it is always done. And if the way John writes up his findings is not standardized and organized, it’s going to be difficult for other team members to get much use out of it. Without a process in place that makes it easy for the rest of the team to absorb the information and put it to good use in the next test, team members will likely ignore it.

Most importantly, an optimal system will ensure that the new knowledge is used. Often, there’s no mechanism in place that makes it mandatory for the knowledge transfer to take place. Your team might be doing their best to keep your methodologies and procedures up to date, but it doesn’t mean much if there is no process in place to ensure that that documentation is being used.

When your team transfers information efficiently, lots of good things happen:

  • Testers can work well on many types of projects (not just the technologies they were experts on when they joined your team).
  • They spend less time on routine, documented tasks and more time doing important, job-specific work.
  • They spend less time digging around for information that should already be present and easily available for them.
  • You can more easily prove to clients why your technicians are able to handle the jobs and technologies they’re assigned.
  • Your company gets more jobs done and is more efficient overall.
  • Your company performs better (which improves your reputation and helps justify your rates).

Technicians Are Happier

Also, apart from making your clients happy, efficient knowledge transfer makes your team happy. They are trained up on more technologies and, as a result, their resumés are improved. Your company also becomes a more sought-after place to work, which is great for attracting talent.

Obstacles and Struggles with Knowledge Transfer

To be fair, knowledge transfer is difficult at any company; it’s just a lot more difficult in InfoSec because there’s so much new information coming out all the time.

Also, most people in InfoSec know that knowledge transfer is important. The main challenge is in the implementation of knowledge transfer. It’s not a question of “Why would we do that?” but a question of “How do we make it happen?”

One of the main obstacles in changing any business process at an InfoSec company is workload: there are often so many projects coming so fast that it’s difficult to set aside time to brainstorm and administratively set up a process. (This is what leads to most problems in implementing process improvement.)

Sometimes there is a knowledge transfer process in place, but it is mostly ignored. As was the case in the previous example (with John and David), the “official” process may say: “Testers have to write down their findings on new vulnerabilities for this application in the content management system.” But there is nothing that actually verifies this is being done, nor is there a template for this report, so it falls by the wayside.

Or a company might put specific team members in charge of updating specific methodologies. For example, one person might be in charge of keeping the WordPress testing methodology up to date. And he does this, and does it well, and the company thinks it is doing its part in enabling knowledge transfer. But what the company doesn’t know is that nobody is actually using the information.

Some InfoSec companies try to address knowledge transfer by holding regular team meetings, in which new work and vulnerabilities are discussed. These meetings may be great for team building, and a breath of fresh air coming off of working on back-to-back projects, but often these meetings are just paying lip service to knowledge transfer. Often the meetings are informal and not everyone is present. Also, if the meetings are not yielding concrete changes to the process (which they usually won’t), they are not valuable in terms of long-term knowledge transfer. The team members present may learn a few odds and ends and connect socially, but there is no real transfer of knowledge to the entire team or to a dedicated database.

Knowledge transfer is about more than making information available. It is about putting in place processes that push the information where it needs to go.

Overview of Knowledge Transfer Process

Now let’s take a look at the steps of knowledge transfer. Again, this is pretty rudimentary and may seem like common sense. But breaking this process down into discrete steps can help you understand what your company needs to do to optimize their process.

  1. Identify who has the knowledge in an organization (e.g., testers who have recently performed tests on specific technologies, or testers who are known to be experts in specific techs)
  2. Giving the knowledge holders motivation to share knowledge (e.g., through negative incentives, positive incentives, or by showing them how the process itself benefits them)
  3. Using a set process to facilitate the transfer (e.g., a process that must be followed step by step; or it might involve a software that ensures steps are followed)
  4. Measuring and evaluating knowledge transfer (e.g., testing team members themselves, or using post-project surveys to see if knowledge transfer is happening and is effective)

Improving Knowledge Transfer

Here are a few suggestions for processes you can put in place to start improving knowledge transfer. What’s best for you will depend largely on what systems you already have in place, but we’ve tried to give some good general tips.

Create Or Improve The Process

The first step on the path to improvement is not to set up a knowledge-sharing meeting or to put people in charge of being methodology “owners.” These may seem to be tempting and easy first steps. The problem, though, is that they don’t help the process. And, as we’ve been saying often in this series, it’s all about the process.

If you don’t yet have a knowledge transfer process in place, the first step is to set one up, no matter how simple. If you already have a process, the first step is to improve it in some way, no matter how small.

For example, maybe you currently have a basic knowledge transfer process that involves testers leaving a few basic notes on your internal wiki. Some steps toward improvement might be:

  1. Creating a specific format of post-project information that must be completed for every project, by every tester
  2. Having a way to incorporate that information into your official written methodology for that technology
  3. Requiring a sign-off in a spreadsheet that that information was recorded
  4. For subsequent projects involving that same technology, requiring a sign-off by testers that shows that they reviewed the current methodology
  5. Requiring a post-project survey by subsequent testers that judges the existing methodology information

These are just examples, and much will depend on what you currently have in place. But the point is that your first thoughts should focus on improving the process and making the process not only required, but verifiable and auditable.

Dedicated InfoSec software platforms can also be a part of the overall solution, as these applications are focused on process standardization.


In our previous article, about scoping, we discussed how surveys of clients can be important. You should also have surveys and questionnaires in place for your workers.

For example, a post-project survey of the tester can ask questions for each technology, such as:

  • Were there any problems with the existing methodology as written? What were they and how would you fix them?
  • What resources (e.g., online documents, presentations, or internal resources) did you use in working on this project? Where can they be found?

The longer the tester waits to complete the survey, the more information will be lost. So, ideally, it will be part of the process to complete it right after the test is done. Perhaps an automated form could be emailed to the tester, scheduled on the same day as the scheduled test completion date. And the form could expire after a certain amount of time, which would notify a manager that the survey wasn’t completed in a timely manner.

And, most importantly, there must a process in place to do something with this information. It must be required to be shared and used.

Ask For Employee Input

It’s important and valuable to ask for employee input on problems. Testers are the ones closest to the problem; they are often the ones with the best ideas on how to solve problems with the process. Sometimes, though, their input is never tapped.

One specific question you can ask is: What processes have you seen in place at other companies you’ve worked for that you thought were very effective? This will often give you many suggestions and opinions on processes that have worked and not worked.

Aside from pure information, asking for input lets employees know their opinion is valuable, which is great for morale. It will get them thinking about other ways they can help improve the process.


Improving a business process of any kind can seem like a daunting challenge. It can feel like the problem is too large and amorphous to tackle effectively.

Alan Weiss, the business consultant, is famous for making the following point: If you improve just 1% a day, you’ll double in ability roughly every 70 days. In other words: small, incremental changes can quickly add up and become large over time. So don’t be discouraged by the apparent difficulty in tackling process change. Remember that every little thing you do to improve a process will have a large cumulative effect as time goes on. Focus on improving just 1%, but for every project your team delivers.


Hopefully we’ve given you some new ideas on ways you might improve knowledge transfer at your company. Let us know if you found the information helpful or if you have some unique things you’ve done to improve knowledge transfer at your company.

In the next few articles in this series, we’ll be discussing some other areas of project management, including ways to improve report standardization, and ways to stabilize and/or increase revenue.

Was This Article Helpful?

Security Roots’ founder Daniel Martin conceived and created the open-source collaboration tool Dradis Framework in 2007. The success of that application led to the creation of the Security Roots company and Dradis Professional Edition software.

Over the years, Security Roots has helped hundreds of InfoSec clients improve their team collaboration and report creation processes. If you have any questions about what we do or the solutions we provide, please fill out our Contact Form and we’ll be in touch right away.

If you’ve found this article helpful, please reach out and let us know how the information has worked for you. And keep an eye out for the future articles in this series.