Business practices at information security companies can be difficult to change, often due to unceasing project work and a cultural lack of focus on the client experience. This article (part of a series) discusses strategies for implementing long-term, continual process improvement at an InfoSec company. It focuses on: 1) using the report as a driver for process improvement, and 2) getting your technical staff on the same page.
2. (Note: This article is part of a series about
differentiating your InfoSec company from
competitors and improving your perceived value.)
3. In our last article, we talked about some ways to get
some “quick wins” at your InfoSec company through
practical steps you could immediately begin to
affect some process improvement. But, as you
know, making long-term change at an InfoSec
company (or any company) requires dedication and
patience.
4. Continual Improvement is a philosophy aimed at
continually evaluating and improving a business
process by using customer feedback on the product
or service.
By continually improving the interactions that make
clients happy and by continually eliminating those
things that aren’t important (waste), a company
continually approaches perfection.
5. In this article, we’ll look at a couple of major ways to
implement continual improvement in your InfoSec
company, such as:
—Using the deliverable (the report) as a driver for
process improvement
—Giving your team proper motivation and incentive
to change
7. Most InfoSec companies are already entirely
focused (often overly so) on the deliverable. At these
companies, the report is the only thing that matters,
and once it’s delivered, the conversation with the
client is pretty much over. So making changes to
what’s required to be in the report can be a great
way to drive other process changes.
8. Ideally, as we’ve talked about in past articles (and
often on our blog), a report will be much more than
just a simple collection of vulnerabilities. To be the
best it can be, and to set your company apart from
the competition, a report should:
9. Give practical, actionable information on results. In
other words, how significant or dangerous are the
findings?
10. Contain an easy-to-understand executive summary.
As your most important audience is often non-
technical employees, the more you can
communicate the situation to them, the more
valuable your reports will be.
11. Showcase your methodology and processes. If you
have great processes in place, you want to
showcase them in the report. A report composed
primarily of findings misses an opportunity to
communicate how those results were created and
why they can be trusted.
12. Showcase technical talent and allocation. Your
company should have a way to ensure that the best
people work on the problem, and this should be
showcased in the report.
13. By creating requirements that contain these
elements (effectively and accurately!) in every single
report, you are also, simultaneously, creating
process change.
When reports are only required to contain the
findings, it’s easy for your team members (managers
and techies) to overlook the process, and the
process is vital.
14. Some examples of what you can require to be in the
report and how that can create broader, cultural
change:
15. —The report must contain information about how
team members were chosen. This forces you to
put in place an effective process of selecting
talent for projects.
16. —The report must prove the technical expertise of
the team members who worked on the project.
This will encourage you to create and reinforce
methods of spreading knowledge efficiently
throughout your organization. A more
knowledgeable staff means that you have more
people available to handle specific technologies,
which makes scheduling jobs easier and improves
the client experience.
17. —The report must contain information about your
process and its consistency. This forces you to
initiate processes that demonstrate said
consistency (e.g., team collaboration tools, up-to-
date and shared testing methodologies, standard
issue descriptions and ratings).
18. —The report automatically is set up to contain all of
the checks possible on a specific technology.**
This serves as a reminder to your team that those
checks must be done, every time.
19. —The report is automatically set
up to contain a section for
soliciting client feedback. That
feedback will always be
collected and be used to
improve your process.
20. These requirements for the report act as powerful
feedback loops that help continually improve your
process. These requirements help managers easily
check that the desired steps were followed on every
project.
And once your team gets used to the new
requirements, they will automatically start to think of
ways to improve the process, if only to make life
easier on themselves. Which brings us to...
22. True company change will seldom happen without
cultural change. In other words, a business will
seldom really change its ways unless there is buy-in
from its employees. Employees must have proper
motivations and incentives for acting in the desired
way.
23. It’s not enough to tell your team, “The boss wants it
this way and that’s just how it is.” And it’s also not
effective management to say, “Do this or you’ll be
punished.” Behavioral change must come from
within team members and should be positively
motivated, not negatively motivated.
24. Creating cultural change may be one of the biggest
obstacle at InfoSec companies. Here are cultural
challenges we face in this industry:
25. —Technical ability is highly valued, and there is
often a tendency to “bow down” to highly-skilled
workers and let them operate how they want to
operate.
26. —Technical workers like to think about real,
technical things, and there can be a lack of
awareness (and sometimes outright disdain) for
“softer” issues like customer experience and
customer support.
27. So how might you tackle this problem? What are
some ways you might communicate to your team
why the changes you are implementing are
valuable? Here are some ideas:
28. Show your team that the request for process change
is coming from the client, not from management.
The demand for change starts with the client. All
changes you make should be derived from
understanding what will improve your clients’
experiences. Ideally you will have already gone
through some steps to get clear about what makes
your clients happy (these were discussed in our last
article).
29. It’s easier to sell the need for change to your
workers when you show them exactly how your
clients are asking for change. It’s harder to sell the
need for change when it’s phrased as something
“we just have to do now”, without explanation. So
share the relevant feedback and emails from clients
that are driving the change.
30. Explain the importance of client
happiness to the company’s
health, their jobs, and their lives.
Client happiness is not a wishy-
washy, abstract concept. Client
happiness can be the difference
between your company’s
success or failure. Success
means more money to go
around and more industry
respect for your team members.
31. The more you can make your team see how the
process changes have real benefits to them, the
easier the changes are to implement.
One way to do this is to track and analyze some key
performance indicators as changes are made over
time (e.g., number of repeat contracts, client survey
average scores, time spent on projects) so that your
team can see the concrete ways your changes are
helping.
32. A more efficient process makes their work lives
easier. Your technical team wants to work on
technical tasks; they don’t want to spend time
working on boring administrative tasks or editing
the wording of a report.
33. One aspect of continual improvement is enhancing
your process and making it more efficient. (One
example: automated report creation software
reduces the need to constantly write new
descriptions for the same vulnerability classes every
time.)
34. When team members see that the process changes
lead to less time spent on things they don’t want to
do, and more time spent on the things they want to
do, change is easier to sell.
35. Sharing technical knowledge efficiently helps
everyone. Part of improving your processes is
increasing your knowledge transmission; i.e., how
technical knowledge is shared throughout your
organization. (We will be talking more about
knowledge transmission in a later article.)
36. Effective knowledge transmission, of course, means
better client service, but it also means that your
team members learn a lot more than they otherwise
would. Learning new tech skills makes workers
more valuable and gives them more earning
potential. (It then follows that a more educated
workforce makes it easier to book and schedule
jobs.)
37. Good performance is rewarded. When team
members perform at or above your expectations,
have systems in place to reward them. It can be a
financial reward, or it can be non-financial (e.g.,
granting them access to new tech training or time
off). One caveat is to not hurt morale by making the
workers who weren’t rewarded feel punished.
39. As you move forward with a continual improvement
process, you should remember that the majority of
company problems stem from processes, not
employees. There can be a reflex tendency to blame
individuals when procedures are not being followed
and goals not being met.
40. But, by and large, these
problems come down to not
having good processes. Most
employees want to do a good
job and be rewarded for doing a
good job. The problem for
managers is mainly one of
defining what constitutes a
good job and making it easy for
workers to jump through those
hoops.
41. Another major aspect of Continual Improvement is
to encourage your team members to report
problems with the process, and to make it easy for
them to do so.
42. Your tech team contains the people most
knowledgeable about how the current process
impacts their ability to get things done. They are the
best people to get input from about your processes.
Ask them questions, give them surveys, and make it
easy for them to give criticism (even anonymously).
43. Once you get feedback on a process and you see
the feedback is valid, you should act on it quickly.
This avoids procrastination and shows your team
that you are serious about improvement and
encourages them to come forward with their ideas.
44. Two great resources on process improvement that
we recommend are The E-Myth Revisited and Work
The System.
45. Next...
Hopefully this article has given you some ideas on
how to start down the continual-improvement road.
In the next few articles, we’ll be discussing some
specifics of project management, including:
—Improving scoping and scheduling
—Knowledge transmission
—Project standardization
46. Was This Article Helpful?
Security Roots’ founder Daniel Martin conceived
and created the open-source collaboration tool
Dradis Framework in 2007. The success of that
application led to the creation of the Security Roots
company and Dradis Professional Edition software.
47. Over the years, Security Roots has helped hundreds
of InfoSec clients improve their team collaboration
and report creation processes. If you have any
questions about what we do or the solutions we
provide, please fill out our Contact Form and we’ll
be in touch soon.
If you’ve found this article helpful, please reach out
and let us know how the information has worked for
you. And keep an eye out for the future articles in
this series.