In our last article, we talked about some ways to get some “quick wins” at your InfoSec company through practical steps you could take immediately to effect some process improvement. But, as you know, making long-term change at an InfoSec company (or any company) requires dedication and patience.
Continual Improvement is a philosophy aimed at continually evaluating and improving a business process by using customer feedback on the product or service. By continually improving the interactions that make clients happy and by continually eliminating those things that aren’t important (waste), a company continually approaches perfection.
In this article, we’ll look at a couple of major ways to implement continual improvement in your InfoSec company, such as:
Most InfoSec companies are already entirely focused (often overly so) on the deliverable. At these companies, the report is the only thing that matters, and once it’s delivered, the conversation with the client is pretty much over. So making changes to what’s required to be in the report can be a great way to drive other process changes.
Ideally, as we’ve talked about in past articles (and often on our blog), a report will be much more than just a simple collection of vulnerabilities. To be the best it can be, and to set your company apart from the competition, a report should:
Give practical, actionable information on results. In other words, how significant or dangerous are the findings?
Contain an easy-to-understand executive summary. As your most important audience is often non-technical employees, the more you can communicate the situation to them, the more valuable your reports will be.
Showcase your methodology and processes. If you have great processes in place, you want to showcase them in the report. A report composed primarily of findings misses an opportunity to communicate how those results were created and why they can be trusted.
Showcase technical talent and allocation. Your company should have a way to ensure that the best people work on the problem, and this should be showcased in the report.
By creating requirements that contain these elements (effectively and accurately!) in every single report, you are also, simultaneously, creating process change. When reports are only required to contain the findings, it’s easy for your team members (managers and techies) to overlook the process, and the process is vital.
Some examples of what you can require to be in the report and how that can create broader, cultural change:
These requirements for the report act as powerful feedback loops that help continually improve your process. These requirements help managers easily check that the desired steps were followed on every project. And once your team gets used to the new requirements, they will automatically start to think of ways to improve the process, if only to make life easier on themselves. Which brings us to…
True company change will seldom happen without cultural change. In other words, a business will seldom really change its ways unless there is buy-in from its employees. Employees must have proper motivations and incentives for acting in the desired way.
It’s not enough to tell your team, “The boss wants it this way and that’s just how it is.” And it’s also not effective management to say, “Do this or you’ll be punished.” Behavioral change must come from within team members and should be positively motivated, not negatively motivated.
Creating cultural change may be one of the biggest obstacles at InfoSec companies. Here are cultural challenges we face in this industry:
So how might you tackle this problem? What are some ways you might communicate to your team why the changes you are implementing are valuable? Here are some ideas:
Show your team that the request for process change is coming from the client, not from management. The demand for change starts with the client. All changes you make should be derived from understanding what will improve your clients’ experiences. Ideally you will have already gone through some steps to get clear about what makes your clients happy (these were discussed in our last article). It’s easier to sell the need for change to your workers when you show them exactly how your clients are asking for change. It’s harder to sell the need for change when it’s phrased as something “we just have to do now”, without explanation. So share the relevant feedback and emails from clients that are driving the change.
Explain the importance of client happiness to the company’s health, their jobs, and their lives. Client happiness is not a wishy-washy, abstract concept. Client happiness can be the difference between your company’s success and failure. Success means more money to go around and more industry respect for your team members. The more you can make your team see how the process changes have real benefits to them, the easier the changes are to implement. One way to do this is to track and analyze some key performance indicators as changes are made over time (e.g., number of repeat contracts, client survey average scores, time spent on projects) so that your team can see the concrete ways your changes are helping.
A more efficient process makes their work lives easier. Your technical team wants to work on technical tasks; they don’t want to spend time working on boring administrative tasks or editing the wording of a report. One aspect of continual improvement is enhancing your process and making it more efficient. (One example: automated report creation software reduces the need to constantly write new descriptions for the same vulnerability classes every time.) When team members see that the process changes lead to less time spent on things they don’t want to do, and more time spent on the things they want to do, change is easier to sell.
Sharing technical knowledge efficiently helps everyone. Part of improving your processes is increasing your knowledge transmission; i.e., how technical knowledge is shared throughout your organization. (We will be talking more about knowledge transmission in a later article.) Effective knowledge transmission, of course, means better client service, but it also means that your team members learn a lot more than they otherwise would. Learning new tech skills makes workers more valuable and gives them more earning potential. (It then follows that a more educated workforce makes it easier to book and schedule jobs.)
Good performance is rewarded. When team members perform at or above your expectations, have systems in place to reward them. It can be a financial reward, or it can be non-financial (e.g., granting them access to new tech training or time off). One caveat is to not hurt morale by making the workers who weren’t rewarded feel punished.
As you move forward with a continual improvement process, you should remember that the majority of company problems stem from processes, not employees. There can be a reflex tendency to blame individuals when procedures are not being followed and goals not being met.
But, by and large, these problems come down to not having good processes. Most employees want to do a good job and be rewarded for doing a good job. The problem for managers is mainly one of defining what constitutes a good job and making it easy for workers to jump through those hoops.
Another major aspect of Continual Improvement is to encourage your team members to report problems with the process, and to make it easy for them to do so. Your tech team contains the people most knowledgeable about how the current process impacts their ability to get things done. They are the best people to get input from about your processes. Ask them questions, give them surveys, and make it easy for them to give criticism (even anonymously).
Once you get feedback on a process and you see the feedback is valid, you should act on it quickly. This avoids procrastination and shows your team that you are serious about improvement and encourages them to come forward with their ideas.
Two great resources on process improvement that we recommend are The E-Myth Revisited and Work The System.
Hopefully this article has given you some ideas on how to start down the continual-improvement road. In the next few articles, we’ll be discussing some specifics of project management, including: